# AppSec Analyst Home Exercise
## Prerequisites
- Python 3.8+
- [Gitleaks](https://github.com/gitleaks/gitleaks)
- [Semgrep](https://semgrep.dev/) (`pip install semgrep`)
## Repository Structure
```
analysts-ex/
│
├── README.md                      # This file
├── run-secrets-scan.sh            # Test Gitleaks rules
├── run-sast-scan.sh               # Test Semgrep rules
│
├── task1-secrets/
│   ├── rules/
│   │   └── custom-rules.toml      # TODO: Complete patterns
│   └── test-data/                 # Test files with secrets
│
├── task2-sast/
│   ├── rules/
│   │   ├── sql-injection.yml      # TODO: Complete pattern (Node.js)
│   │   └── path-traversal.yml     # TODO: Complete pattern (Python)
│   └── vulnerable-code/           # Code with vulnerabilities
│       ├── nodejs-sql/            # SQL injection examples
│       └── python-path-traversal/ # Path traversal examples
│
└── task3-sca/
    ├── lodash-analysis.md         # TODO: Complete analysis
    └── express-analysis.md        # TODO: Complete analysis
```
## Tasks
### Task 1: Secret Scanning
Complete the Gitleaks rules in `task1-secrets/rules/custom-rules.toml`:
- Fill in patterns where you see `YOUR_PATTERN_HERE`
- Test with: `./run-secrets-scan.sh`
### Task 2: SAST Rules
Complete the Semgrep rules:
- `task2-sast/rules/sql-injection.yml` - For Node.js/JavaScript
- `task2-sast/rules/path-traversal.yml` - For Python
- Fill in patterns where you see `YOUR_PATTERN_HERE`
- Test with: `./run-sast-scan.sh`
**BONUS**: Each rule file contains a remediation section. Complete it with:
- Description of the vulnerability and its impact
- At least 3 recommended fixes
- Code examples showing vulnerable vs. secure implementations
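The following is an illustrative Semgrep taint rule for the Node.js SQL injection case, with a remediation block in the shape the bonus asks for. It is an added example, not the exercise's `sql-injection.yml` template: the `req.query`/`$DB.query` patterns and the `remediation` metadata key are assumptions about the test code, so adjust them to what you find in `task2-sast/vulnerable-code/nodejs-sql/`.

```yaml
rules:
  - id: nodejs-sql-injection-tainted-query
    languages: [javascript, typescript]
    severity: ERROR
    mode: taint
    # Sources: anything read from the incoming Express-style request object
    # (assumption: the test code names it `req`).
    pattern-sources:
      - pattern-either:
          - pattern: req.query
          - pattern: req.body
          - pattern: req.params
    # Sanitizers: numeric coercion cannot carry SQL syntax into the query.
    pattern-sanitizers:
      - pattern: parseInt(...)
      - pattern: Number(...)
    # Sinks: the SQL-text argument of common driver calls. focus-metavariable
    # reports only the query string, not a values array passed afterwards.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: $DB.query($SQL, ...)
              - pattern: $DB.execute($SQL, ...)
          - focus-metavariable: $SQL
    message: >-
      Request data flows into the SQL text passed to a database query call.
      Build the statement with placeholders and pass the values separately.
    metadata:
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
      category: security
      remediation: |
        Impact: a caller who controls a request parameter can change the SQL
        statement, reading or modifying data the endpoint never meant to expose.
        Recommended fixes:
          1. Use parameterised queries: the driver escapes each bound value.
          2. Validate input against an allow-list (e.g. integer IDs) before use.
          3. Run the database account with least privilege so a bypass is contained.
        Vulnerable (constructed example):
          db.query("SELECT * FROM users WHERE id = " + req.query.id)
        Secure:
          db.query("SELECT * FROM users WHERE id = ?", [req.query.id])
```

Run it against the sample code with `semgrep --config path/to/rule.yml task2-sast/vulnerable-code/nodejs-sql/` and confirm the concatenated query is reported while the placeholder form is not.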
### Task 3: Vulnerability Analysis
Complete the analysis files:
- `task3-sca/lodash-analysis.md` - Analyze CVE-2020-8203 (Prototype Pollution)
- `task3-sca/express-analysis.md` - Analyze CVE-2022-24999 (Open Redirect)
- Review the vulnerable code provided in each file
- Answer all questions and fill in `[TODO]` sections
- Assess exploitability and provide remediation advice
## Tips
- All files are pre-created - just fill in the blanks
- Look at the test data to understand what to detect
- For Task 3, focus on practical exploitability, not just theoretical vulnerabilities
Good luck! 🚀