Rotten Apple

A project for testing continuous integration (CI) or continuous delivery (CD) system security

Key Benefits

  • Test Your CI/CD - Build this project on your CI/CD server to see if there is room for security improvements.
  • Uses Unit-Test Framework - The unit tests are not there to test this code; they let this code test your CI/CD.
  • Simple - The project is designed to make testing your CI simple and to give clear feedback via PASS/FAIL specs.
  • Extensible - Add new specs to test for the specific things you want to know about your CI.
  • Dual-Purpose - Use RottenApple::Audit to audit a CI/CD, or use RottenApple::Attack (disabled by default) to attack a CI/CD.

Here's how it works

  • Fork the project
  • Configure/Add the tests you want to run
  • Configure your CI/CD to build this project
  • Build it
  • Check the Unit-test Results for details

RottenApple::Audit

This portion of the project is focused on auditing a CI/CD system and is the default namespace when the "rake" command is invoked in this project.

Here's the list of audit checks it does right now:

  • Is the root user being used to build projects?
  • Can malicious code steal your RubyGems API key?
  • Could malicious code pivot to private networks?
  • Can malicious code authenticate using your GitHub credentials?
  • Could malicious code receive instructions from a remote party or exfiltrate data from your CI?
  • Can malicious code access other projects being built on the same server?
  • Can malicious code steal SSH private keys?
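As an added illustration of how checks like the first, sixth and seventh ones above can be expressed as PASS/FAIL findings, here is a small self-contained Ruby audit module. This is example code written for this page, not the project's own specs; the `CiAudit` name, its helper names and the list of credential file locations it inspects are assumptions chosen for the illustration.

```ruby
# Added example (not RottenApple's own code): minimal defender-side audit
# predicates in the spirit of the RottenApple::Audit checks listed above.
require "fileutils"
require "tmpdir"

module CiAudit
  # Credential files that a build step should normally not be able to read.
  # The list is an assumption: common locations for the secrets the audit
  # checks name (RubyGems API key, SSH private keys).
  SECRET_FILES = [
    ".gem/credentials",
    ".ssh/id_rsa",
    ".ssh/id_ed25519",
  ].freeze

  # Check: is the build running as root? The uid is a parameter so the
  # predicate can be exercised against a constructed value as well as the
  # real effective uid of the build process.
  def self.running_as_root?(uid = Process.euid)
    uid.zero?
  end

  # Check: which credential files under the build user's home exist and are
  # readable by the build process? These are the ones malicious build code
  # could read. Returns the relative paths, in SECRET_FILES order.
  def self.readable_secrets(home = Dir.home)
    SECRET_FILES.select do |rel|
      path = File.join(home, rel)
      File.file?(path) && File.readable?(path)
    end
  end

  # Check: which credential files are readable by other local users (any
  # group or world read bit set)? Relevant to the "other projects built on
  # the same server" question. Independent of who runs the audit.
  def self.shared_readable_secrets(home = Dir.home)
    SECRET_FILES.select do |rel|
      path = File.join(home, rel)
      File.file?(path) && (File.stat(path).mode & 0o044) != 0
    end
  end

  # Combine the checks into named PASS/FAIL findings, mirroring the spec
  # style the README describes. Returns a hash of check name => :pass/:fail.
  def self.report(uid: Process.euid, home: Dir.home)
    {
      "build does not run as root" => running_as_root?(uid) ? :fail : :pass,
      "credential files unreadable by build" =>
        readable_secrets(home).empty? ? :pass : :fail,
      "credential files not shared with other users" =>
        shared_readable_secrets(home).empty? ? :pass : :fail,
    }
  end
end

# Stand-alone usage: audit the environment the script is actually running in.
if __FILE__ == $PROGRAM_NAME
  CiAudit.report.each { |name, verdict| puts "#{verdict.to_s.upcase}: #{name}" }
end
```

Run it as a build step on the CI/CD under test and read the printed verdicts; each predicate is also callable on its own with a constructed uid or home directory, which is how the checks can be unit-tested without touching the real build user's files.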

RottenApple::Attack

Conversely, this is the portion of the project that enables you to actively attack a CI/CD. To change to "attack mode", open the Rakefile and change the default to "attack".

Here's the list of attacks it does right now:

  • Steal the RubyGems API key
  • Flush IP tables (i.e. drop firewall rules)
  • Install software to aid in the attack process
  • Make an unauthorized commit to master
  • Perform an NMAP scan of a desired set of targets
  • Throw/shovel a reverse shell to get command-line access to the CI/CD
  • Steal SSH private keys

Contributing

If you are interested in contributing to this project, please see CONTRIBUTING.md

References

Credits

@claudijd is the primary author of this project.

Any additional contributors will be listed here as a sincere thanks for their contributions.
