A Node.js/Express application intentionally built with security vulnerabilities to demonstrate GitHub Advanced Security (GHAS).
⚠️ This code is deliberately insecure. Never use any of these patterns in production.
| GHAS Feature | What it finds in this repo |
|---|---|
| CodeQL (SAST) | SQL injection, path traversal, command injection, XSS, SSRF, ReDoS, insecure crypto |
| Secret Scanning | Hardcoded JWT secrets, AWS keys, Stripe API key, DB passwords |
| Dependabot (SCA) | Vulnerable versions of lodash, express, axios, jsonwebtoken with known CVEs |
| Code Coverage | Jest test suite with lcov report and Codecov integration |
- Hardcoded secrets: JWT secret, AWS keys, Stripe live key, DB password
- No rate limiting on `/login` (brute force)
- Plaintext password comparison
- Sensitive data (password, SSN) embedded in JWT payload
- Admin bypass via predictable `x-admin-bypass` header

- SQL injection in `getUserByUsername`: raw string concatenation
- SQL injection in `searchProducts`: `LIKE '%${input}%'`
- SQL injection in `getUserById`: unvalidated numeric ID
- All queries return `password`, `ssn`, and `credit_card` fields

- IDOR on `GET /users/:id`: no ownership check
- Mass assignment on `PUT /users/:id`: attacker can set `role: "admin"`
- Unauthenticated `GET /users` exposing all PII
- XSS via reflected query parameter in `/profile/view`

- MD5 and SHA1 for password hashing (broken algorithms)
- DES-ECB encryption (broken cipher + mode)
- Hardcoded IV and encryption key
- `Math.random()` for security-sensitive token generation
- Non-constant-time string comparison (timing attack)

- Path traversal in `GET /admin/files`: no base directory check
- Command injection in `POST /admin/ping` via `exec()`
- SSRF in `POST /admin/fetch`: fetches any URL including cloud metadata
- No role check on admin routes
- ReDoS via catastrophic backtracking regex
- `lodash@4.17.4`: CVE-2019-10744 (prototype pollution)
- `express@4.17.1`: multiple known CVEs
- `axios@0.21.1`: CVE-2021-3749 (ReDoS)
- `jsonwebtoken@8.5.1`: CVE-2022-23529 (remote code execution)
```
.github/
  workflows/
    ghas.yml        — CodeQL, dependency review, tests + coverage, summary
  dependabot.yml    — weekly npm + GitHub Actions updates
```
- Push to `main` / `develop`
- Pull request to `main` (also runs dependency review)
- Schedule: every Monday 08:00 UTC
```
CodeQL SAST ──────────────────────┐
Dependency Review (PRs only) ─────┤──▶ Security Summary
Secret Scanning (auto by GitHub) ─┤
Tests + Coverage ─────────────────┘
```
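An illustrative `ghas.yml` that matches the triggers and jobs described above, added here as an example rather than reproduced from the repo (this page does not show the file's contents). The action versions, the `security-extended` query suite, the `fail-on-severity` threshold, the Node version and the Codecov upload are assumptions.

```yaml
# Added example of a workflow matching the description above; not the repo's own file.
name: GHAS

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 8 * * 1'   # every Monday 08:00 UTC

permissions:
  contents: read
  security-events: write  # required to upload CodeQL results
  actions: read

jobs:
  codeql:
    name: CodeQL SAST
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          queries: security-extended   # assumed: widens the default suite
      - uses: github/codeql-action/analyze@v3

  dependency-review:
    name: Dependency Review (PRs only)
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high       # assumed threshold

  test:
    name: Tests + Coverage
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20             # assumed
          cache: npm
      - run: npm ci                    # needs package-lock.json; otherwise npm install
      - run: npm test                  # Jest with lcov output
      - uses: codecov/codecov-action@v4
        with:
          files: coverage/lcov.info

  summary:
    name: Security Summary
    if: always()
    needs: [codeql, dependency-review, test]
    runs-on: ubuntu-latest
    steps:
      - run: |
          {
            echo "## Security Summary"
            echo "| Check | Result |"
            echo "|---|---|"
            echo "| CodeQL | ${{ needs.codeql.result }} |"
            echo "| Dependency Review | ${{ needs.dependency-review.result }} |"
            echo "| Tests + Coverage | ${{ needs.test.result }} |"
          } >> "$GITHUB_STEP_SUMMARY"
```

Secret scanning has no job here because GitHub runs it on push once it is enabled for the repository. The dependency review job only produces results when the dependency graph is enabled for the repo, and on a pull request it compares the PR's manifest against the base branch, so the pinned vulnerable versions listed above only show up there if the PR changes `package.json` or the lockfile.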
```bash
npm install
npm test    # runs Jest + lcov coverage
npm start   # starts server on :3000
```

- Go to Settings → Code security and analysis
- Enable: Dependency graph, Dependabot alerts, Dependabot security updates
- Enable: Code scanning → set up with CodeQL
- Enable: Secret scanning (+ push protection)
- Push this repo — alerts will appear in the Security tab within minutes
After the workflow runs, you should see alerts in Security → Code scanning alerts including:

- `js/sql-injection`
- `js/path-injection`
- `js/command-line-injection`
- `js/server-side-request-forgery`
- `js/reflected-xss`
- `js/insecure-randomness`
- `js/polynomial-redos`
- `js/hardcoded-credentials`
Secret scanning will separately flag the hardcoded keys in src/auth.js.