In this challenge, we will enable code scanning on a fork of this repository and observe which vulnerabilities CodeQL finds. The repository contains several intentionally vulnerable code snippets, which code scanning should detect. Follow Instructions, option A to enable code scanning on the fork.
If you prefer, you can choose another open source project for this challenge. In that case, you can either fork it (Instructions, option B) or clone it and upload it to a new repository on your account (Instructions, option C).
You can also choose one of your own public projects instead. If you encounter problems, see the documentation for enabling code scanning.
Hint: If you can't find a project, use the GitHub search functionality, e.g. type "language:python stars:>100 type:repositories" into the GitHub search bar.
Instructions, option A: fork this repository

Note: If any of the steps below do not work or look different, check out the documentation.

- Fork this repository.
- Go to the 'Security' tab > click the 'Set up code scanning' button.
- You'll be moved to another page. In the 'Code scanning' section, click the 'Set up' button, then 'Default'.
- A pop-up should appear. Click 'Enable CodeQL'.
- Wait a few minutes for the scan to complete. Go to the 'Security' tab and see the alerts that have been triggered.
Instructions, option B: fork another open source project

Some open source projects will have their own Actions workflows defined. If you fork a repository with existing workflows, these workflows are disabled by default. This is a security measure that protects you from potentially malicious workflows, prevents errors, and lowers Actions minutes usage.
That's why, before you enable code scanning, it's better to first delete all Actions workflows from your fork (generally they can be found in the `.github/workflows` folder), then go to the Actions tab and make sure that Actions are enabled.
- Fork an open source project. When forking, select the option 'Copy the main branch only'.
- Check if the `.github/workflows` folder exists and, if it does, delete it from your fork.
- Go to the Actions tab and make sure that Actions are enabled (if they are disabled, a big pop-up will show up).
- Go to the 'Security' tab > click the 'Set up code scanning' button.
- You'll be moved to another page. In the 'Code scanning' section, click the 'Set up' button, then 'Default'.
- A pop-up should appear. Click 'Enable CodeQL'.
- Wait a few minutes for the scan to complete. Go to the 'Security' tab and see the alerts that have been triggered.
Instructions, option C: clone another open source project and upload it to a new repository on your account

As in option B, we don't want unknown Actions workflows running on your account. The code for this challenge has shamelessly been copied from the CodeQL examples.
- Create a new repository on your account.
- Duplicate an open source repository following the instructions here. Make sure to check if the `.github/workflows` folder exists and, if it does, delete it from your copy of the repository.
- Go to the Actions tab and make sure that Actions are enabled (if they are disabled, a big pop-up will show up).
- Go to the 'Security' tab > click the 'Set up code scanning' button.
- You'll be moved to another page. In the 'Code scanning' section, click the 'Set up' button, then 'Default'.
- A pop-up should appear. Click 'Enable CodeQL'.
- Wait a few minutes for the scan to complete. Go to the 'Security' tab and see the alerts that have been triggered.
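The last step of every option is to read the alerts in the 'Security' tab. As an added example (it is not part of the challenge repository or of the CodeQL examples it was copied from), the Python below triages alerts in the JSON shape returned by GitHub's code scanning alerts REST endpoint. The alert list is constructed inline, with hypothetical file paths and line numbers, and deliberately includes a code-quality finding without a `security_severity_level` so the fallback to the rule's plain severity is exercised.

```python
import json
from collections import Counter, defaultdict

# Constructed sample (hypothetical paths and line numbers), shaped like a
# subset of the objects returned by the GitHub REST endpoint
# GET /repos/{owner}/{repo}/code-scanning/alerts. Rule ids are CodeQL query ids.
SAMPLE_ALERTS_JSON = """
[
  {"number": 1, "state": "open",
   "rule": {"id": "py/sql-injection", "severity": "error",
            "security_severity_level": "high"},
   "tool": {"name": "CodeQL"},
   "most_recent_instance": {"location": {"path": "app/db.py", "start_line": 42}}},
  {"number": 2, "state": "open",
   "rule": {"id": "py/path-injection", "severity": "error",
            "security_severity_level": "high"},
   "tool": {"name": "CodeQL"},
   "most_recent_instance": {"location": {"path": "app/files.py", "start_line": 17}}},
  {"number": 3, "state": "fixed",
   "rule": {"id": "py/sql-injection", "severity": "error",
            "security_severity_level": "high"},
   "tool": {"name": "CodeQL"},
   "most_recent_instance": {"location": {"path": "app/report.py", "start_line": 88}}},
  {"number": 4, "state": "open",
   "rule": {"id": "py/unused-import", "severity": "warning",
            "security_severity_level": null},
   "tool": {"name": "CodeQL"},
   "most_recent_instance": {"location": {"path": "app/util.py", "start_line": 1}}},
  {"number": 5, "state": "dismissed",
   "rule": {"id": "py/unused-import", "severity": "warning",
            "security_severity_level": null},
   "tool": {"name": "CodeQL"},
   "most_recent_instance": {"location": {"path": "app/cli.py", "start_line": 3}}}
]
"""

# Security severity levels sort ahead of the plain CodeQL severities, so
# exploitable findings are worked before style and hygiene warnings.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3,
                 "error": 4, "warning": 5, "note": 6}


def load_alerts(text):
    """Parse the JSON array the alerts endpoint returns."""
    return json.loads(text)


def effective_severity(alert):
    """Prefer security_severity_level; fall back to the rule's severity."""
    rule = alert["rule"]
    return rule.get("security_severity_level") or rule.get("severity") or "note"


def open_alerts(alerts):
    """Keep only alerts that still need attention (not fixed or dismissed)."""
    return [a for a in alerts if a["state"] == "open"]


def summarize_by_severity(alerts):
    """Count alerts per effective severity, e.g. {'high': 2, 'warning': 1}."""
    return dict(Counter(effective_severity(a) for a in alerts))


def group_by_rule(alerts):
    """Map each rule id to the 'path:line' locations it fired at."""
    groups = defaultdict(list)
    for a in alerts:
        loc = a["most_recent_instance"]["location"]
        groups[a["rule"]["id"]].append(f"{loc['path']}:{loc['start_line']}")
    return dict(groups)


def triage_order(alerts):
    """Most severe first; alert number breaks ties so the order is stable."""
    return sorted(alerts, key=lambda a: (SEVERITY_RANK.get(effective_severity(a), 99),
                                         a["number"]))


def report(alerts):
    """One line per open alert, in triage order."""
    lines = []
    for a in triage_order(open_alerts(alerts)):
        loc = a["most_recent_instance"]["location"]
        lines.append(f"#{a['number']} [{effective_severity(a)}] {a['rule']['id']} "
                     f"at {loc['path']}:{loc['start_line']}")
    return lines


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS_JSON)
    print(summarize_by_severity(open_alerts(alerts)))
    for line in report(alerts):
        print(line)
```

On a real repository the same JSON can be fetched with `gh api repos/OWNER/REPO/code-scanning/alerts` (OWNER and REPO are placeholders for your fork) and passed to `load_alerts`. Sorting by `security_severity_level` first puts the injection findings ahead of hygiene warnings, which is the order you would want to work through the challenge's intentionally vulnerable snippets.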
Congrats on completing challenge 1! 🎉
