A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
APACHE-2.0 License
Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags. π©
Created by Cider Security (Acquired by Palo Alto Networks).
The CI/CD Goat project allows engineers and security practitioners to learn and practice CI/CD security through a set of 11 challenges, enacted against a real, full blown CI/CD environment. The scenarios are of varying difficulty levels, with each scenario focusing on one primary attack vector.
The challenges cover the Top 10 CI/CD Security Risks, including Insufficient Flow Control Mechanisms, PPE (Poisoned Pipeline Execution), Dependency Chain Abuse, PBAC (Pipeline-Based Access Controls), and more. The different challenges are inspired by Alice in Wonderland, each one is themed as a different character.
The projects environment is based on Docker containers and can be run locally. These containers are:
The images are configured to interconnect in a way that creates fully functional pipelines.
There's no need to clone the repository.
curl -o cicd-goat/docker-compose.yaml --create-dirs https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
cd cicd-goat && docker compose up -d
mkdir cicd-goat; cd cicd-goat
curl -o docker-compose.yaml https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
get-content docker-compose.yaml | %{$_ -replace "bridge","nat"}
docker compose up -d
After starting the containers, it might take up to 5 minutes until the containers configuration process is complete.
Login to CTFd at http://localhost:8000 to view the challenges:
alice
alice
Hack:
alice
alice
thealice
thealice
alice
ali12345
Insert the flags on CTFd and find out if you got it right.
Warning: Spoilers! π
See Contributing.