@page
@model DevSecOps2Model
@{
ViewData["Title"] = "Advanced DevSecOps Security Demonstrations";
}
<div class="container">
<div class="row">
<div class="col-12">
<h1 class="display-4 text-danger">@ViewData["Title"]</h1>
<p class="lead">Extended security vulnerability demonstrations for GitHub Advanced Security scanning</p>
<hr />
</div>
</div>
<!-- Alert for TempData messages -->
@if (TempData["SqlResult"] != null)
{
<div class="alert alert-info alert-dismissible fade show" role="alert">
@TempData["SqlResult"]
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
</div>
}
@if (TempData["SqlError"] != null)
{
<div class="alert alert-danger alert-dismissible fade show" role="alert">
@TempData["SqlError"]
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
</div>
}
<div class="row">
<!-- Extended GHAS Features Section -->
<div class="col-lg-8">
<div class="card mb-4">
<div class="card-header bg-danger text-white">
<h3 class="card-title mb-0">
<i class="bi bi-bug"></i> Advanced Security Vulnerabilities Demo
</h3>
</div>
<div class="card-body">
@if (Model.SecurityDemos.Any())
{
<div class="list-group list-group-flush">
@foreach (var demo in Model.SecurityDemos)
{
<div class="list-group-item d-flex align-items-start">
<span class="badge bg-danger rounded-pill me-3 mt-1">VULN</span>
<div>
<p class="mb-1">@demo</p>
<small class="text-muted">Detected by GHAS Code Scanning</small>
</div>
</div>
}
</div>
}
else
{
<p class="text-muted">No vulnerability demonstrations available.</p>
}
</div>
</div>
<!-- Security Tools Overview -->
<div class="card mb-4">
<div class="card-header bg-secondary text-white">
<h3 class="card-title mb-0">Extended GHAS Capabilities</h3>
</div>
<div class="card-body">
<div class="row">
<div class="col-md-6">
<h5><i class="bi bi-shield-exclamation"></i> Advanced Code Analysis</h5>
<p>Deep semantic analysis with custom CodeQL queries for complex vulnerability patterns.</p>
<h5><i class="bi bi-database-exclamation"></i> SQL Injection Detection</h5>
<p>Automated detection of SQL injection vulnerabilities in database queries.</p>
</div>
<div class="col-md-6">
<h5><i class="bi bi-file-earmark-code"></i> Custom Security Rules</h5>
<p>Organization-specific security policies and custom vulnerability detection rules.</p>
<h5><i class="bi bi-cloud-upload"></i> Supply Chain Security</h5>
<p>Comprehensive dependency vulnerability tracking and remediation guidance.</p>
</div>
</div>
</div>
</div>
<!-- Security Metrics -->
<div class="card mb-4">
<div class="card-header bg-info text-white">
<h3 class="card-title mb-0">Security Metrics Dashboard</h3>
</div>
<div class="card-body">
<div class="row text-center">
<div class="col-md-3">
<h4 class="text-danger">@Model.VulnerabilityCount</h4>
<small class="text-muted">Critical Vulnerabilities</small>
</div>
<div class="col-md-3">
<h4 class="text-warning">@Model.SecretCount</h4>
<small class="text-muted">Exposed Secrets</small>
</div>
<div class="col-md-3">
<h4 class="text-primary">@Model.DependencyCount</h4>
<small class="text-muted">Vulnerable Dependencies</small>
</div>
<div class="col-md-3">
<h4 class="text-success">@Model.FixedCount</h4>
<small class="text-muted">Issues Resolved</small>
</div>
</div>
</div>
</div>
</div>
<!-- Advanced Security Demo Tools -->
<div class="col-lg-4">
<!-- SQL Injection Demo Section -->
<div class="card mb-4">
<div class="card-header bg-danger text-white">
<h4 class="card-title mb-0">
<i class="bi bi-database-exclamation"></i> SQL Injection Demo
</h4>
</div>
<div class="card-body">
<p class="text-muted small">
This form posts the <code>username</code> field to the <code>TestSql</code> page handler, which is intended to build its query unsafely. The injection sink is in that handler (the page model), not in this markup, so that is where GHAS Code Scanning should report the finding.
<strong>DO NOT use in production!</strong>
</p>
<!-- SQL Injection Testing Form -->
<form method="post" asp-page-handler="TestSql" class="mt-3">
<div class="mb-3">
<label for="username" class="form-label">Username Search:</label>
<input type="text" class="form-control" id="username" name="username"
placeholder="Enter username" value="admin">
<div class="form-text text-danger">
⚠️ This query is vulnerable to SQL injection attacks.
</div>
</div>
<button type="submit" class="btn btn-danger btn-sm">
<i class="bi bi-search"></i> Search User
</button>
</form>
</div>
</div>
<!-- CSRF Demo Section -->
<div class="card mb-4">
<div class="card-header bg-warning text-dark">
<h4 class="card-title mb-0">
<i class="bi bi-shield-slash"></i> CSRF Demo
</h4>
</div>
<div class="card-body">
<p class="text-muted small">
This form is meant to demonstrate a missing CSRF check. Caveat: the Razor Pages form tag helper emits an antiforgery token automatically and page handlers validate it by default, so this form is only genuinely unprotected if the page model opts out (for example with <code>[IgnoreAntiforgeryToken]</code>) — confirm that in the model before expecting a CSRF finding.
</p>
<!-- CSRF Vulnerable Form -->
<form method="post" asp-page-handler="UnsafeAction" class="mt-3">
<div class="mb-3">
<label for="action" class="form-label">Action:</label>
<select class="form-control" id="action" name="action">
<option value="view">View Data</option>
<option value="delete">Delete Record</option>
<option value="update">Update Settings</option>
</select>
</div>
<button type="submit" class="btn btn-warning btn-sm">
<i class="bi bi-play"></i> Execute
</button>
</form>
</div>
</div>
<!-- Advanced Resources -->
<div class="card">
<div class="card-header bg-dark text-white">
<h4 class="card-title mb-0">Advanced Resources</h4>
</div>
<div class="card-body">
<div class="d-grid gap-2">
<a href="https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system" class="btn btn-outline-primary btn-sm" target="_blank" rel="noopener noreferrer">
<i class="bi bi-gear"></i> CodeQL CI Integration
</a>
<a href="https://docs.github.com/en/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning" class="btn btn-outline-secondary btn-sm" target="_blank" rel="noopener noreferrer">
<i class="bi bi-key"></i> Custom Secret Patterns
</a>
<a href="https://docs.github.com/en/code-security/dependabot" class="btn btn-outline-success btn-sm" target="_blank" rel="noopener noreferrer">
<i class="bi bi-arrow-repeat"></i> Dependabot Configuration
</a>
<a href="https://docs.github.com/en/code-security/security-advisories" class="btn btn-outline-info btn-sm" target="_blank" rel="noopener noreferrer">
<i class="bi bi-exclamation-triangle"></i> Security Advisories
</a>
<a asp-page="/DevSecOps" class="btn btn-outline-primary btn-sm">
<i class="bi bi-arrow-left"></i> Basic Demo
</a>
</div>
</div>
</div>
</div>
</div>
<!-- Extended Footer Section -->
<div class="row mt-5">
<div class="col-12">
<div class="alert alert-danger" role="alert">
<h5 class="alert-heading">
<i class="bi bi-exclamation-triangle-fill"></i> Security Warning:
</h5>
<p>
This page contains <strong>intentionally vulnerable code</strong> designed for GitHub Advanced Security
demonstrations. The vulnerabilities include SQL injection, CSRF, hardcoded credentials,
and insecure data handling patterns. Most of these live in the page model and its handlers rather than
in this view; the markup here only supplies the inputs that reach them.
</p>
<hr>
<p class="mb-0">
<strong>Never deploy this code to production!</strong> Use it only for learning and testing
GHAS capabilities in a secure, isolated environment.
</p>
</div>
</div>
</div>
</div>
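@section Scripts {
<script>
// Demo-page helpers: auto-dismiss TempData alerts and ask for confirmation
// before submitting the two intentionally vulnerable forms.

// Auto-dismiss alerts after 6 seconds. Guarded so a missing Bootstrap JS
// bundle degrades to "alerts stay open" instead of an uncaught TypeError.
setTimeout(function () {
    if (typeof bootstrap === 'undefined' || !bootstrap.Alert) {
        return;
    }
    document.querySelectorAll('.alert-dismissible').forEach(function (alertEl) {
        new bootstrap.Alert(alertEl).close();
    });
}, 6000);

// Add a confirmation prompt to the SQL-injection and CSRF demo forms.
// NOTE: `asp-page-handler` is a server-side tag-helper attribute and is NOT
// present in the rendered HTML, so selecting on it matched nothing and the
// prompt never fired. The form tag helper folds the handler name into the
// form's action (e.g. "/DevSecOps2?handler=TestSql"), so match on that instead.
document.addEventListener('DOMContentLoaded', function () {
    const dangerousForms = document.querySelectorAll(
        'form[action*="handler=UnsafeAction"], form[action*="handler=TestSql"]'
    );
    dangerousForms.forEach(function (form) {
        form.addEventListener('submit', function (e) {
            // Client-side courtesy only: trivially bypassed, and it provides
            // no protection for the page handlers themselves.
            if (!confirm('This action demonstrates a security vulnerability. Continue for demo purposes?')) {
                e.preventDefault();
            }
        });
    });
});
</script>
}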