If you want to dive deep into the world of Continuous Integration/Continuous Deployment (CICD) security, the CICD Goat project is an ideal place to start. Designed as a deliberately vulnerable environment, it allows engineers and security practitioners to learn through doing, posing challenges inspired by the whimsical atmosphere of Alice in Wonderland. Below, we’ll guide you through how to set up this environment, tackle its challenges, and troubleshoot common issues.
Description
The CICD Goat project presents a real, fully functional CICD environment with 11 distinct challenges of varying difficulty levels. These challenges focus on the Top 10 CICD Security Risks such as Insufficient Flow Control Mechanisms, Dependency Chain Abuse, and more. Each challenge introduces a unique scenario aimed at exploring specific attack vectors. Think of it as a themed journey through the land of vulnerabilities, where each scenario brings you closer to mastering CICD security.
Download & Run
No need to clone the repository before running this environment. Here’s how you can download and start the CICD Goat on your system:
Linux & Mac
- Open your terminal and run:
    curl -o cicd-goat/docker-compose.yaml --create-dirs https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
    cd cicd-goat
    docker compose up -d
Windows (PowerShell)
- Open PowerShell and type the following commands (the third rewrites the compose file's bridge network to nat, which Docker on Windows expects):
    mkdir cicd-goat; cd cicd-goat
    curl -o docker-compose.yaml https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
    get-content docker-compose.yaml | %{$_ -replace "bridge","nat"} | set-content docker-compose.yaml
    docker compose up -d
Usage
Instructions
- Spoiler alert! Avoid browsing the repository files as they contain spoilers.
- To configure your git client for accessing private repositories, clone using the HTTP URL.
- In each challenge, aim to discover the flag indicated in the format flag# (e.g., flag2), or another format if specified.
- Each challenge is independent; do not use information gained from one to complete another.
- Use hints available in CTFd as needed.
- Exploiting CVEs or hijacking admin accounts is not necessary for these challenges.
Take the Challenge
- Once you start the containers, it might take up to 5 minutes for configuration to complete.
- Log in to CTFd at http://localhost:8000 using the credentials:
    - Username: alice
    - Password: alice
- Access the following services with their respective credentials:
    - Jenkins: http://localhost:8080
        - Username: alice
        - Password: alice
    - Gitea: http://localhost:3000
        - Username: thealice
        - Password: thealice
    - GitLab: http://localhost:4000
        - Username: alice
        - Password: ali12345
- Submit the flags in CTFd to verify your progress.
Troubleshooting
- If Gitea displays a blank page, refreshing the page may help.
- When forking a repository, ensure you do not rename the forked repository.
- If any services fail to start properly, try increasing the CPU and memory allocated to the Docker engine and ensure it is updated to the latest version.
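Because configuration can take up to 5 minutes and a service that never comes up is the most common setup problem, a readiness check saves guesswork. The script below is an added example, not part of the CICD Goat project: it polls the four service URLs listed above until each answers HTTP or the time budget runs out, and assumes only that curl is installed and that any HTTP status code (even a 403 or redirect while a service boots) means the container is serving.

```shell
#!/bin/sh
# Added readiness check for the lab (not part of the CICD Goat project).
# After `docker compose up -d`, poll the four services listed on this page
# until each answers HTTP, or the README's 5-minute window runs out.
set -u

# Service URLs from the "Take the Challenge" list. Assumption: any HTTP
# status (even 403/302 during boot) means the container is serving.
SERVICES="http://localhost:8000 http://localhost:8080 http://localhost:3000 http://localhost:4000"

# wait_for_url URL TIMEOUT [INTERVAL]
# Probes URL immediately, then every INTERVAL seconds (default 5) until it
# answers (return 0) or TIMEOUT seconds of waiting have passed (return 1).
wait_for_url() {
  url=$1; timeout=$2; interval=${3:-5}; waited=0
  while :; do
    if curl -s -o /dev/null --connect-timeout 2 --max-time 5 "$url" 2>/dev/null; then
      return 0
    fi
    [ "$waited" -lt "$timeout" ] || return 1
    sleep "$interval"
    waited=$((waited + interval))
  done
}

# wait_for_services TIMEOUT
# Shares one TIMEOUT budget across all services, prints a line per service
# and returns the number of services that never answered.
wait_for_services() {
  deadline=$(( $(date +%s) + $1 )); failed=0
  for url in $SERVICES; do
    remaining=$(( deadline - $(date +%s) ))
    [ "$remaining" -gt 0 ] || remaining=0
    if wait_for_url "$url" "$remaining"; then
      echo "ready:   $url"
    else
      echo "TIMEOUT: $url (Troubleshooting: raise Docker CPU/memory, update Docker)"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage: sh wait-for-goat.sh 300   (run from the cicd-goat directory after
# `docker compose up -d`; the argument is the overall timeout in seconds)
if [ "$#" -gt 0 ]; then
  docker compose ps          # show container state before polling
  wait_for_services "$1"
fi
```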
For more insights, updates, or to collaborate on AI development projects, stay connected with fxis.ai.
Solutions
Warning: Spoilers!
- For detailed solutions, see the solutions in the project repository.
- Check out the BSidesLV talk on Climbing the Production Mountain: Practical CICD Attacks Using CICD Goat, which outlines solutions for the Caterpillar, Mock Turtle, and Dormouse challenges.
At fxis.ai, we believe that such advancements are crucial for the future of AI, as they enable more comprehensive and effective solutions. Our team is continually exploring new methodologies to push the envelope in artificial intelligence, ensuring that our clients benefit from the latest technological innovations.

