CI/CD Goat v1.2.6 releases: deliberately vulnerable CI/CD environment
The CI/CD Goat project allows engineers and security practitioners to learn and practice CI/CD security through a set of 10 challenges, enacted against a real, full-blown CI/CD environment. The scenarios are of varying difficulty levels, with each scenario focusing on one primary attack vector.
The challenges cover the Top 10 CI/CD Security Risks, including Insufficient Flow Control Mechanisms, PPE (Poisoned Pipeline Execution), Dependency Chain Abuse, PBAC (Pipeline-Based Access Controls), and more.
The challenges are inspired by Alice in Wonderland; each one is themed after a different character.
The project’s environment is based on Docker images and can be run locally. These images are:
- Gitea (minimal git server)
- Jenkins
- Jenkins agent
- LocalStack (cloud service emulator that runs in a single container)
- Lighttpd
- CTFd (Capture The Flag framework).
The images are configured to interconnect in a way that creates fully functional pipelines.
Changelog v1.2.6
🐛 Bug fixes:
- fixed links to test data in gryphon.md by @yaron-cider in #60
- Update dormouse.md solution by @yaron-cider in #61
- Limit permissions release.yaml by @yaron-cider in #62
- Fix CI and improve run time by @asi-cider in #63
- Update caterpillar.md by @chrisbrown-01 in #64
✏️ More Changes
- update docs & ci config for latest docker engine by @codevbus in #38
- Rebranding by @asi-cider in #66
Install & Use
Copyright (C) 2022 asi-cider, omer-cider, malikashish8, nlahmi