Skip to main content

Finding and fixing your first code vulnerability

As you're learning to code, it's normal to accidentally introduce vulnerabilities into your projects. If these security issues aren't addressed before you share your work, attackers can use them to manipulate your code and access sensitive data, so it's important to identify and them as soon as possible.

Thankfully, there are tools like code scanning that automatically find, explain, and even fix vulnerabilities in your public repositories. In this tutorial, you'll learn how to keep your work secure with code scanning.

Let's get started by forking a demo project with a security vulnerability. This project builds a simple webpage, but since we won't deploy the project, there is no security risk in this exercise.

  1. Navigate to the new2code/code-scanning-demo repository.
  2. In the top right of the page, click Fork.
  3. In the page that appears, click Create fork.

Now that we've set up the project, let's turn on code scanning for your fork to check for vulnerabilities in the code.

  1. Back on , on the home page of your repository, click Security.
  2. In the "Code scanning alerts" row, click Set up code scanning.
  3. In the "Tools" section, next to "CodeQL analysis", select Set up, then click Default.
  4. In the pop up that appears, click Enable CodeQL. This will trigger a Actions workflow that scans your code for vulnerabilities.
  5. To check the status of your workflow, in the navigation bar, click Actions.
  6. Once the workflow is complete, in the navigation bar, click Security.
  7. To view the code scanning alert discovered by the workflow, in the side navigation, click Code scanning, then click Reflected cross-site scripting.

Now that code scanning has identified a vulnerability in the code, let's break down the information provided in the alert.

The alert shows a small preview of a file, centered on the lines of code creating the vulnerability. In our case, the vulnerability is detected on line 8 of our index.js file, where we implement the user-provided input in our site.

If we take a closer look, we can see that the underlying issue occurs on line 7, when we assign greet to user input without checking for malicious code. To see a step-by-step view of the vulnerability in our code, in the callout below the vulnerable lines, click Show paths.

Screenshot of the location of a code scanning alert. A "Show paths" button is outlined in orange.

Below the file preview, code scanning provides a more detailed description of the vulnerability. To see the recommended fix, as well as examples of the vulnerable and fixed code, click Show more .

Screenshot of the details of a code scanning alert. A dropdown labeled "Show more" is outlined in orange.

In our case, the recommendation is to sanitize user input before using it. This means we need to check the input for malicious code, then clean it up if necessary.

Conseil

If you don't fully understand the recommended fix, try asking Copilot Chat to explain it.

Finally, you can see the timeline of the alert at the bottom of the page. Our timeline contains the commit where the vulnerability was first detected, and will be updated automatically when we fix the vulnerability.

Screenshot of the timeline for a code scanning alert.

To secure our project quickly and easily, let's use Copilot Autofix for code scanning.

  1. Below the alert title, in the box suggesting you "Speed up the remediation of this alert using Copilot Autofix for CodeQL", click Generate fix.

  2. After Copilot generates the fix suggestion, it will describe the changes it is suggesting, render a preview of the changes, and call out any added dependencies. Take a moment to read through Copilot's work.

  3. To create a pull request with the fix, click Commit to new branch, then click Commit change.

  4. Once the draft pull request is created, at the bottom of the page, click Ready for review to make it mergeable.

  5. To apply the fix, click Merge pull request, then click Confirm merge.

    Once the pull request is merged and the code scanning workflow runs again, the alert will be closed automatically, and the commit fixing the vulnerability will be added to the timeline.

Remarque

In real projects, you should always review the changes suggested by Copilot before committing them to your code.

Now that you've tried out code scanning on a demo repository, enable it on your own projects to quickly find and fix current and future vulnerabilities.