Skip to content

CI/CD lab demonstrating static and dynamic security analysis of RailsGoat app

License

Notifications You must be signed in to change notification settings

vulnerable-apps/railsgoat-cicd-lab

 
 

Repository files navigation

RailsGoat CI/CD Lab

This free and open-source lab teaches developers and security practitioners how to integrate static and dynamic analysis (SAST and DAST) into a Jenkins CI/CD pipeline. It's based on RailsGoat, an intentionally-vulnerable security training web app.

Thanks to Vagrant and Virtualbox, the lab is cross-platform and runs on your local machine. It's tested against current versions of Linux, Windows, Vagrant, and Virtualbox. It should work on Mac OS as well.

How To Use This Lab

Here are some ways you can use this lab:

  • Follow the walkthrough. You'll deploy a Jenkins server and use it to automate vulnerability analysis: SAST (with semgrep and brakeman) and DAST (with ZAP).
  • Adapt the lab's code for your own purposes. It models these DevSecOps patterns:
    • Using Ansible to deploy and provision Jenkins (including plugins)
    • Using Docker and Docker Compose within declarative Jenkinsfiles to automate vulnerability analysis
  • Learn by reading the lab's source code (explanatory comments are sprinkled throughout)

Basic Usage

First set up a machine meeting these prerequisites:

Then get the code and launch the lab environment:

git clone https://github.com/dachiefjustice/railsgoat-cicd-lab.git
cd railsgoat-cicd-lab
vagrant up

Once vagrant up is done you can access the Jenkins server at http://localhost:8080 (default credentials: admin/admin). Open the lab walkthrough to start performing and automating vulnerability analysis.

Lab Architecture

Lab diagram

Lab Tips

💡 Log Into Jenkins 💡

URL: http://localhost:8080

Credentials: admin/admin

💡 Access RailsGoat 💡

  1. Create and run a Jenkins job from the hold-open Jenkinsfile.
  2. Open http://localhost:3002 in your browser (or other HTTP tools)

💡 Adjust RAM 💡

Edit the Vagrantfile:

config.vm.provider "virtualbox" do |vb|
  vb.memory = "6144" # for 6GB of RAM
end

Run vagrant reload after adjusting RAM or other Vagrantfile settings.

You can also adjust CPU and RAM limits in the ZAP job's compose.yaml.

💡 Monitor Resources & Processes 💡

Use htop:

vagrant ssh
htop

Lab Tech Stack

Software Purpose
Virtualbox Hypervisor
Vagrant VM management
Ansible VM provisioning
Debian Linux Lab VM OS
Alpine Linux Support containers
Git Move code and tools arond
Jenkins Build/deploy/test RailsGoat
Docker + Docker Compose Automating pipeline tasks
semgrep, brakeman Static analysis of RailsGoat
ZAP Dynamic analysis of RailsGoat

Credits

Special thanks to the authors and contributors of key lab components:

About

CI/CD lab demonstrating static and dynamic security analysis of RailsGoat app

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Groovy 68.1%
  • Dockerfile 17.7%
  • Shell 14.2%