This is an educational repository for GH-500: GitHub Advanced Security exam preparation. It contains intentionally vulnerable code in demos/05-code-scanning/vulnerable-app/ for learning purposes.
This repository is a study resource, not a deployed application. There are no versioned releases to support. Content is kept current with the official exam objectives.
**Important:** If you discover a security vulnerability in this repository's actual code (e.g., a script that could be exploited, a workflow with a security flaw), please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
- Use GitHub's private vulnerability reporting feature (available in the Security tab of this repo)
- Or email: security@example.com (replace with your contact)

Please include in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- (Optional) Suggested fix
| Stage | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 7 days |
| Fix or mitigation | Within 30 days |
| Public disclosure | Coordinated with reporter |
The following are intentional and should not be reported:
| File | Intentional Issue |
|---|---|
| `demos/05-code-scanning/vulnerable-app/app.py` | SQL injection, XSS, command injection (CodeQL demo) |
| `demos/05-code-scanning/vulnerable-app/app.js` | Prototype pollution, SQL injection (CodeQL demo) |
| `demos/03-dependabot/package.json` | Outdated/vulnerable npm dependencies (Dependabot demo) |
| `demos/03-dependabot/requirements.txt` | Outdated/vulnerable Python dependencies (Dependabot demo) |
| `demos/02-secret-scanning/sample-secrets.md` | Non-functional credential patterns (secret scanning demo) |
These files exist explicitly to demonstrate GHAS detection capabilities.
When contributing to this repository:
- Do not commit real credentials or API keys
- Do not add real working exploits (demo code should be functional but clearly non-production)
- Keep workflow files secure — avoid injection vulnerabilities in GitHub Actions YAML
- Sign your commits when possible (`git config commit.gpgsign true`)
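As an added illustration of the GitHub Actions injection guideline above (this is a constructed example, not a workflow from this repository; the workflow, job and step names are placeholders): the unsafe pattern expands untrusted event data directly inside a `run` script, while the hardened form passes the same value through an environment variable so the shell treats it as data.

```yaml
# Constructed example workflow, not part of this repository.
name: issue-triage-example

on:
  issues:
    types: [opened]

# Least privilege: this job only needs to read repository contents.
permissions:
  contents: read

jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # UNSAFE (shown commented out, do not use): the ${{ }} expression is
      # expanded by the runner *before* bash starts, so an issue title that
      # contains shell metacharacters becomes part of the script itself.
      # CodeQL's GitHub Actions queries flag this pattern.
      #
      # - name: Greet (unsafe)
      #   run: echo "New issue: ${{ github.event.issue.title }}"

      # SAFE: bind the untrusted value to an environment variable. The script
      # text is now fixed; bash reads the title at run time as a plain string,
      # and the double quotes prevent word splitting and globbing.
      - name: Greet (safe)
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $ISSUE_TITLE"
```

The same rule applies to any attacker-controllable context value (pull request titles and bodies, branch names, commit messages, review comments): never interpolate it into `run:` directly; bind it with `env:` and reference the variable from the shell.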