initial commit

Author: Hemavathi15sg

README.md

@@ -73,7 +73,7 @@ By the end of the mandatory track you will have: detected hardcoded secrets with
 
 | Feature | Description |
 |---------|-------------|
-| **Secret Scanning (`#secret-scanning`)** | Scans code for exposed credentials using GitHub's detection patterns |
+| **Secret Scanning (`plugins`)** | Scans code for exposed credentials using GitHub's detection patterns |
 | **VS Code Code Review** | Reviews a selection or uncommitted changes with inline suggestions and one-click fixes |
 | **Copilot Agent (Inline `Ctrl+I`)** | Applies fix patterns across entire files in one agentic step |
 | **Copilot CLI `/review`** | Agentic CLI code review of git changes — no browser required |
@@ -85,12 +85,12 @@ By the end of the mandatory track you will have: detected hardcoded secrets with
 
 ## Getting Started
 
-1. Select use this template to create a new repository
-1. clone and open it in VS Code
+1. Select **use this template** to create a new repository
+1. Clone the repository and open it in VS Code
 1. Ensure **GitHub Copilot** and **GitHub Copilot Chat** extensions are installed and signed in
 1. Open the Copilot Chat panel (`Ctrl+Alt+I`)
 1. Start with [Exercise 01](workshop/exercise-01-setup.md)
 
 ---
 
-> **Instructor Note**: Each exercise has `<!-- Instructor Guide -->` comments visible only in markdown source. Exercises are designed so attendees never need to copy code — they copy **prompts** and let Copilot generate the output. The [`securetrails-vulnerable/VULNERABILITIES.md`](securetrails-vulnerable/VULNERABILITIES.md) file contains exact file paths and line numbers — do not share with attendees before they attempt the exercises.
+> **Instructor Note**: Each exercise has `<!-- Instructor Guide -->` comments visible only in markdown source. Exercises are designed so attendees never need to copy code — they copy **prompts** and let Copilot generate the output. 

workshop/exercise-01-setup.md

@@ -14,8 +14,10 @@ This workshop secures **SecureTrails**, a deliberately vulnerable Flask trail-bo
 
 ## Step 1 — Verify Tools
 
+Open a terminal and run:
+
 ```bash
-code --version
+
 python --version
 git --version
 gh --version
@@ -56,8 +58,9 @@ gh auth status   # expected: Logged in to github.com as <your-username>
 
 ```bash
 cd securetrails-vulnerable
-python database.py   # initialises database.db
 code .
+python database.py   # initialises database.db
+
 ```
 
 In VS Code press `Ctrl+Alt+I` to open Copilot Chat. Confirm it is signed in.

workshop/exercise-02-discover-review.md

@@ -17,14 +17,15 @@ These are different from Copilot Chat: they use specialised models focused on su
 ---
 
 ## Step 1 — Scan for Hardcoded Secrets
+Open copilot chat (`Ctrl+Alt+I`) and use the `/plugin`, from marketplace select `advanced-security` to activate the secret scanning skill. 
 
 Open `config.py` in VS Code. In Copilot Chat (`Ctrl+Alt+I`), type `#secret-scanning` to activate the skill, then paste the prompt below:
 
 ```
 Scan config.py for any hardcoded secrets, API keys, passwords, tokens, or credentials. Use the secret scanning skill to check each value against known secret patterns. List every finding with: variable name | value type | risk level | recommended fix.
 ```
 
-Then repeat for `app.py`:
+Then repeat for `app.py` (optional):
 
 ```
 Scan app.py for hardcoded secrets, JWT tokens, and API keys. List every finding with file, variable name, line number, and the os.environ.get() replacement needed.
@@ -34,7 +35,7 @@ Scan app.py for hardcoded secrets, JWT tokens, and API keys. List every finding
 
 ## Step 2 — Review a Function with VS Code Code Review (Selection Mode)
 
-Open `app.py`. Select the entire `login()` function (lines 23–40).
+Open `app.py`. Select the entire `login()` function (lines 24–41).
 
 **Right-click** the selection → **Copilot** → **Review and Comment**.
 
@@ -70,9 +71,10 @@ Do not commit any changes yet — you will fix them properly in Exercises 03 and
 
 ## Step 5 — Customise Reviews with OWASP Instructions *(Optional)*
 
-To focus every future review on OWASP Top 10 checks, add to `.github/copilot-instructions.md`:
+To focus every future review on OWASP Top 10 checks, create `.github/copilot-instructions.md`, select it as context in chat and then use `/create-instruction` with the following prompt:
 
 ```markdown
+Update the copilot-instructions.md file with the following content:
 When performing a code review, apply the OWASP Top 10 2021 checklist.
 Focus on: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A05 Security Misconfiguration.
 Flag any user input that reaches a database query, file path, or HTML output without sanitisation.
@@ -86,12 +88,13 @@ Flag any user input that reaches a database query, file path, or HTML output wit
 - [ ] Selection review on `login()` flagged the SQL injection f-string
 - [ ] Uncommitted changes review generated inline comments across changed files
 - [ ] You understand the difference between selection review and uncommitted changes review
+- [ ] You understand how to create copilot-instructions for customising reviews
 
 ---
 
 ## Key Takeaway
 
-> Secret scanning finds committed credentials using GitHub's detection engine; VS Code Code Review surfaces broader code quality and security issues inline — both without leaving the editor.
+> Secret scanning finds committed credentials using GitHub's detection engine; VS Code Code Review surfaces broader code quality and security issues inline — both without leaving the editor; Copilot instructions allow you to customise the review focus.
 
 ---
 

workshop/exercise-03-fix-core.md

@@ -9,9 +9,9 @@
 ## Background
 
 These are the most dangerous vulnerabilities in SecureTrails:
-- **SQL Injection** (OWASP A03) — user input is directly concatenated into SQL strings at `app.py` lines 30, 52, 132. Fix: parameterized queries.
-- **Broken Authentication** (OWASP A01) — the `/admin` route accepts any URL parameter as `user_id` with no role check (lines 43–46). Fix: session role validation.
-- **IDOR** (OWASP A01) — `/trail/<trail_id>` has no ownership check and a second SQL injection (line 52). Fix: parameterized query + auth check.
+- **SQL Injection** (OWASP A03) — user input is directly concatenated into SQL strings at `app.py`. Fix: parameterized queries.
+- **Broken Authentication** (OWASP A01) — the `/admin` route accepts any URL parameter as `user_id` with no role check. Fix: session role validation.
+- **IDOR** (OWASP A01) — `/trail/<trail_id>` has no ownership check and a second SQL injection. Fix: parameterized query + auth check.
 
 ---
 
@@ -24,7 +24,7 @@ Find every place in app.py where user input from request.args, request.form, or
 List each as: function name | line number | the vulnerable line of code.
 ```
 
-Expected findings: `login()` line 30, `view_trail()` line 52, `search()` line 132.
+Expected findings: `login()` line 30, `view_trail()` line 53, `search()` line 107.
 
 ---
 
@@ -56,7 +56,7 @@ Rewrite the admin() function so it:
 Show the corrected function.
 ```
 
-Apply the suggested code with `Ctrl+I` on the `admin()` function.
+Apply the suggested code with `Ctrl+enter` on the `admin()` function.
 
 ---
 
@@ -72,7 +72,7 @@ Rewrite it to:
 Return 403 if not authenticated.
 ```
 
-Apply with `Ctrl+I`.
+Apply with `Ctrl+enter`.
 
 ---
 
@@ -88,7 +88,7 @@ Replace it so it:
 Show the corrected block.
 ```
 
-Apply with `Ctrl+I`.
+Apply with `Ctrl+enter`.
 
 ---
 
@@ -103,15 +103,15 @@ Review the updated app.py. Confirm:
 3. The /trail/<id> route requires authentication
 List any remaining issues.
 ```
-
-Commit:
+All these 3 issues are now fixed.
+<!---Commit:
 
 ```bash
 git add app.py
 git commit -m "fix(security): parameterized queries (SQLi x3), admin role check, IDOR auth"
 git push
 ```
-
+--->
 ---
 
 ## Verify

workshop/exercise-04-fix-remaining.md

@@ -10,16 +10,16 @@
 
 After fixing SQL injection and auth in Exercise 03, these vulnerabilities remain:
 
-| Vulnerability | OWASP | File | Line(s) |
-|---------------|-------|------|---------|
-| XSS — unescaped Jinja2 output | A03 | trails.html L12, L13, L17, login.html L11 | |
-| DOM-based XSS — `innerHTML` | A03 | js/app.js L11, trails.html L34 | |
-| `eval()` usage | A03 | js/app.js L2 | |
-| Hardcoded `SECRET_KEY` + `JWT_SECRET` | A02 | app.py L10–11 | |
-| Hardcoded credentials in config | A02 | config.py L6, L12, L17 | |
-| MD5 password hashing | A02 | app.py L63–64 | |
-| Debug mode always on + `/debug` endpoint | A05 | app.py L81 (DEBUG flag), L84–91 (/debug route) | |
-| CORS wildcard `*` | A05 | app.py L14 | |
+| Vulnerability | OWASP | File | 
+|---------------|-------|------|
+| XSS — unescaped Jinja2 output | A03 | trails.html, login.html | 
+| DOM-based XSS — `innerHTML` | A03 | js/app.js, trails.html | 
+| `eval()` usage | A03 | js/app.js | 
+| Hardcoded `SECRET_KEY` + `JWT_SECRET` | A02 | app.py| 
+| Hardcoded credentials in config | A02 | config.py | 
+| MD5 password hashing | A02 | app.py | 
+| Debug mode always on + `/debug` endpoint | A05 | app.py | 
+| CORS wildcard `*` | A05 | app.py | 
 
 ---
 
@@ -32,6 +32,7 @@ The Flask app initialises without explicit autoescaping. Show me how to:
 1. Enable Jinja2 autoescaping for all .html templates in the Flask() constructor call.
 2. Find and remove any {{ variable | safe }} filters in the templates that bypass autoescaping for user-controlled data.
 If autoescape is not set, provide the corrected constructor and list any unsafe | safe usages.
+
 ```
 
 Apply with `Ctrl+I` on the `app = Flask(__name__)` line.

workshop/exercise-05-cli-review-agents.md

@@ -10,6 +10,8 @@
 
 After applying IDE fixes in Exercises 03–04, the CLI provides a second verification layer:
 - **`/review`** — Copilot's built-in `code-review` agent analyses changes directly in the terminal, without a browser tab
+
+!note:"Ensure there are local uncommitted changes before running /review; make a small test edit first if needed."
 - **Custom agents** — `.agent.md` files in `.github/agents/` package specialist security expertise that any developer can invoke by name, reducing dependency on dedicated security team members
 
 ---

workshop/exercise-06-optional-cli-analysis.md

@@ -18,7 +18,7 @@ CLI interactive mode gives you a security consultant in your terminal. Unlike on
 
 ```bash
 cd securetrails-vulnerable
-gh copilot chat
+copilot 
 ```
 
 ---