A security testbed, vulnerable by design for testing codesec pipeline solutions.
Why "goat"?
A common saying is that if your fence won't hold water, it won't hold a goat. Animals are very creative, and will find a way around your barriers. In the same funny analogy, a goat repo demonstrates creativity and deliberate security issues that you might not expect.
Includes a combination of:
- Secrets, access control, hardcoding across many providers and systems
- 3rd party services
- 3rd party vendors + misconfiguration
- Non programming language assets
- Out of band assets (such as binary data)
- By-design overhead (large projects)
- Developer workflows: CI, pre-commit
- Extensibility and customizations
Designed to test and showcase:
- Coverage and value for sensitive, high risk, access control data
- High cloud services scenarios
- High open source usage integration scenarios
- Code security as a whole (full asset scan)
- Speed and efficiency of complex scans
- Ease of integration and developer experience