Welcome to Secure Code Game - Season 2! 👋
To get started, please follow the 🛠️ set up guide (if you haven't already) from the welcome page.
Welcome to Level 1! 🤖
Languages: yaml for GitHub Actions
The author of this level is Deniz Onur Duzgun @dduzgun-security.
You can be next! We welcome contributions for new game levels! Learn more here.
Jarvis, your trusty geek who gets really excited about automating everything, has some tips for you. He has been experimenting lately with GitHub Actions and made several great additions to our CI/CD pipeline. Among other useful additions, he suggested that it would be helpful for our project team to receive the GitHub status page. What can go wrong? Do you have what it takes to fix the bug and progress to Level 2?
- `code` normally includes the vulnerable code to be reviewed. For this level, due to the nature of GitHub Actions, this file is referencing `.github/workflows/jarvis-code.yml`.
- `hack` exploits the vulnerabilities in `code`. For this level, this file is referencing `.github/workflows/jarvis-hack.yml`. Initially, it fails ❌ upon pushing, and the only requirement for you to reach the next level is to get this file to pass 🟢.
- `hint` files offer guidance if you get stuck. We provide 2 hints for this level.
- `solution` offers a working solution. Remember, there are several possible solutions.
- Review the code inside `.github/workflows/jarvis-code.yml`. Can you spot the bug(s)?
- Fix the bug and push your solution so that GitHub Actions can run.
- You successfully completed this level when `.github/workflows/jarvis-hack.yml` passes 🟢.
- If you get stuck, read the hint in `hint-1.txt` and try again.
- If you need more guidance, read the hint in `hint-2.txt` and try again.
- Compare your solution with `solution.yml`. Remember, there are several possible solutions.
If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack in the #secure-code-game channel.
You have completed Level 1: Jarvis Gone Wrong! Welcome to Level 2: Lumberjack 🎉
Languages: go
The author of this level is Deniz Onur Duzgun @dduzgun-security.
Welcome to the world of Lumberjack, the "clumsiest service in town", according to the online reviews! Customers have been noticing irregularities in both their site and services. We dumped a few reviews in an AI chatbot to summarize and what we've got back were a few keywords that said it all! Keywords included the words "discrepancies" and "inconsistencies". Something is clearly off here. Do you have what it takes to win this fight against "inconsistencies", "discrepancies" and "irregularities" and progress to Level 3?
- If you are playing the game inside GitHub Codespaces, the `go` programming language extension should already be installed. At times, this is not enough to run `go` files and you have to visit Go's official website and download the version corresponding to your operating system.
- For Levels 2-4 in Season 2, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions on setting up code scanning, see "Setting up code scanning using starter workflows."
Due to the nature of file conventions in the `go` programming language, some file names look different compared to our usual file structure. We have the following:
- `code` includes the vulnerable code to be reviewed.
- `code_test` contains the unit tests that should still pass 🟢 after you implement your fix.
- `hack_test` exploits the vulnerabilities in `code`. Running `hack_test.go` will fail initially, and your goal is to get this file to pass 🟢.
- `hint` files offer guidance if you get stuck. We provide 2 hints for this level. Remember that you can also view the CodeQL scanning alerts for guidance.
- `solution` provides one working solution. There are several possible solutions.
- `solution_test` is identical to `code_test` and is used to test the solution against failing and passing payloads.
- `go.mod` is a `go` programming language convention for a module residing at the root of the module's directory hierarchy.
- Review the code in `code.go`. Can you spot the bug(s)?
- Try to fix the bug. Open a pull request to `main` or push your fix to a branch.
- You successfully completed this level when you (a) resolve all related code scanning alerts and (b) both `hack_test.go` and `code_test.go` pass 🟢.
- If you get stuck, read the hints and try again.
- If you need more guidance, read the CodeQL scanning alerts.
- Compare your solution to `solution/solution.go`.
Nice work finishing Level 2: Lumberjack! It's now time for Level 3: Space-Crossing ✨
Languages: python3
The author of this level is Viral Vaghela.
Our solar system is 4.6 billion years old and it's constantly expanding. So is human interest in it around the world, with local communities of enthusiasts constantly forming in an increasingly digitized world. Space enthusiasts use the internet as an information bank and to connect with their counterparts. This was exactly what drove a local community of space enthusiasts to create a public website, featuring their meetups, alongside contact information and a simple search bar where users can discover rare facts about planets. Having said that, did you know that ninety-five per cent (95%) of the Universe is invisible? What percentage of security issues is invisible though, and for how long? Do you have what it takes to secure the site and progress to Level 4?
- For Levels 2-4 in Season 2, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions on setting up code scanning, see "Setting up code scanning using starter workflows."
- `code` includes the vulnerable code to be reviewed.
- `hack` exploits the vulnerabilities in `code`. Running `hack` will fail initially, and your goal is to get this file to pass 🟢.
- `hint` offers guidance if you get stuck. Remember that you can also view the CodeQL scanning alerts.
- `solution` provides one working solution. There are several possible solutions.
- `templates/index.html` hosts a simple front-end to interact with the back-end.
- `tests` contains the unit tests that should still pass 🟢 after you implement your fix.
- Review the code in `code.py`. Can you spot the bug(s)?
- Try to fix the bug. Open a pull request to `main` or push your fix to a branch.
- You successfully completed this level when you (a) resolve all related code scanning alerts and (b) both `hack.py` and `tests.py` pass 🟢.
- If you get stuck, read the hint and try again.
- If you need more guidance, read the CodeQL scanning alerts.
- Compare your solution to `solution.py`.
Nicely done! Level 3: Space-Crossing is complete. It's time for Level 4: Planet XMLon 🥳
Languages: javascript
The author of this level is Deniz Onur Duzgun @dduzgun-security.
Embark on your quest as a daring EXXplorer in the vibrant landscape of the newly discovered Planet XMLon. The alien inhabitants are baffled by mysterious disruptions in their data transmissions, which may have been caused by the main developer E.T., who added more features than intended. Help them decode the extraterrestrial XML signals and unveil the secrets hidden within the starry constellations of tags, attributes and `.admin` files. Can you secure them all?
- For Levels 2-4 in Season 2, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions on setting up code scanning, see "Setting up code scanning using starter workflows."
- `code` includes the vulnerable code to be reviewed.
- `hack` exploits the vulnerabilities in `code`. Running `hack` will fail initially, and your goal is to get this file to pass 🟢.
- `hack.admin` is a file used by administrators for debugging purposes.
- `hint` offers guidance if you get stuck. Remember that you can also view the CodeQL scanning alerts.
- `package.json` contains all the dependencies required for this level. You can install them by running `npm install`.
- `package-lock.json` ensures that the same dependencies are installed consistently across different environments.
- `solution` provides one working solution. There are several possible solutions.
- `tests` contains the unit tests that should still pass 🟢 after you implement your fix.
- `.env.production` is an internal server-side file containing a secret environment variable.
- Start by installing the dependencies required for this level by running `npm install`. These dependencies reside inside `package.json`.
- Review the code in `code.js`. Can you spot the bug(s)?
- Try to fix the bug. Open a pull request to `main` or push your fix to a branch.
- You successfully completed this level when you (a) resolve all related code scanning alerts and (b) both `hack.js` and `tests.js` pass 🟢.
- If you get stuck, read the hint and try again.
- If you need more guidance, read the CodeQL scanning alerts.
- Compare your solution to `solution.js`.
Almost there... but also, so far away! A special level awaits you to complete Season 2! ❤️
Languages: javascript
The author of this level is the original creator of the game, Joseph Katsioloudes @jkcso.
'Anarchy' (noun) is the state of disorder due to absence or non-recognition of authority or other controlling systems. This was the first word that came to mind when I finished writing `code.js`. Is anarchy exploitable? Can you spot the issues? Good luck, you will need it!
- `code` includes the vulnerable code to be reviewed.
- `hack` files exploit the vulnerabilities in `code`. For this level, the exploits couldn't be automated. To run them, follow the instructions provided inside.
- `hint` files offer guidance if you get stuck.
- `solution` provides one working solution. There are several possible solutions.
- `index` hosts the homepage, featuring a JavaScript console.
- Review the code in `code.js`. Can you spot the bug(s)?
- You successfully completed this level when the exploits inside `hack.js` are unsuccessful. Remember, due to the nature of the exploits, you have to run them manually.
- If you get stuck, read the hints.
- Compare your solution to `solution.js`.
Congratulations, you've completed the Secure Code Game!
Here's a recap of all the tasks you've accomplished:
- You practiced secure code principles by spotting and fixing vulnerable patterns in real-world code.
- You assessed your solutions against exploits developed by GitHub Security Lab experts.
- You utilized GitHub code scanning features and understood the security alerts generated against your code.
- Follow GitHub Security Lab for the latest updates and announcements about this course.
- Contribute new levels to the game in 3 simple steps! Read our Contribution Guideline.
- Share your feedback and ideas in our Discussions and join our community on Slack.
- Take another skills course.
- Read more about code security.
- To find projects to contribute to, check out GitHub Explore.
Get help: Email us at securitylab-social@github.com • Review the GitHub status page
© 2023 GitHub • Code of Conduct • MIT License