A CI/CD Red Team Framework for demonstrating Build Pipeline security risks.
Comments
flexorium•1h ago
OP here, mini AMA.
Two years ago today, our small research team open sourced poutine, a SAST scanner for CI/CD pipelines (very similar to zizmor, but written in Go and customizable using Rego DSL). It finds the vulnerabilities in your build pipelines. As all security engineers know, running SAST and filing a JIRA ticket leads to nowhere.
Some weeks ago TeamPCP came on the scene and most were shocked to see the blast radius starting with Trivy then LiteLLM, KICS, etc. Trivy got pwn'd using textbook "pwn request".
I've been building SmokedMeat for the past 5 months to level the playing field. It's a Red Team framework for CI/CD pipelines. You scan a GitHub org workflows, pick from a menu of exploitable pipelines, you are guided through an exploitation wizard, wait… and you're in post-exploitation. Secrets already exfiltrated from runner process memory are in the Loot stash, ready to pivot into cloud accounts, private repos, and more. Live attack graph in the browser.
Then you target the whooli GitHub org (https://github.com/whooli) a CTF playground to exploit (hint the final flag is in a Google Cloud Storage Bucket)
Happy to answer questions about the ethics, architecture, implant design, or CI/CD attack techniques.
gepeto42•1h ago
The last year has shown that this vector is getting weaponized for real so it's great to see more tools to help defenders!
Is this something only companies with public repos should be worried about?
flexorium•1h ago
Absolutely not. The same TTPs apply almost 1-to-1 for Insider Threat scenarios. We've built the Deciduous Attack Trees (shout out to Kelly) for insider threats last year. It overlaps. So either you start with Initial Access that's purely public and pivot deeper or you already have a modest foothold (like intern with read only access) and off to the races.
bavarianbob•1h ago
I think this is a killer project that's very needed to accelerate the learning of how to defend against the deluge of nascent CI/CD risks. Kudos Boost team!
flexorium•1h ago
Thanks! I got tired of talking about it to defenders. I wanted to talk to Red Teamers too and SOC / detection engineering people. I wanted to build a tool that someone can just have the CISO try it directly.
flexorium•1h ago
Two years ago today, our small research team open sourced poutine, a SAST scanner for CI/CD pipelines (very similar to zizmor, but written in Go and customizable using Rego DSL). It finds the vulnerabilities in your build pipelines. As all security engineers know, running SAST and filing a JIRA ticket leads to nowhere.
Some weeks ago TeamPCP came on the scene and most were shocked to see the blast radius starting with Trivy then LiteLLM, KICS, etc. Trivy got pwn'd using textbook "pwn request".
I've been building SmokedMeat for the past 5 months to level the playing field. It's a Red Team framework for CI/CD pipelines. You scan a GitHub org workflows, pick from a menu of exploitable pipelines, you are guided through an exploitation wizard, wait… and you're in post-exploitation. Secrets already exfiltrated from runner process memory are in the Loot stash, ready to pivot into cloud accounts, private repos, and more. Live attack graph in the browser.
To try it: git clone https://github.com/boostsecurityio/smokedmeat.git cd smokedmeat make quickstart
Then you target the whooli GitHub org (https://github.com/whooli) a CTF playground to exploit (hint the final flag is in a Google Cloud Storage Bucket)
Happy to answer questions about the ethics, architecture, implant design, or CI/CD attack techniques.