RailsGoat CI/CD Lab

This free and open-source lab teaches developers and security practitioners how to integrate static and dynamic analysis (SAST and DAST) into a Jenkins CI/CD pipeline. It's based on RailsGoat, an intentionally-vulnerable security training web app.

Thanks to Vagrant and Virtualbox, the lab is cross-platform and runs on your local machine. It's tested against current versions of Linux, Windows, Vagrant, and Virtualbox. It should work on Mac OS as well.

How To Use This Lab

Here are some ways you can use this lab:

Follow the walkthrough. You'll deploy a Jenkins server and use it to automate vulnerability analysis: SAST (with semgrep and brakeman) and DAST (with ZAP).
Adapt the lab's code for your own purposes. It models these DevSecOps patterns:
- Using Ansible to deploy and provision Jenkins (including plugins)
- Using Docker and Docker Compose within declarative Jenkinsfiles to automate vulnerability analysis
Learn by reading the lab's source code (explanatory comments are sprinkled throughout)

Basic Usage

First set up a machine meeting these prerequisites:

Vagrant (install instructions)
Virtualbox (install instructions)
Git (install instructions)
A browser on your Vagrant host machine
~15GB of disk space for the lab VM
6GB+ of physical RAM (8GB+ is better)
Bandwidth to download lab environment components

Then get the code and launch the lab environment:

git clone https://github.com/dachiefjustice/railsgoat-cicd-lab.git
cd railsgoat-cicd-lab
vagrant up

Once vagrant up is done you can access the Jenkins server at http://localhost:8080 (default credentials: admin/admin). Open the lab walkthrough to start performing and automating vulnerability analysis.

Lab Architecture

Lab Tips

💡 Log Into Jenkins 💡

URL: http://localhost:8080

Credentials: admin/admin

💡 Access RailsGoat 💡

Create and run a Jenkins job from the hold-open Jenkinsfile.
Open http://localhost:3002 in your browser (or other HTTP tools)

💡 Adjust RAM 💡

Edit the Vagrantfile:

config.vm.provider "virtualbox" do |vb|
  vb.memory = "6144" # for 6GB of RAM
end

Run vagrant reload after adjusting RAM or other Vagrantfile settings.

You can also adjust CPU and RAM limits in the ZAP job's compose.yaml.

💡 Monitor Resources & Processes 💡

Use htop:

vagrant ssh
htop

Lab Tech Stack

Software	Purpose
Virtualbox	Hypervisor
Vagrant	VM management
Ansible	VM provisioning
Debian Linux	Lab VM OS
Alpine Linux	Support containers
Git	Move code and tools arond
Jenkins	Build/deploy/test RailsGoat
Docker + Docker Compose	Automating pipeline tasks
semgrep, brakeman	Static analysis of RailsGoat
ZAP	Dynamic analysis of RailsGoat

Credits

Special thanks to the authors and contributors of key lab components:

Name		Name	Last commit message	Last commit date
Latest commit History 352 Commits
docs		docs
railsgoat @ 58f4040		railsgoat @ 58f4040
roles		roles
scripts		scripts
sec-tests		sec-tests
vars		vars
.gitignore		.gitignore
.gitmodules		.gitmodules
LICENSE		LICENSE
README.md		README.md
Vagrantfile		Vagrantfile
ansible.cfg		ansible.cfg
playbook-vagrant.yml		playbook-vagrant.yml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

RailsGoat CI/CD Lab

How To Use This Lab

Basic Usage

Lab Architecture

Lab Tips

💡 Log Into Jenkins 💡

💡 Access RailsGoat 💡

💡 Adjust RAM 💡

💡 Monitor Resources & Processes 💡

Lab Tech Stack

Credits

About

Releases

Packages

Languages

License

vulnerable-apps/railsgoat-cicd-lab

Folders and files

Latest commit

History

Repository files navigation

RailsGoat CI/CD Lab

How To Use This Lab

Basic Usage

Lab Architecture

Lab Tips

💡 Log Into Jenkins 💡

💡 Access RailsGoat 💡

💡 Adjust RAM 💡

💡 Monitor Resources & Processes 💡

Lab Tech Stack

Credits

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages