MeShivsai/GHAS-POC

🔐 GHAS POC Webapp

A full-stack Node.js + React monorepo intentionally loaded with security vulnerabilities, weak dependencies, and hardcoded secrets — purpose-built to demonstrate every pillar of GitHub Advanced Security.


⚠️ Warning

This repo contains intentional vulnerabilities. Every hardcoded secret is fake/demo-only. Do not deploy to the internet. Do not use real credentials here.


What This Covers

| GHAS Pillar | What's Demonstrated |
|---|---|
| Code Scanning (CodeQL) | SQL Injection, XSS, SSRF, Command Injection, Path Traversal, SSTI, XXE, JWT flaws, ReDoS, Code Injection, Prototype Pollution, Open Redirect, Log Injection |
| Secret Scanning | GitHub PAT, AWS keys, Stripe key, SendGrid key, Google API key, JWT secrets, DB credentials — all fake |
| Dependabot | 12+ packages with known CVEs across frontend + backend |
| Dependency Review | PR-level blocking of vulnerable dep introductions |
| SBOM | SPDX-format bill of materials for both workspaces |
| Container Scanning | Vulnerable base image, secrets in ENV, root user, exposed ports |

Repo Structure

```text
ghas-poc-webapp/
├── .github/
│   ├── workflows/
│   │   ├── codeql.yml          # CodeQL scanning (push + PR + schedule)
│   │   ├── security.yml        # Dep review, secret scan, SBOM, OSV, Trivy
│   │   └── ci.yml              # Build + test
│   ├── dependabot.yml          # Dependabot config (npm + actions)
│   ├── codeql-config.yml       # Extended query suite config
│   └── secret_scanning.yml     # Custom secret patterns
├── backend/
│   ├── src/
│   │   ├── index.js            # Express app + hardcoded secrets
│   │   └── routes/
│   │       ├── auth.js         # SQLi, JWT flaws, insecure random
│   │       ├── products.js     # XSS, Path Traversal, SSRF, Command Injection, XXE
│   │       ├── admin.js        # Prototype Pollution, YAML injection, SSTI, Code injection
│   │       ├── upload.js       # Unrestricted upload, Path Traversal
│   │       ├── users.js        # IDOR, SQLi, ReDoS
│   │       └── reports.js      # SSRF, CSV Injection, Open Redirect
│   ├── tests/
│   │   └── auth.test.js        # Tests that document (and fail on) vuln behaviors
│   ├── package.json            # Intentionally outdated vulnerable deps
│   └── jest.config.json
├── frontend/
│   ├── src/
│   │   ├── App.js              # DOM XSS, hardcoded API keys
│   │   └── pages/
│   │       ├── SearchPage.js   # DOM XSS, dangerouslySetInnerHTML
│   │       ├── LoginPage.js    # Open redirect, localStorage JWT, password logging
│   │       ├── ProfilePage.js  # IDOR, sensitive data display
│   │       └── AdminPage.js    # eval(), no authz check
│   └── package.json            # Outdated vulnerable deps (lodash, marked, etc.)
├── Dockerfile                  # Vulnerable base image, root user, secrets in ENV
├── docker-compose.yml          # Exposed DB ports, hardcoded creds
├── SECURITY.md                 # Full vulnerability inventory
└── README.md
```

Quick Start: Push to GitHub + Enable GHAS

Step 1: Create a new GitHub repo

```bash
gh repo create ghas-poc-webapp --private
```

Step 2: Push this code

```bash
cd ghas-poc-webapp
git init
git add .
git commit -m "feat: initial GHAS POC webapp"
git remote add origin https://github.com/YOUR_ORG/ghas-poc-webapp.git
git push -u origin main
```

Step 3: Enable GHAS on the repo

Go to: Settings → Security → Code security and analysis

Enable all of the following:

  • ✅ Dependency graph
  • ✅ Dependabot alerts
  • ✅ Dependabot security updates
  • ✅ Code scanning → Set up CodeQL (or leave it to the committed codeql.yml workflow, which runs on push, PR and schedule)
  • ✅ Secret scanning
  • ✅ Secret scanning push protection
  • ✅ Dependency review

Step 4: Trigger the workflows

```bash
# Make a small change and push to trigger CodeQL
echo "# trigger" >> README.md
git add . && git commit -m "chore: trigger GHAS scan" && git push
```

Step 5: Observe results

| Where | What you'll see |
|---|---|
| Security tab → Code scanning | 15+ CodeQL alerts across CWE categories |
| Security tab → Secret scanning | 6+ hardcoded secrets flagged |
| Security tab → Dependabot alerts | 12+ CVEs across frontend + backend packages |
| Actions tab | SBOM artifacts generated, Trivy + OSV results uploaded |
| Pull Requests | Dependency Review blocks PRs introducing new vulns |
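The Quick Start above relies on the committed codeql.yml and codeql-config.yml to produce the code scanning alerts. The pair below is an added illustration of what such a workflow and config look like, not the repo's own files; the branch name, schedule and ignored paths are assumptions.

```yaml
# .github/workflows/codeql.yml (added example, not the repo's own file)
# Runs CodeQL on push, pull request and a weekly schedule, and points the
# init step at a committed config that selects the extended query suite.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"     # weekly, Monday 06:00 UTC (assumed schedule)

permissions:
  contents: read
  security-events: write    # needed to upload SARIF results to the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript   # covers both Express and React workspaces
          config-file: ./.github/codeql-config.yml

      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"

---
# .github/codeql-config.yml (added example, referenced by config-file above)
# "security-extended" adds lower-precision security queries on top of the
# default suite, which is what surfaces the larger alert counts this README expects.
name: "GHAS POC extended config"
queries:
  - uses: security-extended
paths-ignore:
  - node_modules
  - "**/build/**"
```

Switching the suite to `security-and-quality` or back to the default changes the alert counts, which is why the expected counts further down are given as ranges.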

Testing Secret Scanning Push Protection

Try to push a new "secret" to trigger push protection:

```bash
echo 'const key = "AKIAIOSFODNN7EXAMPLE_NEW";' >> backend/src/config/test.js
git add . && git commit -m "test: push protection trigger" && git push
# GitHub should BLOCK this push
```

Testing Dependency Review

Create a PR that introduces a new vulnerable dependency:

```bash
git checkout -b test/add-vuln-dep
cd backend
# Add a known-vulnerable package
npm install --package-lock-only electron@1.0.0  # Example of high-severity dep
git add package-lock.json package.json
git commit -m "feat: add electron dependency"
git push origin test/add-vuln-dep
# Open PR → Dependency Review Action will block it
```
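The blocking behaviour described in this test comes from a Dependency Review job in the PR workflow. The job below is an added example of that configuration, not the repo's own security.yml; the severity threshold and branch name are assumptions.

```yaml
# Added example, not the repo's own security.yml: a job that runs only on pull
# requests and fails when the PR adds a dependency with a known vulnerability
# at or above the chosen severity, so the electron@1.0.0 test PR above fails.
name: Dependency Review

on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  pull-requests: write    # lets the action post its findings as a PR comment

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/dependency-review-action@v4
        with:
          # "high" fails on high and critical advisories; "low" fails on any
          # known advisory. The default is "low".
          fail-on-severity: high
          # Post the summary even when the check passes, so reviewers see
          # what changed in the dependency graph.
          comment-summary-in-pr: always
```

A failing check only blocks the merge if branch protection on `main` lists this job as a required status check; without that, the PR shows a red check but can still be merged.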

Running Locally

```bash
# Install dependencies
npm install

# Start backend + frontend
npm run dev

# Run tests (includes tests that document vulnerable behaviors)
cd backend && npm test
```

GHAS Alert Expected Counts

After pushing and running scans, expect approximately:

| Pillar | Expected Alert Count |
|---|---|
| CodeQL (High/Critical) | 15–25 |
| CodeQL (Medium) | 8–15 |
| Secret Scanning | 6–10 |
| Dependabot (Critical) | 4–6 |
| Dependabot (High) | 6–10 |
| Dependabot (Moderate) | 3–5 |

Exact numbers vary by CodeQL version and query suite used.


Architecture

```text
Browser
  └── React Frontend (port 3000)
        └── axios → Express Backend (port 3001)
                      ├── MongoDB (port 27017)
                      └── Redis (port 6379)
```

License

MIT — for educational/POC purposes only.

About

This repo was created for the POC of GHAS and as part of exploring GitHub Advanced Security features.