| | cicd-goat | github-leak-audit |
|---|---|---|
| Mentions | 17 | 1 |
| Stars | 1,806 | 9 |
| Growth | 1.2% | - |
| Activity | 5.0 | 0.0 |
| Last commit | 28 days ago | 12 months ago |
| Language | Python | Python |
| License | Apache License 2.0 | GNU Affero General Public License v3.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cicd-goat
- CI/CD Access All Areas?
In this blog post, we want to explore what happens if a development machine gets compromised, granting an attacker write access to source code repositories. To experience this first-hand, we're using CI/CD Goat and one of its CTF challenges to play through the scenario of an attacker gaining access to sensitive data within build infrastructure.
- New challenge added to the CI/CD Goat CTF
- DevSecOps Newbie
CI/CD-Goat: https://github.com/cider-security-research/cicd-goat
- CI/CD Goat - A deliberately vulnerable environment made to educate on CI/CD security
github-leak-audit
- Thinking Like a Hacker: Finding Source Code Leaks on GitHub
One is an app I developed to be published alongside this blog post: https://github.com/lawndoc/github-leak-audit. The app uses GitHub’s API to monitor all your GitHub organization members’ personal public repos for potential leaks. It is specifically targeted for the accidental leak scenario described in this blog post. It will detect previously unknown code and new repos. To set it up in your organization, you’ll need to fork the repo under your organization’s ownership, set up a GitHub app or PAT secret for it, and enable the GitHub Actions workflow. Detailed instructions are in the README.
What are some alternatives?
apicheck - The DevSecOps toolset for REST APIs
WALKOFF - A flexible, easy to use, automation framework allowing users to integrate their capabilities and devices to cut through the repetitive, tedious tasks slowing them down. #nsacyber
dockerfile-security - Static security checker for Dockerfiles
jenkins-update-center - Jenkins mirror update center generator
goose - A robot for mapping github events into actionable HTTP payloads
packj - Packj stops Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply chain
sbt-dependency-check - SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs).
git-alerts - Tool to detect and monitor GitHub org users' public repositories for secrets and sensitive files
faraday - Open Source Vulnerability Management Platform