Skip to content

Practical resources for offensive CI/CD security research. Curated the best resources I've seen since 2021.

License

Notifications You must be signed in to change notification settings

TupleType/awesome-cicd-attacks

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Awesome CI/CD Attacks Awesome

Offensive research of systems and processes related to developing and deploying code.

Contents

Techniques

A curated list of unique and useful CI/CD attack techniques.

Publicly Exposed Sensitive Data

Initial Code Execution

Post Exploitation

Defense Evasion

Tools

  • ADOKit - Azure DevOps Services Attack Toolkit.
  • Gato - GitHub Attack Toolkit.
  • Gato-X - GitHub Attack Toolkit - Extreme Edition.
  • GH Archive - A project to record the public GitHub timeline, archive it, and make it easily accessible for further analysis.
  • GHTorrent Project - A queryable offline mirror of the GitHub API data. Tutorial.
  • git-dumper - Dump Git repository from a website.
  • GitFive - OSINT tool to investigate GitHub profiles.
  • Grep.app - Search GitHub using regex.
  • Jenkins Attack Framework
  • Nord Stream - A tool to extract secrets stored inside CI/CD environments.
  • pwn_jenkins - Notes about attacking Jenkins servers.
  • Secrets Patterns Database - The largest open-source database for detecting secrets, API keys, passwords, tokens, and more.
  • Sourcegraph - A web-based code search and navigation tool for public repositories.
  • Token-Spray - Automate token validation using Nuclei.

Case Studies

Similar Projects