You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
# Challenge 1 - add the Code Scanning GitHub action to a repository
2
-
In this challenge, we will enable code scanning on a fork of this repository and observe what vulnerabilities CodeQL finds. The repository contains several intentionally vulnerable code snippets.
2
+
In this challenge, we will enable code scanning on a fork of this repository and observe what vulnerabilities CodeQL finds. The repository contains several intentionally vulnerable code snippets, which should be found by code scanning. Follow Instructions-option A to enable code scanning on the fork.
3
3
4
-
If you prefer, you can choose another open source project, make a fork of it on your personal GitHub account and then enable Code Scanning on it. You can also choose one of your own public projects instead. If you encounter problems, see documentation for [enabling code scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically).
4
+
If you prefer, you can choose another open source project for this challenge. In that case, you can either fork it (Instructions-option B) or clone and upload to a new repository on your account (Instructions—option C).
5
+
6
+
You can also choose one of your own public projects instead. If you encounter problems, see documentation for [enabling code scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically).
5
7
6
8
Hint: If you can’t find a project, use the GitHub search functionality, e.g. type in the GitHub search bar “language:python stars:>100 type:repositories”
7
9
8
-
## Instructions:
10
+
## Instructions-option A—fork this repository and enable code scanning
11
+
12
+
1. Fork this repository
13
+
Note: If any of the steps below do not work or look different, check out the [documentation](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically).
9
14
10
-
1. Fork this repository.
11
-
Note: If anyone of the steps below do not work or look different, check out the [documentation](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically).
12
15
2. Go to the 'Security' tab > click 'Set up code scanning' button.
@@ -21,6 +24,50 @@ Note: If anyone of the steps below do not work or look different, check out the
21
24
22
25
5. Wait a few minutes for the scan to complete. Go to 'Security' tab and see the alerts that have been triggered.
23
26
27
+
## Instructions—option B—fork another open source repository and enable code scanning
28
+
Some open source projects will have their own Actions workflows defined. If you fork a repository with existing workflows, these workflows will be disabled by default. This is a security measure to protect you from potentionally [malicious workflows](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/), to prevent errors and lower Actions minutes usage.
29
+
30
+
That's why before you enable code scanning, it's better if you first delete all actions workflows from your fork (generally they can be found in the `.github/workflows` folder), then go to the Actions tab and make sure that Actions are enabled.
31
+
32
+
1. Fork an open source project. When forking, select the option `Copy the main branch only`.
33
+
34
+
2. Check if the `.github/workflows` folder exists and if it does, delete it from your fork.
35
+
36
+
3. Go to the Actions tab and make sure that Actions are enabled (if they are disabled, a big pop up will show up).
37
+
38
+
4. Go to the 'Security' tab > click 'Set up code scanning' button.
7. Wait a few minutes for the scan to complete. Go to 'Security' tab and see the alerts that have been triggered.
49
+
50
+
## Instructions—option C—clone another open source project and upload to a new repository on your account
51
+
52
+
In a similar way as in option B, we don't want unknown Actions workflows running on your account.
24
53
The code for this challenge has shamelessly been copied from the [CodeQL examples](https://github.com/github/codeql/blob/main/python/ql/src/Security/CWE-089/examples/sql_injection.py).
25
54
55
+
1. Create a new repository on your account.
56
+
57
+
2. Duplicate an open source repository following the instructions [here](https://docs.github.com/en/repositories/creating-and-managing-repositories/duplicating-a-repository). Make sure to check if the `.github/workflows` folder exists and if it does, delete it from your copy of the repository.
58
+
59
+
3. Go to the Actions tab and make sure that Actions are enabled (if they are disabled, a big pop up will show up).
60
+
61
+
4. Go to the 'Security' tab > click 'Set up code scanning' button.
0 commit comments