The apps here contain intentional, illustrative weaknesses so CodeQL has something to find. Do not deploy them. No real secrets are used.
Focused practice for GH-500 domain 2.0 - Configure and manage code scanning with CodeQL (the heaviest domain at 35%), by Certy.
- `javascript-app/` - a tiny Express app with a reflected XSS pattern.
- `python-app/` - a tiny Flask app with reflected XSS and clear-text logging.
- `.github/workflows/`:
  - `codeql-matrix.yml` - the active scan: CodeQL across JavaScript and Python on every push and pull request.
  - `codeql-default.yml` - a teaching example of the standard generated workflow (manual run).
  - `codeql-custom.yml` - a teaching example using a config file and an extended query suite (manual run).
- `codeql/` - a config file and notes on query suites and custom queries.
- `docs/` - alert triage, the false-positive process, configuration notes.
- Click Use this template, make it public, clone it.
- Let `codeql-matrix.yml` run, then open the Security tab > Code scanning and triage the alerts for both languages.
- Work through `labs/`: default vs advanced setup, query suites, fixing an alert, dismissing a false positive, and reviewing alerts in a pull request.
- CodeQL needs a checkout; compiled languages need a build (autobuild or manual), while JavaScript and Python are interpreted and need none.
- `security-events: write` lets the workflow upload results.
- Results are uploaded as SARIF and appear in the Security tab and on pull requests.
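As an added example (not the repository's own `codeql-matrix.yml`), here is a workflow that puts those points together: a checkout, no build step for the two interpreted languages, `security-events: write`, and the SARIF upload performed by the analyze step. The action version tags and the config-file path are assumptions.

```yaml
# Added example, not the repo's codeql-matrix.yml. Action version tags
# (@v4 / @v3) are assumed to be current; pin to what your org allows.
name: CodeQL (matrix)

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read          # checkout needs to read the repository
  security-events: write  # needed to upload SARIF results to code scanning
  actions: read           # only needed for private repos (workflow run status)

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false    # one language failing should not cancel the other
      matrix:
        language: [javascript, python]
    steps:
      # CodeQL needs the source on disk before it can build a database.
      - uses: actions/checkout@v4

      # Create the CodeQL database for this matrix language.
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Optional: widen the query suite, or point at the config file
          # under codeql/ (placeholder path; use the file in your repo).
          # queries: security-extended
          # config-file: ./codeql/<your-config>.yml

      # JavaScript and Python are interpreted, so no build step is needed.
      # A compiled language would add, between init and analyze, either
      #   - uses: github/codeql-action/autobuild@v3
      # or a manual build command.

      # Run the queries and upload the SARIF results to the Security tab.
      # A per-language category keeps the two uploads distinct.
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```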
- Free GH-500 course and mock exam: https://certy.pro
- Course content: https://github.com/CertyPro/certy-ghas-course-content
MIT.