Name: cicd-goat
Author: cider-security-research

Primary Use Case

This tool is used by security engineers and DevSecOps practitioners to learn and improve their skills in securing CI/CD pipelines by exploiting and mitigating real-world vulnerabilities. It provides a practical, challenge-based environment that simulates common CI/CD security risks, enabling users to gain hands-on experience in a safe, controlled setting.

Key Features

11 progressive security challenges focused on CI/CD pipeline vulnerabilities

Covers OWASP Top 10 CI/CD Security Risks including Poisoned Pipeline Execution and Dependency Chain Abuse

Fully functional CI/CD environment using interconnected Docker containers

Includes multiple services: Gitea, Jenkins, Jenkins agent, LocalStack, GitLab, GitLab runner, Docker in Docker, CTFd

Capture the Flag (CTF) style learning with flags to find for each challenge

No need to exploit CVEs or hijack admin accounts to complete challenges

Supports local deployment on Linux, Mac, and Windows via Docker Compose

Maintained by Palo Alto Networks with integration hints for Prisma Cloud Code Security

Insights & Recommendations

Avoid browsing repository files directly as they contain spoilers for the challenges. Each challenge is independent; do not use access from one challenge to solve another. The environment is designed for learning and does not require exploiting CVEs or hijacking default admin accounts. Running requires Docker and Docker Compose installed on the host machine.

Installation

Download the docker-compose.yaml file: curl -o cicd-goat/docker-compose.yaml --create-dirs https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
Change directory: cd cicd-goat
Start the environment with Docker Compose: docker compose up -d
For Windows Powershell users: mkdir cicd-goat; cd cicd-goat
Download docker-compose.yaml on Windows: curl -o docker-compose.yaml https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
Replace network mode in docker-compose.yaml for Windows: get-content docker-compose.yaml | %{$_ -replace "bridge","nat"}
Start environment on Windows: docker compose up -d

Usage

curl -o cicd-goat/docker-compose.yaml --create-dirs https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml

Downloads the docker-compose configuration file needed to run the environment.

cd cicd-goat && docker compose up -d

Starts the entire vulnerable CI/CD environment in detached mode.

mkdir cicd-goat; cd cicd-goat

Creates and navigates into the project directory on Windows.

curl -o docker-compose.yaml https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml

Downloads the docker-compose.yaml file on Windows.

get-content docker-compose.yaml | %{$_ -replace "bridge","nat"}

Modifies the network configuration in docker-compose.yaml for Windows compatibility.

docker compose up -d

Launches all containers in the background to start the challenge environment.

Smart Usage Notes

Integrate cicd-goat into purple team exercises to simulate real-world CI/CD pipeline attacks and defenses.Use the environment to validate and tune CI/CD security automation tools such as Prisma Cloud Code Security.Leverage the challenge flags as metrics for continuous security training progress and skill assessment.Extend the tool by adding custom challenges reflecting emerging CI/CD risks and organizational pipeline specifics.Automate capture and analysis of attack techniques during challenges to improve incident response playbooks.

OpenSec Atlas

cicd-goat

About This Tool

Primary Use Case

Key Features

Insights & Recommendations

Installation

Usage

Smart Usage Notes

Security Capability Profile

Tags

You Might Also Like