carlospolop
commented
5 months ago Hi @hugo-syn ! I'm sorry it took so long to get a response! Feel free to send a PR at least to Github and comment it also work with Gitlab and Azure Devops, at least until there are sections for those. Also, next time for faster responses send some PR, I'm more use to look those
Hi,
First, thank you for cloud.hacktricks.xyz this is really awesome ! I would like to contribute by adding new content regarding CI/CD pipeline and more specifically on secret extraction.
We developed a tool called Nord Stream which automate everything to extract secrets that are stored inside CI/CD environments. The tools currently support Azure Devops, GitHub and GitLab. You can found it here: https://github.com/synacktiv/nord-stream. We also have a blog post explaining how secrets are stored in those systems and how we can extract them automatically (https://www.synacktiv.com/publications/cicd-secrets-extraction-tips-and-tricks).
If you are interested I could add this to cloud.hacktricks.xyz. I just don't know where I can add all of this because there are no sections for Azure Devops and GitLab and I don't know If the general Pentesting CI/CD Methodology section is the appropriate place to put all of this.
You can arrange this as you wish, but I could also open a PR if you help me to organize everything :)