skills · chriswblake · Jun 7, 2025 · Jun 7, 2025 · Jun 7, 2025 · Jun 7, 2025
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
diff --git a/.github/steps/-step.txt b/.github/steps/-step.txt
diff --git a/.github/steps/0-welcome.md b/.github/steps/0-welcome.md
diff --git a/.github/steps/1-enable-codeql.md b/.github/steps/1-enable-codeql.md
diff --git a/.github/steps/1-step.md b/.github/steps/1-step.md
@@ -0,0 +1,48 @@
+## Step 1: Enable Code Scanning
+
+Let's start by learning a bit about code scanning with [CodeQL](https://codeql.github.com/) and how it helps secure your code.
+
+### What is GitHub Code Scanning?
+
+[Code scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) is part of the [GitHub Advanced Security (GHAS)](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) product suite. It allows development teams to integrate security testing tools directly into the same process you already use for shipping code. It supports many types such as SAST, container, and infrastructure as code. And, the best part is that the results can also live directly in GitHub next to your code. No need for context switching! 🎉
+
+> [!TIP]
+> All features of GitHub Advanced Security are free for public repositories. However, private repositories require a compatible [paid account](https://docs.github.com/en/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security).
+
+### What is CodeQL?
+
+[CodeQL](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql) is a static analysis testing tool that helps you identify security weaknesses such as SQL injection, cross-site scripting, and code injection issues.
+
+Typically CodeQL [queries](https://codeql.github.com/docs/writing-codeql-queries/about-codeql-queries/) are collected into [query suites](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql-queries) to cover multiple patterns. When combined well, this can be a very powerful! To help with this, teams of security experts have pre-populated suites for many common scenarios and programming languages.
+
+In many cases, taking advantage of CodeQL is as simple as accepting the default suite, but you can also select the extended suite or customize your own with [GitHub Actions]().
+
+<img width="200" align="right" alt="codeql default configuration box" src="https://github.com/user-attachments/assets/cf5ba96b-98bb-4db5-b743-bd31bceaabac"/>
+
+Here are some of the options the default configuration provides:
+
+- **Languages:** Supported languages will automatically detected in your repository and scanning will be enabled.
+
+- **Query suites:** A list of the available suites of patterns that will be used. The **Default** or **Extended** are provided automatically.
+
+- **Events:** Triggers for running a CodeQL scan. It's common to run before merging and on a schedule for production code.
+
+### ⌨️ Activity: Enable code scanning with CodeQL
+
+1. Open a second tab and navigate to this repository. Ensure you are on the **Code** tab.
+
+1. In the top navigation, select the the **Settings** tab.
+
+1. In the left navigation, fine the **Security** section and select **Advanced Security**.
+
+1. Scroll down and find the **Code scanning** area.
+
+1. In the **CodeQL** setting, click the **Set up** dropdown menu and choose **Default**.
+
+   <img width="400" alt="enable code scanning" src="https://github.com/user-attachments/assets/0d639af3-a8fb-4ea7-8b94-44621a34fc3c"/>
+
+1. Click **Enable CodeQL**.
+
+   > 💡 Tip: This will trigger a first run of CodeQL. You can view the progress in the **Actions** tab.
+
+1. With CodeQL now enabled, Mona will check your progress and share the next steps.
diff --git a/.github/steps/2-review-and-triage-codeql-alerts.md b/.github/steps/2-review-and-triage-codeql-alerts.md
diff --git a/.github/steps/2-step.md b/.github/steps/2-step.md
@@ -0,0 +1,61 @@
+## Step 2: Detect Vulnerabilities in a Pull Request
+
+To see how Code Scanning works, we will introduce a vulnerability into the `routes.py` file to trigger an alert.
+
+### ⌨️ Activity: Create a vulnerability
+
+1. In the top navigation, select the **Code** tab.
+
+1. Navigate to the `server` folder and select the `routes.py` file.
+
+1. In the top right of the preview, click the **Edit** button.
+
+   <img width="500" alt="edit button" src="https://github.com/user-attachments/assets/19462cc5-a360-4dae-a97b-ecfd571aa403"/>
+
+1. Navigate to about **line 16** and modify it to the below.
+
+   ```py
+   "SELECT * FROM books WHERE name LIKE '%" + name + "%'"
+   ```
+
+1. Above the editor in the top-right, click the **Commit changes...** button. In the prompt window, select the radio button for the **Create a new branch** option. **DO NOT commit to the main branch.**
+
+1. Click the **Propose changes** option and click **Create pull request**. Use the below branch name.
+
+   ```txt
+   learning-codeql
+   ```
+
+### ⌨️ Activity: Review pull request
+
+1. If needed, navigate to the newly created pull request from the previous activity.
+
+1. Scroll to the bottom of the pull request and search for a check named `CodeQL`. This is the analysis job scanning the proposed code changes in the pull request.
+
+   <img width="500" alt="pr panel" src="https://github.com/user-attachments/assets/1c29ee0f-cc1d-4568-9e71-338d45ad1d54"/>
+
+1. If the job is still running, wait a few minutes for it to complete.
+
+1. Search the comments to find a report from the analysis.
+
+   - Notice that the results found a SQL injection vulnerability. It is also suggesting a fix.
+   - Don't worry about responding or resolving this problem (yet).
+
+   <img width="500" alt="image" src="https://github.com/user-attachments/assets/677cc104-9116-44a9-8061-091e8126442a">
+
+### ⌨️ Activity: View the CodeQL scanning logs
+
+1. In the top navigation, select the **Actions** tab.
+
+1. Click on the **CodeQL Setup** workflow run entry to open a page showing more details.
+
+   <img width="500" alt="codeql setup" src="https://github.com/user-attachments/assets/016a729e-3b41-466c-8edf-3d4b41a86b7d"/>
+
+   > 💡 Tip: The workflow run contains additional CodeQL information such as the run duration, logs, and analysis artifacts.
+
+1. With the pull request started and CodeQL scan finished, Mona will check your progress and share the next steps.
+
+> [!TIP]
+> Check out the [Triage code scanning alerts in pull requests](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests) page to learn more about integration of code scanning into pull requests.
+
+<!-- > 💡 Tip: Clicking the **Show paths** link will provide additional insights about the alert's data flow from user input (source), through the application, and when it is acted on (sink). -->
diff --git a/.github/steps/3-fix-security-vulnerabilities.md b/.github/steps/3-fix-security-vulnerabilities.md