GitGoat enables DevOps and Engineering teams to test security products intending to integrate with GitHub

Overview

About GitGoat for GitHub

GitGoat enables DevOps and Engineering teams to test security products intending to integrate with GitHub. GitGoat is a learning and training project that demonstrates common configuration errors that can potentially allow adversaries to introduce code to production.

logo

Introduction

GitGoat was built to enable DevOps and Engineering teams to design and implement a sustainable misconfiguration prevention strategy. It can be used for proof-of-concept projects, such as OpenSSF, Arnica (coming soon), and others.

Important note

Since GitGoat creates misconfigured assets on GitHub, it is warmly recommended to avoid using it in a production organization.

Prerequisites

Here is what you need before kicking off the process:

  • Python3
  • Account on GitHub

Getting started

Create organization

At this point, GitHub does not support the creation of an organization via APIs. Thus, the organization needs to be created via the user interface. Below are the steps to create an organization:

  1. Login to GitHub and navigate to the organization creation page.
  2. Fill the Organization account name (e.g. GitGoat-Demo), "Contact email", and select My personal account under the "This organzation belongs to" section. Click on next and skip the next screen of adding organization members.

Create a Personal Access Token (PAT) to GitHub

A PAT is required to run GitGoat in order to create repositories and teams, and invite members to the organization created in the previous step. To create a PAT, follow these steps:

  1. Go to the new tokens page. If you are redirected to the login page, authenticate yourself.
  2. Fill the fields in the "New personal access token page" and then click on Generate token:
    • Set the expiration time as needed. Since it will be used only to execute GitGoat, a short expiration time is preferred.
    • Select the following scopes: repo, admin:org, and delete_repo.
  3. Make sure to copy your personal access token now. It will be required for the next step.

Run a Docker Container

Clone the docker image:

docker pull ghcr.io/arnica-ext/gitgoat:main

Run the container by injecting the PAT as an environment variable:

docker run -ti --env github_token=[YOUR_PAT] --rm ghcr.io/arnica-ext/gitgoat:main python3 run.py --org [YOUR_ORGANIZATION_NAME]

Additional configurations

GitGoat can be customzed in the config.yaml file. To modify this file or run GitGoat with multiple variations of the config file, please follow the instructions below.

Run Locally

Set the environment variable

Open your preferred terminal, clone this repo and change the directory to the GitGoat folder.

git clone https://github.com/arnica-ext/GitGoat.git GitGoat
cd GitGoat

On Mac/Linux, set the environment variable github_pat using the following command:

export github_pat=[YOUR_PAT]

On Windows, use the following command:

set github_pat=[YOUR_PAT]

Install the requirements

Install the required libraries to run GitGoat with the following command:

python3 -m pip install -r requirements.txt

Run GitGoat

This is the moment of truth, go for it!

python3 run.py --org [YOUR_ORGANIZATION_NAME]

The configuration file config.yaml can be adjusted as needed, or if multiple files are used, add --config [YOUR_CONFIG_FILE.yaml] to the execution path above. In case you'd like to rant and rave about the tokens in this file, these accounts are dummy just to create commits in your organization. Feel free to spend the time to create your accounts, if needed.

Validate the results

If everything went well, you should see the following in your newly created organization:

  • 5 new repositories named Echinacea, Lavender, Chamomile, Calendula, Tarragon (we like the herbs theme).
  • Many teams with the naming convention [repository_name]-[admin | maintain | triage | push | pull]. Each team has a specific permission to the associated repository.
  • 4 users named archie-gg (a.k.a. Archie Tekkt), billdp-gg (a.k.a. Bill De Pipeline), codeyf-gg (a.k.a. Codey Fie) and debu-gg (a.k.a. Deb Ugeen) as members in the organization and the teams.
  • Many commits by the users in the last 12 months. Keep in mind that the commit dates are vary, but there is only a single push by every user to the relevant repository.

Contribute to GitGoat

GitGoat is open sourced to the community in order to encourage everyone to test security products in a rapid fashion without impacting the production operations. In return, please open issues, create pull requests, or simply add us to the watch list to follow our enhancements in this project.

You might also like...
A tool to convert AWS EC2 instances back and forth between On-Demand and Spot billing models.
A tool to convert AWS EC2 instances back and forth between On-Demand and Spot billing models.

ec2-spot-converter This tool converts existing AWS EC2 instances back and forth between On-Demand and 'persistent' Spot billing models while preservin

Iris is a highly configurable and flexible service for paging and messaging.
Iris is a highly configurable and flexible service for paging and messaging.

Iris Iris core, API, UI and sender service. For third-party integration support, see iris-relay, a stateless proxy designed to sit at the edge of a pr

Let's learn how to build, release and operate your containerized applications to Amazon ECS and AWS Fargate using AWS Copilot.
Let's learn how to build, release and operate your containerized applications to Amazon ECS and AWS Fargate using AWS Copilot.

🚀 Welcome to AWS Copilot Workshop In this workshop, you'll learn how to build, release and operate your containerised applications to Amazon ECS and

KivyPassword - A password generator using both Kivy framework and SQL in order to create a local database for users to generate strong passwords and store them pyinfra automates infrastructure super fast at massive scale. It can be used for ad-hoc command execution, service deployment, configuration management and more.
pyinfra automates infrastructure super fast at massive scale. It can be used for ad-hoc command execution, service deployment, configuration management and more.

pyinfra automates/provisions/manages/deploys infrastructure super fast at massive scale. It can be used for ad-hoc command execution, service deployme

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:

Latest Salt Documentation Open an issue (bug report, feature request, etc.) Salt is the world’s fastest, most intelligent and scalable automation engi

Simple, Pythonic remote execution and deployment.

Welcome to Fabric! Fabric is a high level Python (2.7, 3.4+) library designed to execute shell commands remotely over SSH, yielding useful Python obje

Cross-platform lib for process and system monitoring in Python
Cross-platform lib for process and system monitoring in Python

Home Install Documentation Download Forum Blog Funding What's new Summary psutil (process and system utilities) is a cross-platform library for retrie

This repository contains code examples and documentation for learning how applications can be developed with Kubernetes

BigBitBus KAT Components Click on the diagram to enlarge, or follow this link for detailed documentation Introduction Welcome to the BigBitBus Kuberne

Comments
Releases(v1.1.2)
  • v1.1.2(Apr 23, 2022)

    What's Changed

    • Added repositories with different branch protection policies - look at Ginger, Wasabi and Peppermint in config.yaml.
    • Added nested teams - see the "parent_teams" section in config.yaml.
    • Added secrets into source code. Modify "commit_secrets_in_repositories" in config.yaml under each member to configure which members commit secrets in specific repositories.
    Source code(tar.gz)
    Source code(zip)
  • v1.1.1(Dec 28, 2021)

    What's Changed

    • Feature: Users create multiple PRs and get approved by distinct users.
    • Bug fix: GitHub ignored codeowners associations when users were members of the team.
    Source code(tar.gz)
    Source code(zip)
  • v1.1.0(Dec 27, 2021)

    What's Changed

    • GitGoat generates codeowners files and reviews PRs according to the rules, e.g. if codeowners are defined but not enforced, it is demonstrated.
    • PR merging and reviewing members are split to have more diverse data set.
    Source code(tar.gz)
    Source code(zip)
  • v1.0.0(Dec 25, 2021)

Owner
Arnica
Arnica
Containerize a python web application

containerize a python web application introduction this document is part of GDSC at the university of bahrain you don't need to follow along, fell fre

abdullah mosibah 1 Oct 19, 2021
ZeroMQ bindings for Twisted

Twisted bindings for 0MQ Introduction txZMQ allows to integrate easily ØMQ sockets into Twisted event loop (reactor). txZMQ supports both CPython and

Andrey Smirnov 149 Dec 08, 2022
Google Kubernetes Engine (GKE) with a Snyk Kubernetes controller installed/configured for Snyk App

Google Kubernetes Engine (GKE) with a Snyk Kubernetes controller installed/configured for Snyk App This example provisions a Google Kubernetes Engine

Pas Apicella 2 Feb 09, 2022
Deploy a simple Multi-Node Clickhouse Cluster with docker-compose in minutes.

Simple Multi Node Clickhouse Cluster I hate those single-node clickhouse clusters and manually installation, I mean, why should we: Running multiple c

Nova Kwok 11 Nov 18, 2022
This projects provides the documentation and the automation(code) for the Oracle EMEA WLA COA Demo UseCase.

COA DevOps Training UseCase This projects provides the documentation and the automation(code) for the Oracle EMEA WLA COA Demo UseCase. Demo environme

Cosmin Tudor 1 Jan 28, 2022
Dockerized service to backup all running database containers

Docker Database Backup Dockerized service to automatically backup all of your database containers. Docker Image Tags: docker.io/jandi/database-backup

Jan Dittrich 16 Dec 31, 2022
CDK Template of Table Definition AWS Lambda for RDB

CDK Template of Table Definition AWS Lambda for RDB Overview This sample deploys Amazon Aurora of PostgreSQL or MySQL with AWS Lambda that can define

AWS Samples 5 May 16, 2022
Copy a Kubernetes pod and run commands in its environment

copypod Utility for copying a running Kubernetes pod so you can run commands in a copy of its environment, without worrying about it the pod potential

Memrise 4 Apr 08, 2022
Azure plugins for Feast (FEAture STore)

Feast on Azure This project provides resources to enable running a feast feature store on Azure. Feast Azure Provider The Feast Azure provider acts li

Microsoft Azure 70 Dec 31, 2022
This repository contains code examples and documentation for learning how applications can be developed with Kubernetes

BigBitBus KAT Components Click on the diagram to enlarge, or follow this link for detailed documentation Introduction Welcome to the BigBitBus Kuberne

51 Oct 16, 2022
🎡 Build Python wheels for all the platforms on CI with minimal configuration.

cibuildwheel Documentation Python wheels are great. Building them across Mac, Linux, Windows, on multiple versions of Python, is not. cibuildwheel is

Python Packaging Authority 1.3k Jan 02, 2023
A job launching library for docker, EC2, GCP, etc.

doodad A library for packaging dependencies and launching scripts (with a focus on python) on different platforms using Docker. Currently supported pl

Justin Fu 55 Aug 27, 2022
a CLI that provides a generic automation layer for assessing the security of ML models

Counterfit About | Getting Started | Learn More | Acknowledgments | Contributing | Trademarks | Contact Us -------------------------------------------

Microsoft Azure 575 Jan 02, 2023
Jenkins-AWS-CICD - Implement Jenkins CI/CD with AWS CodeBuild and AWS CodeDeploy, build a python flask web application.

Jenkins-AWS-CICD - Implement Jenkins CI/CD with AWS CodeBuild and AWS CodeDeploy, build a python flask web application.

Ning 1 Jan 01, 2022
Chef-like functionality for Fabric

/ / ___ ___ ___ ___ | | )| |___ | | )|___) |__ |__/ | __/ | | / |__ -- Chef-like functionality for Fabric About Fabric i

Sébastien Pierre 1.3k Dec 21, 2022
Inferoxy is a service for quick deploying and using dockerized Computer Vision models.

Inferoxy is a service for quick deploying and using dockerized Computer Vision models. It's a core of EORA's Computer Vision platform Vision Hub that runs on top of AWS EKS.

94 Oct 10, 2022
Official Python client library for kubernetes

Kubernetes Python Client Python client for the kubernetes API. Installation From source: git clone --recursive https://github.com/kubernetes-client/py

Kubernetes Clients 5.4k Jan 02, 2023
Hackergame nc 类题目的 Docker 容器资源限制、动态 flag、网页终端

Hackergame nc 类题目的 Docker 容器资源限制、动态 flag、网页终端 快速入门 配置证书 证书用于验证用户 Token。请确保这里的证书文件(cert.pem)与 Hackergame 平台 配置的证书相同,这样 Hackergame 平台为每个用户生成的 Token 才可以通

USTC Hackergame 68 Nov 09, 2022
GitGoat enables DevOps and Engineering teams to test security products intending to integrate with GitHub

GitGoat is an open source tool that was built to enable DevOps and Engineering teams to design and implement a sustainable misconfiguration prevention strategy. It can be used to test with products w

Arnica 149 Dec 22, 2022
Cobbler is a versatile Linux deployment server

Cobbler Cobbler is a Linux installation server that allows for rapid setup of network installation environments. It glues together and automates many

Cobbler 2.4k Dec 24, 2022