A CI/CD Red Team Framework for demonstrating Build Pipeline security risks.
Discussion Highlights (4 comments)
flexorium
OP here, mini AMA. Two years ago today, our small research team open sourced poutine, a SAST scanner for CI/CD pipelines (very similar to zizmor, but written in Go and customizable using Rego DSL). It finds the vulnerabilities in your build pipelines. As all security engineers know, running SAST and filing a JIRA ticket leads to nowhere. Some weeks ago TeamPCP came on the scene and most were shocked to see the blast radius starting with Trivy then LiteLLM, KICS, etc. Trivy got pwn'd using textbook "pwn request". I've been building SmokedMeat for the past 5 months to level the playing field. It's a Red Team framework for CI/CD pipelines. You scan a GitHub org workflows, pick from a menu of exploitable pipelines, you are guided through an exploitation wizard, wait… and you're in post-exploitation. Secrets already exfiltrated from runner process memory are in the Loot stash, ready to pivot into cloud accounts, private repos, and more. Live attack graph in the browser. To try it: git clone https://github.com/boostsecurityio/smokedmeat.git cd smokedmeat make quickstart Then you target the whooli GitHub org ( https://github.com/whooli ) a CTF playground to exploit (hint the final flag is in a Google Cloud Storage Bucket) Happy to answer questions about the ethics, architecture, implant design, or CI/CD attack techniques.
gepeto42
The last year has shown that this vector is getting weaponized for real so it's great to see more tools to help defenders! Is this something only companies with public repos should be worried about?
bavarianbob
I think this is a killer project that's very needed to accelerate the learning of how to defend against the deluge of nascent CI/CD risks. Kudos Boost team!
mrene
That's pretty useful to get a clear picture of lingering threats that aren't immediately visible from existing scanning tools.
Related Discussions
Found 5 related stories in 63.2ms across 4,686 title embeddings via pgvector HNSW
Discussion Highlights (4 comments)
flexorium
OP here, mini AMA. Two years ago today, our small research team open sourced poutine, a SAST scanner for CI/CD pipelines (very similar to zizmor, but written in Go and customizable using Rego DSL). It finds the vulnerabilities in your build pipelines. As all security engineers know, running SAST and filing a JIRA ticket leads to nowhere. Some weeks ago TeamPCP came on the scene and most were shocked to see the blast radius starting with Trivy then LiteLLM, KICS, etc. Trivy got pwn'd using textbook "pwn request". I've been building SmokedMeat for the past 5 months to level the playing field. It's a Red Team framework for CI/CD pipelines. You scan a GitHub org workflows, pick from a menu of exploitable pipelines, you are guided through an exploitation wizard, wait… and you're in post-exploitation. Secrets already exfiltrated from runner process memory are in the Loot stash, ready to pivot into cloud accounts, private repos, and more. Live attack graph in the browser. To try it: git clone https://github.com/boostsecurityio/smokedmeat.git cd smokedmeat make quickstart Then you target the whooli GitHub org ( https://github.com/whooli ) a CTF playground to exploit (hint the final flag is in a Google Cloud Storage Bucket) Happy to answer questions about the ethics, architecture, implant design, or CI/CD attack techniques.
gepeto42
The last year has shown that this vector is getting weaponized for real so it's great to see more tools to help defenders! Is this something only companies with public repos should be worried about?
bavarianbob
I think this is a killer project that's very needed to accelerate the learning of how to defend against the deluge of nascent CI/CD risks. Kudos Boost team!
mrene
That's pretty useful to get a clear picture of lingering threats that aren't immediately visible from existing scanning tools.