docs/content/get-started/learning-to-code/finding-and-fixing-your-first-code-vulnerability.md

title, shortTitle, intro, versions, topics

title	shortTitle	intro	versions	topics
Finding and fixing your first code vulnerability	Secure your code	Learn the basics of securing your code by resolving a {% data variables.product.prodname_code_scanning %} alert in a demo repository.	fpt *	Code Security Code scanning Alerts

As you're learning to code, it's normal to accidentally introduce vulnerabilities into your projects. If these security issues aren't addressed before you share your work, attackers can use them to manipulate your code and access sensitive data, so it's important to identify and patch them as soon as possible.

Thankfully, there are tools like {% data variables.product.prodname_code_scanning %} that automatically find, explain, and even fix vulnerabilities in your public repositories. In this tutorial, you'll learn how to keep your work secure with {% data variables.product.prodname_code_scanning %}.

Setting up the demo repository

Let's get started by forking a demo project with a security vulnerability. This project builds a simple webpage, but since we won't deploy the project, there is no security risk in this exercise.

1. Navigate to the new2code/code-scanning-demo repository.
2. In the top right of the page, click {% octicon "repo-forked" aria-hidden="true" %} Fork.
3. In the page that appears, click Create fork.

Finding vulnerabilities in your code

Now that we've set up the project, let's turn on {% data variables.product.prodname_code_scanning %} for your fork to check for vulnerabilities in the code.

1. Back on {% data variables.product.github %}, on the home page of your repository, click {% octicon "shield" aria-hidden="true" %} Security.
2. In the "{% data variables.product.prodname_code_scanning_caps %} alerts" row, click Set up {% data variables.product.prodname_code_scanning %}.
3. In the "Tools" section, next to "{% data variables.product.prodname_codeql %} analysis", select Set up, then click Default.
4. In the pop up that appears, click Enable {% data variables.product.prodname_codeql %}. This will trigger a {% data variables.product.prodname_actions %} workflow that scans your code for vulnerabilities.
5. To check the status of your workflow, in the navigation bar, click {% octicon "play" aria-hidden="true" %} Actions.
6. Once the workflow is complete, in the navigation bar, click {% octicon "shield" aria-hidden="true" %} Security.
7. To view the {% data variables.product.prodname_code_scanning %} alert discovered by the workflow, in the side navigation, click {% octicon "codescan" aria-hidden="true" %} {% data variables.product.prodname_code_scanning_caps %}, then click Reflected cross-site scripting.

Understanding a {% data variables.product.prodname_code_scanning %} alert

Now that {% data variables.product.prodname_code_scanning %} has identified a vulnerability in the code, let's break down the information provided in the alert.

Location

The alert shows a small preview of a file, centered on the lines of code creating the vulnerability. In our case, the vulnerability is detected on line 8 of our index.js file, where we implement the user-provided input in our site.

If we take a closer look, we can see that the underlying issue occurs on line 7, when we assign greet to user input without checking for malicious code. To see a step-by-step view of the vulnerability in our code, in the callout below the vulnerable lines, click Show paths.

Description and recommendation

Below the file preview, {% data variables.product.prodname_code_scanning %} provides a more detailed description of the vulnerability. To see the recommended fix, as well as examples of the vulnerable and fixed code, click Show more {% octicon "chevron-down" aria-hidden="true" %}.

In our case, the recommendation is to sanitize user input before using it. This means we need to check the input for malicious code, then clean it up if necessary.

[!TIP] If you don't fully understand the recommended fix, try asking {% data variables.product.prodname_copilot_chat_short %} to explain it.

Timeline

Finally, you can see the timeline of the alert at the bottom of the page. Our timeline contains the commit where the vulnerability was first detected, and will be updated automatically when we fix the vulnerability.

Fixing a vulnerability automatically

To secure our project quickly and easily, let's use {% data variables.product.prodname_copilot_autofix %} for {% data variables.product.prodname_code_scanning %}.

1. Below the alert title, in the box suggesting you "Speed up the remediation of this alert using {% data variables.product.prodname_copilot_autofix_short %} for {% data variables.product.prodname_codeql %}", click {% octicon "shield-check" aria-hidden="true" %} Generate fix.

2. After {% data variables.product.prodname_copilot_short %} generates the fix suggestion, it will describe the changes it is suggesting, render a preview of the changes, and call out any added dependencies. Take a moment to read through {% data variables.product.prodname_copilot_short %}'s work.

3. To create a pull request with the fix, click Commit to new branch, then click Commit change.

4. Once the draft pull request is created, at the bottom of the page, click Ready for review to make it mergeable.

5. To apply the fix, click Merge pull request, then click Confirm merge.

   Once the pull request is merged and the {% data variables.product.prodname_code_scanning %} workflow runs again, the alert will be closed automatically, and the commit fixing the vulnerability will be added to the timeline.

[!NOTE] In real projects, you should always review the changes suggested by {% data variables.product.prodname_copilot_short %} before committing them to your code.

Next steps

Now that you've tried out {% data variables.product.prodname_code_scanning %} on a demo repository, enable it on your own projects to quickly find and fix current and future vulnerabilities.