awesome-cicd-attacks
github.com/tupletype/awesome-cicd-attacks
Practical resources for offensive CI/CD security research. Curated the best resources I've seen since 2021.
What's inside
Case Studies
- 10 real-world stories of how we've compromised CI/CD pipelines
Examples include exploiting S3 misconfigurations, Jenkins plugin flaws, GitLab runner privilege escalations, Kubernetes pod annotation vulnerabilities, and compromised developer laptops.
- GitHub Actions Attack Diagram
Includes public vulnerability research presented at Black Hat USA 2024 and DEF CON 32.
- Playing with Fire – How We Executed a Critical Supply Chain Attack on PyTorch
Researchers exploited a critical PyTorch vulnerability via a malicious pull request to execute code on self-hosted runners.
Techniques
- Abusing Repository Webhooks to Access Internal CI/CD Systems at Scale [Defense Evasion]
Repository webhooks, used to trigger CI/CD pipelines, can be abused to access internal systems.
- ActionsTOCTOU (Time Of Check to Time Of Use) [Initial Code Execution]
A tool to monitor for an approval event and then quickly replace a file in the PR head with a local file specified as a parameter.
- All the Small Things: Azure CLI Leakage and Problematic Usage Patterns [Publicly Exposed Sensitive Data]
Azure CLI leaks secrets to CI/CD logs due to usage patterns.
- Anyone can Access Deleted and Private Repository Data on GitHub [Publicly Exposed Sensitive Data]
As long as it's part of a fork network.
- AWS Targeted by a Package Backfill Attack [Initial Code Execution]
Scan commit history for internal packages to execute dependency confusion.
- Beyond S3: Exposed Resources on AWS [Publicly Exposed Sensitive Data]
Public EBS, RDS, AMI and Elasticsearch clusters exposed to the internet.
Tools
- ADOKit
Azure DevOps Services Attack Toolkit.
- Gato
GitHub Attack Toolkit.
- Gato-X
GitHub Attack Toolkit - Extreme Edition.
- GH Archive
A project to record the public GitHub timeline, archive it, and make it easily accessible for further analysis.
- GHTorrent Project
A queryable offline mirror of the GitHub API data.
- git-dumper
Dump Git repository from a website.
Similar Projects
- Common Threat Matrix for CI/CD Pipeline
- Open Software Supply Chain Attack Reference (OSC&R)
- Risk Explorer for Software Supply Chains
- SDLC Infrastructure Threat Framework (SITF)
A comprehensive framework for analyzing and defending against attacks targeting Software Development Life Cycle Infrastructure.
Showing a sample of 88 resources. View the full list on GitHub →