All blog posts

CI/CD Goat – A deliberately vulnerable CI/CD environment

Today we are excited to announce the launch of “CI/CD Goat” – a deliberately vulnerable CI/CD environment which allows engineers, security practitioners, and curious hackers to learn and experience the major CI/CD security risks out there.

The motivation behind the CI/CD Goat project

CI/CD has matured tremendously over recent years, completely reshaping organizations’ attack surface. This has created an exponentially growing amount of potential attack vectors for adversaries; 2021 alone was full of high magnitude attacks targeting CI/CD systems and abusing the software delivery chain to execute malicious code within engineering environments (SolarWinds, Codecov, Dependency Confusion and many others). 

In parallel, defenders are facing challenges adapting to this new reality. Successful adaptation requires high familiarity with the characteristics of this new attack surface, extensive knowledge of the nature of CI/CD environments, and a deep understanding of the attacker’s perspective of CI/CD. Unless these exist, the imbalance between CI/CD defenders and attackers will persist, and attackers will continue to have the upper hand.

The “Top 10 CI/CD Security Risks” project has been a significant milestone in empowering defenders to gain a better understanding of the main CI/CD security risks which exist today, their impact and the appropriate countermeasures. But to really understand the attacker’s perspective, it is essential for defenders to understand and practice the exact tactics and techniques used by attackers against CI/CD environments. Having that understanding is crucial to building effective, tailored security measures that optimize CI/CD security. 

For this – we created CI/CD Goat. 

The CI/CD goat project allows engineers and security practitioners to learn and practice CI/CD security through a set of 10 challenges, enacted against a real, full blown CI/CD environment. The scenarios are of varying difficulty levels, with each scenario focusing on one primary attack vector.

The project’s environment is based on Docker images and can be run locally. These images are: 

  1. Gitea (minimal git server)
  2. Jenkins
  3. Jenkins agent
  4. LocalStack (cloud service emulator that runs in a single container)
  5. Lighttpd
  6. CTFd (Capture The Flag framework).

The images are configured to interconnect in a way that creates fully functional pipelines.

The CI/CD Goat challenges

The different challenges listed below, inspired by Alice in Wonderland, expose CI/CD Goat users to risks such as Direct-PPE, Indirect-PPE, Insufficient credential hygiene, Insecure Jenkins system configuration, Dependency chain abuse, 3rd party service compromise, insufficient flow control mechanisms and more. 

  1. White-rabbit
  2. Caterpillar
  3. Mad-hatter
  4. Duchess
  5. Cheshire-cat
  6. Twiddledum
  7. Dodo
  8. Hearts
  9. Dormouse
  10. Mock-turtle

In each challenge, After logging in to CTFd to get the challenge description, users receive a set of credentials for Gitea and Jenkins, which they can then utilize to access the systems and exploit their vulnerabilities. The goal of each challenge is to find the “flag”, which can then be entered in CTFd to determine if the challenge was solved correctly.

Contributing to CI/CD Goat

We hope you enjoy CI/CD Goat and that it will help you gain more knowledge and experience around CI/CD security risks. The CI/CD Goat is open to contribution and expansion – the entire project is configured as code, with automatic tests to ensure that additions and adjustments made to the project are working properly. You are highly welcome to star, fork, and contribute to the project in any way you believe is helpful. Try it out, tell your friends and if you come up with more ideas for challenges, feel free to send them our way!

Cider Security has been acquired by Palo Alto Networks