{"id":13530986,"url":"https://github.com/cider-security-research/cicd-goat","last_synced_at":"2025-04-04T14:09:17.657Z","repository":{"id":37373446,"uuid":"474598050","full_name":"cider-security-research/cicd-goat","owner":"cider-security-research","description":"A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.","archived":false,"fork":false,"pushed_at":"2024-07-14T11:26:38.000Z","size":70645,"stargazers_count":2043,"open_issues_count":1,"forks_count":339,"subscribers_count":32,"default_branch":"main","last_synced_at":"2025-03-28T13:09:17.912Z","etag":null,"topics":["appsec","cicd","ctf","devops","devsecops","gitlab","infosec","jenkins","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cider-security-research.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-27T10:00:19.000Z","updated_at":"2025-03-27T15:30:15.000Z","dependencies_parsed_at":"2024-07-14T12:45:47.970Z","dependency_job_id":null,"html_url":"https://github.com/cider-security-research/cicd-goat","commit_stats":{"total_commits":60,"total_committers":15,"mean_commits":4.0,"dds":0.65,"last_synced_commit":"0ed10925f3983857cf219b2ac1c327b861fcccca"},"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cider-security-research%2Fcicd-goat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cider-security-research%2Fcicd-goat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cider-security-research%2Fcicd-goat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cider-security-research%2Fcicd-goat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cider-security-research","download_url":"https://codeload.github.com/cider-security-research/cicd-goat/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247190252,"owners_count":20898702,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","cicd","ctf","devops","devsecops","gitlab","infosec","jenkins","security"],"created_at":"2024-08-01T07:00:58.783Z","updated_at":"2025-04-04T14:09:12.648Z","avatar_url":"https://github.com/cider-security-research.png","language":"Python","funding_links":[],"categories":["DevOps and DevSecOps","Network","Sorted by Technology and Category","Uncategorized","Build techniques","Intentionally Vulnerable Challenges","练习场：实战攻防演练","security","Tools","Python","Playground","DevOps","0x03 靶场 :dart:","Online Platforms"],"sub_categories":["Interesting website","Docker Images for Penetration Testing \u0026 Security","Firmware","Supply chain beyond libraries","2. 主流平台安全专题","Intentionally Vulnerable Applications","ArgoCD","云原生靶场"],"readme":"[![cicd-goat](images/banner.png)](https://www.paloaltonetworks.com/prisma/cloud/cloud-code-security)\n\n[![maintained by](https://img.shields.io/badge/maintained%20by-Palo%20Alto%20Networks-orange)](https://www.paloaltonetworks.com/prisma/cloud/cloud-code-security)\n[![top 10](https://img.shields.io/badge/Top%2010%20Risks-8%2F10-2de4fd)](https://owasp.org/www-project-top-10-ci-cd-security-risks/)\n[![.github/workflows/release.yaml](https://github.com/cider-security-research/cicd-goat/actions/workflows/release.yaml/badge.svg)](https://github.com/cider-security-research/cicd-goat/actions/workflows/release.yaml)\n[![CircleCI](https://circleci.com/gh/cider-security-research/cicd-goat/tree/main.svg?style=svg)](https://circleci.com/gh/cider-security-research/cicd-goat/tree/main)\n![Docker pulls](https://badgen.net/docker/pulls/cidersecurity/goat-jenkins-server)\n![Version](https://img.shields.io/docker/v/cidersecurity/goat-jenkins-server?sort=semver\u0026style=plastic)\n\n\nDeliberately vulnerable CI/CD environment.\nHack CI/CD pipelines, capture the flags. :triangular_flag_on_post:\n\nCreated by Cider Security [(Acquired by Palo Alto Networks)](https://www.paloaltonetworks.com/prisma/cloud/cloud-code-security).\n\n## Table of Contents\n\n* [Description](#Description)\n* [Download \u0026 Run](#Download--Run)\n  * [Linux \u0026 Mac](#Linux--Mac)\n  * [Windows (Powershell)](#Windows-Powershell)\n* [Usage](#Usage)\n  * [Instructions](#Instructions)\n  * [Take the challenge](#Take-the-challenge)\n  * [Troubleshooting](#Troubleshooting)\n* [Solutions](#Solutions)\n* [Contributing](#Contributing)\n\n## Description\nThe CI/CD Goat project allows engineers and security practitioners to learn and practice CI/CD security through a set of 11 challenges, enacted against a real, full-blown CI/CD environment. The scenarios are of varying difficulty levels, with each scenario focusing on one primary attack vector.\n\nThe challenges cover the [Top 10 CI/CD Security Risks](https://owasp.org/www-project-top-10-ci-cd-security-risks/), including Insufficient Flow Control Mechanisms, PPE (Poisoned Pipeline Execution), Dependency Chain Abuse, PBAC (Pipeline-Based Access Controls), and more.\\\nThe different challenges are inspired by Alice in Wonderland; each one is themed as a different character.\n\nThe project’s environment is based on Docker containers and can be run locally. These containers are:\n1. Gitea (minimal git server)\n2. Jenkins\n3. Jenkins agent\n4. LocalStack (cloud service emulator that runs in a single container)\n5. Prod - contains Docker in Docker and Lighttpd service\n6. CTFd (Capture The Flag framework)\n7. GitLab\n8. GitLab runner\n9. Docker in Docker\n\nThe images are configured to interconnect in a way that creates fully functional pipelines.\n\n[![cicd-goat](images/diagram.png)](#)\n\n## Download \u0026 Run\n**There's no need to clone the repository.**\n\n### Linux \u0026 Mac\n```sh\ncurl -o cicd-goat/docker-compose.yaml --create-dirs https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml\ncd cicd-goat \u0026\u0026 docker compose up -d\n```\n\n### Windows (Powershell)\n```PowerShell\nmkdir cicd-goat; cd cicd-goat\ncurl -o docker-compose.yaml https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml\nget-content docker-compose.yaml | %{$_ -replace \"bridge\",\"nat\"}\ndocker compose up -d\n```\n\n## Usage\n### Instructions\n* **Spoiler alert!** Avoid browsing the repository files as they contain spoilers.\n* To configure your git client for accessing private repositories, we suggest cloning using the HTTP URL.\n* In each challenge, find the flag - in the format of _flag#_ (e.g. _flag2_), or another format if mentioned specifically.\n* Each challenge stands on its own. Do not use access gained in one challenge to solve another challenge.\n* If needed, use the hints on CTFd.\n* There is no need to exploit CVEs.\n* No need to hijack admin accounts of Gitea or Jenkins (named \"admin\" or \"red-queen\").\n\n### Take the challenge\n1. After starting the containers, it might take up to 5 minutes until the container configuration process is complete.\n2. Log in to CTFd at http://localhost:8000 to view the challenges:\n   * Username: `alice`\n   * Password: `alice`\n\n3. Hack:\n   * Jenkins http://localhost:8080\n     * Username: `alice`\n     * Password: `alice`\n   * Gitea http://localhost:3000\n     * Username: `thealice`\n     * Password: `thealice`\n   * GitLab http://localhost:4000\n     * Username: `alice`\n     * Password: `ali12345`\n\n4. Insert the flags on CTFd and find out if you got it right.\n\n### Troubleshooting\n* If Gitea shows a blank page, refresh the page.\n* When forking a repository, don't change the name of the forked repository.\n* If any of the services doesn't start or is not configured correctly, try adding more CPU and memory to the Docker engine and update it to the latest version.\n\n## Solutions\n**Warning:** Spoilers! :see_no_evil:\n\n* See [Solutions](solutions).\n* BSidesLV talk: [Climbing the Production Mountain: Practical CI/CD Attacks Using CI/CD Goat](https://www.youtube.com/watch?v=w-R2PT2jfdU) - Featuring solutions of the Caterpillar, Mock Turtle and Dormouse challenges.\n\n## Contributing\nSee [Contributing](CONTRIBUTING.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcider-security-research%2Fcicd-goat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcider-security-research%2Fcicd-goat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcider-security-research%2Fcicd-goat/lists"}