GitGoat: Misconfigured GitHub Organization (Open Source)

Nir Valtman
July 6, 2022

TL;DR

Here is the link: https://github.com/arnica-ext/GitGoat

GitGoat is an open-source tool that was built to enable DevOps and Engineering teams to design and implement an effective misconfiguration prevention strategy on GitHub. GitGoat can be used to test products with access to GitHub repositories without risk to your production environment.

If you develop a product/script that calls any of the GitHub APIs, or you want to test a new GitHub application without exposing real data, GitGoat can be used to generate dummy activity (e.g., invite users, commit code, review PRs, and much more) quickly and repeatably.

Arnica is now live in Beta!
Arnica is now live. Come see how Arnica is mitigating software supply chain risks.
Get Started Today

What is GitGoat?

Have you ever wanted to test a GitHub application without exposing your production data first? So did we, which is why we started GitGoat – an open-source utility for security, DevOps, and development teams. GitGoat is a collection of generated fake data that should raise all sorts of flags in any product looking at access, privileges, or configuration gaps within GitHub – like Arnica, for example.

What data will I find in GitGoat?

GitGoat runs from a Python or Docker CLI using a GitHub Personal Access Token and generates the following data:

  1. Users that will automatically accept the invitation to join as members of your GitHub organization. By default, the users Mike Roservice, Archie Tekkt, Bill De Pipeline, Codey Fie and Deb Ugeen will join.
  2. Repositories with different configurations, such as GitHub Actions enablement, branch protection policies and CODEOWNERS files.
  3. Parent and child Teams, where each team has a different level of permission to each repository or path in a CODEOWNERS file. Direct user permissions are granted as well.
  4. Each user has pre-defined use cases to clone repositories, commit code and secrets, and raise or approve a PR.

Use Cases

Any of these configurations can be modified to fit various needs. In fact, the GitGoat community has already found several creative ways to leverage GitGoat data:

  • Identify excessive permissions in protected branches (e.g. CODEOWNERS and “Restrict Push” settings) and repositories.
  • Identify misconfigured CODEOWNERS settings, such as protected branches that do not require code owner review of PRs.
  • Identify stale users, which may result in licensing cost savings.
  • Identify valid secrets in source code.

As the GitGoat community grows, we are eager to see what additional data can be used to test the effectiveness of GitHub security tooling.
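As an added example (not part of GitGoat or the original post), here is a small check for the branch-protection gaps listed above: missing CODEOWNERS review enforcement, zero required approvals, rules not applied to admins, no "Restrict who can push" list, and force pushes allowed. The input shape assumes the JSON returned by the GitHub REST endpoint `GET /repos/{owner}/{repo}/branches/{branch}/protection`; both payloads below are constructed samples, not real API responses.

```python
"""Flag branch-protection gaps of the kind GitGoat seeds into a test org."""
from typing import List, Optional

# Constructed sample shaped like the REST branch-protection payload (assumed
# field names; values invented to look like a GitGoat-style weak branch).
WEAK_PROTECTION = {
    "required_pull_request_reviews": {
        "require_code_owner_reviews": False,
        "required_approving_review_count": 0,
        "dismiss_stale_reviews": False,
    },
    "enforce_admins": {"enabled": False},
    "restrictions": {"users": [], "teams": [], "apps": []},
    "allow_force_pushes": {"enabled": True},
}

# Constructed sample of the same branch after hardening.
HARDENED_PROTECTION = {
    "required_pull_request_reviews": {
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
    },
    "enforce_admins": {"enabled": True},
    "restrictions": {"users": [], "teams": ["release-managers"], "apps": []},
    "allow_force_pushes": {"enabled": False},
}


def audit_branch_protection(protection: Optional[dict]) -> List[str]:
    """Return human-readable findings; an empty list means no gap was found."""
    if not protection:
        return ["no branch protection rule configured"]
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request reviews are not required before merge")
    else:
        if not reviews.get("require_code_owner_reviews", False):
            findings.append("CODEOWNERS review is not enforced")
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append("zero approving reviews required")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("stale approvals survive new commits")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("protection rules do not apply to admins")
    if protection.get("restrictions") is None:  # key absent when Restrict Push is off
        findings.append("'Restrict who can push' is off")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes are allowed")
    return findings
```

Run it over each protected branch's payload and treat any non-empty result as a finding to triage.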

Share Some Love

We developed GitGoat for our own needs, as Arnica builds a product that identifies risks in the software supply chain. We decided to share our work after seeing how much value automated test data brought to everyone on the development team.

Given the ever-evolving nature of software supply chain attacks, we would love your help adding scenarios to GitGoat and improving what is already there. You can help by opening issues, creating pull requests, or simply starring the project on GitHub to follow our progress.
