SmokedMeat — a framework for CI/CD pipeline security assessment

A post‑exploitation framework that demonstrates the risks of CI/CD environment compromise. Designed to test pipeline resilience against supply‑chain attacks.

Features: 📍 Analyzes GitHub Actions for injections, unsafe triggers, and insecure checkout patterns (powered by the SAST scanner poutine). 📍 Injects a loader via available GitHub mechanisms and executes payloads on the build server. 📍 Extracts secrets from the build environment. 📍 Enables lateral movement using captured credentials — access to AWS, GCP, Azure, and private repositories. 📍 Terminal interface for managing attack stages.

Compared to poutine (a SAST scanner by the same authors), SmokedMeat not only identifies vulnerabilities but also demonstrates their exploitation and impact. Unlike classic frameworks such as Metasploit, it focuses solely on CI/CD chains and is not intended for EDR evasion.

📎 Tool: https://github.com/boostsecurityio/smokedmeat

💬 Discuss