xygeni-goat - Vulnerable repository against supply chain attacks

Contents

• Introduction
• Getting Started
• Contributing
• Support

A deliberately vulnerable repository against software supply chain attacks, by Xygeni.

Introduction

Xygeni-goat helps to understand DevOps teams the best practices to follow and which issues should be avoided, for having a good security posture, lowering the risk against software supply chain attacks. Looking at the elements reported as security flaws, you may learn about misconfigurations to avoid. IaC templates that contains insecure configurations, hardcoded secrets, unsafe tool configurations, troublesome dependencies and more are covered.

This repository is based on existing "Goat" projects, like OWASP WebGoat.

Shear the (nefarious) goat!

WARNING: This repository is for educational purposes only. Do NOT attempt to use the techniques and items shown for unauthorized hacking. Do NOT deploy assets from this repository this in any environment.

DISCLAIMER: Xygeni-goat comes with no warranties. By using xygeni-goat, you take full responsibility for any outcomes. Xygeni would not be liable of any misuse of the information and assets contained in this repository.

Getting Started

Clone the repo, or download

git clone https://github.com/xygeni/xygeni-goat.git

or

gh repo clone xygeni/xygeni-goat

Get bearer token

First you will need a bearer (API) token from your Xygeni subscription. [TBD add link]

We assume that you set a TOKEN environment variable with the token.

Note	We do recommend to use API (bearer) token instead of username/password for using Xygeni scanner, although the installation script supports both.

Install Xygeni scanner

If you choose to use the Xygeni scanner Docker image, go to next step.

Download the installation script and run it:

Under Linux / macOS (bash):

# Download the install script
curl -L https://get.xygeni.io/latest/scanner/bash -O install.sh

# Check the scanner checksum published in xygeni.io website (separate environment),
# or better review the install script yourself ;)
echo "$(curl https://xygeni.io/hubfs/checksums/latest/scanner/install.sh.sha256) install.sh" | sha256sum --check

# Run the install script, creating the scanner in your chosen directory
$ ./install.sh -o -t $TOKEN --dir $HOME/my-custom-scanner-dir

Under Windows (PowerShell):

# Download the install script (via Invoke-WebRequest)
iwr https://get.xygeni.io/latest/scanner/powershell -useb -OutFile install.ps1

# Check the scanner checksum published in xygeni.io website,
# or better review the install script yourself ;)
(Get-FileHash '.\install.ps1' -Algorithm SHA256).Hash -eq `
  (iwr https://xygeni.io/hubfs/checksums/latest/scanner/install.ps1.sha256)

# Run the install script, creating the scanner in your chosen directory
PS .\install.ps1 -q -t $TOKEN --dir ~\my-custom-scanner-dir

See Xygeni Scanner Install for full details.

Run the scanner

Run the scan command over the contents in the vulnerable directory, or any subdirectory beneath for a partial analysis.

cd $HOME/my-custom-scanner-dir
deps-doctor scan -n <your_project_name> --dir <path_to_analyze> --no-upload

Under Windows (Powershell)

cd ~\my-custom-scanner-dir
deps-doctor.cmd scan -n <your_project_name> --dir <path_to_analyze> --no-upload

Or, if you prefer to run the Xygeni scanner Docker image:

docker compose run depsdoctor scan -n project_to_scan_name --dir /app --no-upload

Contributing

You may add your own vulnerable items to help others learn about additional security issues, and raise awareness on new potential attacks. We recommend you to keep the existing directory structure for better categorizing those security issues.

In addition, if you want to add a new "capture the flag" (CTF) check, you are welcome!

Development

1. Clone the repository:

   git clone https://github.com/xygeni/xygeni-goat.git

   or

   gh repo clone xygeni/xygeni-goat

   Alternatively, you may fork the repo.

2. Create your topic branch

3. Develop your changes

   We recommend to follow the existing directory structure for categorizing the security issue.

4. Test your changes

   If you developed a new check, test with [TBD].

   If you created a new vulnerable element, test it with Xygeni scanner, as shown in the Getting Started section.

5. Push commits to your topic branch.

6. Create a pull request, using gh pr create command or the GitHub desktop / web UI.

   After review, your PR will be merged.

Add a new Capture The Flag challenge

[TBD]

Each CTF challenge has a separate directory in the ctf directory. Follow the steps below to add a CTF challenge:

1. Write challenge description.

2. Choose category and difficulty level.

3. Write hints for help.

4. Add a flag. Ensure that it is not accesible when solving other CTF challenges.

5. Write tests.

6. Write the solution.

7. Create a README.md in your CTF directory.

Support

[TBD]