GitHub Actions Goat - a Deliberately Vulnerable GitHub Actions CI/CD Environment

Delve into the intricacies of GitHub Actions Security by forking the GitHub Actions Goat project and learning by doing. All you need to follow the hands-on tutorials is your GitHub Account

Varun Sharma
July 17, 2023

We're thrilled to present GitHub Actions Goat, an educational project that simulates common security attacks and vulnerabilities in a GitHub Actions CI/CD environment and shows how to defend against such attacks.

This project is designed to be hands-on and interactive, offering ten meticulously crafted tutorials for security practitioners and developers. You can delve into the intricacies of GitHub Actions Security by forking the 'Goat' project and learning by doing. All you need to follow the hands-on tutorials is your GitHub Account.

The importance of CI/CD Security has been underlined by guidance from the Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA). As per their document Defending Continuous Integration/Continuous Delivery (CI/CD) Environments:

CI/CD environments have become attractive targets for malicious cyber actors (MCAs) aiming to introduce malicious code, steal intellectual property, or cause denial of service attacks against applications.

The project delves deeper into GitHub Actions CI/CD Security by exploring the three major threat scenarios outlined in the CISA/NSA guidance and applying these potential risks to GitHub Actions, a leading CI/CD platform. The project explains these concepts using real-world security incidents related to CI/CD pipelines.

Following this, GitHub Actions Goat integrates best practices recommended by both the CISA/NSA guidance for CI/CD Security and GitHub's Security Hardening for GitHub Actions guide. This is done to demonstrate efficient ways of mitigating these threats within both GitHub-hosted runners and self-hosted Actions Runner Controller (ARC) environments.

Kickstarting the 'GitHub Actions Goat' project is a stimulating puzzle designed to get your analytical gears turning. Here, you'll encounter a GitHub Actions workflow, and the network events it generates. Your task? Determine whether the outbound traffic during the workflow run is expected or if it suggests a more sinister motive.
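As an added example (not part of the GitHub Actions Goat project or the original post), the puzzle's triage can be made mechanical: derive the destinations a workflow's steps justify and flag every observed connection that nothing in the workflow accounts for. The action-to-host mappings, the baseline host and the sample events below are constructed assumptions for the example.

```python
"""Triage outbound network events from a GitHub Actions workflow run.

Added example, not project code: the expected-egress tables and the
sample events are constructed for illustration.
"""
from dataclasses import dataclass

# Hosts a given action or command is expected to reach (constructed).
KNOWN_ACTION_EGRESS = {
    "actions/checkout": {"github.com"},
    "actions/setup-node": {"github.com", "nodejs.org"},
}
KNOWN_COMMAND_EGRESS = {
    "npm ": {"registry.npmjs.org"},
    "pip ": {"pypi.org", "files.pythonhosted.org"},
}
# Every job talks to the Actions service itself, whatever its steps do
# (assumed baseline for the example).
BASELINE_EGRESS = {"api.github.com"}


@dataclass(frozen=True)
class Step:
    uses: str = ""   # e.g. "actions/checkout@v3"
    run: str = ""    # shell command, e.g. "npm ci"


def expected_destinations(steps):
    """Return the set of hostnames the given steps justify contacting."""
    allowed = set(BASELINE_EGRESS)
    for step in steps:
        action = step.uses.split("@", 1)[0]  # drop the version ref
        allowed |= KNOWN_ACTION_EGRESS.get(action, set())
        for prefix, hosts in KNOWN_COMMAND_EGRESS.items():
            if step.run.startswith(prefix):
                allowed |= hosts
    return allowed


def triage_events(steps, events):
    """Split observed (step_name, host) events into explained and unexplained."""
    allowed = expected_destinations(steps)
    explained, unexplained = [], []
    for step_name, host in events:
        (explained if host in allowed else unexplained).append((step_name, host))
    return explained, unexplained


# Constructed sample: a typical Node build and the events its run produced.
WORKFLOW_STEPS = [
    Step(uses="actions/checkout@v3"),
    Step(uses="actions/setup-node@v3"),
    Step(run="npm ci"),
    Step(run="npm test"),
]
OBSERVED_EVENTS = [
    ("Run actions/checkout@v3", "github.com"),
    ("Run npm ci", "registry.npmjs.org"),
    ("Run npm test", "api.github.com"),
    ("Run npm test", "unknown-host.example"),  # constructed placeholder host
]

if __name__ == "__main__":
    _, suspicious = triage_events(WORKFLOW_STEPS, OBSERVED_EVENTS)
    for step_name, host in suspicious:
        print(f"UNEXPECTED: {step_name} -> {host}")
```

A test step that reaches a host no declared action or package manager explains is exactly the signal the puzzle asks you to spot; the same comparison is what an egress allowlist on a runner enforces.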

Encompassing the spirit of community and collaboration, GitHub Actions Goat is an open-source initiative welcoming contributions from across the globe. Are you intrigued and want to try GitHub Actions Goat? Access the GitHub repository here and start your journey into secure GitHub Actions CI/CD practices today.