Xygeni-goat helps to understand DevOps teams the best practices to follow and which issues should be avoided, for having a good security posture, lowering the risk against software supply chain attacks. Looking at the elements reported as security flaws, you may learn about misconfigurations to avoid. IaC templates that contains insecure configurations, hardcoded secrets, unsafe tool configurations, troublesome dependencies and more are covered.
This repository is based on existing "Goat" projects, like OWASP WebGoat.
Shear the (nefarious) goat!
WARNING: This repository is for educational purposes only. Do NOT attempt to use the techniques and items shown for unauthorized hacking. Do NOT deploy assets from this repository this in any environment.
DISCLAIMER: Xygeni-goat comes with no warranties. By using xygeni-goat, you take full responsibility for any outcomes. Xygeni would not be liable of any misuse of the information and assets contained in this repository.
git clone https://github.com/xygeni/xygeni-goat.git
or
gh repo clone xygeni/xygeni-goat
First you will need a bearer (API) token from your Xygeni subscription. [TBD add link]
We assume that you set a TOKEN
environment variable with the token.
Note
|
We do recommend to use API (bearer) token instead of username/password for using Xygeni scanner, although the installation script supports both. |
If you choose to use the Xygeni scanner Docker image, go to next step.
Download the installation script and run it:
Under Linux / macOS (bash):
# Download the install script
curl -L https://get.xygeni.io/latest/scanner/bash -O install.sh
# Check the scanner checksum published in xygeni.io website (separate environment),
# or better review the install script yourself ;)
echo "$(curl https://xygeni.io/hubfs/checksums/latest/scanner/install.sh.sha256) install.sh" | sha256sum --check
# Run the install script, creating the scanner in your chosen directory
$ ./install.sh -o -t $TOKEN --dir $HOME/my-custom-scanner-dir
Under Windows (PowerShell):
# Download the install script (via Invoke-WebRequest)
iwr https://get.xygeni.io/latest/scanner/powershell -useb -OutFile install.ps1
# Check the scanner checksum published in xygeni.io website,
# or better review the install script yourself ;)
(Get-FileHash '.\install.ps1' -Algorithm SHA256).Hash -eq `
(iwr https://xygeni.io/hubfs/checksums/latest/scanner/install.ps1.sha256)
# Run the install script, creating the scanner in your chosen directory
PS .\install.ps1 -q -t $TOKEN --dir ~\my-custom-scanner-dir
See Xygeni Scanner Install for full details.
Run the scan
command over the contents in the vulnerable
directory, or any subdirectory beneath for a partial analysis.
cd $HOME/my-custom-scanner-dir
deps-doctor scan -n <your_project_name> --dir <path_to_analyze> --no-upload
Under Windows (Powershell)
cd ~\my-custom-scanner-dir
deps-doctor.cmd scan -n <your_project_name> --dir <path_to_analyze> --no-upload
Or, if you prefer to run the Xygeni scanner Docker image:
docker compose run depsdoctor scan -n project_to_scan_name --dir /app --no-upload
You may add your own vulnerable items to help others learn about additional security issues, and raise awareness on new potential attacks. We recommend you to keep the existing directory structure for better categorizing those security issues.
In addition, if you want to add a new "capture the flag" (CTF) check, you are welcome!
-
Clone the repository:
git clone https://github.com/xygeni/xygeni-goat.git
or
gh repo clone xygeni/xygeni-goat
Alternatively, you may fork the repo.
-
Create your topic branch
-
Develop your changes
We recommend to follow the existing directory structure for categorizing the security issue.
-
Test your changes
If you developed a new check, test with [TBD].
If you created a new vulnerable element, test it with Xygeni scanner, as shown in the Getting Started section.
-
Push commits to your topic branch.
-
Create a pull request, using
gh pr create
command or the GitHub desktop / web UI.After review, your PR will be merged.
[TBD]
Each CTF challenge has a separate directory in the ctf
directory.
Follow the steps below to add a CTF challenge:
-
Write challenge description.
-
Choose category and difficulty level.
-
Write hints for help.
-
Add a flag. Ensure that it is not accesible when solving other CTF challenges.
-
Write tests.
-
Write the solution.
-
Create a README.md in your CTF directory.