Skip to content

Commit a946ac9

Browse files
authored
Elk (#612)
* Add ELK compose example with automated Kibana dashboard setup
1 parent ae852b7 commit a946ac9

16 files changed

Lines changed: 983 additions & 13 deletions

File tree

docs/guides/gitlab.md

Lines changed: 9 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -49,7 +49,7 @@ pipeleek gl vuln -g https://leakycompany.com -t glpat-[redacted]
4949
2024-11-14T14:29:05+01:00 info Fetching CVEs for this version version=17.5.1-ee
5050
```
5151

52-
## Enumerating CI/CD Variables And Secure Files
52+
## Enumerating Accessible Secrets
5353

5454
If you already have access to projects and groups you can try to enumerate CI/CD variables and use these for potential privilege escalation/lateral movement paths.
5555

@@ -63,10 +63,10 @@ pipeleek gl variables -g https://leakycompany.com -t glpat-[redacted]
6363
pipeleek gl schedule -g https://leakycompany.com -t glpat-[redacted]
6464

6565
# Secure files are an alternative to variables and often times contain sensitive info
66-
pipeleek gl secureFiles --gitlab https://leakycompany.com --token glpat-[redacted]
67-
2024-11-18T15:38:08Z info Fetching project variables
68-
2024-11-18T15:38:09Z warn Secure file content="this is a secure file!!" downloadUrl=https://leakycompany.com/api/v4/projects/60367314/secure_files/9149327/download
69-
2024-11-18T15:38:12Z info Fetched all secure files
66+
pipeleek gl secureFiles -g https://leakycompany.com -t glpat-[redacted]
67+
68+
# Terraform states can contain secrets
69+
pipeleek gl tf --token -g https://leakycompany.com -t glpat-[redacted]
7070
```
7171

7272
## Secret Detection in Source Code
@@ -79,7 +79,7 @@ Use Trufflehog to find hardcoded secrets in the source code:
7979
trufflehog gitlab --token=glpat-[redacted]
8080
```
8181

82-
Note: this only scanned repository you have access to. You can specify single repositories as well.
82+
Note: this only scans repositories you have access to. You can specify single repositories as well.
8383

8484
## Secret Detection in Pipelines And Artifacts
8585

@@ -166,7 +166,7 @@ Review the findings manually and tweak the flags according to your needs.
166166

167167
If you found any valid credentials, e.g. personal access tokens, cloud credentials, and so on, check if you can move laterally or escalate privileges.
168168

169-
### An example of privilege escalation
169+
### An example of lateral movement
170170

171171
Pipeleek identified the following based64 encode secret in the environment variable `CI_REPO_TOKEN`:
172172

@@ -209,11 +209,11 @@ pipeleek gl enum -g https://gitlab.example.com -t glpat-[redacted]
209209
2025-09-29T12:25:52Z info Done
210210
```
211211

212-
Abusing this access token grants you access to the `another-project` repository, thus you escalated privileges to this repository.
212+
Abusing this access token grants you access to the `another-project` repository.
213213

214214
## Attacking Runners
215215

216-
Chances are high that if pipelines are used, custom runners are registered. These come in different flavors. Most of the time the docker executor is used, which allows pipelines to define container images in which their commands are executed. For a full list of possibilities [rtfm](https://docs.gitlab.example.com/runner/executors/).
216+
Chances are high that if pipelines are used, custom runners are registered. These come in different flavors. Often times a container / docker based executor is used, which allows pipelines to define container images in which their commands are executed. For a full list of possibilities [rtfm](https://docs.gitlab.example.com/runner/executors/).
217217

218218
If you can create projects or contribute to existing ones, you can interact with runners. We want to test if it is possible to escape from the runner context e.g. escape from the container to the host machine or if the runner leaks additional privileges e.g. in the form of attached files or environment variables set by the runner config.
219219

@@ -231,7 +231,6 @@ $ pipeleek gl runners --token glpat-[redacted] --gitlab https://gitlab.example.c
231231
2024-09-26T14:26:55+02:00 info group runner description=blue-3.saas-linux-large-amd64.runners-manager.gitlab.example.com/default name=comp-test-ia paused=false runner=gitlab-runner tags=saas-linux-large-amd64 type=instance_type
232232
2024-09-26T14:26:55+02:00 info group runner description=green-1.saas-linux-2xlarge-amd64.runners-manager.gitlab.example.com/default name=comp-test-ia paused=false runner= tags=saas-linux-2xlarge-amd64 type=instance_type
233233
2024-09-26T14:26:55+02:00 info Unique runner tags tags=gitlab-org,saas-linux-large-arm64,windows,gitlab-org-docker,e2e-runner2,saas-macos-large-m2pro,saas-linux-xlarge-amd64,saas-linux-small-amd64,saas-linux-2xlarge-amd64,saas-linux-medium-amd64,saas-windows-medium-amd64,e2e-runner3,saas-linux-medium-arm64,saas-linux-medium-amd64-gpu-standard,saas-macos-medium-m1,shared-windows,saas-linux-large-amd64,windows-1809
234-
2024-09-26T14:26:55+02:00 info Done, Bye Bye 🏳️‍🌈🔥
235234
```
236235

237236
Review the runners and select the interesting ones. The Gitlab Ci/CD config file allows you to select runners by their tags. Thus we create a list of the most interesting tags, printed by the command above.

docs/introduction/configuration.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -222,7 +222,8 @@ circle:
222222
project: [my-org/my-repo] # circle scan --project (optional if org is set)
223223
vcs: github # circle scan --vcs
224224
org: my-org # circle scan --org (also enables org-wide discovery when project is omitted)
225-
# --org accepts: my-org, github/my-org, or app URL forms like
225+
# --org accepts: my-org, github/my-org, circleci/my-org (required for native
226+
# CircleCI orgs), or app URL forms like
226227
# https://app.circleci.com/pipelines/github/my-org/my-repo
227228
# Note: org-wide discovery requires token visibility to that org. If not,
228229
# use explicit --project selectors instead.
312 KB
Loading

docs/introduction/logging.md

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -112,3 +112,28 @@ pipeleek gl scan --token glpat-[redacted] --gitlab https://gitlab.example.com -
112112
```
113113

114114
Using Kibana you can filter for interesting messages, based on the JSON attributes of the output.
115+
116+
### ELK Docker Compose Example (Shared Config + One-Shot Jobs)
117+
118+
A Docker Compose example is available in [examples/compose-elk](https://github.com/CompassSecurity/pipeleek/tree/main/examples/compose-elk).
119+
120+
It includes:
121+
122+
- Elasticsearch storage and Kibana visualization
123+
- One shared Pipeleek config file mounted read-only into all scanner containers
124+
- One-shot scanner services for all scan commands (`gl`, `gh`, `bb`, `ad`, `gitea`, `jenkins`)
125+
- Logstash TCP ingestion for Pipeleek JSON lines
126+
127+
Quick start:
128+
129+
```bash
130+
git clone https://github.com/CompassSecurity/pipeleek.git
131+
cd pipeleek/examples/compose-elk
132+
bash start-elk.sh
133+
docker compose --profile gitlab run --rm scan-gitlab
134+
```
135+
136+
Then open Kibana at `http://localhost:5601` and visit the dashboard.
137+
138+
Example after running some scans for a while.
139+
![ELK dashboard](elk-dashboard.png)

docs/social.png

-132 KB
Loading

examples/compose-elk/README.md

Lines changed: 116 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,116 @@
1+
# Pipeleek Compose Example: Shared Config + ELK
2+
3+
This example runs Pipeleek scan jobs as one-shot containers and forwards all JSON logs into Elasticsearch via Logstash. Kibana is provided for querying and dashboards.
4+
5+
## What this setup provides
6+
7+
- One shared Pipeleek config file mounted read-only in every scan-job container.
8+
- One Elasticsearch instance.
9+
- One Kibana instance.
10+
- One Logstash instance that accepts newline-delimited JSON on TCP port 5000 and is tuned to 192MB heap for local/dev environments.
11+
- One service definition per scan job:
12+
- `scan-gitlab`
13+
- `scan-github`
14+
- `scan-bitbucket`
15+
- `scan-devops`
16+
- `scan-gitea`
17+
- `scan-jenkins`
18+
19+
## 1) Prepare shared config
20+
21+
Edit `pipeleek.shared.example.yaml` and fill all token/url placeholders.
22+
23+
The file is mounted into each scanner as:
24+
25+
- Container path: `/config/pipeleek.yaml`
26+
27+
## 2) Start ELK services
28+
29+
Use the automated startup script that starts ELK and configures Kibana automatically:
30+
31+
```bash
32+
bash start-elk.sh
33+
```
34+
35+
This script:
36+
37+
1. Starts Elasticsearch, Logstash, and Kibana
38+
2. Installs an Elasticsearch index template optimized for Pipeleek scan logs
39+
3. Waits for Kibana to be ready
40+
4. Automatically creates and configures the Kibana data view for pipeleek logs
41+
42+
**Manual alternative**:
43+
44+
```bash
45+
docker compose up -d elasticsearch logstash kibana
46+
```
47+
48+
Then manually setup the index template and Kibana data view:
49+
50+
```bash
51+
bash setup-elasticsearch.sh
52+
bash setup-kibana.sh
53+
```
54+
55+
## 3) Run one-shot scan jobs
56+
57+
Run any individual scan job with:
58+
59+
```bash
60+
docker compose --profile gitlab run --rm scan-gitlab
61+
docker compose --profile github run --rm scan-github
62+
docker compose --profile bitbucket run --rm scan-bitbucket
63+
docker compose --profile devops run --rm scan-devops
64+
docker compose --profile gitea run --rm scan-gitea
65+
docker compose --profile jenkins run --rm scan-jenkins
66+
```
67+
68+
Each job:
69+
70+
1. Runs its own scan command using the shared config.
71+
2. Streams each JSON line to Logstash over TCP.
72+
3. Prints periodic progress updates every 30s to the container stderr so you can see it is still running.
73+
74+
## 4) View data in Kibana
75+
76+
Once you've run `bash start-elk.sh`, the Kibana data view is automatically configured. Simply:
77+
78+
1. Open http://localhost:5601
79+
2. Open **Dashboards** and select `Pipeleek - Hit Monitoring`
80+
3. You will see:
81+
82+
- `Pipeleek - High Hits` (count of `scan.confidence: high` hits)
83+
- `Pipeleek - High-Verified Hits` (count of `scan.confidence: high-verified` hits)
84+
- `Pipeleek - Log Intake Over Time` (bar chart over the last 4 hours with fixed 10-minute buckets)
85+
- `Pipeleek - Hits by Asset Type` (pie chart, for example hit logs vs hit artifacts)
86+
- `Pipeleek - Hits by Confidence` (pie chart of confidence ratings)
87+
- `Pipeleek - Last 100 Scan Entries` table (hit-level events only)
88+
- `Pipeleek - Latest 100 Log Entries` table (sorted by newest first, no fixed filter)
89+
90+
4. Use the dashboard filter bar to filter by fields like `scan.platform` and `scan.confidence`
91+
92+
Hit-focused panels use hit events (`level=hit`). If no hits are present in the selected time range, those panels will show no results.
93+
94+
You can also use **Discover** with the same data view for ad-hoc investigation.
95+
96+
For better searchability, logs are also normalized into common fields:
97+
98+
- `scan.platform`
99+
- `scan.level`
100+
- `scan.confidence`
101+
- `scan.job_name`
102+
- `scan.target_url`
103+
- `scan.asset_type`
104+
- `scan.is_hit`
105+
- `secret.rule_name`
106+
- `secret.is_present`
107+
- `event.kind`
108+
- `event.category`
109+
- `event.type`
110+
- `event.outcome`
111+
112+
**If you manually started ELK**, run the setup script:
113+
114+
```bash
115+
bash setup-kibana.sh
116+
```

0 commit comments

Comments
 (0)