Skip to content

ghas-bootcamp-resources/javascript-app

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

155 Commits
.github
.github
 
 
docs
docs
 
 
public
public
 
 
scripts
scripts
 
 
src
src
 
 
test
test
 
 
views
views
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 

Repository files navigation

GHAS Expense Tracker

GHAS Expense Tracker is a local-only JavaScript application for GitHub Advanced Security training. It is a small Express app that tracks expenses, stores data in SQLite, saves local receipt text files, and exports reports.

This repository intentionally contains vulnerable code, vulnerable dependencies, secret scanning placeholders, and code quality issues for training. Do not deploy it.

Quickstart

npm install
npm test
npm run test:coverage
npm start

Open http://localhost:3000 after starting the app.

What this repo demonstrates

  • Code scanning with CodeQL findings for SQL injection, path traversal, command injection, XSS, prototype pollution, log injection, and missing rate limiting.
  • Dependabot alerts from legitimate, intentionally outdated packages in package.json and package-lock.json.
  • Secret scanning using four placeholder slots in src/security-labs/approvedSecretPlaceholders.js.
  • Code Quality findings in src/code-quality-labs/qualityIssues.js.
  • A test suite with coverage thresholds of at least 80%.

Training docs

Local data

The app writes local runtime data to .expense-tracker-data/. This directory is ignored by Git.

About

GitHub Code Scanning Javascript Tutorial

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

19 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • JavaScript 85.7%
  • EJS 11.7%
  • CSS 2.6%