Rotten Apple

A project for testing continuous integration (CI) or continuous delivery (CD) system security

Key Benefits

  • Test Your CI/CD - Build this project on your CI/CD server to find out whether its build environment leaves room for security improvements.
  • Uses Unit-Test Framework - The unit tests here do not test this code; they test the CI/CD that builds it, so the results show up wherever your CI already reports test output.
  • Simple - The project is designed to make testing your CI easy and to give clear feedback as PASS/FAIL specs.
  • Extensible - Add new specs to check for the specific things you want to know about your CI.
  • Dual-Purpose - Use RottenApple::Audit to audit a CI/CD, or use RottenApple::Attack (disabled by default) to actively attack one.

Here's how it works

  • Fork the project
  • Configure or add the specs you want to run
  • Configure your CI/CD to build the forked project
  • Build it
  • Check the unit-test results for details of what passed and what failed

RottenApple::Audit

This portion of the project is focused on auditing a CI/CD system and is the default namespace when the "rake" command is invoked in this project.

Here's the list of audit checks it does right now:

  • Is the root user being used to build projects?
  • Can malicious code steal your RubyGems API key?
  • Could malicious code pivot to private networks?
  • Can malicious code authenticate using your GitHub credentials?
  • Could malicious code receive instructions from a remote party or exfiltrate data from your CI?
  • Can malicious code access other projects being built on the same server?
  • Can malicious code steal SSH private keys?
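To make the audit idea concrete, here is an added example of four of the checks above written as plain Ruby, in the PASS/FAIL style the README describes. It is not Rotten Apple's own code; the module name, check names, the list of secret file locations and the environment-variable pattern are all assumptions, and the sample home directory it builds is seeded with constructed fake credentials so it can be run offline.

```ruby
# frozen_string_literal: true
# Added example, not Rotten Apple's own code. Names and the secret-file list
# are assumptions; adjust them for the CI image you are auditing.
require 'tmpdir'
require 'fileutils'

module CiAudit
  # Files under the build user's home that a malicious build step could read
  # (assumed list; the README's checks cover the RubyGems key, SSH keys and
  # GitHub credentials).
  SECRET_FILES = [
    '.gem/credentials',                                                  # RubyGems API key
    '.ssh/id_rsa', '.ssh/id_dsa', '.ssh/id_ecdsa', '.ssh/id_ed25519',   # SSH private keys
    '.netrc', '.git-credentials'                                         # git/GitHub credentials
  ].freeze

  # Environment variable names that usually carry tokens (assumption).
  SECRET_ENV = /(TOKEN|SECRET|PASSWORD|API_KEY|CREDENTIAL)/i

  Finding = Struct.new(:check, :passed, :detail)

  # A build running as uid 0 owns the CI host outright.
  def self.root_build?(uid)
    uid.zero?
  end

  # Secret files that exist and are readable by the process running the build.
  def self.readable_secrets(home)
    SECRET_FILES.map { |rel| File.join(home, rel) }
                .select { |path| File.file?(path) && File.readable?(path) }
  end

  # Environment variable names that look like they hold a credential.
  def self.leaked_env(env)
    env.keys.grep(SECRET_ENV).sort
  end

  def self.list(items)
    items.empty? ? 'none found' : items.join(', ')
  end

  # Run the checks against a home directory, uid and environment; defaults
  # audit the process this script runs in, i.e. your CI build.
  def self.run(home: ENV.fetch('HOME', '/'), uid: Process.uid, env: ENV.to_h)
    secrets   = readable_secrets(home)
    gem_keys  = secrets.grep(%r{/\.gem/credentials\z})
    ssh_keys  = secrets.grep(%r{/\.ssh/id_})
    git_creds = secrets.grep(/\.(netrc|git-credentials)\z/) +
                leaked_env(env).map { |name| "ENV[#{name}]" }
    [
      Finding.new('build does not run as root', !root_build?(uid), "uid=#{uid}"),
      Finding.new('RubyGems API key not readable by build', gem_keys.empty?, list(gem_keys)),
      Finding.new('SSH private keys not readable by build', ssh_keys.empty?, list(ssh_keys)),
      Finding.new('GitHub/git credentials not exposed to build', git_creds.empty?, list(git_creds))
    ]
  end

  # Print one PASS/FAIL line per check; returns true only if every check passed.
  def self.report(findings)
    findings.each do |f|
      puts format('%-4s %s (%s)', f.passed ? 'PASS' : 'FAIL', f.check, f.detail)
    end
    findings.all?(&:passed)
  end

  # Constructed sample home directory seeded with fake secrets so the checks
  # can be exercised offline. Nothing written here is a real credential.
  def self.constructed_home
    home = Dir.mktmpdir('rotten-apple-demo')
    FileUtils.mkdir_p(File.join(home, '.gem'))
    FileUtils.mkdir_p(File.join(home, '.ssh'))
    File.write(File.join(home, '.gem', 'credentials'),
               "---\n:rubygems_api_key: constructed_not_a_real_key\n")
    File.write(File.join(home, '.ssh', 'id_rsa'),
               "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n")
    File.write(File.join(home, '.git-credentials'),
               "https://user:constructed_token@github.com\n")
    home
  end
end

if $PROGRAM_NAME == __FILE__
  puts '== constructed insecure build environment =='
  CiAudit.report(CiAudit.run(home: CiAudit.constructed_home, uid: 0,
                             env: { 'GITHUB_TOKEN' => 'constructed' }))
  puts '== the environment this script is running in =='
  CiAudit.report(CiAudit.run)
end
```

Run it as a build step and the second block of output is the audit of your own CI; wrapping each Finding in a spec assertion is what turns it into the unit-test-driven report the project relies on. Note that File.readable? answers for the process's own uid, so a FAIL from the root check also means every other check is trivially FAIL: fix the build user first.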

RottenApple::Attack

Conversely, this is the portion of the project that enables you to actively attack a CI/CD. It is disabled by default; to switch to "attack mode", open the Rakefile and change the default task from "audit" to "attack". Only do this against a CI/CD you own or are authorized to test.

Here's the list of attacks it does right now:

  • Steal the RubyGems API key
  • Flush iptables (i.e. drop the host's firewall rules)
  • Install software to aid in the attack process
  • Make an unauthorized commit to master
  • Perform an Nmap scan of a chosen set of targets
  • Throw/shovel a reverse shell to get command-line access to the CI/CD
  • Steal SSH private keys

Contributing

If you are interested in contributing to this project, please see CONTRIBUTING.md


Authors

@claudijd is the primary author of this project.

Any additional contributors will be listed here as a sincere thanks for their contributions.