step-security / github-actions-goat Goto Github PK
View Code? Open in Web Editor NEWGitHub Actions Goat: Deliberately Vulnerable GitHub Actions CI/CD Environment
Home Page: https://www.stepsecurity.io
License: Apache License 2.0
GitHub Actions Goat: Deliberately Vulnerable GitHub Actions CI/CD Environment
Home Page: https://www.stepsecurity.io
License: Apache License 2.0
e.g. outbound traffic during test run
I just tried the following tutorial: https://github.com/step-security/attack-simulator/blob/1948a848cc4bdfb224343b29b9ca010da3488c12/docs/DNSExfiltration.md
Here is the fork I created: https://github.com/DataDog/step-security-agent-attack-simulator
At the end I do get the same result as the screenshot in the tutorial, that is, the "build" job is successful but has an "Error: DNS resolution [...] was blocked" annotation.
However, I am quite surprised that the build job is successful if the hardened runner blocked the DNS resolution, right?
Moreover, if I click on the "build" job and expand the "Simulate DNS traffic" section, it looks like the DNS call was successful, meaning that the DNS exfiltration attack would have worked right?
Run domain="${GITHUB_REPOSITORY}.stepsecurity.io"
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: DataDog-step-security-agent-attack-simulator.stepsecurity.io
Address: 54.185.253.63
Isn't this "a valid response from the DNS server"?
Basic CI/CD pipelines and GitHub actions knowledge required
Issue created using GitHub Actions workflow
@arjundashrath can we add the nodetest npm package to this repo, in a separate folder?
Issue created using GitHub Actions workflow
Issue created using GitHub Actions workflow
Issue created using GitHub Actions workflow
@arjundashrath this issue is to track the improvements you are planning to make.
You can track tasks here if you want:
Issue created using GitHub Actions workflow
Use ci.yml instead
Issue created using GitHub Actions workflow
Organize the project into two parts
Issue created using GitHub Actions workflow
Issue created using GitHub Actions workflow
e.g. codecov breach
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.