Secure Code Game

Welcome to Secure Code Game - Season 1! 👋

To get started, please follow the 🛠️ set up guide (if you haven't already) from the welcome page.

Season 1 - Level 1: Cyber Monday

Welcome to Level 1! ♟️

Languages: python3

We welcome contributions for new game levels! Learn more here.

📝 Storyline

A few days before the massive shopping event Cyber Monday, an electronics shop without an online presence rushed to create a website to reach a broader customer base. As a result, they spent all their budget on development without investing in security. Do you have what it takes to fix the bug and progress to Level 2?

⌨️ What's in the repo?

For each level, you will find the same file structure:

  • code includes the vulnerable code to be reviewed.
  • hack exploits the vulnerabilities in code. Running hack.py will fail initially; your goal is to get this file to pass.
  • hint offers a hint if you get stuck.
  • solution provides one working solution. There are several possible solutions.
  • tests contains the unit tests that should still pass after you have implemented your fix.

🚦 Time to start!

  1. Review the code in code.py. Can you spot the bug(s)?
  2. Try to fix the bug. Ensure that unit tests are still passing 🟢.
  3. You have successfully completed the level when both hack.py and tests.py pass 🟢.
  4. If you get stuck, read the hint in the hint.js file.
  5. Compare your solution with solution.py.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack, at the #secure-code-game channel.

Season 1 - Level 2: Matrix

You have completed Level 1: Cyber Monday! Welcome to Level 2: Matrix 🎉

Languages: C

We welcome contributions for new game levels! Learn more here.

📝 Storyline

At the time "The Matrix" was first released in 1999, programming was different. In the movie, a computer programmer named Thomas "Neo" Anderson leads the fight in an underground war against powerful computers who have constructed his entire reality with a system called the Matrix. Do you have what it takes to win that war and progress to Level 3?

⌨️ What's in the repo?

For each level, you will find the same file structure:

  • code includes the vulnerable code to be reviewed.
  • hack exploits the vulnerabilities in code. Running hack.c will fail initially; your goal is to get this file to pass 🟢.
  • hint offers a hint if you get stuck.
  • solution provides one working solution. There are several possible solutions.
  • tests contains the unit tests that should still pass 🟢 after you have implemented your fix.

🚦 Time to start!

  1. Review the code in code.h. Can you spot the bug(s)?
  2. Try to fix the bug. Ensure that unit tests are still passing.
  3. The level is completed successfully when both hack.c and tests.c pass 🟢.
  4. If you get stuck, read the hint in the hint.txt file.
  5. Compare your solution with solution.c.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack, at the #secure-code-game channel.

Season 1 - Level 3: Social Network

Nice work finishing Level 2: Matrix! It's now time for Level 3: Social Network

Languages: python3

We welcome contributions for new game levels! Learn more here.

📝 Storyline

The following fictitious story takes place in the mid-2030s. Authorities worldwide have become more digitized. Various governments are adapting social network technology to fight crime. The goal is to establish local communities that foster collaboration by supporting citizens with government-related questions. Other features include profile pictures, hashtags, real-time support in comments, and public tip sharing. Do you have what it takes to secure the social network and progress to Level 4?

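⌨️ Setup instructions

For Levels 3-5 in Season 1, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions on setting up code scanning, see "Setting up code scanning using starter workflows."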

⌨️ What's in the repo?

For each level, you will find the same file structure:

  • code includes the vulnerable code to be reviewed.
  • hack exploits the vulnerabilities in code. Running hack.py will fail initially; your goal is to get this file to pass 🟢.
  • hint offers a hint if you get stuck.
  • solution provides one working solution. There are several possible solutions.
  • tests contains the unit tests that should still pass 🟢 after you have implemented your fix.

🚦 Time to start!

  1. Review the code in code.py. Can you spot the bug(s)?
  2. Try to fix the bug. Open a pull request to main or push your fix to a branch.
  3. You have successfully completed this level when (a) all related code scanning alerts are resolved and (b) both hack.py and tests.py pass 🟢.
  4. If you get stuck, read the hint and try again.
  5. If you need more guidance, read the CodeQL scanning alerts.
  6. Compare your solution to solution.py.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack, at the #secure-code-game channel.

Season 1 - Level 4: Data Bank

Nicely done! Level 3: Social Network from Season 1 is complete. It's time for Level 4: Database 🥳

Languages: python3, sql

We welcome contributions for new game levels! Learn more here.

📝 Storyline

Databases are essential for our applications. However, malicious actors only need one entry point to exploit a database, so defenders must continuously protect all entry points. Can you secure them all?

⌨️ Setup instructions

For Levels 3-5 in Season 1, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions on setting up code scanning, see "Setting up code scanning using starter workflows."

⌨️ What's in the repo?

For each level, you will find the same file structure:

  • code includes the vulnerable code to be reviewed.
  • hack exploits the vulnerabilities in code. Running hack.py will fail initially; your goal is to get this file to pass 🟢.
  • hint offers a hint if you get stuck.
  • solution provides one working solution. There are several possible solutions.
  • tests contains the unit tests that should still pass 🟢 after you have implemented your fix.

🚦 Time to start!

  1. Review the code in code.py. Can you spot the bug(s)?
  2. Try to fix the bug. Open a pull request to main or push your fix to a branch.
  3. You have successfully completed this level when (a) all related code scanning alerts are resolved and (b) both hack.py and tests.py pass 🟢.
  4. If you get stuck, read the hint and try again.
  5. If you need more guidance, read the CodeQL scanning alerts.
  6. Compare your solution to solution.py.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack, at the #secure-code-game channel.

Season 1 - Level 5: Locanda

Almost there! One level to go and complete Season 1! ❤️

Languages: python3

We welcome contributions for new game levels! Learn more here.

📝 Storyline

It's a common myth that passwords should be complex. In reality, it's more important that passwords are long. Some people choose phrases as their passwords. Users should avoid common expressions from movies, books, or songs to safeguard against dictionary attacks. Your password may be strong, but for this exercise, a website you have registered with has made a fatal but quite common mistake. Can you spot and fix the bug? Good luck!

⌨️ Setup instructions

For Levels 3-5 in Season 1, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions on setting up code scanning, see "Setting up code scanning using starter workflows."

⌨️ What's in the repo?

For each level, you will find the same file structure:

  • code includes the vulnerable code to be reviewed.
  • hack exploits the vulnerabilities in code. In this level, this file is inactive.
  • hint offers a hint if you get stuck.
  • solution provides one working solution. There are several possible solutions.
  • tests contains the unit tests that should still pass 🟢 after you have implemented your fix.

🚦 Time to start!

  1. Review the code in code.py. Can you spot the bug(s)?
  2. Try to fix the bug. Open a pull request to main or push your fix to a branch.
  3. You have successfully completed this level when (a) all related code scanning alerts are resolved and (b) tests.py passes 🟢. Note that hack.py is inactive in this level.
  4. If you get stuck, read the hint and try again.
  5. If you need more guidance, read the CodeQL scanning alerts.
  6. Compare your solution to solution.py.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack, at the #secure-code-game channel.

Finish

Congratulations, you've completed Season 1! Ready for Season 2?

Here's a recap of all the tasks you've accomplished:

  • You practiced secure code principles by spotting and fixing vulnerable patterns in real-world code.
  • You assessed your solutions against exploits developed by GitHub Security Lab experts.
  • You utilized GitHub code scanning features and understood the security alerts generated against your code.

What's next?


Get help: Email us at securitylab-social@github.com • Review the GitHub status page

© 2024 GitHub • Code of Conduct • MIT License