Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags.
Created by Cider Security.
The CI/CD Goat project allows engineers and security practitioners to learn and practice CI/CD security through a set of 10 challenges, enacted against a real, full-blown CI/CD environment. The scenarios are of varying difficulty levels, with each scenario focusing on one primary attack vector.
The challenges cover the Top 10 CI/CD Security Risks, including Insufficient Flow Control Mechanisms, PPE (Poisoned Pipeline Execution), Dependency Chain Abuse, PBAC (Pipeline-Based Access Controls), and more.
The challenges are inspired by Alice in Wonderland; each one is themed as a different character.
The project's environment is based on Docker images and can be run locally. These images are:
The images are configured to interconnect in a way that creates fully functional pipelines.
There's no need to clone the repository.
curl -o cicd-goat/docker-compose.yaml --create-dirs https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
cd cicd-goat && docker-compose up -d
mkdir cicd-goat; cd cicd-goat
curl -o docker-compose.yaml https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
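# Replace the "bridge" network driver with "nat" and write the result back to the file
(Get-Content docker-compose.yaml) -replace "bridge","nat" | Set-Content docker-compose.yaml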
docker-compose up -d
After starting the containers, it might take up to 5 minutes until the container configuration process is complete.
Log in to CTFd at http://localhost:8000 to view the challenges:
alice
alice
Hack:
alice
alice
thealice
thealice
Insert the flags on CTFd and find out if you got it right.
Warning: Spoilers!
See Solutions.
Clone the repository.
Rename .git folders to make them usable:
python3 rename.py git
Install testing dependencies:
pip3 install pipenv==2022.8.30
pipenv install --deploy
Run the development environment to experiment with new changes:
rm -rf tmp tmp-ctfd/
cp -R ctfd/data/ tmp-ctfd/
docker-compose -f docker-compose-dev.yaml up -d
Make the desired changes:
Shut down the environment, move changes made in CTFd and rebuild it:
docker-compose -f docker-compose-dev.yaml down
./apply.sh # save CTFd changes
docker-compose -f docker-compose-dev.yaml up -d --build
Run tests:
pytest tests/
Rename .git folders to allow push:
python3 rename.py notgit
Commit and push!
Follow the checklist below to add a challenge: