Secure Software Development

Assignments and code examples.


CI/CD Goat

The “CI/CD Goat” is a deliberately vulnerable Continuous Integration/Continuous Deployment (CI/CD) environment designed to learn about various security risks associated with CI/CD systems.


It is basically a set of CTF (capture the flag) challenges.

To solve a challenge you have to find the flag and submit it to the CTFd dashboard. Flags take the form of tokens, i.e. short pieces of text.

CI/CD Goat is built from a combination of open-source tools centred around version control and build pipelines. Pre-existing experience with any of these tools is not required to solve the challenges, though it will be an advantage.

The prerequisite is experience with git and with CI/CD in some form, whether GitHub Actions, Bitbucket Pipelines or something else.

Getting started

Linux & Mac

curl -o cicd-goat/docker-compose.yaml --create-dirs https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
cd cicd-goat && docker compose up -d

Windows (PowerShell)

mkdir cicd-goat; cd cicd-goat
curl -o docker-compose.yaml https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
# Docker on Windows uses the "nat" network driver instead of "bridge"; rewrite the file in place
(get-content docker-compose.yaml) | %{$_ -replace "bridge","nat"} | set-content docker-compose.yaml
docker compose up -d
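`docker compose up -d` returns as soon as the containers have been created, not when CTFd, Jenkins and Gitea are actually answering requests (Jenkins in particular replies with HTTP 503 while it is still initialising). The POSIX shell script below is an added example, not part of the CI/CD Goat project or of this course's own material: it polls the three URLs listed under Services until each one answers, so you know the lab is usable before opening the dashboard. It assumes `curl` and `docker compose` are on the PATH and that the ports are the defaults from the compose file; the file name `check-goat.sh` and the `up` argument are this example's own conventions.

```shell
#!/bin/sh
# Added example (not CI/CD Goat's own code): wait until the lab's web services answer.
# Assumes curl is installed and the default ports from docker-compose.yaml are used.
set -u

# name=url pairs for the three services listed on this page (CTFd, Jenkins, Gitea).
CICD_GOAT_SERVICES="ctfd=http://localhost:8000 jenkins=http://localhost:8080 gitea=http://localhost:3000"

# service_url NAME -> prints the URL registered for NAME, returns 1 if unknown.
service_url() {
    for entry in $CICD_GOAT_SERVICES; do
        [ "${entry%%=*}" = "$1" ] && { echo "${entry#*=}"; return 0; }
    done
    return 1
}

# wait_for_url URL TIMEOUT_SECONDS
# Returns 0 as soon as URL answers with an HTTP status below 500, 1 when roughly
# TIMEOUT seconds have passed without that happening.
wait_for_url() {
    url=$1
    timeout=$2
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        # curl prints 000 when nothing is listening yet, and Jenkins answers 503
        # while it is still booting; both cases keep us polling. Any 1xx-4xx
        # status (including Jenkins' 403 for anonymous users) means "up".
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$url" 2>/dev/null || echo 000)
        case "$code" in
            [1-4][0-9][0-9]) return 0 ;;
        esac
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# wait_for_all TIMEOUT_SECONDS
# Polls every service in turn; the return value is the number that never came up.
wait_for_all() {
    limit=$1
    failed=0
    for entry in $CICD_GOAT_SERVICES; do
        name=${entry%%=*}
        if wait_for_url "${entry#*=}" "$limit"; then
            echo "ready: $name (${entry#*=})"
        else
            echo "NOT ready after ${limit}s: $name (${entry#*=})" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: sh check-goat.sh up   (run from the cicd-goat directory: starts the lab, then waits)
case "${1:-}" in
    up)
        docker compose up -d || exit 1
        wait_for_all 180
        ;;
esac
```

Run it from the directory holding `docker-compose.yaml` as `sh check-goat.sh up`; a non-zero exit status tells you how many of the three services were still not responding after three minutes.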

Services

| Name | Description | URL | Username | Password |
| --- | --- | --- | --- | --- |
| CTFd | Challenges | http://localhost:8000 | alice | alice |
| Jenkins | CI pipelines | http://localhost:8080 | alice | alice |
| Gitea | GitHub-like git hosting | http://localhost:3000 | thealice | thealice |

Hints