GitGoat: An Open Source Project of Intentionally (Riskless) Misconfigured GitHub Organizations

Nir Valtman
CEO & Co-Founder
June 27, 2022
Nir is an experienced information & application security leader, most recently as VP security at Finastra and CISO at Kabbage. Nir is a frequent public speaker at leading conferences globally, including Black Hat, Defcon, BSides, and RSA.


Here is the link:

GitGoat is an open-source tool that was built to enable DevOps and Engineering teams to design and implement an effective misconfiguration prevention strategy on GitHub. GitGoat can be used to test products with access to GitHub repositories without risk to your production environment.

If you develop a product/script that calls any of the GitHub APIs, or you want to test a new GitHub application without exposing real data, GitGoat can be used to generate dummy activity (e.g., invite users, commit code, review PRs, and much more) quickly and repeatably.


Introducing GitGoat: Intentionally Misconfigured GitHub Organizations, without the risk

Have you ever wanted to test a GitHub application without exposing your production data first? So did we, which is why we started GitGoat – an open-source utility for security, DevOps, and development teams. GitGoat is a compilation of faker data that should raise all sorts of flags in any product looking at access, privileges, or configuration gaps within GitHub – like Arnica, for example.

What type of data will I find in GitGoat?

GitGoat runs with a GitHub Personal Access Token via Python/Docker CLI, to generate the following data:

  1. Users that will automatically accept the invitation to join as members of your GitHub organization. By default, the users Mike Roservice, Archie Tekkt, Bill De Pipeline, Codey Fie and Deb Ugeen will join.
  2. Repositories with different configurations, such as GitHub Actions enablement, branch protection policies and CODEOWNERS files.
  3. Parent and child Teams, where each team has a different level of permission to each repository or path in a CODEOWNERS file. Direct user permissions are granted as well.
  4. Each user has pre-defined use cases to clone repositories, commit code and secrets, and raise or approve a PR.

Use Cases for misconfigured GitHub organization and data

Any of these configurations can be modified to fit various needs. In fact, the GitGoat community has already found several creative ways to leverage GitGoat data:

  • Identify excessive permissions in protected branches (e.g. CODEOWNERS and “Restrict Push” settings) and repositories.
  • Identify misconfigured CODEOWNERS settings, such as branches without enforcement to review PRs by the code owners.
  • Identify stale users, which may result in licensing cost savings.  
  • Identify valid secrets in source code.  

As the GitGoat community grows, we are eager to see what additional data can be used to test the effectiveness of GitHub security tooling.

Share Some Love!

We developed GitGoat for our own needs, as Arnica develops a product that identifies risks in the software supply chain. But we decided to share our work after experiencing tremendous value by automating everyone’s test data in development.  

Given the ever-evolving nature of software supply chain attacks, we would love your help adding scenarios to GitGoat and improving what is there already. You can help by opening issues, creating pull requests, or simply star the project on GitHub to follow our progress.


More from our blog

More to come very soon on this subject!