Add learner walkthrough for code scanning (#55192)

Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com>
Co-authored-by: Laura Coursen <lecoursen@github.com>

Author: 3 people

assets/images/help/repository/code-scanning-alert-details-learners.png

@@ -0,0 +1,81 @@
+---
+title: Finding and fixing your first code vulnerability
+shortTitle: Secure your code
+intro: 'Learn the basics of securing your code by resolving a {% data variables.product.prodname_code_scanning %} alert in a demo repository.'
+versions:
+  fpt: '*'
+topics:
+  - Code Security
+  - Code scanning
+  - Alerts
+---
+
+As you're learning to code, it's normal to accidentally introduce vulnerabilities into your projects. If these security issues aren't addressed before you share your work, attackers can use them to manipulate your code and access sensitive data, so it's important to identify and patch them as soon as possible.
+
+Thankfully, there are tools like {% data variables.product.prodname_code_scanning %} that automatically find, explain, and even fix vulnerabilities in your public repositories. In this tutorial, you'll learn how to keep your work secure with {% data variables.product.prodname_code_scanning %}.
+
+## Setting up the demo repository
+
+Let's get started by forking a demo project with a security vulnerability. This project builds a simple webpage, but since we won't deploy the project, there is **no security risk** in this exercise.
+
+1. Navigate to the [`new2code/code-scanning-demo`](https://github.com/new2code/code-scanning-demo) repository.
+1. In the top right of the page, click {% octicon "repo-forked" aria-hidden="true" %} **Fork**.
+1. In the page that appears, click **Create fork**.
+
+## Finding vulnerabilities in your code
+
+Now that we've set up the project, let's turn on {% data variables.product.prodname_code_scanning %} for your fork to check for vulnerabilities in the code.
+
+1. Back on {% data variables.product.github %}, on the home page of your repository, click {% octicon "shield" aria-hidden="true" %} **Security**.
+1. In the "{% data variables.product.prodname_code_scanning_caps %} alerts" row, click **Set up {% data variables.product.prodname_code_scanning %}**.
+1. In the "Tools" section, next to "{% data variables.product.prodname_codeql %} analysis", select **Set up**, then click **Default**.
+1. In the pop up that appears, click **Enable {% data variables.product.prodname_codeql %}**. This will trigger a {% data variables.product.prodname_actions %} workflow that scans your code for vulnerabilities.
+1. To check the status of your workflow, in the navigation bar, click {% octicon "play" aria-hidden="true" %} **Actions**.
+1. Once the workflow is complete, in the navigation bar, click {% octicon "shield" aria-hidden="true" %} **Security**.
+1. To view the {% data variables.product.prodname_code_scanning %} alert discovered by the workflow, in the side navigation, click {% octicon "codescan" aria-hidden="true" %} **{% data variables.product.prodname_code_scanning_caps %}**, then click **Reflected cross-site scripting**.
+
+## Understanding a {% data variables.product.prodname_code_scanning %} alert
+
+Now that {% data variables.product.prodname_code_scanning %} has identified a vulnerability in the code, let's break down the information provided in the alert.
+
+### Location
+
+The alert shows a small preview of a file, centered on the lines of code creating the vulnerability. In our case, the vulnerability is detected on line 8 of our `index.js` file, where we implement the user-provided input in our site.
+
+If we take a closer look, we can see that the underlying issue occurs on line 7, when we assign `greet` to user input without checking for malicious code. To see a step-by-step view of the vulnerability in our code, in the callout below the vulnerable lines, click **Show paths**.
+
+![Screenshot of the location of a {% data variables.product.prodname_code_scanning %} alert. A "Show paths" button is outlined in orange.](/assets/images/help/repository/code-scanning-alert-location-learners.png)
+
+### Description and recommendation
+
+Below the file preview, {% data variables.product.prodname_code_scanning %} provides a more detailed description of the vulnerability. To see the recommended fix, as well as examples of the vulnerable and fixed code, click **Show more** {% octicon "chevron-down" aria-hidden="true" %}.
+
+![Screenshot of the details of a {% data variables.product.prodname_code_scanning %} alert. A dropdown labeled "Show more" is outlined in orange.](/assets/images/help/repository/code-scanning-alert-details-learners.png)
+
+In our case, the recommendation is to sanitize user input before using it. This means we need to check the input for malicious code, then clean it up if necessary.
+
+> [!TIP] If you don't fully understand the recommended fix, try [asking {% data variables.product.prodname_copilot_chat_short %}](https://github.com/copilot) to explain it.
+
+### Timeline
+
+Finally, you can see the timeline of the alert at the bottom of the page. Our timeline contains the commit where the vulnerability was first detected, and will be updated automatically when we fix the vulnerability.
+
+![Screenshot of the timeline for a {% data variables.product.prodname_code_scanning %} alert.](/assets/images/help/repository/code-scanning-alert-timeline-learners.png)
+
+## Fixing a vulnerability automatically
+
+To secure our project quickly and easily, let's use {% data variables.product.prodname_copilot_autofix %} for {% data variables.product.prodname_code_scanning %}.
+
+1. Below the alert title, in the box suggesting you "Speed up the remediation of this alert using {% data variables.product.prodname_copilot_autofix_short %} for {% data variables.product.prodname_codeql %}", click {% octicon "shield-check" aria-hidden="true" %} **Generate fix**.
+1. After {% data variables.product.prodname_copilot_short %} generates the fix suggestion, it will describe the changes it is suggesting, render a preview of the changes, and call out any added dependencies. Take a moment to read through {% data variables.product.prodname_copilot_short %}'s work.
+1. To create a pull request with the fix, click **Commit to new branch**, then click **Commit change**.
+1. Once the draft pull request is created, at the bottom of the page, click **Ready for review** to make it mergeable.
+1. To apply the fix, click **Merge pull request**, then click **Confirm merge**.
+
+    Once the pull request is merged and the {% data variables.product.prodname_code_scanning %} workflow runs again, the alert will be closed automatically, and the commit fixing the vulnerability will be added to the timeline.
+
+  > [!NOTE] In real projects, you should always review the changes suggested by {% data variables.product.prodname_copilot_short %} before committing them to your code.
+
+## Next steps
+
+Now that you've tried out {% data variables.product.prodname_code_scanning %} on a demo repository, **enable it on your own projects** to quickly find and fix current and future vulnerabilities.

assets/images/help/repository/code-scanning-alert-location-learners.png

@@ -10,6 +10,6 @@ children:
   - /setting-up-copilot-for-learning-to-code
   - /learning-to-debug-with-github-copilot
   - /storing-your-secrets-safely
+  - /finding-and-fixing-your-first-code-vulnerability
 shortTitle: Learn to code
 ---
-

assets/images/help/repository/code-scanning-alert-timeline-learners.png

@@ -166,3 +166,5 @@ Once the workflow has had time to complete, you should see a new comment appear.
 ## Next steps
 
 For a more in-depth dive into secret scanning and push protection, you can complete the [Introduction to secret scanning](https://github.com/skills/introduction-to-secret-scanning/tree/main) course in {% data variables.product.prodname_learning %}.
+
+Another important part of code security is learning how to identify and patch code vulnerabilities in your projects. See [AUTOTITLE](/get-started/learning-to-code/finding-and-fixing-your-first-code-vulnerability).