boostsecurityio/lotp
Living Off the Pipeline (LOTP)
Introduction
The LOTP project inventories development tools (typically CLIs) commonly used in CI/CD pipelines that have lesser-known RCE-by-design features ("foot guns") or, more generally, can be used to achieve arbitrary code execution when a pipeline runs them on untrusted code changes or after a workflow injection.
Contributions
We welcome contributions submitted as Pull Requests with new tool entries, or simply as Issues for new ideas.
License
Released under Apache 2.0 by @boostsecurityio.
Prior art / Credits
This project is largely inspired by previous projects such as:
- https://gtfobins.github.io
- https://lolbas-project.github.io
- https://github.com/rotem-cider/cicd-lamb