Red-teaming for AI and Cloud
woodpecker is a modular red teaming tool focused on AI and cloud apps. The tool is designed to discover security weaknesses by experimentation.
You can fetch the latest release here, or you can build from source.
To build from source, you'll need to have Go installed.
git clone https://github.com/operantai/woodpecker
cd woodpecker
make build
The design of woodpecker can be broken down into three concepts:
- Experiments - Experiments actively try to run something to discover if a security weakness is present.
- Verifiers - Verifiers look at the results of an Experiment and report its outcome.
- Components - Components are additional applications installed on a K8s cluster or in Docker to enable and enhance experiment functionality.
The woodpecker CLI mirrors this, and exposes experiment and component commands.
To start, you need to run an experiment.
Each experiment is defined by an experiment file, which allows you to tweak your experiment parameters to suit your scenarios.
For a full list of experiments available, you can run woodpecker experiment and you'll get a list and a short description of their capabilities.
To get you started you can then run woodpecker experiment snippet -e <experiment-name> and it'll output a template you can start from.
Once you're happy with your template you can run it:
$ woodpecker experiment run -f experiments/host_path_volume.yaml
Once you've successfully run the experiment, you can verify if it was successful or not:
$ woodpecker experiment verify -f experiments/host_path_volume.yaml
You can also output in various formats using -o json or -o yaml.
Some experiments require additional applications installed to run or enhance their functionality.
These can be added by providing a YAML file, see the components directory for examples.
$ woodpecker component install -f components/woodpecker-ai.yaml
$ woodpecker component uninstall -f components/woodpecker-ai.yaml
Experiments that need a component will warn you if it isn't deployed when you try to run them.
Please read the contribution guidelines, here.
Distributed under the Apache License 2.0.