Code Scanning Alerts & Dependency Alerts on non-default Branches

This is a copy of WebGoatm, a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.

WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program. WebGoat's default configuration binds to localhost to minimize the exposure.

WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.

In order to install and run it, check out the original demo created by @bas

Workflow with the CodeQL analysis. Runs at 0:00 UTC on Sunday.

You can check the results of its runs on the Security Tab.

Workflow that checks every new PR that changes dependencies files. If the PR introduces dependencies with known vulnerabilities, it fails. PRs that don't change dependencies are not checked.

Uses this Action to perform the analysis on non-default branches. The Action uses GitHub's SecurityVulnerability API