Finding vulnerabilities is step one. Fixing them without breaking the application — that's where it gets interesting.
In this challenge, you'll pick at least 3 vulnerabilities from the code scanning alerts you documented in S-01 and fix them. You've got two powerful tools at your disposal: GitHub Copilot in your editor (ask it to explain the vulnerability, suggest a fix, or review your patch) and Copilot Autofix in the Security tab on github.com (hit "Generate fix" on an alert and let it propose a complete remediation).
Each fix should go into its own pull request with a clear description of what was wrong and how you addressed it. The goal isn't just to make the alert disappear — it's to understand why the code was vulnerable and why your fix actually solves the problem.
Power move: If you've done Challenge C-00, consider creating a security-focused custom agent (.github/agents/) that knows about OWASP patterns and the Juice Shop's vulnerability surface. A well-instructed agent can speed up both diagnosis and remediation.