Welcome to the workshop Harnessing AI: Next Level Strategies for Advanced Security! Below you will find the exercises to complete as a part of this workshop. There will be a set amount of time to complete each one. We will provide a walkthrough of the solution after each exercise. If you get stuck there are hints along the way. Additionally, you can access GIF-based solutions for each exercise.
If you are interested in participating in the limited public beta for secret scanning please join the waitlist and the GitHub staff will be in touch. You can find the terms and conditions here.
This Universe, we are excited to be launching the AI-generated custom patterns feature as a limited public beta. In this exercise, we will generate a custom pattern using this new feature.
Prerequisite - secret scanning must be enabled for this exercise. This feature should already be enabled by default for this repository. If not, please follow the instructions here to enable secret scanning.
Scenario
You are a part of the security team, and it has been brought to your attention that the MinIO password `mona_value_abc124` for the object store has been leaked in the code! You want to write a custom pattern to detect this.
- Navigate to the **Settings** tab of the repository, click on the **Code security and analysis** section, and under **Custom Patterns** click on **New pattern**
- In the top right hand corner, click on **Generate with AI**
- Fill in the options **I want a regular expression that** and **Examples of what I am looking for**

  Hint: You want to find a string that starts with `mona_value_`
- Assume that we know that the custom secret pattern always ends with a string of 6 alphanumeric characters. Can you make the regex pattern more precise? For the most accurate results, it is imperative when working with AI that we provide as much detail and as much context as possible.

  Hint: Provide the AI with more details about the pattern. Consider factors such as length. What about character composition? Is it entirely numerical?
At Universe 2023 we will also be shipping the generic secret detection using AI feature as a limited public beta. Enabling this feature uses an AI model to detect additional secrets beyond those detected with regular expressions.
- Enable this feature by navigating to the **Settings** tab of the repository, click on the **Code security and analysis** section, and tick the checkbox **Use AI detection to find additional secrets** under secret scanning.
- Add Bob's credentials `username=bob@localhost password=verysecure1234` to the end of the `password.txt` file located at the root of the repository.
- To view detected alerts, navigate to the **Security** tab, under **Secret Scanning**, click the **Other** option
Scenario
You have just joined a new team as a developer. To familiarize yourself with the codebase, you've been tasked with remediating some code scanning vulnerabilities in the repository.
You will be remediating an existing SQL Injection vulnerability in `main.go` on line 309.
There are two tasks to remediate this vulnerability:
- sanitize input in the JavaScript (Exercise 1)
- fix the SQL prepare statement in the Go code (Exercise 2 and Exercise 3)
This Universe we will be launching the code scanning autofix feature as a limited public beta. This feature uses AI to generate fixes on pull requests that contain JavaScript CodeQL alerts. We will see this feature in action in this exercise. If you are interested in participating in this limited public beta, please reach out to your Account Manager if you are an existing customer. Otherwise, reach out to the GitHub Sales Team for assistance. You can find the terms and conditions here.
Input sanitization is a fundamental security practice to prevent SQL injection attacks. Let's add a sanitize method in the javascript to help in mitigating against injection attack vectors.
You can solve this exercise using either the codespaces or the UI. Codespaces is preferable as this is what a developer would use under normal circumstances. However, if codespaces is not loading for you please use the UI.
- Create a branch called `sql-injection-fix` and push it to the remote repo.

  Hint: Run the commands:

  ```shell
  git checkout -b sql-injection-fix
  git push -u origin sql-injection-fix
  ```
- Add the following sanitization function on line 233 of `frontend/components/Gallery.vue`:

  ```javascript
  function sanitizeInput(input) {
    if (input == null) {
      return "";
    }
    // escape all occurrences of apostrophe
    input = input.replace("'", "''");
    return input;
  }
  ```
- Call the sanitization function from the Update function by placing the following calls on line 347 of `frontend/components/Gallery.vue`:

  ```javascript
  artItem.description = sanitizeInput(artItem.description)
  artItem.title = sanitizeInput(artItem.title)
  ```
- Commit and push the code
- Raise a pull request to the `main` branch. Wait for the scans to complete and you should see a CodeQL JavaScript alert in your pull request. Oh no! There is a vulnerability in our vulnerability! Lucky we have autofix.
Autofix feature
The autofix feature suggests fixes for CodeQL alerts raised as a part of the pull request. At the moment, it only supports JavaScript. Our sanitize function only replaced the first occurrence of the string, because `String.prototype.replace` with a string pattern stops after the first match. Autofix has suggested a fix that replaces the string pattern with a regular expression and uses the `g` flag to ensure all occurrences are replaced. You should be able to see an autofix suggestion as a part of the pull request.
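To make the difference concrete, here is an added example (not the workshop's `Gallery.vue` code and not autofix's actual output) that places the sanitizer exactly as the exercise adds it beside the global-regex form the text describes, runs both on constructed titles, and checks whether every apostrophe in the result is doubled. The sample inputs and the helper names `sanitizeInputFirstOnly`, `sanitizeInputAll` and `allApostrophesDoubled` are assumptions made for this illustration.

```javascript
// Added example: the first-occurrence sanitizer from the exercise beside the
// global-replacement form, run on constructed inputs.

// As added in the exercise: a string pattern replaces only the first occurrence.
function sanitizeInputFirstOnly(input) {
  if (input == null) {
    return "";
  }
  input = input.replace("'", "''");
  return input;
}

// The form the autofix suggestion describes: a regular expression with the
// g (global) flag replaces every occurrence.
function sanitizeInputAll(input) {
  if (input == null) {
    return "";
  }
  input = input.replace(/'/g, "''");
  return input;
}

// Checks that every run of apostrophes in `value` has even length, i.e. each
// apostrophe has been doubled. Handy as a unit test for the sanitizer.
function allApostrophesDoubled(value) {
  const runs = value.match(/'+/g) || [];
  return runs.every((run) => run.length % 2 === 0);
}

// Constructed sample titles and descriptions, the kind of values the Update
// function passes through sanitizeInput.
const samples = [
  "Mona's gallery",
  "Rock 'n' roll 'art'",
  null,
];

// Runs both sanitizers over the samples so the two behaviours can be compared.
function compare(values) {
  return values.map((v) => ({
    input: v,
    firstOnly: sanitizeInputFirstOnly(v),
    all: sanitizeInputAll(v),
    firstOnlyComplete: allApostrophesDoubled(sanitizeInputFirstOnly(v)),
    allComplete: allApostrophesDoubled(sanitizeInputAll(v)),
  }));
}

for (const row of compare(samples)) {
  console.log(row);
}
```

With a single apostrophe ("Mona's gallery") both versions produce the same output, which is why the bug is easy to miss in manual testing; only an input with several apostrophes shows the first-occurrence version leaving unescaped quotes behind. Either way, as the next exercise explains, escaping in the UI is a mitigation for one entry point only, not a substitute for fixing the prepared statement on the server side.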
- Navigate to the **Copilot Chat** icon in your Visual Studio Code IDE (Codespace)
- Open the `main.go` file under the `gallery` folder. Navigate to line 309, which contains the injection vulnerability, and ask GitHub Copilot Chat to explain the vulnerability
Our sanitization function is limited to the user interface (UI). If we expose the Update method through an API or another medium, we remain susceptible to vulnerabilities. Let's use Copilot to remediate the vulnerability.
- In Codespaces, use the Sarif Viewer to navigate to the SQL Injection vulnerability located in `gallery/main.go` on line 309. Note: if the Sarif Viewer is not loading the correct SARIF, you can use the one provided in `universe-utils/go.sarif`
- Hover over the alert and select **Fix using Copilot**
- Copilot will propose a fix. Review the proposed fix and click **Accept**
- Commit, push the fix, and merge in the PR to resolve the alert
Prompt Engineering involves formulating a prompt to optimize the model's ability to generate the most valuable prediction for the user.
A prompt commonly involves at least one of the following elements:
- Instruction - You can use natural language to provide instructions. However, GitHub Copilot Chat also offers pre-configured slash command choices as default templates to help steer the Large Language Model (LLM) more effectively toward your intended goal.
- Context - GitHub Copilot Chat lives in the context of an IDE such as Visual Studio Code (VS Code). This involves having relevant files open in each tab and highlighting the code snippet you're interested in.
- Examples - Provide examples of the desired output. We saw an example of this when generating regexes for secret scanning. Prompting falls into two broad categories:
  - Zero-shot prompting: no examples are provided to the model.
  - Few-shot prompting: examples are provided to the model; they serve as conditioning for the subsequent cases where we would like the model to generate a response.
- Output - Specify the desired output format. Some examples within Copilot instruction include:
  - `/explain` - will output text
  - `Generate Docs` - will create comments in the code
  - `/fix` - will output code
Scenario
There is a custom CodeQL query written specifically for finding Vue-related XSS vulnerabilities specific to this codebase. This query can be found in the `queries` folder. Use Copilot Chat to better understand this query.
Initially, we want to see what happens when we don’t provide any context to Copilot Chat.
- Close all tabs and open Copilot Chat
- Type the following into the chat: `/explain vue-xss.ql`
Was this the output you expected? A key factor contributing to occasional inaccuracies in LLM outputs is the absence of context. These models heavily depend on the information provided in the context. When the context is ambiguous or lacks detail, the model might infer assumptions that result in inaccurate responses.
Now let's add in some context. Recall that the context for GitHub Copilot is the IDE.
- Open the `vue-xss.ql` query in a tab and run the prompt from the previous exercise: `/explain vue-xss.ql`
Was the output different?
The more specific and concise you can be about your problem statement, the more accurate the generated results will be. For example, let's say that we want to understand the 2 predicates and their regexes between line 42 and line 46.
- Try highlighting between these lines and ask Copilot for an explanation.
Let's say you wanted to comment the CodeQL query so that it is easier to understand for new joiners of the repository.
- Highlight the predicate `resolveRefForArraySourceValue` from line 60 to line 100 and use the option **Generate Docs**
Scenario
Threat modelling is often a manual and specialised task conducted by security teams. We can automate some of this process using Copilot.
In this demo we will be using the GitHub Copilot Chat feature from a security practitioner's perspective. We'll observe how an AI-assisted tool can help us gain additional context regarding the application's threat boundaries.
- Let's ask GitHub Copilot Chat to explain to us the DB interactions in the `gallery` module of the mona gallery application
- In the `storage` module, let's ask GitHub Copilot Chat to explain to us the threat landscape of the `BlobController.java` code