GitGoat enables DevOps and Engineering teams to test security products intending to integrate with GitHub

Overview

About GitGoat for GitHub

GitGoat enables DevOps and Engineering teams to test security products intending to integrate with GitHub. GitGoat is a learning and training project that demonstrates common configuration errors that can potentially allow adversaries to introduce code to production.

logo

Introduction

GitGoat was built to enable DevOps and Engineering teams to design and implement a sustainable misconfiguration prevention strategy. It can be used for proof-of-concept projects, such as OpenSSF, Arnica (coming soon), and others.

Important note

Since GitGoat creates misconfigured assets on GitHub, it is warmly recommended to avoid using it in a production organization.

Prerequisites

Here is what you need before kicking off the process:

  • Python3
  • Account on GitHub

Getting started

Create organization

At this point, GitHub does not support the creation of an organization via APIs. Thus, the organization needs to be created via the user interface. Below are the steps to create an organization:

  1. Login to GitHub and navigate to the organization creation page.
  2. Fill the Organization account name (e.g. GitGoat-Demo), "Contact email", and select My personal account under the "This organzation belongs to" section. Click on next and skip the next screen of adding organization members.

Create a Personal Access Token (PAT) to GitHub

A PAT is required to run GitGoat in order to create repositories and teams, and invite members to the organization created in the previous step. To create a PAT, follow these steps:

  1. Go to the new tokens page. If you are redirected to the login page, authenticate yourself.
  2. Fill the fields in the "New personal access token page" and then click on Generate token:
    • Set the expiration time as needed. Since it will be used only to execute GitGoat, a short expiration time is preferred.
    • Select the following scopes: repo, admin:org, and delete_repo.
  3. Make sure to copy your personal access token now. It will be required for the next step.

Run a Docker Container

Clone the docker image:

docker pull ghcr.io/arnica-ext/gitgoat:main

Run the container by injecting the PAT as an environment variable:

docker run -ti --env github_token=[YOUR_PAT] --rm ghcr.io/arnica-ext/gitgoat:main python3 run.py --org [YOUR_ORGANIZATION_NAME]

Additional configurations

GitGoat can be customzed in the config.yaml file. To modify this file or run GitGoat with multiple variations of the config file, please follow the instructions below.

Run Locally

Set the environment variable

Open your preferred terminal, clone this repo and change the directory to the GitGoat folder.

git clone https://github.com/arnica-ext/GitGoat.git GitGoat
cd GitGoat

On Mac/Linux, set the environment variable github_pat using the following command:

export github_pat=[YOUR_PAT]

On Windows, use the following command:

set github_pat=[YOUR_PAT]

Install the requirements

Install the required libraries to run GitGoat with the following command:

python3 -m pip install -r requirements.txt

Run GitGoat

This is the moment of truth, go for it!

python3 run.py --org [YOUR_ORGANIZATION_NAME]

The configuration file config.yaml can be adjusted as needed, or if multiple files are used, add --config [YOUR_CONFIG_FILE.yaml] to the execution path above. In case you'd like to rant and rave about the tokens in this file, these accounts are dummy just to create commits in your organization. Feel free to spend the time to create your accounts, if needed.

Validate the results

If everything went well, you should see the following in your newly created organization:

  • 5 new repositories named Echinacea, Lavender, Chamomile, Calendula, Tarragon (we like the herbs theme).
  • Many teams with the naming convention [repository_name]-[admin | maintain | triage | push | pull]. Each team has a specific permission to the associated repository.
  • 4 users named archie-gg (a.k.a. Archie Tekkt), billdp-gg (a.k.a. Bill De Pipeline), codeyf-gg (a.k.a. Codey Fie) and debu-gg (a.k.a. Deb Ugeen) as members in the organization and the teams.
  • Many commits by the users in the last 12 months. Keep in mind that the commit dates are vary, but there is only a single push by every user to the relevant repository.

Contribute to GitGoat

GitGoat is open sourced to the community in order to encourage everyone to test security products in a rapid fashion without impacting the production operations. In return, please open issues, create pull requests, or simply add us to the watch list to follow our enhancements in this project.

You might also like...
A tool to convert AWS EC2 instances back and forth between On-Demand and Spot billing models.
A tool to convert AWS EC2 instances back and forth between On-Demand and Spot billing models.

ec2-spot-converter This tool converts existing AWS EC2 instances back and forth between On-Demand and 'persistent' Spot billing models while preservin

Iris is a highly configurable and flexible service for paging and messaging.
Iris is a highly configurable and flexible service for paging and messaging.

Iris Iris core, API, UI and sender service. For third-party integration support, see iris-relay, a stateless proxy designed to sit at the edge of a pr

Let's learn how to build, release and operate your containerized applications to Amazon ECS and AWS Fargate using AWS Copilot.
Let's learn how to build, release and operate your containerized applications to Amazon ECS and AWS Fargate using AWS Copilot.

🚀 Welcome to AWS Copilot Workshop In this workshop, you'll learn how to build, release and operate your containerised applications to Amazon ECS and

KivyPassword - A password generator using both Kivy framework and SQL in order to create a local database for users to generate strong passwords and store them pyinfra automates infrastructure super fast at massive scale. It can be used for ad-hoc command execution, service deployment, configuration management and more.
pyinfra automates infrastructure super fast at massive scale. It can be used for ad-hoc command execution, service deployment, configuration management and more.

pyinfra automates/provisions/manages/deploys infrastructure super fast at massive scale. It can be used for ad-hoc command execution, service deployme

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:

Latest Salt Documentation Open an issue (bug report, feature request, etc.) Salt is the world’s fastest, most intelligent and scalable automation engi

Simple, Pythonic remote execution and deployment.

Welcome to Fabric! Fabric is a high level Python (2.7, 3.4+) library designed to execute shell commands remotely over SSH, yielding useful Python obje

Cross-platform lib for process and system monitoring in Python
Cross-platform lib for process and system monitoring in Python

Home Install Documentation Download Forum Blog Funding What's new Summary psutil (process and system utilities) is a cross-platform library for retrie

This repository contains code examples and documentation for learning how applications can be developed with Kubernetes

BigBitBus KAT Components Click on the diagram to enlarge, or follow this link for detailed documentation Introduction Welcome to the BigBitBus Kuberne

Comments
Releases(v1.1.2)
  • v1.1.2(Apr 23, 2022)

    What's Changed

    • Added repositories with different branch protection policies - look at Ginger, Wasabi and Peppermint in config.yaml.
    • Added nested teams - see the "parent_teams" section in config.yaml.
    • Added secrets into source code. Modify "commit_secrets_in_repositories" in config.yaml under each member to configure which members commit secrets in specific repositories.
    Source code(tar.gz)
    Source code(zip)
  • v1.1.1(Dec 28, 2021)

    What's Changed

    • Feature: Users create multiple PRs and get approved by distinct users.
    • Bug fix: GitHub ignored codeowners associations when users were members of the team.
    Source code(tar.gz)
    Source code(zip)
  • v1.1.0(Dec 27, 2021)

    What's Changed

    • GitGoat generates codeowners files and reviews PRs according to the rules, e.g. if codeowners are defined but not enforced, it is demonstrated.
    • PR merging and reviewing members are split to have more diverse data set.
    Source code(tar.gz)
    Source code(zip)
  • v1.0.0(Dec 25, 2021)

Owner
Arnica
Arnica
Autoscaling volumes for Kubernetes (with the help of Prometheus)

Kubernetes Volume Autoscaler (with Prometheus) This repository contains a service that automatically increases the size of a Persistent Volume Claim i

DevOps Nirvana 142 Dec 28, 2022
Organizing ssh servers in one shell.

NeZha (哪吒) NeZha is a famous chinese deity who can have three heads and six arms if he wants. And my NeZha tool is hoping to bring developer such mult

Zilin Zhu 8 Dec 20, 2021
Ansible for DevOps examples.

Ansible for DevOps Examples This repository contains Ansible examples developed to support different sections of Ansible for DevOps, a book on Ansible

Jeff Geerling 6.6k Jan 08, 2023
Emissary - open source Kubernetes-native API gateway for microservices built on the Envoy Proxy

Emissary-ingress Emissary-Ingress is an open-source Kubernetes-native API Gateway + Layer 7 load balancer + Kubernetes Ingress built on Envoy Proxy. E

Emissary Ingress 4k Dec 31, 2022
Micro Data Lake based on Docker Compose

Micro Data Lake based on Docker Compose This is the implementation of a Minimum Data Lake

Abel Coronado 15 Jan 07, 2023
🐳 RAUDI: Regularly and Automatically Updated Docker Images

🐳 RAUDI: Regularly and Automatically Updated Docker Images RAUDI (Regularly and Automatically Updated Docker Images) automatically generates and keep

SecSI 534 Dec 29, 2022
Dockerized iCloud drive

iCloud-drive-docker is a simple iCloud drive client in Docker environment. It uses pyiCloud python library to interact with iCloud

Mandar Patil 376 Jan 01, 2023
NixOps is a tool for deploying to NixOS machines in a network or cloud.

NixOps NixOps is a tool for deploying to NixOS machines in a network or the cloud. Key features include: Declarative: NixOps determines and carries ou

Nix/Nixpkgs/NixOS 1.2k Jan 02, 2023
Oncall is a calendar tool designed for scheduling and managing on-call shifts. It can be used as source of dynamic ownership info for paging systems like http://iris.claims.

Oncall See admin docs for information on how to run and manage Oncall. Development setup Prerequisites Debian/Ubuntu - sudo apt-get install libsasl2-d

LinkedIn 928 Dec 22, 2022
Kubediff: a tool for Kubernetes to show differences between running state and version controlled configuration.

Kubediff: a tool for Kubernetes to show differences between running state and version controlled configuration.

Weaveworks 1.1k Dec 30, 2022
Docker Container wallstreetbets-sentiment-analysis

Docker Container wallstreetbets-sentiment-analysis A docker container using restful endpoints exposed on port 5000 "/analyze" to gather sentiment anal

145 Nov 22, 2022
A little script and trick to make your heroku app run forever without being concerned about dyno hours.

A little script and trick to make your heroku app run forever without being concerned about dyno hours.

Tiararose Biezetta 152 Dec 25, 2022
DataOps framework for Machine Learning projects.

Noronha DataOps Noronha is a Python framework designed to help you orchestrate and manage ML projects life-cycle. It hosts Machine Learning models ins

52 Oct 30, 2022
RMRK spy bot for RMRK hackathon

rmrk_spy_bot RMRK spy bot https://t.me/RMRKspyBot for rmrk hacktoberfest https://rmrk.devpost.com/ Birds and items price and rarity estimation Reports

Victor Ryabinin 2 Sep 06, 2022
MLops tools review for execution on multiple cluster types: slurm, kubernetes, dask...

MLops tools review focused on execution using multiple cluster types: slurm, kubernetes, dask...

4 Nov 30, 2022
Asynchronous parallel SSH client library.

parallel-ssh Asynchronous parallel SSH client library. Run SSH commands over many - hundreds/hundreds of thousands - number of servers asynchronously

1.1k Dec 31, 2022
Nagios status monitor for your desktop.

Nagstamon Nagstamon is a status monitor for the desktop. It connects to multiple Nagios, Icinga, Opsview, Centreon, Op5 Monitor/Ninja, Checkmk Multisi

Henri Wahl 361 Jan 05, 2023
Caboto, the Kubernetes semantic analysis tool

Caboto Caboto, the Kubernetes semantic analysis toolkit. It contains a lightweight Python library for semantic analysis of plain Kubernetes manifests

Michael Schilonka 8 Nov 26, 2022
Ingress patch example by Kustomize

Ingress patch example by Kustomize

Jinu 10 Nov 14, 2022
Flexible and scalable monitoring framework

Presentation of the Shinken project Welcome to the Shinken project. Shinken is a modern, Nagios compatible monitoring framework, written in Python. It

Gabès Jean 1.1k Dec 18, 2022