⭐ poutine
Build Pipeline Security Scanner
Detect misconfigurations and vulnerabilities in your CI/CD pipelines. Scans GitHub Actions, GitLab CI, and other build systems for security issues.
Security tools, CTF playgrounds, and knowledge bases built by the team.
Red Team Framework for CI/CD Pipelines
Open-source red team and post-exploitation framework for build pipelines. Walks you through the full attack lifecycle: reconnaissance of GitHub Actions workflows, exploit delivery, in-runner post-exploitation with the Brisket implant, and pivoting into AWS/GCP/Azure via OIDC. Like Metasploit, but for CI/CD.
Developer Workstation Security Scanner
Open-source CLI that inventories security-relevant metadata on developer workstations. Detects credentials, misconfigurations, and exposed secrets across Git, SSH, cloud providers, and package managers.
Go Repojacking Vulnerability Detector
Scan Go project dependencies for potential repojacking vulnerabilities. Detects missing or deleted GitHub accounts that could be hijacked by attackers.
Unicode PUA Obfuscation Detector
Tree-sitter-powered detector for malware hidden using Unicode Private Use Area characters. Catches invisible code obfuscation in JavaScript, Python, Go, and Java.
LEV Vulnerability Exploitability Calculator
Calculate Likely Exploitable Vulnerability scores based on NIST CSWP 41. Predict the probability of vulnerabilities being actively exploited to prioritize patching.
Hands-on playgrounds for practicing CI/CD and supply chain exploitation. Clone, hack, repeat. Only target systems you own or have explicit authorization to test.
Break a fake unicorn before breakfast
Step inside Whooli, a fake billion-dollar tech unicorn we built to get pwned. A full GitHub org stuffed with booby-trapped workflows, leaked deploy keys, hardcoded secrets, and a homebrewed AI triage bot begging to be hijacked. Point smokedmeat at it, walk the full kill chain from a drive-by issue comment to cloud admin, and learn exactly how modern CI/CD gets owned, safely.
Pipeline exploitation challenges
A series of intentionally vulnerable GitHub Actions workflows packaged as CTF challenges. Practice pwn requests, LOTP techniques, confused deputy attacks, and other real-world CI/CD exploitation patterns hands-on.
CI/CD Attack Techniques Knowledge Base
Inventory of lesser-known RCE-by-design features in development tools (typically CLIs) that are commonly used in CI/CD pipelines.
Deciduous-Generated Threat Models
Visual attack trees for supply chain security threats, generated using the Deciduous tool. Covers source code and build system attack scenarios aligned with SLSA.