├── .github ├── ISSUE_TEMPLATE.md └── workflows │ ├── PRTargetWorkflow.yml │ ├── anomalous-outbound-calls.yaml │ ├── arc-codecov-simulation.yml │ ├── arc-secure-by-default.yml │ ├── arc-solarwinds-simulation.yml │ ├── arc-zero-effort-observability.yml │ ├── baseline_checks.yml │ ├── block-dns-exfiltration.yaml │ ├── changed-files-vulnerability-with-hr.yml │ ├── changed-files-vulnerability-without-hr.yml │ ├── hosted-file-monitor-with-hr.yml │ ├── hosted-file-monitor-without-hr.yml │ ├── hosted-https-monitoring-hr.yml │ ├── hosted-network-filtering-hr.yml │ ├── hosted-network-monitoring-hr.yml │ ├── hosted-network-without-hr.yml │ ├── publish.yml │ ├── secret-in-build-log.yml │ ├── self-hosted-file-monitor-with-hr.yml │ ├── self-hosted-network-filtering-hr.yml │ ├── self-hosted-network-monitoring-hr.yml │ ├── tj-actions-changed-files-incident.yaml │ ├── toc-tou.yml │ └── unexpected-outbound-calls.yml ├── .gitignore ├── LICENSE ├── README.md ├── docs ├── Solutions │ ├── AuditGitHubActionsSecrets.md │ ├── Dependabot.md │ ├── FixGITHUB_TOKENPermissions.md │ ├── ForensicAnalysis.md │ ├── IntegrateSecurity.md │ ├── MonitorSourceCode.md │ ├── PinGitHubActions.md │ ├── RestrictOutboundTraffic.md │ └── ReviewGitHubActions.md └── Vulnerabilities │ ├── ExfiltratingCICDSecrets.md │ ├── OverprivilegedGITHUB_TOKEN.md │ └── TamperingDuringBuild.md ├── images ├── ActionsList2.png ├── ActionsSecrets2.png ├── BuildLog.png ├── Checksum.png ├── DNSExfilBlocked.png ├── DNSExfiltration.png ├── EnableActions.png ├── InsightsLink.png ├── Logo.png ├── OutboundCallBlockedNode.png ├── ProcessInsight.png ├── Provenance.png ├── Puzzle4.png ├── RestrictOutboundCall.png ├── RestrictOutboundTraffic.png ├── RunCIWorkflows.png ├── RunLintWorkflow.png ├── SetTokenPermissions.png ├── SourceChangeDetected1.png ├── SourceCodeOverwriteDetected.png ├── Threats.png ├── TokenPermissions.png ├── VerifiedChecksum.png ├── banner.png ├── harden-runner │ ├── ActionLog.png │ ├── HardenRunnerGIFV.gif │ ├── OutboundCall.png │ ├── OutboundCalls2.png │ ├── RecomPolicy.png │ ├── RecomPolicy1.png │ └── SourceCodeOverwrite.png ├── secure-repo.gif └── secure-workflows │ ├── SecureWorkflows.png │ ├── SecureWorkflows2.gif │ ├── SecureWorkflows3.gif │ ├── SecureWorkflows4.gif │ └── SecureWorkflowsIntegration.png └── src ├── backdoor-demo ├── Dockerfile ├── index.js └── package.json ├── exfiltration-demo ├── Dockerfile ├── index.js └── package.json └── malware-simulators ├── backdoor-simulator ├── app.js ├── compile.js └── package.json └── exfiltration-simulator ├── app.js ├── compile.js └── package.json /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/ISSUE_TEMPLATE.md -------------------------------------------------------------------------------- /.github/workflows/PRTargetWorkflow.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/PRTargetWorkflow.yml -------------------------------------------------------------------------------- /.github/workflows/anomalous-outbound-calls.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/anomalous-outbound-calls.yaml -------------------------------------------------------------------------------- /.github/workflows/arc-codecov-simulation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/arc-codecov-simulation.yml -------------------------------------------------------------------------------- /.github/workflows/arc-secure-by-default.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/arc-secure-by-default.yml -------------------------------------------------------------------------------- /.github/workflows/arc-solarwinds-simulation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/arc-solarwinds-simulation.yml -------------------------------------------------------------------------------- /.github/workflows/arc-zero-effort-observability.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/arc-zero-effort-observability.yml -------------------------------------------------------------------------------- /.github/workflows/baseline_checks.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/baseline_checks.yml -------------------------------------------------------------------------------- /.github/workflows/block-dns-exfiltration.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/block-dns-exfiltration.yaml -------------------------------------------------------------------------------- /.github/workflows/changed-files-vulnerability-with-hr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/changed-files-vulnerability-with-hr.yml -------------------------------------------------------------------------------- /.github/workflows/changed-files-vulnerability-without-hr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/changed-files-vulnerability-without-hr.yml -------------------------------------------------------------------------------- /.github/workflows/hosted-file-monitor-with-hr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/hosted-file-monitor-with-hr.yml -------------------------------------------------------------------------------- /.github/workflows/hosted-file-monitor-without-hr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/hosted-file-monitor-without-hr.yml -------------------------------------------------------------------------------- /.github/workflows/hosted-https-monitoring-hr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/hosted-https-monitoring-hr.yml -------------------------------------------------------------------------------- /.github/workflows/hosted-network-filtering-hr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/hosted-network-filtering-hr.yml -------------------------------------------------------------------------------- /.github/workflows/hosted-network-monitoring-hr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/hosted-network-monitoring-hr.yml -------------------------------------------------------------------------------- /.github/workflows/hosted-network-without-hr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/hosted-network-without-hr.yml -------------------------------------------------------------------------------- /.github/workflows/publish.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/publish.yml -------------------------------------------------------------------------------- /.github/workflows/secret-in-build-log.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/secret-in-build-log.yml -------------------------------------------------------------------------------- /.github/workflows/self-hosted-file-monitor-with-hr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/self-hosted-file-monitor-with-hr.yml -------------------------------------------------------------------------------- /.github/workflows/self-hosted-network-filtering-hr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/self-hosted-network-filtering-hr.yml -------------------------------------------------------------------------------- /.github/workflows/self-hosted-network-monitoring-hr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/self-hosted-network-monitoring-hr.yml -------------------------------------------------------------------------------- /.github/workflows/tj-actions-changed-files-incident.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/tj-actions-changed-files-incident.yaml -------------------------------------------------------------------------------- /.github/workflows/toc-tou.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/toc-tou.yml -------------------------------------------------------------------------------- /.github/workflows/unexpected-outbound-calls.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/.github/workflows/unexpected-outbound-calls.yml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | .DS_Store 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/LICENSE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/README.md -------------------------------------------------------------------------------- /docs/Solutions/AuditGitHubActionsSecrets.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/docs/Solutions/AuditGitHubActionsSecrets.md -------------------------------------------------------------------------------- /docs/Solutions/Dependabot.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/docs/Solutions/Dependabot.md -------------------------------------------------------------------------------- /docs/Solutions/FixGITHUB_TOKENPermissions.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/docs/Solutions/FixGITHUB_TOKENPermissions.md -------------------------------------------------------------------------------- /docs/Solutions/ForensicAnalysis.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/docs/Solutions/ForensicAnalysis.md -------------------------------------------------------------------------------- /docs/Solutions/IntegrateSecurity.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/docs/Solutions/IntegrateSecurity.md -------------------------------------------------------------------------------- /docs/Solutions/MonitorSourceCode.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/docs/Solutions/MonitorSourceCode.md -------------------------------------------------------------------------------- /docs/Solutions/PinGitHubActions.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/docs/Solutions/PinGitHubActions.md -------------------------------------------------------------------------------- /docs/Solutions/RestrictOutboundTraffic.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/docs/Solutions/RestrictOutboundTraffic.md -------------------------------------------------------------------------------- /docs/Solutions/ReviewGitHubActions.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/docs/Solutions/ReviewGitHubActions.md -------------------------------------------------------------------------------- /docs/Vulnerabilities/ExfiltratingCICDSecrets.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/docs/Vulnerabilities/ExfiltratingCICDSecrets.md -------------------------------------------------------------------------------- /docs/Vulnerabilities/OverprivilegedGITHUB_TOKEN.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/docs/Vulnerabilities/OverprivilegedGITHUB_TOKEN.md -------------------------------------------------------------------------------- /docs/Vulnerabilities/TamperingDuringBuild.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/docs/Vulnerabilities/TamperingDuringBuild.md -------------------------------------------------------------------------------- /images/ActionsList2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/ActionsList2.png -------------------------------------------------------------------------------- /images/ActionsSecrets2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/ActionsSecrets2.png -------------------------------------------------------------------------------- /images/BuildLog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/BuildLog.png -------------------------------------------------------------------------------- /images/Checksum.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/Checksum.png -------------------------------------------------------------------------------- /images/DNSExfilBlocked.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/DNSExfilBlocked.png -------------------------------------------------------------------------------- /images/DNSExfiltration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/DNSExfiltration.png -------------------------------------------------------------------------------- /images/EnableActions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/EnableActions.png -------------------------------------------------------------------------------- /images/InsightsLink.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/InsightsLink.png -------------------------------------------------------------------------------- /images/Logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/Logo.png -------------------------------------------------------------------------------- /images/OutboundCallBlockedNode.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/OutboundCallBlockedNode.png -------------------------------------------------------------------------------- /images/ProcessInsight.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/ProcessInsight.png -------------------------------------------------------------------------------- /images/Provenance.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/Provenance.png -------------------------------------------------------------------------------- /images/Puzzle4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/Puzzle4.png -------------------------------------------------------------------------------- /images/RestrictOutboundCall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/RestrictOutboundCall.png -------------------------------------------------------------------------------- /images/RestrictOutboundTraffic.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/RestrictOutboundTraffic.png -------------------------------------------------------------------------------- /images/RunCIWorkflows.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/RunCIWorkflows.png -------------------------------------------------------------------------------- /images/RunLintWorkflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/RunLintWorkflow.png -------------------------------------------------------------------------------- /images/SetTokenPermissions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/SetTokenPermissions.png -------------------------------------------------------------------------------- /images/SourceChangeDetected1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/SourceChangeDetected1.png -------------------------------------------------------------------------------- /images/SourceCodeOverwriteDetected.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/SourceCodeOverwriteDetected.png -------------------------------------------------------------------------------- /images/Threats.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/Threats.png -------------------------------------------------------------------------------- /images/TokenPermissions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/TokenPermissions.png -------------------------------------------------------------------------------- /images/VerifiedChecksum.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/VerifiedChecksum.png -------------------------------------------------------------------------------- /images/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/banner.png -------------------------------------------------------------------------------- /images/harden-runner/ActionLog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/harden-runner/ActionLog.png -------------------------------------------------------------------------------- /images/harden-runner/HardenRunnerGIFV.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/harden-runner/HardenRunnerGIFV.gif -------------------------------------------------------------------------------- /images/harden-runner/OutboundCall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/harden-runner/OutboundCall.png -------------------------------------------------------------------------------- /images/harden-runner/OutboundCalls2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/harden-runner/OutboundCalls2.png -------------------------------------------------------------------------------- /images/harden-runner/RecomPolicy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/harden-runner/RecomPolicy.png -------------------------------------------------------------------------------- /images/harden-runner/RecomPolicy1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/harden-runner/RecomPolicy1.png -------------------------------------------------------------------------------- /images/harden-runner/SourceCodeOverwrite.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/harden-runner/SourceCodeOverwrite.png -------------------------------------------------------------------------------- /images/secure-repo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/secure-repo.gif -------------------------------------------------------------------------------- /images/secure-workflows/SecureWorkflows.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/secure-workflows/SecureWorkflows.png -------------------------------------------------------------------------------- /images/secure-workflows/SecureWorkflows2.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/secure-workflows/SecureWorkflows2.gif -------------------------------------------------------------------------------- /images/secure-workflows/SecureWorkflows3.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/secure-workflows/SecureWorkflows3.gif -------------------------------------------------------------------------------- /images/secure-workflows/SecureWorkflows4.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/secure-workflows/SecureWorkflows4.gif -------------------------------------------------------------------------------- /images/secure-workflows/SecureWorkflowsIntegration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/images/secure-workflows/SecureWorkflowsIntegration.png -------------------------------------------------------------------------------- /src/backdoor-demo/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/src/backdoor-demo/Dockerfile -------------------------------------------------------------------------------- /src/backdoor-demo/index.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/src/backdoor-demo/index.js -------------------------------------------------------------------------------- /src/backdoor-demo/package.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/src/backdoor-demo/package.json -------------------------------------------------------------------------------- /src/exfiltration-demo/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/src/exfiltration-demo/Dockerfile -------------------------------------------------------------------------------- /src/exfiltration-demo/index.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/src/exfiltration-demo/index.js -------------------------------------------------------------------------------- /src/exfiltration-demo/package.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/src/exfiltration-demo/package.json -------------------------------------------------------------------------------- /src/malware-simulators/backdoor-simulator/app.js: -------------------------------------------------------------------------------- 1 | console.log("hello world") -------------------------------------------------------------------------------- /src/malware-simulators/backdoor-simulator/compile.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/src/malware-simulators/backdoor-simulator/compile.js -------------------------------------------------------------------------------- /src/malware-simulators/backdoor-simulator/package.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/src/malware-simulators/backdoor-simulator/package.json -------------------------------------------------------------------------------- /src/malware-simulators/exfiltration-simulator/app.js: -------------------------------------------------------------------------------- 1 | console.log("hello world"); 2 | -------------------------------------------------------------------------------- /src/malware-simulators/exfiltration-simulator/compile.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/src/malware-simulators/exfiltration-simulator/compile.js -------------------------------------------------------------------------------- /src/malware-simulators/exfiltration-simulator/package.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/step-security/github-actions-goat/HEAD/src/malware-simulators/exfiltration-simulator/package.json --------------------------------------------------------------------------------