📣 SEASON 2 JUST DROPPED! READY TO PLAY? 📣
A GitHub Security Lab initiative, providing an in-repo learning experience, where learners secure intentionally vulnerable code. At the same time, this is an open source project that welcomes your contributions as a way to give back to the community.
- Who is this for: Developers, students.
- What you'll learn: How to spot and fix vulnerable patterns in real-world code, build security into your workflows, and understand security alerts generated against your code.
- What you'll build: You will develop fixes on functional but vulnerable code.
- Prerequisites: For the first season, you will need some knowledge of
python3
for most levels andC
for Level 2. For the second season, you will need some knowledge ofGitHub Actions
for level 1,go
for level 2,python3
for level 3, andjavascript
for levels 4 and 5. - How long: Each season is five levels long and takes 2-9 hours to complete. The complete course has 2 seasons.
- Right-click Start course and open the link in a new tab.
- In the new tab, most of the prompts will automatically fill in for you.
- For owner, choose your personal account or an organization to host the repository.
- We recommend creating a public repository, as private repositories will use Actions minutes.
- Scroll down and click the Create repository button at the bottom of the form.
- After your new repository is created and our GitHub Actions workflow has completed, you will notice a ❌ sign next to the initial commit, indicating a failing check. This is normal and you can ignore it. You will understand in Season-2/Level-1 why this happens.
- You can now proceed to the 🛠️ set up section.
All levels are configured to run instantly with GitHub Codespaces. If you chose to use codespaces, be aware that this course will count towards your 60 hours of monthly free allowance. For more information about GitHub Codespaces, see the "GitHub Codespaces overview." If you prefer to work locally, please follow the local installation guide in the next section.
- To create a codespace, click the Code drop down button in the upper-right of your repository navigation bar.
- Click Create codespace on main.
- After creating a codespace, relax and wait for VS Code extensions and background installations to complete. This should take less than three minutes.
- At this point, you can get started with Season-1 or Season-2 by navigating on the respective folders and reading the
README.md
file.
Optional: We recommend these free-of-charge additional extensions, but we haven't pre-installed them for you:
github.copilot-labs
to receive AI-generated code explanations.alexcvzz.vscode-sqlite
to visualize the SQL database created in Season-1/Level-4 and the effects of our exploits on its content.
If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack, at the #secure-code-game channel.
Please note: You don't need a local installation if you are using GitHub Codespaces.
The following local installation guide is adapted to Debian/Ubuntu and CentOS/RHEL.
- Open your terminal.
- Install OpenLDAP headers needed to compile
python-ldap
, depending on your Linux distribution. Check by running:
uname -a
- For Debian/Ubuntu, run:
sudo apt-get update
sudo apt-get install libldap2-dev libsasl2-dev
- For CentOS/RHEL, run:
sudo yum install python-devel openldap-devel
- For Archlinux, run:
sudo pacman -Sy libldap libsasl
- Then, for all of the above Linux distributions install
pyOpenSSL
by running:
pip3 install pyOpenSSL
Once installation has completed, clone your repository to your local machine and install required dependencies.
- From your repository, click the Code drop down button in the upper-right of your repository navigation bar.
- Select the
Local
tab from the menu. - Copy your preferred URL.
- In your terminal, change the working directory to the location where you want the cloned directory.
- Type
git clone
and paste the copied URL.
$ git clone https://github.com/YOUR-USERNAME/YOUR-REPOSITORY
- Press Enter to create your local clone.
- Change the working directory to the cloned directory.
- Install dependencies by running:
pip3 install -r requirements.txt
- Programming Languages
- To play Season 1, you will need to have
python3
andc
installed. - To play Season 2, you will need to have
yaml
,go
,python3
andnode
installed.
If you are using VS Code locally, you can install the above programming languages through the editor extensions with these identifiers:
ms-python.python
ms-python.vscode-pylance
ms-vscode.cpptools-extension-pack
redhat.vscode-yaml
golang.go
Please note that for the go
programming language, you need to perform an extra step, which is to visit the official website and download the driver corresponding to your operating system.
Now, it's necessary to install node
to get the npm
packages we have provided. To do so:
- Start by installing a package manager like
homebrew
by running:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
- Install
node
:
brew install node
Adapt the command to the package manager you have chosen if it's not homebrew.
- The
npm
packages needed are specified inpackage.json
andpackage-lock.json
. Navigate to thesecure-code-game
repository and install them by running:
npm install --prefix Season-2/Level-4/ Season-2/Level-4/ && npm install --global mocha
- At this point, you can get started with Season-1 or Season-2 by navigating on the respective folders and reading the
README.md
file.
We recommend these free-of-charge additional extensions:
github.copilot-labs
to receive AI-generated code explanations.alexcvzz.vscode-sqlite
to visualize the SQL database created and the effects of our exploits on its content.
For more information about cloning repositories, see "Cloning a repository."
Get help: Email us at securitylab-social@github.com • Review the GitHub status page
© 2024 GitHub • Code of Conduct • MIT License