{"id":14867406,"url":"https://github.com/tenable/cnappgoat","last_synced_at":"2025-04-06T12:10:53.794Z","repository":{"id":185598070,"uuid":"673793125","full_name":"tenable/cnappgoat","owner":"tenable","description":"CNAPPgoat is an open source project designed to modularly provision vulnerable-by-design components in cloud environments.","archived":false,"fork":false,"pushed_at":"2024-09-04T17:12:55.000Z","size":6467,"stargazers_count":273,"open_issues_count":3,"forks_count":32,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-03-30T10:08:54.889Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tenable.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-08-02T12:41:18.000Z","updated_at":"2025-03-14T03:27:14.000Z","dependencies_parsed_at":"2024-01-14T12:17:34.504Z","dependency_job_id":"2a926a1f-a269-4033-acd9-d8ba1944562a","html_url":"https://github.com/tenable/cnappgoat","commit_stats":null,"previous_names":["ermetic-research/cnappgoat","tenable/cnappgoat"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2Fcnappgoat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2Fcnappgoat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2Fcnappgoat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2Fcnappgoat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tenable","download_url":"https://codeload.github.com/tenable/cnappgoat/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247478324,"owners_count":20945266,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-09-20T04:01:29.544Z","updated_at":"2025-04-06T12:10:53.775Z","avatar_url":"https://github.com/tenable.png","language":"Go","funding_links":[],"categories":["others","Intentionally Vulnerable Challenges","Go"],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\u003cimg src=\"images/logo.png\" width=\"40%\" alt=\"CNAPPGoat logo: a smiling goat with a purple cloud background\"\u003e\n\n[![made-with-Go][made-with-go-img]](http://golang.org)\n[![GitHub Release][release-img]][release]\n[![Go Report Card][go-report-img]][go-report]\n[![License: Apache-2.0][license-img]][license]\n\n[![Maintainer][maintainer-1]](mailto:research@ermetic.com)\n\n# CNAPPgoat\n\n\u003c/div\u003e\n\nCNAPPgoat is a multi-cloud, vulnerable-by-design environment deployment tool – specifically engineered to facilitate\npractice arenas for defenders and pentesters. Its main function is to deploy intentionally\nvulnerable environments across multiple cloud service providers, to help you sharpen your skills in exploiting,\ndetecting, and preventing such vulnerabilities.\n\n![Gif demonstrating an example of using AccessUndenied](images/demo.gif)\n\n\u003e **Warning**: CNAPPgoat deploys vulnerable environments. Only use it within safe, controlled sandboxes.\n\n## Getting Started\n\nCNAPPgoat operates as a Command Line Interface (CLI) tool, capable of deploying vulnerable environments to a multitude\nof cloud service providers. Built with Go and utilizing Pulumi and the Pulumi automation API, it ensures seamless\nenvironment deployment. One of its unique features is its modular design, which allows for effortless extension to\nsupport an array of cloud service providers and new vulnerable environments. As of now, CNAPPgoat supports AWS, Azure,\nand GCP.\n\n### Prerequisites for running CNAPPgoat\n\n- [Pulumi](https://www.pulumi.com/docs/get-started/install/)\n- Cloud SDKs for the cloud provider you are using:\n    - [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html)\n    - [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli)\n    - [Google Cloud SDK](https://cloud.google.com/sdk/docs/install)\n\nPulumi dependencies and plugins will install in an on-demand basis according to each scenario's requirements\nwhen you provision your first environment. This means the first time provisioning might take a little longer than\nsubsequent\nones.\n\n### Installation\n\n#### Homebrew\n\nCNAPPgoat can be easily installed for macOS users using the Homebrew package manager.\n\n```bash\nbrew tap ermetic-research/cnappgoat\nbrew install cnappgoat\n```\n\n#### Download the release directly for macOS, Linux, and macOS.\n\n1. Download the latest release from [here](https://github.com/ermetic-research/CNAPPgoat/releases/latest).\n\n   ```bash\n   tar -xvf cnappgoat-\u003cversion\u003e.tar.gz\n   cd cnappgoat-\u003cversion\u003e\n   ```\n\n2. (Optional) If you'd like to add the extracted binary to your system's PATH (you don't have to, you can just run it\n   from the local directory as `./cnappgoat`):\n\n**Option A: Move to a directory in your PATH (e.g., `/usr/local/bin` for macOS and Linux)**\n\n   ```bash\n   mv cnappgoat /usr/local/bin/\n   ```\n\n**Option B: Add the directory containing the binary to your PATH**\n\nFor bash:\n\n   ```bash\n   echo 'export PATH=$PATH:\u003cpath_to_directory_containing_cnappgoat\u003e' \u003e\u003e ~/.bashrc\n   source ~/.bashrc\n   ```\n\nFor zsh:\n\n   ```bash\n   echo 'export PATH=$PATH:\u003cpath_to_directory_containing_cnappgoat\u003e' \u003e\u003e ~/.zshrc\n   source ~/.zshrc\n   ```\n\nReplace `\u003cpath_to_directory_containing_cnappgoat\u003e` with the absolute path to the directory where `cnappgoat` binary\nresides.\n\n### Usage\n\n```\nNAME:\n   cnappgoat - A multicloud open-source tool for deploying vulnerable-by-design cloud resources\n\nUSAGE:\n   cnappgoat [global options] command [command options] [arguments...]\n\nVERSION:\n   0.1.0-beta, date: 2023-08-02T13:02:46Z, commit: 6bef61857d9f3cf88215269df8976f96317711dc\n\n\nCOMMANDS:\n   clean      clean and remove all created resources and delete all scenarios and any related files\n   describe   describe a scenario\n   destroy    Destroy CNAPPgoat module scenarios\n   list       List CNAPPgoat module scenarios\n   provision  Provision CNAPPgoat module scenarios\n   help, h    Shows a list of commands or help for one command\n\nGLOBAL OPTIONS:\n   --debug        Enable debug mode (default: false)\n   --help, -h     show help\n   --version, -v  print the version\n```\n\n| Command           | Description                                                                                                          | Usage                                 |\n|-------------------|----------------------------------------------------------------------------------------------------------------------|---------------------------------------|\n| `list`            | Lists all available scenarios for provisioning.                                                                      | `cnappgoat list`                      |\n| `describe`        | Provides detailed information about the specified scenario.                                                          | `cnappgoat describe \u003cscenario name\u003e`  |\n| `provision`       | Provisions the scenario specified by the scenario name. To provision all scenarios, simply use `cnappgoat provision` | `cnappgoat provision \u003cscenario name\u003e` |\n| `destroy`         | Destroys the scenario specified by the scenario name. To destroy all scenarios, simply use `cnappgoat destroy`       | `cnappgoat destroy \u003cscenario name\u003e`   |\n| `clean`           | Cleans up all scenarios and deletes the `.cnappgoat` local directory                                                 | `cnappgoat clean `                    |   \n| `--version`, `-v` | Displays the current version of CNAPPgoat                                                                            | `cnappgoat --version`                 |\n| `--help`, `-h`    | Displays the help menu.                                                                                              | `cnappgoat --help`                    |\n\nYou may use multiple arguments separated by spaces. For example:\n\n```bash\ncnappgoat provision \u003cscenario-1\u003e \u003cscenario-2\u003e \u003cscenario-N\u003e\n```\n\n#### Flags:\n\n- `--module` - Filters scenarios by module (e.g. CSPM, CIEM, CWPP, DSPM, KSPM etc.)\n- `--platform` - Filters scenarios by platform (e.g. AWS, Azure, GCP)\n- `--force` - Enables force mode (unlock locked stacks with pulumi cancel)\n- `--debug` - Enables debug logging.\n\nThese flags are command flags and should be placed after the command. For example:\n\n```bash\ncnappgoat provision --module CSPM --platform AWS\n```\n\nThis command will provision all AWS CSPM scenarios.\n\n## CNAPPgoat Scenarios\n\nCNAPPgoat downloads scenarios from the [cnappgoat-scenarios](https://github.com/ermetic-research/cnappgoat-scenarios)\nrepository at its first run of every day,\nthese scenarios are automatically downloaded when you run CNAPPgoat and are stored in the `~/.cnappgoat/scenarios`\ndirectory.\n\n## Setup and Configuration\n\nBefore you can use CNAPPgoat, you need to set up your cloud credentials for AWS, Azure, and GCP. CNAPPgoat uses the\ndefault credentials for each provider. Follow the steps below to set up your credentials:\n\n### AWS Credentials\n\n1. Install the AWS CLI by following the\n   instructions [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html).\n\n2. Configure your AWS credentials by running:\n\n    ```bash\n    aws configure\n    ```\n\n   You'll be prompted to enter your Access Key ID, Secret Access Key, and default region name.\n\n### Azure Credentials\n\n1. Install the Azure CLI by following the instructions [here](https://docs.microsoft.com/cli/azure/install-azure-cli).\n\n2. Log in to your Azure account by running:\n\n    ```bash\n    az login\n    ```\n\n   This will open a new browser window for you to log in. After logging in, your credentials will be stored for future\n   use.\n\n### GCP Credentials\n\n1. Install the Google Cloud SDK by following the instructions [here](https://cloud.google.com/sdk/docs/install).\n\n2. Authenticate with Google Cloud by running:\n\n    ```bash\n    gcloud auth login\n    ```\n\n   This will open a new browser window for you to log in. After logging in, your credentials will be stored for future\n   use.\n\nBy setting these credentials, you will be able to deploy scenarios on AWS, Azure, and GCP using CNAPPgoat. If you're\nplanning on using CNAPPgoat with a different provider, make sure to configure the credentials accordingly.\n\n## Learn more\n\nTo learn more about CNAPPgoat, check out the post on the Ermetic blog:\nhttps://ermetic.com/blog/cloud/cnappgoat-multicloud-open-source-tool-for-deploying-vulnerable-by-design-cloud-resources/\n\n## Acknowledgements\n\n### Similar projects\n\nCNAPPgoat provisions a breadth of vulnerable scenarios on multiple clouds to test detection and prevention capabilities.\nThere are other great projects out there for vulnerable cloud environments that are focused on different areas, such as\nexploitation, detection, CTF (capture the flag) scenarios, etc. We were inspired by these tools and projects, and we\nrecommend checking them out:\n\n* [Stratus Red Team by DataDog](https://github.com/DataDog/stratus-red-team): a tool that allows users to\n  emulate offensive attack techniques in a granular and self-contained manner\n* [Cloud Goat by Rhino Security Labs](https://github.com/RhinoSecurityLabs/cloudgoat): a \"Vulnerable by Design\" AWS\n  deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several \"\n  capture-the-flag\" style scenarios\n* [Kubernetes Goat by Madhu Akula](https://github.com/madhuakula/kubernetes-goat): an intentionally vulnerable cluster\n  environment to learn and practice Kubernetes security\n* [TerraGoat by Bridgecrew](https://github.com/bridgecrewio/terragoat): a \"Vulnerable by Design\" Terraform repository\n* [CloudFoxable by BishopFox](https://github.com/BishopFox/cloudfoxable): a gamified cloud hacking sandbox\n\nMore challenges and tools can be found in\nthe [Awesome Cloud Security Challeges](https://github.com/mikeprivette/awesome-sec-challenges) repo by Mike Privitte,\nour list focused specifically on vulnerable-by-design cloud environments that are deployed by users in their own\nsandbox.\n\n## Contact\n\nTo email the project team, contact [research+cnappgoat@ermetic.com](mailto:research+cnappgoat@ermetic.com)\n\n## Disclaimer\n\n* CNAPPgoat is provided \"as is\" and without any warranty or support.\n* This is a beta version. The project is still in development, so we apologize for any growing pains.\n  We will release a stable version in the coming weeks.\n\n[license-img]:https://img.shields.io/badge/License-Apache%202.0-blue.svg\n[license]: https://github.com/ermetic-research/cnappgoat/blob/main/LICENSE\n[release]: https://github.com/ermetic-research/cnappgoat/releases\n[release-img]: https://img.shields.io/github/release/ermetic-research/cnappgoat.svg?logo=github\n[go-report]: https://goreportcard.com/report/github.com/ermetic-research/cnappgoat\n[go-report-img]: https://goreportcard.com/badge/github.com/ermetic-research/cnappgoat\n[made-with-go-img]: https://img.shields.io/badge/Made%20with-Go-1f425f.svg\n[maintainer-1]: https://img.shields.io/badge/maintainer-Ermetic%20research%20team-purple\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftenable%2Fcnappgoat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftenable%2Fcnappgoat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftenable%2Fcnappgoat/lists"}