Skip to content

A GitHub Security Lab initiative, providing an in-repo learning experience, where learners secure intentionally vulnerable code.

License

Notifications You must be signed in to change notification settings

magnologan/secure-code-game

 
 

Repository files navigation

Secure Code Game

📣 SEASON 2 JUST DROPPED! READY TO PLAY? 📣

A GitHub Security Lab initiative, providing an in-repo learning experience, where learners secure intentionally vulnerable code. At the same time, this is an open source project that welcomes your contributions as a way to give back to the community.

Welcome

  • Who is this for: Developers, students.
  • What you'll learn: How to spot and fix vulnerable patterns in real-world code, build security into your workflows, and understand security alerts generated against your code.
  • What you'll build: You will develop fixes on functional but vulnerable code.
  • Prerequisites: For the first season, you will need some knowledge of python3 for most levels and C for Level 2. For the second season, you will need some knowledge of GitHub Actions for level 1, go for level 2, python3 for level 3, and javascript for levels 4 and 5.
  • How long: Each season is five levels long and takes 2-9 hours to complete. The complete course has 2 seasons.

How to start this course

start-course

  1. Right-click Start course and open the link in a new tab.
  2. In the new tab, most of the prompts will automatically fill in for you.
    • For owner, choose your personal account or an organization to host the repository.
    • We recommend creating a public repository, as private repositories will use Actions minutes.
    • Scroll down and click the Create repository button at the bottom of the form.
  3. After your new repository is created and our GitHub Actions workflow has completed, you will notice a ❌ sign next to the initial commit, indicating a failing check. This is normal and you can ignore it. You will understand in Season-2/Level-1 why this happens.
  4. You can now proceed to the 🛠️ set up section.

🛠️ The set up

🖥️ Using codespaces

All levels are configured to run instantly with GitHub Codespaces. If you chose to use codespaces, be aware that this course will count towards your 60 hours of monthly free allowance. For more information about GitHub Codespaces, see the "GitHub Codespaces overview." If you prefer to work locally, please follow the local installation guide in the next section.

  1. To create a codespace, click the Code drop down button in the upper-right of your repository navigation bar.
  2. Click Create codespace on main.
  3. After creating a codespace, relax and wait for VS Code extensions and background installations to complete. This should take less than three minutes.
  4. At this point, you can get started with Season-1 or Season-2 by navigating on the respective folders and reading the README.md file.

Optional: We recommend these free-of-charge additional extensions, but we haven't pre-installed them for you:

  1. github.copilot-labs to receive AI-generated code explanations.
  2. alexcvzz.vscode-sqlite to visualize the SQL database created in Season-1/Level-4 and the effects of our exploits on its content.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack, at the #secure-code-game channel.

💻 Local installation

Please note: You don't need a local installation if you are using GitHub Codespaces.

The following local installation guide is adapted to Debian/Ubuntu and CentOS/RHEL.

  1. Open your terminal.
  2. Install OpenLDAP headers needed to compile python-ldap, depending on your Linux distribution. Check by running:
uname -a
  • For Debian/Ubuntu, run:
sudo apt-get update
sudo apt-get install libldap2-dev libsasl2-dev
  • For CentOS/RHEL, run:
sudo yum install python-devel openldap-devel
  • For Archlinux, run:
sudo pacman -Sy libldap libsasl
  • Then, for all of the above Linux distributions install pyOpenSSL by running:
pip3 install pyOpenSSL

Once installation has completed, clone your repository to your local machine and install required dependencies.

  1. From your repository, click the Code drop down button in the upper-right of your repository navigation bar.
  2. Select the Local tab from the menu.
  3. Copy your preferred URL.
  4. In your terminal, change the working directory to the location where you want the cloned directory.
  5. Type git clone and paste the copied URL.
$ git clone https://github.com/YOUR-USERNAME/YOUR-REPOSITORY
  1. Press Enter to create your local clone.
  2. Change the working directory to the cloned directory.
  3. Install dependencies by running:
pip3 install -r requirements.txt
  • Programming Languages
  1. To play Season 1, you will need to have python3 and c installed.
  2. To play Season 2, you will need to have yaml, go, python3 and node installed.

If you are using VS Code locally, you can install the above programming languages through the editor extensions with these identifiers:

  1. ms-python.python
  2. ms-python.vscode-pylance
  3. ms-vscode.cpptools-extension-pack
  4. redhat.vscode-yaml
  5. golang.go

Please note that for the go programming language, you need to perform an extra step, which is to visit the official website and download the driver corresponding to your operating system.

Now, it's necessary to install node to get the npm packages we have provided. To do so:

  1. Start by installing a package manager like homebrew by running:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  1. Install node:
brew install node

Adapt the command to the package manager you have chosen if it's not homebrew.

  1. The npm packages needed are specified in package.json and package-lock.json. Navigate to the secure-code-game repository and install them by running:
npm install --prefix Season-2/Level-4/ Season-2/Level-4/ && npm install --global mocha
  1. At this point, you can get started with Season-1 or Season-2 by navigating on the respective folders and reading the README.md file.

We recommend these free-of-charge additional extensions:

  1. github.copilot-labs to receive AI-generated code explanations.
  2. alexcvzz.vscode-sqlite to visualize the SQL database created and the effects of our exploits on its content.

For more information about cloning repositories, see "Cloning a repository."


Get help: Email us at [email protected]Review the GitHub status page

© 2024 GitHub • Code of ConductMIT License

About

A GitHub Security Lab initiative, providing an in-repo learning experience, where learners secure intentionally vulnerable code.

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 40.7%
  • JavaScript 22.3%
  • Go 17.6%
  • C 10.1%
  • HTML 9.3%