Resolve GitHub issues using GitHub Copilot

GitHub issues are a powerful way to track bugs, enhancements, and tasks for a project.

In this exercise, you use GitHub Copilot to help you analyze and resolve GitHub issues that relate to security vulnerabilities in an e-commerce application.

This exercise should take approximately 40 minutes to complete.

IMPORTANT: To complete this exercise, you must provide your own GitHub account and GitHub Copilot subscription. If you don’t have a GitHub account, you can sign up for a free individual account and use a GitHub Copilot Free plan to complete the exercise. If you have access to a GitHub Copilot Pro, GitHub Copilot Pro+, GitHub Copilot Business, or GitHub Copilot Enterprise subscription from within your lab environment, you can use your existing GitHub Copilot subscription to complete this exercise.

Before you start

Your lab environment must include the following: Git 2.48 or later, .NET SDK 9.0 or later, Visual Studio Code with the C# Dev Kit extension, and access to a GitHub account with GitHub Copilot enabled.

If you’re using a local PC as a lab environment for this exercise:

For help with configuring your local PC as your lab environment, open the following link in a browser: Configure your lab environment resources.
For help with enabling your GitHub Copilot subscription in Visual Studio Code, open the following link in a browser: Enable GitHub Copilot within Visual Studio Code.

If you’re using a hosted lab environment for this exercise:

For help with enabling your GitHub Copilot subscription in Visual Studio Code, paste the following URL into a browser’s site navigation bar: Enable GitHub Copilot within Visual Studio Code.
To ensure that the .NET SDK is configured to use the official NuGet.org repository as a source for downloading and restoring packages:

Open a command terminal and then run the following command:
```
  dotnet nuget add source https://api.nuget.org/v3/index.json -n nuget.org
```
To ensure that Git is configured to use your name and email address:

Update the following commands with your information, and then run the commands:
```
  git config --global user.name "John Doe"
```
```
  git config --global user.email johndoe@example.com
```

Exercise scenario

You’re a software developer working for a consulting firm. Your clients need help with resolving issues in their GitHub repositories. You need to ensure that all issues are addressed and closed. You use Visual Studio Code and GitHub Copilot as your development environment. You’re assigned to the following app:

ContosoShopEasy: ContosoShopEasy is an e-commerce application that contains multiple security vulnerabilities. The vulnerabilities represent common security issues found in real-world applications.

This exercise includes the following tasks:

Import the ContosoShopEasy repository.
Review the issues in GitHub.
Clone the repository and review the codebase.
Analyze issues using GitHub Copilot’s Ask mode.
Resolve issues using GitHub Copilot’s Agent mode.
Test and verify the refactored code.
Commit changes and close issues.

NOTE: To save time during this training exercise, you resolve a group of issues and push updates in a single commit. Processing issues in batches isn’t a recommended best practice. Microsoft and GitHub recommend resolving each issue individually with separate commits rather than batch processing. Resolving issues individually provides better traceability, easier code reviews, and safer rollback options if problems arise.

Import the ContosoShopEasy repository

GitHub Importer allows you to create a copy of an existing repository in your own GitHub account, giving you full control over the imported copy. Although GitHub Importer doesn’t migrate Issues, PRs, or Discussions, it does import GitHub Actions workflows. The repository that you import includes a GitHub Actions workflow that creates issues associated with the codebase.

In this task, you import the ContosoShopEasy repository and run a workflow to create GitHub issues for the security vulnerabilities included in the codebase.

Use the following steps to complete this task:

Open a browser window and navigate to GitHub.com.
Sign in to your GitHub account.
Open your repositories tab.

You can open your repositories tab by clicking on your profile icon in the top-right corner, then selecting Repositories.
On the Repositories tab, select the New button.
Under the Create a new repository section, select Import a repository.

The Import your project to GitHub page appears.
On the Import your project to GitHub page, under Your source repository details, enter the following URL for the source repository:
```
 https://github.com/MicrosoftLearning/resolve-github-issues-lab-project
```
Under the Your new repository details section, in the Owner dropdown, select your GitHub username.
In the Repository name field, enter ResolveGitHubIssues and then select Begin import.

GitHub creates the new repository in your account with the ContosoShopEasy project files.

NOTE: It can take a minute or two to import the repository.
Wait for the import process to complete, then open your new repository.
Open the Actions tab of your repository.
On the left side under All workflows, select the Create ContosoShopEasy Training Issues workflow, and then select Run workflow.
In the workflow dialog that appears, type CREATE and then select Run workflow.
Monitor the onscreen progress of the workflow.

After a moment, the page will refresh and display a progress bar. The workflow should complete successfully in less than a minute.
Ensure that the workflow completes successfully before proceeding.

A checkmark in a green circle to the left of the workflow name indicates that the workflow ran successfully.

If you see an X in a red circle to the left of the workflow name, it means that the workflow failed. If the workflow fails to run successfully, ensure that you selected your account when you imported the repository and that your account has read and write permissions. You can use GitHub’s Chat with Copilot feature to help diagnose the issue.

Review the issues in GitHub

GitHub issues serve as a centralized tracking system for bugs, security vulnerabilities, and enhancement requests. Each issue provides context about the problem, its severity, and potential impact on the application. Understanding these issues before diving into the code helps establish priorities and ensures comprehensive remediation.

In this task, you review the GitHub issues and examine the security vulnerabilities that need to be addressed.

Use the following steps to complete this task:

Select the Issues tab of your repository, and then take a minute to review the Issues page.

You should see 10 issues listed. Notice that the issues are defined as bugs and that they’ve been assigned a priority level.
To display only the critical issues, select the Labels dropdown, and then select the critical label.

The issues list filters to show only the critical issues.
- 🔐 Fix Credit Card Data Storage Violations
- 🔐 Remove Hardcoded Admin Credentials
To display only the high-priority issues, select the Labels dropdown, deselect critical, and then select the high-priority label.

The issues list filters to show only the high-priority issues.
- 🔐 Fix Input Validation Security Bypass
- 🔐 Remove Sensitive Data from Debug Logging
- 🔐 Fix SQL Injection Vulnerability in Product Search
- 🔐 Replace MD5 Password Hashing with Secure Alternative
Select the Fix SQL Injection Vulnerability in Product Search issue.
Take a minute to review the issue details.

Issue details should describe the problem and the expected fix.

NOTE: The process used to generate issues, including manual versus automated processes, affects the overall quality and accuracy of the issue descriptions. The issues included in this training were written using GitHub Copilot’s Agent mode after the agent reviewed the codebase. GitHub Copilot generated highly detailed descriptions of the vulnerabilities, code locations, examples of the vulnerable code, security risks, and acceptance criteria for fixes.
Notice that no one is assigned to the issue.
Navigate back to the Issues tab and clear the filters.
Select all of the issues, and then use the Assign dropdown to assign them to yourself.

Assigning issues to yourself helps track your progress as you work through the remediation process.

Clone the repository and review the codebase

Understanding the structure and functionality of an existing codebase is essential before implementing security fixes. The ContosoShopEasy application follows a layered architecture typical of enterprise applications, with clear separation between models, services, data access, and security components. Reviewing the code structure and running the application helps establish a baseline for testing after implementing security improvements.

In this task, you clone the ContosoShopEasy repository, examine the project structure, observe the application’s current behavior, and review security vulnerabilities.

Use the following steps to complete this task:

Open the Code tab of your repository.
Clone the ResolveGitHubIssues repository to your local development environment.

For example, you can use the following steps to clone the repository using Git CLI:
1. Copy the repository URL by selecting the Code button and then copying the HTTPS URL.
2. Open a terminal window, navigate to the directory where you want to clone the repository, and run the following command (replacing your-username with your GitHub username):
```
 git clone https://github.com/your-username/ResolveGitHubIssues.git
```
Open the cloned repository in Visual Studio Code.

Navigate to the repository folder and open it in Visual Studio Code. Ensure that you have the GitHub Copilot and GitHub Copilot Chat extensions installed and enabled.
Examine the project structure in the EXPLORER view.

The ContosoShopEasy application follows a layered architecture with the following components:
- Models/: Contains data models for Category.cs, Order.cs, Product.cs, and User.cs.
- Services/: Contains business logic in OrderService.cs, PaymentService.cs, ProductService.cs, and UserService.cs.
- Data/: Contains data repositories in OrderRepository.cs, ProductRepository.cs, and UserRepository.cs.
- Security/: Contains security validation logic in SecurityValidator.cs
- Program.cs: Main application entry point with dependency injection setup
- README.md: Documentation explaining the application’s purpose and vulnerabilities
Build and run the application to observe its current behavior.

Run the following commands in the terminal:
```
 cd ContosoShopEasy
 dotnet build
 dotnet run
```
The application runs an e-commerce workflow simulation that exposes security vulnerabilities through detailed console logging.
Review the console output.

Notice that the application logs sensitive information such as passwords, credit card numbers, admin credentials, and internal system details. This output provides clear evidence of the security issues that need to be addressed.

NOTE: Code logic and logging in this app are designed to expose security vulnerabilities. Although the implementation is contrived, the logs highlight security issues that are common in real-world applications.
To begin a review process that identifies security vulnerabilities in the codebase, expand the Models folder, and then open the Order.cs file.
Scroll down to find the PaymentInfo class.

Notice the comments regarding the CardNumber and CVV properties. This code is related to the “Fix Credit Card Data Storage Violations” issue.
Expand the Security folder and then open the SecurityValidator.cs file.
Take a minute to locate the following security issues:
- Near the top of the file, notice the comment related to the admin credential constants (lines 7-9). This code is related to the “Remove Hardcoded Admin Credentials” issue.
- Locate the ValidateInput method and review the comments describing security vulnerabilities. This code is related to the “Fix Input Validation Security Bypass” issue.
- Locate the ValidateEmail method and review the comments describing security vulnerabilities. This code is related to the “Improve Email Validation Security” issue.
- Locate the ValidatePasswordStrength method and review the comments describing security vulnerabilities. This code is related to the “Strengthen Password Security Requirements” issue.
- Locate the GenerateSessionToken method and review the comments describing security vulnerabilities. This code is related to the “Fix Predictable Session Token Generation” issue.
- Locate the RunSecurityAudit method and review the comments describing security vulnerabilities. This code is related to the “Reduce Information Disclosure in Error Messages” issue.
Expand the Services folder and then open the UserService.cs file.
Take a minute to locate the following security issues:
- Locate the RegisterUser, LoginUser, and ValidateUserInput methods and review the comments describing security vulnerabilities. This code is related to the “Remove Sensitive Data from Debug Logging” issues.
- Locate the GetMd5Hash method and review the comments describing security vulnerabilities. This code is related to the “Replace MD5 Password Hashing with Secure Alternative” issue.
Open the PaymentService.cs file.
Take a minute to review the comments describing security vulnerabilities.

This code is related to the “Remove Sensitive Data from Debug Logging” issue.
Open the ProductService.cs file.
Take a minute to review the SearchProducts method.

This code is related to the “Fix SQL Injection Vulnerability in Product Search” issue.

Analyze issues using GitHub Copilot’s Ask mode

GitHub Copilot’s Ask mode provides intelligent code analysis capabilities that can help identify security vulnerabilities, understand their potential impact, and suggest remediation strategies. By systematically analyzing each security issue, you can develop a comprehensive understanding of the problems before implementing fixes. This approach ensures that solutions address root causes rather than just symptoms.

In this task, you use GitHub Copilot’s Ask mode to systematically analyze the security vulnerabilities.

Use the following steps to complete this task:

Open the GitHub Copilot Chat view and ensure that Ask mode is selected.

If the Chat view isn’t already open, select the Chat icon at the top of the Visual Studio Code window. Verify that the chat mode is set to Ask and you’re using the GPT-4.1 model.
Open the ProductService.cs file, and then locate the SearchProducts method.
In the code editor, select the entire SearchProducts method.

Selecting code in the editor focuses the Chat context. GitHub Copilot uses the selected code to provide relevant analysis and recommendations.

Ask GitHub Copilot to analyze the the code for SQL injection vulnerability.

For example, you can submit the following prompt:

 Analyze the SearchProducts method for security vulnerabilities. What makes this code susceptible to SQL injection attacks, and what are the potential consequences if an attacker exploits this vulnerability?

Review GitHub Copilot’s analysis and then ask for specific remediation guidance.

For example, after reviewing the initial analysis, you can submit the following prompt:
```
 How can I modify this method to prevent SQL injection attacks? What secure coding practices should I implement to safely handle user input in database queries?
```
Take a minute to review GitHub Copilot’s remediation suggestions.
Open the UserService.cs file, and then locate the GetMd5Hash method.
In the code editor, select the entire GetMd5Hash method.

Ask GitHub Copilot to analyze the weak password hashing vulnerability.

For example, you can submit the following prompt:

 Why is MD5 hashing unsuitable for password storage? What are the security risks of using MD5 for passwords, and what stronger alternatives should I use instead?

Review GitHub Copilot’s analysis and then ask for specific remediation guidance.

For example, after reviewing the initial analysis, you can submit the following prompt:
```
 Show me how to implement secure password hashing using bcrypt or PBKDF2. What additional security measures should I implement for password handling?
```
Take a minute to review GitHub Copilot’s remediation suggestions.
In the UserService.cs file, locate the RegisterUser and LoginUser methods.

These methods log user information. Logging sensitive information is a security vulnerability.
In the code editor, select both methods.

Ask GitHub Copilot to analyze the sensitive data logging vulnerability.

For example, you can submit the following prompt:

 What sensitive information is being logged in the user registration and login methods? Why is logging passwords and user data a security risk?

Review GitHub Copilot’s analysis and then ask for specific remediation guidance.

For example, after reviewing the initial analysis, you can submit the following prompt:
```
 How can I modify these methods to prevent sensitive data logging? What secure logging practices should I implement to protect user information?
```
Take a minute to review GitHub Copilot’s remediation suggestions.
Open the PaymentService.cs file, and then locate the ProcessPayment method.
In the code editor, select the entire ProcessPayment method.

Ask GitHub Copilot to analyze the logging of sensitive payment data.

For example, you can submit the following prompt:

 What sensitive payment information is being logged in this method? Why is logging credit card numbers and CVV codes a security risk?

Open the SecurityValidator.cs file, and then locate the admin credential constants near the top of the file.
In the code editor, select the hardcoded admin credential constants.

Ask GitHub Copilot to analyze the hardcoded credentials vulnerability.

For example, you can submit the following prompt:

 What security risks are created by hardcoding admin credentials in source code? How should application credentials be managed securely in production environments?

Review GitHub Copilot’s analysis and then ask for specific remediation guidance.

For example, after reviewing the initial analysis, you can submit the following prompt:
```
 What are best practices for managing application credentials securely? How can I implement secure credential management in this application?
```
Take a minute to review GitHub Copilot’s remediation suggestions.
In the SecurityValidator.cs file, locate the ValidateInput method.
In the code editor, select the entire ValidateInput method.

Ask GitHub Copilot to analyze the input validation bypass vulnerability.

For example, you can submit the following prompt:

 What makes this input validation method ineffective? Why does it detect dangerous input but still return true, and how should proper input validation work?

Review GitHub Copilot’s analysis and then ask for specific remediation guidance.

For example, after reviewing the initial analysis, you can submit the following prompt:

 How can I modify this method to implement effective input validation? What secure coding practices should I follow to prevent input validation bypass vulnerabilities?

Take a minute to review GitHub Copilot’s remediation suggestions.
In the SecurityValidator.cs file, locate the GenerateSessionToken method.
In the code editor, select the entire GenerateSessionToken method.

Ask GitHub Copilot to analyze the predictable session token generation vulnerability.

For example, you can submit the following prompt:

 Why are predictable session tokens based on username and timestamp a security risk? How should secure, unpredictable session tokens be generated?

Review GitHub Copilot’s analysis and then ask for specific remediation guidance.

For example, after reviewing the initial analysis, you can submit the following prompt:
```
 How can I modify this method to generate secure, unpredictable session tokens? What cryptographic techniques should I use to enhance session token security?
```
Take a minute to review GitHub Copilot’s remediation suggestions.
In the SecurityValidator.cs file, locate the ValidateEmail method.
In the code editor, select the entire ValidateEmail method.

Ask GitHub Copilot to analyze the weak email validation vulnerability.

For example, you can submit the following prompt:

 What makes this email validation insufficient? What are the security risks of weak email validation, and how should proper email validation be implemented?

Review GitHub Copilot’s analysis and then ask for specific remediation guidance.

For example, after reviewing the initial analysis, you can submit the following prompt:
```
 How can I modify this method to implement robust email validation? What techniques should I use to ensure email addresses are properly validated?
```
In the SecurityValidator.cs file, locate the ValidatePasswordStrength method.
In the code editor, select the entire ValidatePasswordStrength method.

Ask GitHub Copilot to analyze the insufficient password requirements vulnerability.

For example, you can submit the following prompt:

 Why are these password requirements insufficient for security? What are proper password complexity requirements, and how should password strength be validated?

Review GitHub Copilot’s analysis and then ask for specific remediation guidance.

For example, after reviewing the initial analysis, you can submit the following prompt:
```
 How can I modify this method to enforce strong password requirements? What best practices should I follow for password strength validation?
```
Take a minute to review GitHub Copilot’s remediation suggestions.
Under the Models folder, open the Order.cs file, and then locate the PaymentInfo class.
In the code editor, select the CardNumber and CVV properties within the PaymentInfo class.

Ask GitHub Copilot to analyze the credit card data storage violations.

For example, you can submit the following prompt:

 Why is storing full credit card numbers and CVV codes a PCI DSS compliance violation? What are the proper ways to handle payment card data securely?

Return to the SecurityValidator.cs file, and then locate the RunSecurityAudit method.
In the code editor, select the entire RunSecurityAudit method.

Ask GitHub Copilot to analyze the information disclosure vulnerability.

For example, you can submit the following prompt:

 How does the security audit method create information disclosure vulnerabilities? What information should never be exposed in logs or error messages?

Document the analysis results for reference during the remediation phase.

Take notes on GitHub Copilot’s recommendations for each vulnerability category. This documentation will guide your implementation of security fixes in the next task.

Resolve issues using GitHub Copilot’s Agent mode

GitHub Copilot’s Agent mode enables autonomous implementation of complex security fixes across multiple files and methods. Unlike Ask mode, which provides analysis and recommendations, Agent mode can directly modify code to implement security improvements. This approach is particularly effective for systematic security remediation, where multiple related vulnerabilities need to be addressed consistently.

In this task, you use GitHub Copilot’s Agent mode to implement comprehensive security fixes for all identified vulnerabilities in the ContosoShopEasy application.

Use the following steps to complete this task:

Switch GitHub Copilot Chat to Agent mode.

Agent mode allows GitHub Copilot to make direct code modifications based on your instructions. Agent mode works to establish an appropriate context by reviewing relevant files in the codebase. You can add files and folders to the context manually to ensure that the agent has the necessary information to perform complex tasks.
Take a minute to consider your remediation strategy.

Based on your analysis using GitHub Copilot’s Ask mode, plan your approach to addressing the security vulnerabilities.

The GitHub issues, in order starting with the most critical, are as follows:
1. 🔐 Fix SQL Injection Vulnerability in Product Search
2. 🔐 Replace MD5 Password Hashing with Secure Alternative
3. 🔐 Remove Sensitive Data from Debug Logging
4. 🔐 Remove Hardcoded Admin Credentials
5. 🔐 Fix Credit Card Data Storage Violations
6. 🔐 Fix Input Validation Security Bypass
7. 🔐 Fix Predictable Session Token Generation
8. 🔐 Improve Email Validation Security
9. 🔐 Strengthen Password Security Requirements
10. 🔐 Reduce Information Disclosure in Error Messages
These issues are associated with specific files and methods in the codebase. When organized by file association, the issues are as follows:
- ProductService.cs: Issue #1
- UserService.cs: Issues #2 and #3
- PaymentService.cs: Issue #3
- SecurityValidator.cs: Issues #4, #6, #7, #8, #9, and #10
- Models/Order.cs: Issue #5
Your remediation strategy should involve addressing each issue systematically, ensuring that fixes are implemented correctly and consistently.
Close all open files in the code editor to start with a clean context.
Add the ProductService.cs file to the chat context.

The SQL injection issue is associated with the ProductService.cs file, and the SearchProducts method in particular.
Ask GitHub Copilot to address the SQL injection vulnerability first.

Your analysis using GitHub Copilot’s Ask mode revealed that the method constructs SQL queries using user input without proper sanitization.

Your analysis can be used to construct a clear instruction for the agent to remediate the vulnerability. For example, you can assign the following task to the agent:
```
 Fix the SQL injection vulnerability in the SearchProducts method. Remove the simulated SQL query logging that demonstrates the vulnerability, and implement proper input sanitization to safely handle search terms. Ensure the method still functions correctly for legitimate searches while preventing malicious input.
```
Monitor the agent’s progress.

The agent will modify the code to remove vulnerable logging and implement safer input handling.
Take a minute to review the proposed changes, and then select Keep in the Chat view.

Always review GitHub Copilot’s suggested edits in the code editor. Ensure that they maintain functionality while addressing the security concern.

In a production environment, your team should complete the following checklist before moving on to the next issue:
- Code no longer contains the vulnerability.
- Application still functions correctly.
- Security best practices are implemented and no new security issues are introduced.
- Automated tests (if available) pass successfully.
- Code updates are clearly documented.
- Changes are committed with descriptive messages and peer-reviewed before merging and closing the issue.

Implement secure password hashing.

Focus on the UserService.cs file and use the following prompt:

 Replace the MD5 password hashing with bcrypt or PBKDF2. Update the GetMd5Hash method to use a cryptographically secure hashing algorithm with proper salt generation. Ensure compatibility with existing user authentication while improving security.

Review and test the password hashing changes.

The agent will implement stronger password hashing. Test the changes by running the application to ensure user registration and login still function correctly.

Address sensitive data logging (Issue #3).

Focus on the PaymentService.cs and UserService.cs files and instruct the agent:

 Fix sensitive data logging throughout the application. Remove logging of passwords, full credit card numbers, CVV codes, and other sensitive information. Implement secure logging that masks sensitive data while maintaining useful operational information.

Remove hardcoded admin credentials (Issue #4).

Focus on the SecurityValidator.cs file and use this prompt:

 Remove hardcoded admin credentials from the SecurityValidator class. Replace the hardcoded ADMIN_USERNAME and ADMIN_PASSWORD constants with a secure configuration approach using environment variables while maintaining the functionality for educational demonstration purposes.

Fix credit card data storage violations (Issue #5).

Focus on the Models/Order.cs file and instruct the agent:

 Fix PCI DSS compliance violations in the Order model. Remove or modify the CardNumber and CVV properties to avoid storing full credit card numbers and CVV codes. Implement secure payment data handling that stores only last 4 digits for display purposes.

Fix input validation bypass (Issue #6).

Instruct the agent to fix the input validation vulnerability:

 Fix the ValidateInput method in SecurityValidator that currently always returns true despite detecting threats. Implement proper input validation that actually rejects dangerous content when SQL injection, XSS, or other malicious patterns are detected.

Implement secure session token generation (Issue #7).

Focus on the session token vulnerability:

 Replace the predictable session token generation in GenerateSessionToken method with a cryptographically secure random token generator. Remove the username and timestamp-based pattern and implement unpredictable tokens with sufficient entropy.

Strengthen email validation (Issue #8).

Address the weak email validation:

 Fix the ValidateEmail method that only checks for '@' and '.' characters. Implement proper email format validation using regex or built-in validation methods. Remove email logging and add appropriate length restrictions.

Improve password requirements (Issue #9).

Focus on the password strength validation:

 Strengthen the ValidatePasswordStrength method that currently only requires 4 characters. Implement proper password complexity requirements including minimum 8 characters, uppercase, lowercase, numbers, and special characters. Remove password logging.

Reduce information disclosure (Issue #10).

Address the debug logging and security audit issues:

 Fix information disclosure vulnerabilities by removing or restricting the RunSecurityAudit method and reducing verbose error messages throughout the application. Remove sensitive system information from logs while maintaining useful debugging capabilities.

Test the application.

After the agent implements fixes for each vulnerability category, run the application to ensure functionality is preserved:
```
 dotnet build
 dotnet run
```
Verify that security improvements don’t break core functionality.

Ensure that product search, user registration, payment processing, and other core features continue to work correctly after implementing security fixes.

Test and verify the refactored code

Comprehensive testing after security remediation ensures that vulnerability fixes don’t introduce functional regressions while confirming that security improvements are effective. This verification process should test both the security aspects and the business functionality of the application. Proper testing validates that the application maintains its intended behavior while being more secure.

In this task, you systematically test the updated ContosoShopEasy application to verify that security issues have been resolved and that core functionality remains intact.

Use the following steps to complete this task:

Build the application and resolve any compilation errors.

Run the following command to ensure the code compiles successfully:
```
 dotnet build
```
If there are compilation errors, use GitHub Copilot to help identify and resolve any issues introduced during the security fixes.
Run the complete application to observe the overall behavior.

Execute the application and review the console output:
```
 dotnet run
```
Compare the output with your notes from the original application run. You should see significantly less sensitive information being logged.
Test the SQL injection fix (Issue #1).

Verify that the SearchProducts method no longer logs vulnerable SQL queries and that search functionality still works correctly for legitimate search terms.
Verify password security improvements (Issue #2).

Check that user registration and login processes no longer log plaintext passwords and that stronger password hashing is implemented. The application should still authenticate users correctly.
Confirm sensitive data logging fixes (Issue #3).

Ensure that payment processing and user operations no longer log passwords, full credit card numbers, or CVV codes while maintaining the ability to process transactions successfully.
Validate hardcoded credential removal (Issue #4).

Verify that hardcoded admin credentials are no longer displayed in logs or security audits, while admin functionality remains accessible through secure configuration.
Test credit card storage compliance (Issue #5).

Confirm that the Order model no longer stores full credit card numbers or CVV codes, and that only masked payment information is retained for display purposes.
Verify input validation fixes (Issue #6).

Confirm that the improved ValidateInput method now properly rejects dangerous input instead of just logging warnings and returning true.
Check session token security (Issue #7).

If session tokens are generated during application execution, confirm that they appear random and unpredictable rather than following the previous username-timestamp pattern.
Test email validation improvements (Issue #8).

Verify that the email validation now properly rejects invalid email formats instead of accepting any string with “@” and “.” characters.
Validate password requirement enhancements (Issue #9).

Test that password validation now enforces proper complexity requirements instead of accepting any 4-character string.
Review information disclosure fixes (Issue #10).

Check that the security audit method is removed or restricted and that verbose error messages no longer expose sensitive system information.
Compare the overall security posture with the original version.

Run the application and compare the console output with your initial observations. The application should show significantly improved security while maintaining all core functionality.
Document any remaining issues or areas for improvement.

Note any security concerns that may require additional attention or any functional issues that need to be addressed.

Commit changes and close issues

Proper version control practices ensure that security improvements are properly documented and tracked. Commit messages should clearly describe the security fixes implemented, making it easy for team members to understand what changes were made and why. Closing GitHub issues with descriptive commit messages creates a clear audit trail of security remediation efforts.

In this task, you commit your security improvements to the repository and close the corresponding GitHub issues.

Use the following steps to complete this task:

Review all changes made to the codebase.

Use Git to see what files have been modified:
```
 git status
 git diff
```
Stage all security-related changes for commit.

Add the modified files to the staging area:
```
 git add .
```

Commit all security fixes with a comprehensive message that references all GitHub issues.

Create a single commit that addresses all security vulnerabilities identified in the training exercise:

 git commit -m "Fix all ContosoShopEasy security vulnerabilities

 Security improvements implemented:
 - Fix SQL injection in ProductService SearchProducts method
 - Replace MD5 with secure password hashing (bcrypt/PBKDF2)
 - Remove sensitive data from debug logging (passwords, card numbers, CVV)
 - Remove hardcoded admin credentials, use environment variables
 - Fix PCI DSS violations in Order model (remove full card storage)
 - Fix input validation bypass to properly reject dangerous input
 - Implement secure session token generation with crypto randomness
 - Strengthen email validation with proper format checking
 - Improve password requirements (8+ chars, complexity rules)
 - Reduce information disclosure from security audit and debug logs

 Fixes #1 #2 #3 #4 #5 #6 #7 #8 #9 #10"

NOTE: In a production environment, each issue would typically be addressed in separate commits with individual testing and code review. This single commit approach is used here only to save time during the training exercise.

Push the changes to your GitHub repository.
```
 git push origin main
```
Verify that the GitHub issues are automatically closed.

Navigate to your repository on GitHub and check that the issues are marked as closed due to the commit messages that referenced them.
Review the commit history to ensure all security fixes are properly documented.

Verify that the commit messages clearly describe the security improvements and provide a good audit trail for future reference.

Clean up

Now that you’ve finished the exercise, take a minute to ensure that you haven’t made changes to your GitHub account or GitHub Copilot subscription that you don’t want to keep. For example, you might want to delete the ResolveGitHubIssues repository. If you’re using a local PC as your lab environment, you can archive or delete the local clone of the repository created for this exercise.