Secure Code Game

A GitHub Security Lab initiative, providing an in-repo learning experience, where learners secure intentionally vulnerable code. At the same time, this is an open source project that welcomes your contributions as a way to give back to the community.

Welcome

• undefinedWho is this for: Developers, students.
• undefinedWhat you’ll learn: How to spot and fix vulnerable patterns in real-world code, build security into your workflows, and understand security alerts generated against your code.
• undefinedWhat you’ll build: You will develop fixes on functional but vulnerable code.
• undefinedPrerequisites: For the first season, you will need some knowledge of python3 for most levels and C for Level 2. For the second season, you will need some knowledge of GitHub Actions for level 1, go for level 2, python3 for level 3, and javascript for levels 4 and 5.
• undefinedHow long: Each season is five levels long and takes 2-9 hours to complete. The complete course has 2 seasons.

How to start this course

1. Right-click Start course and open the link in a new tab.
2. In the new tab, most of the prompts will automatically fill in for you.
   • For owner, choose your personal account or an organization to host the repository.
   • We recommend creating a public repository, as private repositories will use Actions minutes.
   • Scroll down and click the Create repository button at the bottom of the form.
3. You can now proceed to the 🛠️ set up section.

🛠️ The set up

🖥️ Using codespaces

All levels are configured to run instantly with GitHub Codespaces. If you chose to use codespaces, be aware that this course will count towards your 60 hours of monthly free allowance. For more information about GitHub Codespaces, see the “GitHub Codespaces overview.” If you prefer to work locally, please follow the local installation guide in the next section.

1. To create a codespace, click the Code drop down button in the upper-right of your repository navigation bar.
2. Click Create codespace on main.
3. After creating a codespace, relax and wait for VS Code extensions and background installations to complete. This should take less than three minutes.
4. At this point, you can get started with Season-1 or Season-2 by navigating on the respective folders and reading the README.md file.
5. Once you click on individual levels, a banner might appear on the bottom right asking you if you want to create a virtual environment. Dismiss this notification as you don’t need to create a virtual environment.

Optional: We recommend these free-of-charge additional extensions, but we haven’t pre-installed them for you:

1. github.copilot-chat to receive AI-generated code explanations.
2. alexcvzz.vscode-sqlite to visualize the SQL database created in Season-1/Level-4 and the effects of our exploits on its content.

If you need assistance, don’t hesitate to ask for help in our GitHub Discussions or on our Slack, at the #secure-code-game channel.

💻 Local installation

Please note: You don’t need a local installation if you are using GitHub Codespaces.

The following local installation guide is adapted to Debian/Ubuntu and CentOS/RHEL.

1. Open your terminal.
2. Install OpenLDAP headers needed to compile python-ldap, depending on your Linux distribution. Check by running:

uname -a

• For Debian/Ubuntu, run:

sudo apt-get update
sudo apt-get install libldap2-dev libsasl2-dev

• For CentOS/RHEL, run:

sudo yum install python-devel openldap-devel

• For Archlinux, run:

sudo pacman -Sy libldap libsasl

• Then, for all of the above Linux distributions install pyOpenSSL by running:

pip3 install pyOpenSSL

Once installation has completed, clone your repository to your local machine and install required dependencies.

1. From your repository, click the Code drop down button in the upper-right of your repository navigation bar.
2. Select the Local tab from the menu.
3. Copy your preferred URL.
4. In your terminal, change the working directory to the location where you want the cloned directory.
5. Type git clone and paste the copied URL.

$ git clone https://github.com/YOUR-USERNAME/YOUR-REPOSITORY

6. Press Enter to create your local clone.
7. Change the working directory to the cloned directory.
8. Install dependencies by running:

pip3 install -r requirements.txt

• Programming Languages

1. To play Season 1, you will need to have python3 and c installed.
2. To play Season 2, you will need to have yaml, go, python3 and node installed.

If you are using VS Code locally, you can install the above programming languages through the editor extensions with these identifiers:

1. ms-python.python
2. ms-python.vscode-pylance
3. ms-vscode.cpptools-extension-pack
4. redhat.vscode-yaml
5. golang.go

Please note that for the go programming language, you need to perform an extra step, which is to visit the official website and download the driver corresponding to your operating system.

Now, it’s necessary to install node to get the npm packages we have provided. To do so:

1. Start by installing a package manager like homebrew by running:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

2. Install node:

brew install node

Adapt the command to the package manager you have chosen if it’s not homebrew.

3. The npm packages needed are specified in package.json and package-lock.json. Navigate to the secure-code-game repository and install them by running:

npm install --prefix Season-2/Level-4/ Season-2/Level-4/ && npm install --global mocha

4. At this point, you can get started with Season-1 or Season-2 by navigating on the respective folders and reading the README.md file.

We recommend these free-of-charge additional extensions:

1. github.copilot-chat to receive AI-generated code explanations.
2. alexcvzz.vscode-sqlite to visualize the SQL database created and the effects of our exploits on its content.

For more information about cloning repositories, see “Cloning a repository.”