gato-x by AdnaneKhan

Static analysis & exploit toolkit for GitHub Actions pipelines

created 1 year ago
381 stars

Top 76.0% on sourcepulse

Project Summary

Gato-X is a static analysis and exploit toolkit designed for identifying and exploiting vulnerabilities within GitHub Actions pipelines. It targets security researchers and operators looking to automate the discovery of issues like Actions Injection, TOCTOU vulnerabilities, and self-hosted runner takeover at scale, offering rapid scanning capabilities.

How It Works

Gato-X automates advanced enumeration and exploitation techniques against GitHub repositories and organizations. It employs a "Runner-on-Runner" (RoR) technique for self-hosted runner takeover, deploying payloads via fork pull requests or push workflows. For vulnerability scanning, it utilizes a sophisticated engine for reachability analysis, cross-repository transitive workflow analysis, and lightweight source-sink analysis of variables within YAML workflow files.
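The scanning half of that paragraph, reduced to its core as an added Python illustration (this is not code from gato-x): attacker-controlled event contexts are the sources, `run:` scripts are the sinks, a one-hop flow through an `env:` mapping is tracked as the page's "source-sink analysis of variables", and a checkout of the PR head under a privileged trigger is reported as a Pwn Request. The source list, the `scan_workflow` function and its finding labels, and the workflow text are this example's own assumptions; it is line-oriented so that it runs without a YAML library, which leaves out the reachability, conditional and cross-repository analysis the real tool performs.

```python
# Added illustration of source-to-sink scanning for GitHub Actions workflows.
# Not gato-x code; the workflow text is a constructed example and the source
# list, regexes and finding labels are this example's own assumptions.
import re

# Expression contexts a fork/PR author or issue commenter controls (partial list).
ATTACKER_SOURCES = re.compile(
    r"github\.(?:head_ref|event\.(?:(?:issue|pull_request)\.(?:title|body)"
    r"|pull_request\.head\.(?:ref|label)|(?:comment|review)\.body"
    r"|commits\[\d+\]\.message|head_commit\.message))"
)
# Triggers that run with a write-capable GITHUB_TOKEN and access to secrets.
PRIVILEGED_TRIGGERS = {"pull_request_target", "issue_comment", "issues", "workflow_run"}
TRIGGER_WORD = re.compile(r"\b(" + "|".join(sorted(PRIVILEGED_TRIGGERS)) + r")\b")
EXPR = re.compile(r"\$\{\{([^}]*)\}\}")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref")
MAPPING = re.compile(r"([A-Za-z_][\w-]*):\s*(\S.*)$")


def scan_workflow(text):
    """Return [(line_no, kind, detail), ...] for one workflow file's text."""
    findings, triggers, tainted, pr_head_checkouts = [], set(), {}, []
    in_on = in_run = uses_checkout = False
    run_indent = 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        key = raw.strip()
        if key.startswith("- "):              # list item => a new step begins
            key, uses_checkout = key[2:].lstrip(), False
        if indent == 0:                       # `on:` mapping lasts until next top-level key
            in_on = key.startswith("on:")
        if in_on:
            triggers.update(TRIGGER_WORD.findall(key))
        if in_run and indent <= run_indent:   # block scalar ended
            in_run = False
        is_run_key = key.startswith("run:")
        if is_run_key:
            in_run = key.endswith(("|", "|-", "|+", ">", ">-", ">+"))
            run_indent = indent
        in_script = in_run or is_run_key
        if "actions/checkout" in key:
            uses_checkout = True
        if uses_checkout and key.startswith("ref:") and PR_HEAD.search(key):
            pr_head_checkouts.append(n)       # PR head code checked out
        m = MAPPING.match(key)
        if m and not in_script:               # NAME: ${{ source }} taints NAME
            for expr in EXPR.findall(m.group(2)):
                src = ATTACKER_SOURCES.search(expr)
                if src:
                    tainted[m.group(1)] = src.group(0)
        if not in_script:
            continue
        # Sink: expressions in `run:` are substituted into the shell script
        # before it executes, so attacker-controlled text becomes shell code.
        for expr in EXPR.findall(raw):
            src = ATTACKER_SOURCES.search(expr)
            env_ref = re.search(r"\benv\.([\w-]+)", expr)
            if src:
                findings.append((n, "Actions Injection", src.group(0)))
            elif env_ref and env_ref.group(1) in tainted:
                findings.append((n, "Actions Injection",
                                 f"env.{env_ref.group(1)} <- {tainted[env_ref.group(1)]}"))
    if triggers & PRIVILEGED_TRIGGERS:        # Pwn Request needs a privileged trigger
        for n in pr_head_checkouts:
            findings.append((n, "Pwn Request", "PR head checked out under "
                             + ", ".join(sorted(triggers & PRIVILEGED_TRIGGERS))))
    return findings


# Constructed workflow: three injectable steps, one PR-head checkout, one safe step.
VULNERABLE = """\
name: PR triage
on:
  pull_request_target:
env:
  PR_TITLE: ${{ github.event.pull_request.title }}
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Greet
        run: |
          echo "New PR: ${{ github.event.pull_request.title }}"
          echo "Branch: ${{ github.head_ref }}"
      - name: Same flaw through env
        run: echo "${{ env.PR_TITLE }}"
      - name: Safe, the shell reads a variable instead of templated text
        run: echo "$PR_TITLE"
"""

for line_no, kind, detail in scan_workflow(VULNERABLE):
    print(f"line {line_no}: {kind}: {detail}")
```

The last step shows the fix for the injection class: pass the value through `env:` and let the shell read `$PR_TITLE`, so the contributor's text is data rather than script. Removing the Pwn Request means not checking out the PR head under `pull_request_target` (or moving the job to the unprivileged `pull_request` trigger); with both changes the scanner returns no findings. A real scanner also has to follow `${{ env.X }}` through job- and step-level `env:` blocks, `with:` inputs, outputs and reusable workflows, which is where the reachability and transitive analysis described above comes in.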

Quick Start & Requirements

  • Installation: pip install gato-x or pipx install gato-x
  • Prerequisites: Python 3.10+, GitHub Personal Access Token (PAT) with repo, workflow, and gist scopes for runner takeover, or repo scope for vulnerability scanning.
  • Usage: Set GH_TOKEN environment variable or provide PAT when prompted. Commands include gato-x a for attacks and gato-x s for searching.
  • Documentation: Wiki

Highlighted Details

  • Automates "Runner-on-Runner" (RoR) technique for self-hosted runner takeover, providing an interactive webshell upon success.
  • Scans 35-40k repositories per hour for Actions Injection and Pwn Request vulnerabilities using a single GitHub PAT.
  • Features include reachability analysis, transitive workflow analysis, and parsing of conditional statements within workflows.
  • Future features include composite action analysis and LLM-augmented result analysis for identifying injection points.

Maintenance & Community

  • Maintained by @AdnaneKhan.
  • Associated with BlackHat USA 2024 and DEF CON 32 talks.
  • Contributions are welcome; review design methodology before proposing changes.

Licensing & Compatibility

  • Licensed under the Apache License, Version 2.0.
  • Permits commercial use and linking with closed-source projects.

Limitations & Caveats

The project describes itself as an "operator-facing tool with rapidly developed features", so expect bugs, particularly around edge cases in run-log formatting or YAML parsing. Its false positive rate may be higher than that of traditional SAST tools, although each finding carries contextual information to support triage. Analysis of referenced composite actions is not yet implemented.

Health Check

  • Last commit: 2 weeks ago
  • Responsiveness: 1 day
  • Pull Requests (30d): 9
  • Issues (30d): 5
  • Star History: 74 stars in the last 90 days

Starred by Boris Cherny (Creator of Claude Code; MTS at Anthropic), Georgios Konstantopoulos (CTO, General Partner at Paradigm), and 2 more.