
Commit 8725935

CopilotCalinL
andcommitted
feat: Add DevSecOps-7809 demo page with intentional vulnerabilities for GHAS demonstration
Co-authored-by: CalinL <10718943+CalinL@users.noreply.github.com>
1 parent 3a8d3b0 commit 8725935


4 files changed

+513
-3
lines changed

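--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,265 @@
+@page
+@model DevSecOps7809Model
+@{
+ViewData["Title"] = "DevSecOps Demo 7809 - GitHub Advanced Security";
+}
+
+<div class="container">
+<div class="row">
+<div class="col-12">
+<h1 class="display-4 text-primary">@ViewData["Title"]</h1>
+<p class="lead">Latest developments in GitHub Advanced Security and DevSecOps practices</p>
+<hr />
+</div>
+</div>
+
+<!-- Alert for TempData messages -->
+@if (TempData["LogMessage"] != null)
+{
+<div class="alert alert-info alert-dismissible fade show" role="alert">
+@TempData["LogMessage"]
+<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+</div>
+}
+
+@if (TempData["ErrorMessage"] != null)
+{
+<div class="alert alert-danger alert-dismissible fade show" role="alert">
+@TempData["ErrorMessage"]
+<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+</div>
+}
+
+<div class="row">
+<!-- Latest GHAS News Section -->
+<div class="col-lg-8">
+<div class="card mb-4">
+<div class="card-header bg-dark text-white">
+<h3 class="card-title mb-0">
+<i class="bi bi-newspaper"></i> Latest GitHub Advanced Security News - 2026
+</h3>
+</div>
+<div class="card-body">
+@if (Model.LatestSecurityNews.Any())
+{
+<div class="list-group list-group-flush">
+@foreach (var newsItem in Model.LatestSecurityNews)
+{
+<div class="list-group-item d-flex align-items-start">
+<span class="badge bg-primary rounded-pill me-3 mt-1">2026</span>
+<div>
+<h5 class="mb-1">@newsItem.Title</h5>
+<p class="mb-1">@newsItem.Description</p>
+<small class="text-muted">Published: @newsItem.Date.ToString("MMMM dd, yyyy")</small>
+</div>
+</div>
+}
+</div>
+}
+else
+{
+<p class="text-muted">No news available at this time.</p>
+}
+</div>
+</div>
+
+<!-- Advanced Features Section -->
+<div class="card mb-4">
+<div class="card-header bg-success text-white">
+<h3 class="card-title mb-0">
+<i class="bi bi-stars"></i> New GHAS Features in 2026
+</h3>
+</div>
+<div class="card-body">
+<div class="row">
+<div class="col-md-6 mb-3">
+<h5><i class="bi bi-cpu"></i> AI-Powered Code Analysis</h5>
+<p>Next-generation CodeQL powered by machine learning for improved accuracy and reduced false positives.</p>
+</div>
+<div class="col-md-6 mb-3">
+<h5><i class="bi bi-lock"></i> Advanced Secret Prevention</h5>
+<p>Real-time secret scanning with AI-based pattern detection and automatic remediation suggestions.</p>
+</div>
+<div class="col-md-6 mb-3">
+<h5><i class="bi bi-diagram-3"></i> Supply Chain Security</h5>
+<p>Enhanced SBOM generation, dependency attestation, and provenance tracking for complete supply chain visibility.</p>
+</div>
+<div class="col-md-6 mb-3">
+<h5><i class="bi bi-shield-check"></i> Automated Remediation</h5>
+<p>GitHub Copilot integration for automated security fix suggestions and pull request generation.</p>
+</div>
+</div>
+</div>
+</div>
+
+<!-- Best Practices Section -->
+<div class="card mb-4">
+<div class="card-header bg-info text-white">
+<h3 class="card-title mb-0">
+<i class="bi bi-lightbulb"></i> DevSecOps Best Practices
+</h3>
+</div>
+<div class="card-body">
+<ul class="list-group list-group-flush">
+<li class="list-group-item">
+<strong>Shift Left:</strong> Integrate security scanning early in the development lifecycle
+</li>
+<li class="list-group-item">
+<strong>Automate Everything:</strong> Use GitHub Actions to automate security checks on every commit
+</li>
+<li class="list-group-item">
+<strong>Track Dependencies:</strong> Enable Dependabot for automated dependency updates and security patches
+</li>
+<li class="list-group-item">
+<strong>Review Regularly:</strong> Schedule periodic security reviews and penetration testing
+</li>
+<li class="list-group-item">
+<strong>Train Developers:</strong> Provide security training and best practices documentation
+</li>
+</ul>
+</div>
+</div>
+</div>
+
+<!-- Sidebar with Demo Tools -->
+<div class="col-lg-4">
+<!-- Security Demo Section -->
+<div class="card mb-4 border-warning">
+<div class="card-header bg-warning text-dark">
+<h4 class="card-title mb-0">
+<i class="bi bi-exclamation-triangle-fill"></i> Security Demo Zone
+</h4>
+</div>
+<div class="card-body">
+<p class="text-danger small fw-bold">
+⚠️ WARNING: This page contains intentionally vulnerable code for educational purposes.
+</p>
+<p class="text-muted small">
+The backend code includes common security vulnerabilities that should be detected by GitHub Advanced Security:
+</p>
+<ul class="small">
+<li>Log Forging / Injection</li>
+<li>Regular Expression Denial of Service (ReDoS)</li>
+<li>Hardcoded Credentials</li>
+<li>SQL Injection Risks</li>
+<li>Insecure Deserialization</li>
+</ul>
+
+<!-- User Input Form for Log Forging Demo -->
+<form method="post" asp-page-handler="LogInput" class="mt-3">
+<div class="mb-3">
+<label for="userInput" class="form-label">Test User Input Logging:</label>
+<input type="text" class="form-control form-control-sm" id="userInput" name="userInput"
+placeholder="Enter any text" required>
+<div class="form-text">
+⚠️ This input is logged without sanitization (log forging vulnerability)
+</div>
+</div>
+<button type="submit" class="btn btn-warning btn-sm w-100">
+<i class="bi bi-play-fill"></i> Submit & Log
+</button>
+</form>
+
+<!-- Regex Testing Form -->
+<form method="post" asp-page-handler="TestRegex" class="mt-3">
+<div class="mb-3">
+<label for="regexPattern" class="form-label">Test ReDoS Pattern:</label>
+<input type="text" class="form-control form-control-sm" id="regexPattern" name="regexPattern"
+placeholder="e.g., aaaaaaaaaa!" value="aaaa">
+<div class="form-text">
+⚠️ Uses vulnerable regex: ^(a+)+$ (exponential backtracking)
+</div>
+</div>
+<button type="submit" class="btn btn-danger btn-sm w-100">
+<i class="bi bi-bug-fill"></i> Test Regex
+</button>
+</form>
+</div>
+</div>
+
+<!-- Statistics Card -->
+<div class="card mb-4">
+<div class="card-header bg-primary text-white">
+<h4 class="card-title mb-0">
+<i class="bi bi-graph-up"></i> GHAS Adoption Stats
+</h4>
+</div>
+<div class="card-body">
+<div class="mb-3">
+<h6>Organizations Using GHAS</h6>
+<div class="progress">
+<div class="progress-bar bg-success" role="progressbar" style="width: 85%" aria-valuenow="85" aria-valuemin="0" aria-valuemax="100">85%</div>
+</div>
+</div>
+<div class="mb-3">
+<h6>Vulnerabilities Detected</h6>
+<p class="h4 text-primary">1.2M+</p>
+</div>
+<div class="mb-3">
+<h6>Average Fix Time</h6>
+<p class="h4 text-success">14 days</p>
+</div>
+</div>
+</div>
+
+<!-- Quick Links -->
+<div class="card">
+<div class="card-header bg-secondary text-white">
+<h4 class="card-title mb-0">
+<i class="bi bi-link-45deg"></i> Resources
+</h4>
+</div>
+<div class="card-body">
+<div class="d-grid gap-2">
+<a href="https://docs.github.com/en/code-security" class="btn btn-outline-primary btn-sm" target="_blank">
+<i class="bi bi-book"></i> GHAS Documentation
+</a>
+<a href="https://github.com/github/codeql" class="btn btn-outline-secondary btn-sm" target="_blank">
+<i class="bi bi-github"></i> CodeQL Repository
+</a>
+<a href="https://github.blog/category/security/" class="btn btn-outline-info btn-sm" target="_blank">
+<i class="bi bi-newspaper"></i> Security Blog
+</a>
+<a href="https://github.com/features/security" class="btn btn-outline-success btn-sm" target="_blank">
+<i class="bi bi-shield-check"></i> Security Features
+</a>
+</div>
+</div>
+</div>
+</div>
+</div>
+
+<!-- Footer Section -->
+<div class="row mt-5">
+<div class="col-12">
+<div class="alert alert-light border" role="alert">
+<h5 class="alert-heading">
+<i class="bi bi-info-circle"></i> About This Demo
+</h5>
+<p>
+This page demonstrates how GitHub Advanced Security can detect common security vulnerabilities
+in ASP.NET Core applications. The intentional vulnerabilities included here should trigger
+alerts in GHAS code scanning, providing practical examples of security issues.
+</p>
+<hr>
+<p class="mb-0">
+<strong>Learn more:</strong> Visit the <a asp-page="/About">About GHAS</a> page to understand
+how to enable and configure GitHub Advanced Security for your repositories.
+</p>
+</div>
+</div>
+</div>
+</div>
+
+@section Scripts {
+<script>
+// Auto-dismiss alerts after 6 seconds
+setTimeout(function() {
+const alerts = document.querySelectorAll('.alert-dismissible');
+alerts.forEach(alert => {
+const bsAlert = new bootstrap.Alert(alert);
+bsAlert.close();
+});
+}, 6000);
+</script>
+}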
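Review bot: The four external resource links at new lines 214–224 open with `target="_blank"` but carry no `rel` attribute; each should read like `<a href="https://docs.github.com/en/code-security" class="btn btn-outline-primary btn-sm" target="_blank" rel="noopener noreferrer">` so the opened page gets no `window.opener` handle and no referrer, which is the usual hardening for outbound links and unrelated to the vulnerabilities the demo intends to keep. The `regexPattern` input at lines 167–168 has no `maxlength`, so the only bound on what reaches the `TestRegex` handler is whatever that handler enforces, and the handler lives in the PageModel outside this file; a client-side `maxlength` is advisory only and would not change the code-scanning finding, which comes from the backend regex, so adding one costs the demo nothing. The `@TempData["LogMessage"]` and `@TempData["ErrorMessage"]` outputs at lines 20 and 28 are HTML-encoded by Razor, which keeps echoing the logged input back to the page safe as long as the handler never wraps them in `Html.Raw`; a short comment above line 16 such as `@* TempData values are HTML-encoded on output; do not switch to Html.Raw *@` would make that dependency explicit.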
