laragoldstein13/ReachabilityDemo

Reachability Demo

This demo deploys a container image with reachable vulnerabilities from Damn Vulnerable GraphQL Application.

Prerequisites

  • Azure Kubernetes Service (AKS) Cluster to run the container in.
  • Azure Container Registry (ACR) with an admin account.
  • Connection between AKS cluster and ACR.
  • Endor Labs license.
    • Sign up for a free trial here.
  • Defender CSPM license.
  • Connector for Endor Labs in Defender for Cloud. Learn how to create the connector here.

Azure DevOps Configuration

  1. Clone this repository in Azure DevOps.
  2. Create a service connection in Azure DevOps to Docker. Select 'Other' when you have to specify the type of connection. Here you must specify the container registry login server, username, and password that come from Access Keys in Azure Container Registry.
  3. Create a service connection in Azure DevOps to Azure Resource Manager. Ensure that you give the service connection permissions to the relevant subscription and resource group that hosts your Kubernetes cluster.
  4. Create a variable group in Azure Pipelines called 'tenant-variables'. This is where you should store the ENDOR_API_CREDENTIALS_KEY, ENDOR_API_SECRET, and NAMESPACE values that you get from Endor Labs. For more guidance, see the Endor Labs documentation.
  5. Create a new pipeline using the existing file located at AzurePipeline/azure-pipelines.yml.
  6. Add the following variables to the pipeline: clusterName (name of the Kubernetes cluster to deploy the container on), containerRegistry (login server name for the Azure Container Registry, e.g., reachability.azurecr.io), dockerConnection (name of the Docker service connection used to push the image to Azure Container Registry), resourceGroup (resource group that hosts the Kubernetes cluster), and subscription (name of the service connection to Azure Resource Manager).
  7. Save and run the pipeline.
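The following Azure Pipelines definition is an added example of the shape the seven steps above configure; it is not the repository's own AzurePipeline/azure-pipelines.yml, whose contents are not reproduced on this page. The variable group, the five pipeline variables, and the Endor Labs variable names are the ones named in the steps; the image repository name and the endorctl invocation are assumptions and are marked as such in the comments.

```yaml
# Added example pipeline (not the repository's file). It wires the variable
# group from step 4 and the pipeline variables from step 6 into three stages:
# build and push to ACR, scan with Endor Labs, deploy to AKS.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  # Variable group created in step 4; holds the Endor Labs credentials.
  - group: tenant-variables
  # clusterName, containerRegistry, dockerConnection, resourceGroup and
  # subscription are the pipeline variables added in step 6.
  - name: imageRepository
    value: reachability-demo          # assumed repository name inside ACR
  - name: imageTag
    value: $(Build.BuildId)

steps:
  # Build the image and push it through the Docker service connection
  # (step 2), so the ACR admin password never appears in the YAML.
  - task: Docker@2
    displayName: Build and push image to ACR
    inputs:
      containerRegistry: $(dockerConnection)
      repository: $(imageRepository)
      command: buildAndPush
      Dockerfile: Dockerfile
      tags: |
        $(imageTag)

  # Scan the pushed image. Secret variables from a variable group are not
  # exposed to scripts as environment variables automatically, so they are
  # mapped explicitly under env: rather than interpolated into the script.
  - script: |
      set -euo pipefail
      IMAGE="$(containerRegistry)/$(imageRepository):$(imageTag)"
      # Assumed: endorctl is installed on the agent and reads the credentials
      # from the environment variables mapped below.
      endorctl scan --container "$IMAGE"
    displayName: Endor Labs reachability scan (assumed endorctl usage)
    env:
      ENDOR_API_CREDENTIALS_KEY: $(ENDOR_API_CREDENTIALS_KEY)
      ENDOR_API_SECRET: $(ENDOR_API_SECRET)
      NAMESPACE: $(NAMESPACE)

  # Deploy to AKS through the Azure Resource Manager service connection
  # (step 3). Only a Deployment is created; no Service exposes the pod.
  - task: AzureCLI@2
    displayName: Deploy image to AKS
    inputs:
      azureSubscription: $(subscription)
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -euo pipefail
        IMAGE="$(containerRegistry)/$(imageRepository):$(imageTag)"
        az aks get-credentials \
          --resource-group "$(resourceGroup)" \
          --name "$(clusterName)" \
          --overwrite-existing
        # Generate the Deployment manifest from the image reference and apply
        # it, so a new build id rolls out a new image tag.
        kubectl create deployment reachability-demo --image="$IMAGE" \
          --dry-run=client -o yaml | kubectl apply -f -
```

The GitHub workflow in the next section follows the same three stages, with ACR_USERNAME and ACR_PASSWORD stored as repository secrets instead of a service connection. In both systems the credentials live in the secret store and are referenced by name, which is what keeps them out of the pipeline file and out of the job log.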

GitHub Configuration

  1. Clone this repository in GitHub.
  2. Navigate to Settings > Secrets and Variables > Actions in the GitHub repository.
  3. Create secrets for your ACR_USERNAME and ACR_PASSWORD. These come from Access Keys in ACR.
  4. Create a variable for the ACR login server name (e.g., reachability.azurecr.io).
  5. Configure authentication from GitHub to Endor Labs so that results can be sent.
  6. Create a new workflow using the existing file located at .github/workflows/containermapping.yml.
  7. Save and run the workflow.
  8. Deploy the container image from ACR to your AKS cluster in the Azure Portal. The easiest way to do this is to navigate to the AKS cluster and select Create > Create a quickstart application. Note that your registry and Kubernetes cluster must be linked for this to work. To see the attack path, the container should be exposed via a Service in Kubernetes. It is not recommended to do this in production tenants.

Disclaimer

This container image is highly insecure and, as such, should not be deployed on internet-facing servers in production environments. By default, the application listens on 127.0.0.1 to avoid misconfigurations.

The container image is intentionally flawed and vulnerable; as such, it comes with no warranties. By using it, you take full responsibility for doing so.

License

The container image is distributed under the MIT License. See LICENSE for more information.