Introducing GitGoat: Intentionally Misconfigured GitHub Organizations, without the risk
Have you ever wanted to test a GitHub application without exposing your production data first? So did we, which is why we started GitGoat – an open-source utility for security, DevOps, and development teams. GitGoat is a compilation of faker data that should raise all sorts of flags in any product looking at access, privileges, or configuration gaps within GitHub – like Arnica, for example.
What type of data will I find in GitGoat?
GitGoat runs as a Python or Docker CLI, authenticated with a GitHub Personal Access Token, and generates the following data:
- Users that will automatically accept the invitation to join as members of your GitHub organization. By default, the users Mike Roservice, Archie Tekkt, Bill De Pipeline, Codey Fie and Deb Ugeen will join.
- Repositories with different configurations, such as GitHub Actions enablement, branch protection policies and CODEOWNERS files.
- Parent and child Teams, where each team has a different level of permission to each repository or path in a CODEOWNERS file. Direct user permissions are granted as well.
- Each user has pre-defined use cases to clone repositories, commit code and secrets, and raise or approve a PR.
Use Cases for a Misconfigured GitHub Organization and Its Data
Any of these configurations can be modified to fit various needs. In fact, the GitGoat community has already found several creative ways to leverage GitGoat data:
- Identify excessive permissions in protected branches (e.g. CODEOWNERS and “Restrict Push” settings) and repositories.
- Identify misconfigured CODEOWNERS settings, such as protected branches that do not require code owner review of PRs, or paths that no CODEOWNERS rule covers.
- Identify stale users, which may result in licensing cost savings.
- Identify valid secrets in source code.
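The CODEOWNERS and branch protection checks above are the kind of audit GitGoat's data is meant to exercise. The following is an added example of such a check, not code from GitGoat or Arnica: it parses a constructed CODEOWNERS file with a simplified gitignore-style matcher, reports paths no rule covers, and evaluates constructed branch protection dicts shaped like the GitHub REST API response for `GET /repos/{owner}/{repo}/branches/{branch}/protection` (the `required_pull_request_reviews.require_code_owner_reviews` and `enforce_admins.enabled` fields are real API fields; the team and user names are made up).

```python
"""Audit CODEOWNERS coverage and whether branch protection actually enforces it.

Added example, not part of GitGoat. The CODEOWNERS text and the protection
dicts are constructed samples; the dicts mirror the shape returned by the
GitHub REST branch-protection endpoint.
"""
import fnmatch

# Constructed CODEOWNERS: deliberately has no global "*" default, so files
# outside the two paths (e.g. README.md) end up with no owner.
SAMPLE_CODEOWNERS = """\
# infra is owned by the devops team, payments by its own team plus one user
/infra/**       @acme/devops
/src/payments/  @acme/payments-team @deb-ugeen
"""

# Constructed branch protection responses; None means the branch is unprotected.
SAMPLE_PROTECTIONS = {
    "main": {
        "required_pull_request_reviews": {
            "require_code_owner_reviews": True,
            "required_approving_review_count": 1,
        },
        "enforce_admins": {"enabled": True},
    },
    "release": {
        "required_pull_request_reviews": {
            "require_code_owner_reviews": False,   # code owners listed but not enforced
            "required_approving_review_count": 1,
        },
        "enforce_admins": {"enabled": False},      # admins may bypass the rules
    },
    "develop": None,
}


def parse_codeowners(text):
    """Return (pattern, owners) tuples in file order, skipping blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        rules.append((parts[0], parts[1:]))
    return rules


def _pattern_matches(pattern, path):
    """Simplified gitignore-style matching, sufficient for the constructed rules."""
    if pattern == "*":
        return True
    pat = pattern.lstrip("/")
    if pat.endswith("/"):
        pat += "*"                 # a directory rule owns everything beneath it
    pat = pat.replace("**", "*")   # fnmatch's "*" already crosses "/" boundaries
    if "/" not in pattern:         # unanchored pattern such as *.js: match the basename
        return fnmatch.fnmatch(path.rsplit("/", 1)[-1], pat)
    return fnmatch.fnmatch(path, pat)


def owners_for(rules, path):
    """Last matching rule wins, as in GitHub's CODEOWNERS semantics; [] if none."""
    owners = []
    for pattern, rule_owners in rules:
        if _pattern_matches(pattern, path):
            owners = rule_owners
    return owners


def codeowner_review_gaps(protection):
    """List the reasons a branch's protection does not enforce CODEOWNERS review."""
    if protection is None:
        return ["branch is not protected at all"]
    gaps = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        gaps.append("pull request reviews are not required")
    else:
        if not reviews.get("require_code_owner_reviews"):
            gaps.append("'Require review from Code Owners' is off")
        if reviews.get("required_approving_review_count", 0) < 1:
            gaps.append("required approving review count is 0")
    if protection.get("enforce_admins", {}).get("enabled") is False:
        gaps.append("admins can bypass protection")
    return gaps


def audit(codeowners_text, protections, paths):
    """Return ({branch: [gaps]}, [paths with no owner]) for a repository."""
    rules = parse_codeowners(codeowners_text)
    by_branch = {name: codeowner_review_gaps(prot) for name, prot in protections.items()}
    unowned = [p for p in paths if not owners_for(rules, p)]
    return by_branch, unowned


if __name__ == "__main__":
    report, unowned = audit(
        SAMPLE_CODEOWNERS, SAMPLE_PROTECTIONS,
        ["infra/terraform/main.tf", "src/payments/charge.py", "README.md"],
    )
    for branch, gaps in report.items():
        print(f"{branch}: {'ok' if not gaps else '; '.join(gaps)}")
    print("paths with no code owner:", unowned)
```

Against a real organization the two sample inputs would be replaced by the repository's CODEOWNERS contents and the per-branch protection JSON; everything downstream of `audit` stays the same.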
As the GitGoat community grows, we are eager to see what additional data can be used to test the effectiveness of GitHub security tooling.
Share Some Love for GitGoat!
We developed GitGoat for our own needs, as Arnica develops a product that identifies risks in the software supply chain. But we decided to share our work after experiencing tremendous value by automating everyone’s test data in development.
Given the ever-evolving nature of software supply chain attacks, we would love your help adding scenarios to GitGoat and improving what is there already. You can help by opening issues, creating pull requests, or simply starring the project on GitHub to follow our progress.