With Code Scanning enabled, we want to block vulnerable code from entering the codebase. We can define a repository ruleset to enforce this.
- Navigate to the routes/login.ts file in your repository (make sure the Code tab is selected).
- Click the Pencil icon on the top right of the file view to edit the file.
- Find lines 36-46 and delete them:

  ```ts
  models.sequelize.query(
    'SELECT * FROM Users WHERE email = :email AND password = :password AND deletedAt IS NULL',
    {
      replacements: {
        email: req.body.email || '',
        password: security.hash(req.body.password || '')
      },
      model: UserModel,
      plain: true
    }
  )
  ```

- At line 36, add the following code:

  ```ts
  models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: UserModel, plain: true })
  ```

- Let's push our new branch with the vulnerability up to GitHub.
- Click the green Commit Changes button on the top right of the file view.
- Keep the commit message the same, but feel free to add a description.
- Select the Create a new branch for this commit and start a pull request radio button.
- Keep the branch name at the default, which should be your GitHub handle followed by -patch-1.
- Click the Propose changes button.
- Click the Create pull request button at the bottom of the text field in the next view.
- The page will redirect to the pull request that was just created. Do not merge the pull request yet, as we want to see the code scanning results first.
- After the pull request is created, the code scanning job will have been initiated. You can see the status of the job in the pull request checks. It will take a few minutes to run.
- CodeQL should find the vulnerability, so the check will fail. We should also see Copilot create an autofix on the PR as a code suggestion that we can review (and commit).
- It might take Copilot a few moments to create the autofix.
- Review the autofix - we can prevent a vulnerability from entering the repository now with a click of a button! 🎉
⚠️ But don't commit the suggestion yet! ⚠️
Without a ruleset (GitHub's new version of branch protections), even though CodeQL found the vulnerability, a developer could still merge the code mistakenly, or merge the code before the CodeQL checks finish. Let's prevent this!
Note
We want to wait for the PR check to finish entirely (with a pass or fail) before creating the ruleset!
- Let's go into the Settings tab of the repository (we will be adding a branch ruleset).
- On the left-hand list of options, click on Rules --> Rulesets.
- Click on New ruleset ▾ --> New branch ruleset.
- Create the ruleset:
  - Give the ruleset a name (any name is fine).
  - Change the enforcement status to Active.
  - Under target branches, click Add target and select Include default branch.
  - Scroll down and check the Require code scanning results box.
  - The CodeQL tool should already be there; there's nothing to change.
  - Scroll down and click the Create button.
- With the ruleset created, the JavaScript CodeQL scan has to finish and report no vulnerabilities before the code can be merged.
- Navigate back to our open PR. The Merge pull request button should now be grayed out (there is also a big red icon and the text Merging is blocked, with the list of blocking reasons underneath), preventing us from merging vulnerable code.
- Review the Copilot Autofix suggestion.
- Click on the commit suggestion button and commit changes.
- After another CodeQL scan, the PR should pass and the Merge pull request button should be enabled, allowing you to merge the change without the vulnerability.
- ➡️ For the purposes of this lab, you don't have to actually merge the PR, so you don't have to wait for the CodeQL scan to finish before moving on.
- Celebrate 🎉! We just prevented a security vulnerability from entering our codebase!
Excellent! In this lab we saw how GitHub code scanning can find bugs in the pull request and suggest solutions for them. And we learned how to use repository rulesets to block a pull request from merging until the checks are resolved.
In the next lab, we are going to learn about Dependency Review, and how it can help us stop bad dependencies from making it to the default branch.
➡️ Head to the next lab.