CI/CD Goat: deliberately vulnerable CI/CD environment

by ddos ·

cicd-goat

The CI/CD Goat project allows engineers and security practitioners to learn and practice CI/CD security through a set of 10 challenges, enacted against a real, full-blown CI/CD environment. The scenarios are of varying difficulty levels, with each scenario focusing on one primary attack vector.

The challenges cover the Top 10 CI/CD Security Risks, including Insufficient Flow Control Mechanisms, PPE (Poisoned Pipeline Execution), Dependency Chain Abuse, PBAC (Pipeline-Based Access Controls), and more.
The different challenges are inspired by Alice in Wonderland, each one is themed as a different character.

The project’s environment is based on Docker images and can be run locally. These images are:

  1. Gitea (minimal git server)
  2. Jenkins
  3. Jenkins agent
  4. LocalStack (cloud service emulator that runs in a single container)
  5. Prod – contains Docker in Docker and Lighttpd service
  6. CTFd (Capture The Flag framework)
  7. GitLab
  8. GitLab runner
  9. Docker in Docker

The images are configured to interconnect in a way that creates fully functional pipelines.

Install & Use

Copyright (C) 2022 asi-cider, omer-cider, malikashish8, nlahmi

Tags: CI/CD Goat