octodemo/universe-wip

Harnessing AI: Next Level Strategies for Advanced Security

@s-samadi
@abhi-dutta

Contents

  • Introduction
  • Prerequisites
  • Mona Gallery
  • Learning Objectives
  • Learning Resources

Introduction

This repository contains the source code for the Mona Gallery vulnerable web application. The exercises for this workshop are in the exercises.md file.

Prerequisites

Please make sure that you have all the prerequisites in place before the workshop starts.

  1. Create a codespace from the repository (a demo recording, create-codespace, shows the steps)

  2. Verify that the GitHub Copilot, GitHub Copilot Chat, and GitHub Copilot Labs extensions are installed in your codespace. They are installed automatically when the codespace starts.

  3. Sign in to the Copilot extension with the GitHub account that was granted access to Copilot through the githubuniverseworkshops organization.

  4. Confirm that GitHub Advanced Security and all of its features are enabled on your repository.

Mona Gallery

The Mona Gallery is a deliberately vulnerable web application that contains several prevalent vulnerability types, such as SQL injection, XSS, and insecure deserialization, among others. Its codebase is polyglot, using Go, Python, JavaScript, and Java. An architecture diagram is shown below. We will use this application's codebase throughout the workshop. Because the application is intentionally exploitable, run it only inside your codespace and do not make its forwarded ports public.

Architecture Diagram

The frontend is built with Vue.js 3 and Bootstrap 5. Authentication and authorization are handled by the Zitadel OIDC service, implemented in Go. Middleware functions are written in Python, the API is written in Go, and the storage service, written in Java, uses MinIO for blob storage. The database is SQLite. Each service runs in its own Docker container, five images in total, and the whole application is started with Docker Compose.
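The SQL injection class that Mona Gallery is built to demonstrate, shown in a small added example that is not part of the application's code base. It uses Python's standard sqlite3 module because the README states the database is SQLite; the artwork table, its columns and the sample rows are constructed for illustration and are not the application's schema.

```python
"""Added example, not Mona Gallery code: string-built SQL beside the
parameterised fix, run against an in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data (assumed schema, not the app's own tables).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE artwork (id INTEGER PRIMARY KEY, title TEXT, "
        "owner TEXT, private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO artwork (title, owner, private) VALUES (?, ?, ?)",
        [("Mona Lisa", "alice", 0), ("Sunflowers", "bob", 0), ("Draft", "bob", 1)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, owner: str) -> list[str]:
    # The user-controlled value is pasted into the statement text, so a
    # quote in the input changes the SQL grammar instead of the data.
    sql = f"SELECT title FROM artwork WHERE owner = '{owner}' AND private = 0"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn: sqlite3.Connection, owner: str) -> list[str]:
    # Parameterised query: the value travels separately from the statement
    # and can only ever be compared as a string.
    sql = "SELECT title FROM artwork WHERE owner = ? AND private = 0"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"  # closes the quote, forces a true condition, comments out the rest
    print("vulnerable:", search_vulnerable(db, payload))  # all rows, including the private draft
    print("fixed:     ", search_fixed(db, payload))       # no owner has that literal name
```

The payload turns the vulnerable query into `... WHERE owner = 'x' OR 1=1 --' AND private = 0`, so the private-row filter is commented away. CodeQL reports this pattern as a SQL query built from user-controlled sources; the parameterised form is what the autofix should produce.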

Learning Objectives

  • Hands-on exercise demonstrating the new feature that generates secret scanning regexes using AI
  • Use AI to find generic secrets
  • Practical lab demonstrating the new autofix feature for JavaScript CodeQL alerts on a pull request
  • How to use GitHub Copilot to learn about CodeQL
  • Use GitHub Copilot to learn about application security
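Whether a custom secret scanning pattern is written by hand or generated by AI (the first two objectives above), the check a practitioner wants before committing it is a run against known positives and known negatives. The following added example, not part of the workshop materials, does that in Python for a constructed token format ("mona_" followed by 32 alphanumerics, an assumption for illustration only, not a real Mona Gallery or GitHub credential), and contrasts an over-broad first-draft regex with one anchored on the known format.

```python
"""Added example, not workshop code: score a candidate secret-scanning regex
against constructed positive and negative samples before committing it."""
import re

# Constructed samples. The token format "mona_" + 32 alphanumerics is assumed
# for illustration only; it is not a real credential format.
POSITIVES = [
    'api_key = "mona_ab12cd34ef56gh78ij90kl12mn34op56"',
    "export MONA_TOKEN=mona_ZZ99yy88xx77ww66vv55uu44tt33ss22",
]
NEGATIVES = [
    "commit 3f2a9c1e4b7d6a0f8e5c2b1a9d8c7f6e5b4a3c2d",    # a 40-hex git SHA
    "const loadArtworkMetadataForGalleryView = () => {}",  # a long identifier
    "mona_short",                                          # right prefix, wrong length
]

# A typical first draft: "any long alphanumeric run". Catches the secrets but
# also every commit hash and long identifier in the repository.
LOOSE_PATTERN = r"[A-Za-z0-9_]{20,}"
# Anchored on the known prefix and exact length, with word boundaries so a
# longer run containing the prefix does not match by accident.
TIGHT_PATTERN = r"\bmona_[A-Za-z0-9]{32}\b"


def evaluate(pattern: str, positives: list[str], negatives: list[str]) -> tuple[list[str], list[str]]:
    """Return (missed positives, false positives) for a candidate pattern."""
    rx = re.compile(pattern)
    missed = [s for s in positives if not rx.search(s)]
    false_pos = [s for s in negatives if rx.search(s)]
    return missed, false_pos


def is_acceptable(pattern: str, positives: list[str], negatives: list[str]) -> bool:
    """A pattern is ready to commit only when both lists come back empty."""
    missed, false_pos = evaluate(pattern, positives, negatives)
    return not missed and not false_pos


if __name__ == "__main__":
    for name, pattern in [("loose", LOOSE_PATTERN), ("tight", TIGHT_PATTERN)]:
        missed, false_pos = evaluate(pattern, POSITIVES, NEGATIVES)
        print(f"{name}: missed={len(missed)} false_positives={len(false_pos)}")
```

GitHub matches custom patterns with Hyperscan, which accepts a subset of PCRE syntax; word boundaries and bounded repetition as used here are supported, but verify any construct an AI-generated draft introduces before saving the pattern. Keep the negative list realistic for your repository (hashes, UUIDs, long identifiers, test fixtures), since those are what a loose pattern will page the security team about.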

Learning Resources