Xavier René-Corail
Sr. Dir, Security Research. Open Source Security at GitHub. I lead the GitHub Security Lab, empowering open source maintainers and developers to ship secure software.
Join our Capture the Flag challenge to use your CodeQL skills or learn new ones.
Today at GitHub Satellite, we announced code scanning to enable the power of CodeQL analysis on your repositories and keep them safe—thanks to thousands of community-powered queries! Want to learn about CodeQL or brush up on your existing skills? Join our Capture the Flag (CTF) vulnerability hunting challenge, where you can hone your bug finding skills and learn all about CodeQL’s taint tracking features.
The GitHub Security Lab CTF is a contest where participants are challenged to find a security bug (the flag) in real code. During the challenge, you’ll hunt for a recently identified vulnerability in a popular container management platform that enabled attackers to inject arbitrary Java EL expressions. This ultimately led to a pre-auth Remote Code Execution (RCE) vulnerability.
Using CodeQL to track tainted data from a user-controlled bean property to a custom error message, you’ll learn to fill in any gaps in the taint tracking to carve a full data flow path to the vulnerability.
Interested in learning about CodeQL ahead of the challenge? We also announced GitHub Satellite Workshops to help you find security vulnerabilities with CodeQL.
Learn more about writing CodeQL queries from these helpful resources:
CTF is brought to you by the GitHub Security Lab team. Our mission is to inspire and enable the community to secure the open source software we all depend on. We can’t wait to see how the contest unfolds and help you with CodeQL along the way.
GitHub had over 14,000 repositories. Fewer than half had clear ownership. Here’s how we gave every active repository a validated owner in under 45 days, archived the rest, and made ownership the foundation for everything that followed.
GitHub had 20,000+ secret scanning alerts across 15,000 repositories. Here’s how we separated signal from noise, built remediation workflows, and reached inbox zero in nine months.
These six free settings will not make your project unhackable. Nothing will. What they will do is close the easy doors. Turn these on, and your project will be meaningfully harder to attack than it was before.