Welcome to Secure Code Game - Season 2! 👋
To get started, please follow the 🛠️ set up guide (if you haven't already) from the welcome page.
Welcome to Level 1! 🤖
Languages: yaml for GitHub Actions
The author of this level is Deniz Onur Duzgun @dduzgun-security.
You can be next! We welcome contributions for new game levels! Learn more here.
Jarvis, your trusty geek who gets really excited with automating everything, has some tips for you. He has been experimenting lately with GitHub Actions and made several great additions to our CI/CD pipeline. Among other useful additions, he suggested that it would be helpful for our project team to be getting the GitHub status page. What can go wrong? Do you have what it takes to fix the bug and progress to Level 2?
| File | Description |
| --- | --- |
| `code` | Normally includes the vulnerable code to be reviewed. For this level, due to the nature of GitHub Actions, this file is referencing `.github/workflows/jarvis-code.yml`. |
| `hack` | Exploits the vulnerabilities in `code`. For this level, this file is referencing `.github/workflows/jarvis-hack.yml`. Initially, it fails ❌ upon pushing and the only requirement for you to reach the next level is to get this file to pass 🟢. |
| `hint` | Files offer guidance if you get stuck. We provide 2 hints for this level. |
| `solution` | Offers a working solution. Remember, there are several possible solutions. |
- Review the code inside `.github/workflows/jarvis-code.yml`. Can you spot the bug(s)?
- Fix the bug and push your solution so that GitHub Actions can run.
- You successfully completed this level when `.github/workflows/jarvis-hack.yml` passes 🟢.
- If you get stuck, read the hint in `hint-1.txt` and try again.
- If you need more guidance, read the hint in `hint-2.txt` and try again.
- Compare your solution with `solution.yml`. Remember, there are several possible solutions.
If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack in the #secure-code-game channel.
You have completed Level 1: Jarvis Gone Wrong! Welcome to Level 2: Lumberjack 🎉
Languages: go
The author of this level is Deniz Onur Duzgun @dduzgun-security.
You can be next! We welcome contributions for new game levels! Learn more here.
Welcome to the world of Lumberjack, the "clumsiest service in town", according to the online reviews! Customers have been noticing irregularities in both their site and services. We dumped a few reviews in an AI chatbot to summarize and what we've got back were a few keywords that said it all! Keywords included the words "discrepancies" and "inconsistencies". Something is clearly off here. Do you have what it takes to win this fight against "inconsistencies", "discrepancies" and "irregularities" and progress to Level 3?
- If you are playing the game inside GitHub Codespaces, the `go` programming language extension should already be installed. At times, this is not enough to run `go` files and you have to visit Go's official website and download the installer corresponding to your operating system.
- For Levels 2-4 in Season 2, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions on setting up code scanning, see "Setting up code scanning using starter workflows."
Due to the nature of file conventions in the go programming language, some file names look different compared to our usual file structure. We have the following:
| File | Description |
| --- | --- |
| `code` | Includes the vulnerable code to be reviewed. |
| `code_test` | Contains the unit tests that should still pass 🟢 after you implement your fix. |
| `hack_test` | Exploits the vulnerabilities in `code`. Running `hack_test.go` will fail initially and your goal is to get this file to pass 🟢. |
| `hint` | Files offer guidance if you get stuck. We provide 2 hints for this level. Remember that you can also view the CodeQL scanning alerts for guidance. |
| `solution` | Provides one working solution. There are several possible solutions. |
| `solution_test` | Is identical to `code_test` and it's used to test the solution for failing and passing payloads. |
| `go.mod` | Is a `go` programming language convention for a module residing at the root of the module's directory hierarchy. |
- Review the code in `code.go`. Can you spot the bug(s)?
- Try to fix the bug. Open a pull request to `main` or push your fix to a branch.
- You successfully completed this level when you (a) resolve all related code scanning alerts and (b) both `hack_test.go` and `code_test.go` pass 🟢.
- If you get stuck, read the hints and try again.
- If you need more guidance, read the CodeQL scanning alerts.
- Compare your solution to `solution/solution.go`.
If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack in the #secure-code-game channel.
Nicely done! Level 2: Lumberjack is complete. It's time for Level 3: Planet XMLon 🥳
Languages: javascript
The author of this level is Deniz Onur Duzgun @dduzgun-security.
You can be next! We welcome contributions for new game levels! Learn more here.
Embark on your quest as a daring EXXplorer in the vibrant landscape of the newly discovered Planet XMLon. The alien inhabitants are baffled by mysterious disruptions in their data transmissions, which may have been caused by the main developer E.T. who added more features than intended. Help them decode the extraterrestrial XML signals and unveil the secrets hidden within the starry constellations of tags, attributes and .admin files. Can you secure them all?
For Levels 2-4 in Season 2, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions on setting up code scanning, see "Setting up code scanning using starter workflows."
| File | Description |
| --- | --- |
| `code` | Includes the vulnerable code to be reviewed. |
| `hack` | Exploits the vulnerabilities in `code`. Running `hack` will fail initially and your goal is to get this file to pass 🟢. |
| `hack.admin` | Is a file used by administrators for debugging purposes. |
| `hint` | Offers guidance if you get stuck. Remember that you can also view the CodeQL scanning alerts. |
| `package.json` | Contains all the dependencies required for this level. You can install them by running `npm install`. |
| `package-lock.json` | Ensures that the same dependencies are installed consistently across different environments. |
| `solution` | Provides one working solution. There are several possible solutions. |
| `tests` | Contains the unit tests that should still pass 🟢 after you implement your fix. |
| `.env.production` | Is an internal server-side file containing a secret environment variable. |
- Start by installing the dependencies required for this level, by running `npm install`. These dependencies reside inside `package.json`.
- Review the code in `code.js`. Can you spot the bug(s)?
- Try to fix the bug. Open a pull request to `main` or push your fix to a branch.
- You successfully completed this level when you (a) resolve all related code scanning alerts and (b) both `hack.js` and `tests.js` pass 🟢.
- If you get stuck, read the hint and try again.
- If you need more guidance, read the CodeQL scanning alerts.
- Compare your solution to `solution.js`.
If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack in the #secure-code-game channel.
Nice work finishing Level 3: Planet XMLon! It's now time for Level 4: Space-Crossing ✨
Languages: python3
The author of this level is Viral Vaghela.
You can be next! We welcome contributions for new game levels! Learn more here.
Our solar system is 4.6 billion years old and it's constantly expanding. So does human interest around the world with local communities of enthusiasts constantly forming in an increasingly digitized world. Space enthusiasts use the internet as an information bank and to connect with their counterparts. This was exactly what drove a local community of space enthusiasts to create a public website, featuring their meetups, alongside contact information and a simple search bar where users can discover rare facts about planets. Having said that, did you know that ninety-five per cent (95%) of the Universe is invisible? What percentage of security issues is invisible though, and for how long? Do you have what it takes to secure the site and progress to Level 4?
- For Levels 2-4 in Season 2, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions on setting up code scanning, see "Setting up code scanning using starter workflows."
| File | Description |
| --- | --- |
| `code` | Includes the vulnerable code to be reviewed. |
| `hack` | Exploits the vulnerabilities in `code`. Running `hack` will fail initially and your goal is to get this file to pass 🟢. |
| `hint` | Offers guidance if you get stuck. Remember that you can also view the CodeQL scanning alerts. |
| `solution` | Provides one working solution. There are several possible solutions. |
| `templates/index.html` | Hosts a simple front-end to interact with the back-end. |
| `tests` | Contains the unit tests that should still pass 🟢 after you implement your fix. |
- Review the code in `code.py`. Can you spot the bug(s)?
- Try to fix the bug. Open a pull request to `main` or push your fix to a branch.
- You successfully completed this level when you (a) resolve all related code scanning alerts and (b) both `hack.py` and `tests.py` pass 🟢.
- If you get stuck, read the hint and try again.
- If you need more guidance, read the CodeQL scanning alerts.
- Compare your solution to `solution.py`.
If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack in the #secure-code-game channel.
Almost there... but also, so far away! A special level is awaiting you to complete Season 2! ❤️
Languages: javascript
The author of this level is the original creator of the game, Joseph Katsioloudes @jkcso.
You can be next! We welcome contributions for new game levels! Learn more here.
'Anarchy' (noun) is the state of disorder due to absence or non-recognition of authority or other controlling systems. This was the first word that came to mind when I finished writing code.js. Is anarchy exploitable? Can you spot the issues? Good luck, you will need it!
| File | Description |
| --- | --- |
| `code` | Includes the vulnerable code to be reviewed. |
| `hack` | Files exploit the vulnerabilities in `code`. For this level, the exploits couldn't be automated. To run them, follow the instructions provided inside. |
| `hint` | Files offer guidance if you get stuck. |
| `solution` | Provides one working solution. There are several possible solutions. |
| `index` | Hosts the homepage, featuring a javascript console. |
- Review the code in `code.js`. Can you spot the bug(s)?
- You successfully completed this level when the exploits inside `hack.js` are unsuccessful. Remember, due to the nature of the exploits, you have to run them manually.
- If you get stuck, read the hints.
- Compare your solution to `solution.js`.
If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack in the #secure-code-game channel.
🎉 Congratulations, you've completed Season 2! 🎉
Here's a recap of all the tasks you've accomplished:
- You practiced secure code principles by spotting and fixing vulnerable patterns in real-world code.
- You assessed your solutions against exploits developed by GitHub Security Lab experts.
- You utilized GitHub code scanning features and understood the security alerts generated against your code.
- Follow GitHub Security Lab for the latest updates and announcements about this course.
- Play Season 3 featuring Artificial Intelligence!
- Contribute new levels to the game in 3 simple steps! Read our Contribution Guideline.
- Share your feedback and ideas in our Discussions and join our community on Slack.
- Take another skills course.
- Read more about code security.
- To find projects to contribute to, check out GitHub Explore.
Get help: Email us at securitylab-social@github.com • Review the GitHub status page
© 2026 GitHub • Code of Conduct • MIT License