Lab 4 Security

Marcel de Vries edited this page Nov 16, 2024 · 7 revisions

Fixing potential security issues in our codebase

The code we have created so far is vulnerable and can be misused by malicious users. Because we now also expose the API via the web, we must be aware that it can be exploited from outside our application. To find vulnerabilities and help us fix them, we can use standard tools available in GitHub. In this lab we are going to use GitHub Advanced Security to find known vulnerabilities in our code, and we are going to use Copilot to help us resolve these issues.

Discovering known vulnerabilities

We could of course go through the code line by line ourselves and check whether we can spot vulnerable code. In some cases this is very obvious, e.g. SQL injection problems, where we concatenate user input into SQL statements before executing them without validating the input we received.

To help us find the less obvious security vulnerabilities as well, we can use GitHub Advanced Security. You can find GitHub Advanced Security under the Code security tab in the settings of the repository.

GitHub Advanced Security consists of three parts.

  • Vulnerability scanning of dependencies, better known under the name Dependabot
  • Code scanning of our own code for known vulnerabilities, done with CodeQL
  • Secret scanning, ensuring you don't add secrets to your source repository. Here you can think of our API key for Azure OpenAI or the connection string to the database.

In the next three labs you will enable GitHub Advanced Security for our.