/attack-simulator

Simulate past supply chain attacks such as SolarWinds, Codecov, and ua-parser-js

Primary LanguageJavaScriptApache License 2.0Apache-2.0

Attack Simulator

Maintained by stepsecurity.io License: Apache 2.0

Simulate past supply chain attacks such as SolarWinds, Codecov, and ua-parser-js and see how Harden-Runner stops them. Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner (Ubuntu VM) to

  • Prevent exfiltration of credentials
  • Detect tampering of source code during build
  • Enable running jobs without sudo access

Weekly instructor-led session

While you can follow the hands-on tutorials on your own, you can also attend a free weekly instructor-led session. Register here.

Attack Simulations

This table lists the different attack methods you can simulate. In each case, you then use Harden-Runner to stop the attack.

Number Attack Simulation Related incidents
1 DNS exfiltration typically used in dependency confusion attacks Dependency confusion
2 Exfiltration of secrets from the CI/ CD pipeline Codecov breach, event-stream incident, VS Code GitHub Bug Bounty Exploit
3 Tampering of source code during build Solar Winds (SUNSPOT) breach
4 Use of compromised dependencies event-stream incident, Embedded malware in ua-parser-js