A full-stack Node.js + React monorepo intentionally loaded with security vulnerabilities, weak dependencies, and hardcoded secrets — purpose-built to demonstrate every pillar of GitHub Advanced Security.
This repo contains intentional vulnerabilities. Every hardcoded secret is fake/demo-only. Do not deploy to the internet. Do not use real credentials here.
| GHAS Pillar | What's Demonstrated |
|---|---|
| Code Scanning (CodeQL) | SQL Injection, XSS, SSRF, Command Injection, Path Traversal, SSTI, XXE, JWT flaws, ReDoS, Code Injection, Prototype Pollution, Open Redirect, Log Injection |
| Secret Scanning | GitHub PAT, AWS keys, Stripe key, SendGrid key, Google API key, JWT secrets, DB credentials — all fake |
| Dependabot | 12+ packages with known CVEs across frontend + backend |
| Dependency Review | PR-level blocking of vulnerable dep introductions |
| SBOM | SPDX-format bill of materials for both workspaces |
| Container Scanning | Vulnerable base image, secrets in ENV, root user, exposed ports |
```
ghas-poc-webapp/
├── .github/
│   ├── workflows/
│   │   ├── codeql.yml            # CodeQL scanning (push + PR + schedule)
│   │   ├── security.yml          # Dep review, secret scan, SBOM, OSV, Trivy
│   │   └── ci.yml                # Build + test
│   ├── dependabot.yml            # Dependabot config (npm + actions)
│   ├── codeql-config.yml         # Extended query suite config
│   └── secret_scanning.yml       # Secret scanning path excludes (GitHub reads only paths-ignore from this file; custom patterns are defined in repo/org settings)
├── backend/
│   ├── src/
│   │   ├── index.js              # Express app + hardcoded secrets
│   │   └── routes/
│   │       ├── auth.js           # SQLi, JWT flaws, insecure random
│   │       ├── products.js       # XSS, Path Traversal, SSRF, Command Injection, XXE
│   │       ├── admin.js          # Prototype Pollution, YAML injection, SSTI, Code injection
│   │       ├── upload.js         # Unrestricted upload, Path Traversal
│   │       ├── users.js          # IDOR, SQLi, ReDoS
│   │       └── reports.js        # SSRF, CSV Injection, Open Redirect
│   ├── tests/
│   │   └── auth.test.js          # Tests that document (and fail on) vuln behaviors
│   ├── package.json              # Intentionally outdated vulnerable deps
│   └── jest.config.json
├── frontend/
│   ├── src/
│   │   ├── App.js                # DOM XSS, hardcoded API keys
│   │   └── pages/
│   │       ├── SearchPage.js     # DOM XSS, dangerouslySetInnerHTML
│   │       ├── LoginPage.js      # Open redirect, localStorage JWT, password logging
│   │       ├── ProfilePage.js    # IDOR, sensitive data display
│   │       └── AdminPage.js      # eval(), no authz check
│   └── package.json              # Outdated vulnerable deps (lodash, marked, etc.)
├── Dockerfile                    # Vulnerable base image, root user, secrets in ENV
├── docker-compose.yml            # Exposed DB ports, hardcoded creds
├── SECURITY.md                   # Full vulnerability inventory
└── README.md
```
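The tree lists a `.github/dependabot.yml` but does not show it. The following is an added example of what a config covering "npm + actions" for this layout looks like; it is not the repo's own file. It assumes npm manifests live in `backend/` and `frontend/` (as in the tree), a weekly cadence, and a PR cap of 10 per workspace, all of which are assumptions chosen for a POC:

```yaml
# .github/dependabot.yml (example; assumes npm manifests in backend/ and frontend/)
version: 2
updates:
  # Backend npm dependencies
  - package-ecosystem: "npm"
    directory: "/backend"
    schedule:
      interval: "weekly"
    # With 12+ known CVEs, cap the number of open update PRs so the POC is not flooded (default is 5)
    open-pull-requests-limit: 10
    labels: ["dependencies", "backend"]

  # Frontend npm dependencies
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels: ["dependencies", "frontend"]

  # Keep the actions used by the GHAS workflows themselves current
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

This file only drives version updates. Security updates (the PRs Dependabot opens in response to an alert) are a separate toggle in the repository settings and need Dependabot alerts enabled, so the repo-level settings in the next section still matter.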
```bash
# Create the remote under your org (the remote URL below uses YOUR_ORG, so create it there too)
gh repo create YOUR_ORG/ghas-poc-webapp --private
cd ghas-poc-webapp
git init
git add .
git commit -m "feat: initial GHAS POC webapp"
git branch -M main        # git init may default to "master"; the push below targets main
git remote add origin https://github.com/YOUR_ORG/ghas-poc-webapp.git
git push -u origin main
```

Go to: Settings → Security → Code security and analysis
Enable all of the following. On a private repository, Code scanning, Secret scanning (including push protection) and Dependency review first need GitHub Advanced Security enabled for the repo; Dependency graph and Dependabot do not.
- ✅ Dependency graph
- ✅ Dependabot alerts
- ✅ Dependabot security updates
- ✅ Code scanning → either "Set up CodeQL" (default setup) or leave it to the `codeql.yml` workflow already in the repo, not both: while default setup is enabled, results uploaded by an advanced-setup workflow for the same language are rejected
- ✅ Secret scanning
- ✅ Secret scanning push protection
- ✅ Dependency review (available once Dependency graph is on; it only blocks merges when the dependency-review check from `security.yml` is a required status check on the branch)
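For the advanced-setup path, here is an added example of the `codeql.yml` workflow the tree refers to, covering the push + PR + schedule triggers and the extended query suite. It is illustrative rather than the repo's own file, and assumes a JavaScript/TypeScript-only codebase, a `main` default branch and a weekly Monday cron slot:

```yaml
# .github/workflows/codeql.yml (example; assumes JS/TS only and a main branch)
name: CodeQL

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '30 3 * * 1'   # weekly, Monday 03:30 UTC

permissions:
  contents: read
  actions: read            # needed on private repos for the action to read workflow run data
  security-events: write   # needed to upload SARIF results to the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          # security-extended adds lower-precision queries (more XSS/injection sinks)
          # that the default suite leaves out; the same line can live under `queries:`
          # in .github/codeql-config.yml and be pulled in with `config-file:` instead.
          queries: security-extended

      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"
```

On pull requests the results show up as inline annotations plus a "Code scanning results" check; mark that check as required in branch protection if you want it to actually block merges rather than just report. Expect the extended suite to raise the alert counts (and the false-positive rate) compared with the default suite, which is why the expected counts later on this page are given as ranges.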
```bash
# Make a small change and push to trigger CodeQL
echo "# trigger" >> README.md
git add . && git commit -m "chore: trigger GHAS scan" && git push
```

| Where | What you'll see |
|---|---|
| Security tab → Code scanning | 15+ CodeQL alerts across CWE categories |
| Security tab → Secret scanning | 6+ hardcoded secrets flagged |
| Security tab → Dependabot alerts | 12+ CVEs across frontend + backend packages |
| Actions tab | SBOM artifacts generated, Trivy + OSV results uploaded |
| Pull Requests | Dependency Review blocks PRs introducing new vulns |
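The PR-blocking behaviour in the last row comes from a dependency-review job in `security.yml`. As an added example (not the repo's own file, and omitting the secret scan, SBOM, OSV and Trivy steps the tree says that workflow also carries), here is a minimal version of that job. It assumes PRs target `main`, a "moderate" severity threshold, and that the action may comment on the PR:

```yaml
# Dependency review job from .github/workflows/security.yml (example; assumes PRs target main)
name: Security

on:
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  pull-requests: write   # lets the action post its summary as a PR comment

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/dependency-review-action@v4
        with:
          # Fail the check when the PR adds a dependency with an advisory at or above this
          # severity; the test/add-vuln-dep walkthrough later on this page trips it.
          fail-on-severity: moderate
          # Post the diff of added/removed packages and their advisories on every PR,
          # not only on failure, so the demo audience can see the clean case too.
          comment-summary-in-pr: always
```

The action diffs the dependency snapshot of the PR head against its base using the dependency graph, so it needs Dependency graph enabled (and GitHub Advanced Security on a private repo). A failing check only prevents merging if it is a required status check in branch protection; otherwise the PR just shows a red check.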
Try to push a new "secret" to trigger push protection:

```bash
mkdir -p backend/src/config   # the tree above has no config/ directory; create it or the append fails
echo 'const key = "AKIAIOSFODNN7EXAMPLE_NEW";' >> backend/src/config/test.js
git add . && git commit -m "test: push protection trigger" && git push
# GitHub should BLOCK this push
```

A blocked push exits non-zero and names the pattern, commit and file that matched. The value is already in a local commit at that point, so remove it with `git reset --hard HEAD~1` rather than a follow-up commit, which would leave the secret in history. Push protection only blocks patterns in GitHub's push protection set; if the push goes through, check Security tab → Secret scanning, where the value may still be reported as an alert.

Create a PR that introduces a new vulnerable dependency:
```bash
git checkout -b test/add-vuln-dep
cd backend
# Add a known-vulnerable package; --package-lock-only updates package.json and
# package-lock.json without installing anything into node_modules
npm install --package-lock-only electron@1.0.0   # Example of high-severity dep
git add package-lock.json package.json
git commit -m "feat: add electron dependency"
git push origin test/add-vuln-dep
# Open a PR (e.g. gh pr create --fill) → the Dependency Review action will block it
```

```bash
# Install dependencies (this pulls the intentionally vulnerable packages onto your machine; use a throwaway VM or container)
npm install
# Start backend + frontend
npm run dev
# Run tests (includes tests that document vulnerable behaviors; expect failures while the
# vulns are in place, see backend/tests/auth.test.js)
cd backend && npm test
```

After pushing and running scans, expect approximately:
| Pillar | Expected Alert Count |
|---|---|
| CodeQL (High/Critical) | 15–25 |
| CodeQL (Medium) | 8–15 |
| Secret Scanning | 6–10 |
| Dependabot (Critical) | 4–6 |
| Dependabot (High) | 6–10 |
| Dependabot (Moderate) | 3–5 |
Exact numbers vary by CodeQL version and query suite used.
```
Browser
└── React Frontend (port 3000)
    └── axios → Express Backend (port 3001)
        ├── MongoDB (port 27017)
        └── Redis (port 6379)
```
MIT — for educational/POC purposes only.