Source: GitHub Blog | Author: Xavier René-Corail
Today at GitHub Satellite, we announced code scanning to enable the power of CodeQL analysis on your repositories and keep them safe—thanks to thousands of community-powered queries! Want to learn about CodeQL or brush up on your existing skills? Join our Capture the Flag (CTF) vulnerability hunting challenge, where you can hone your bug finding skills and learn all about CodeQL’s taint tracking features.
오늘은 수천 개의 커뮤니티에서 제공되는 쿼리 덕분에 GitHub Satellite에서 CodeQL 분석을 통해 저장소를 안전하게 보호할 수 있는 코드 스캔을 발표했습니다! CodeQL에 대해 알아보거나 기존 실력을 늘리고 싶은 시겠습니까? Capture the Flag(CTF) 취약성 사냥 과제에 참여하여 버그 찾기 기술을 습득하고 코드에 대한 모든 것을 배울 수 있음QL의 이상한 추적 기능입니다.
Are you ready for the challenge?
The GitHub Security Lab CTF is a contest where participants are challenged to find a security bug (the flag) in real code. During the challenge, you’ll hunt for a recently identified vulnerability in a popular container management platform that enabled attackers to inject arbitrary Java EL expressions. This ultimately led to a pre-auth Remote Code Execution (RCE) vulnerability.
Using CodeQL to track tainted data from a user-controlled bean property to a custom error message, you’ll learn to fill in any gaps in the taint tracking to carve a full data flow path to the vulnerability.
Interested in learning about CodeQL ahead of the challenge? We also announced GitHub Satellite Workshops to help you find security vulnerabilities with CodeQL.
Learn more about writing CodeQL queries from these helpful resources:
- Introduction to CodeQL
- CodeQL detective tutorials
- Writing a basic CodeQL query for Java
- GitHub’s open source CodeQL Java trainings
- CodeQL Learning Lab (C/C++)
About the GitHub Security Lab
CTF is brought to you by the GitHub Security Lab team. Our mission is to inspire and enable the community to secure the open source software we all depend on. We can’t wait to see how the contest unfolds and help you with CodeQL along the way.