This demo code will trigger 3 alerts from code-scanning with CodeQL, and 2 alerts from secret scanning:

Incorrect suffix check. This suffix check is missing a length comparison to correctly handle lastIndexOf returning -1.

Database query built from user-controlled sources. This query depends on a user-provided value.

Missing rate limiting. This route handler performs a database access, but is not rate-limited.