Static analysis & exploit toolkit for GitHub Actions pipelines
Top 76.0% on sourcepulse
Gato-X is a static analysis and exploit toolkit designed for identifying and exploiting vulnerabilities within GitHub Actions pipelines. It targets security researchers and operators looking to automate the discovery of issues like Actions Injection, TOCTOU vulnerabilities, and self-hosted runner takeover at scale, offering rapid scanning capabilities.
How It Works
Gato-X automates advanced enumeration and exploitation techniques against GitHub repositories and organizations. It employs a "Runner-on-Runner" (RoR) technique for self-hosted runner takeover, deploying payloads via fork pull requests or push workflows. For vulnerability scanning, it utilizes a sophisticated engine for reachability analysis, cross-repository transitive workflow analysis, and lightweight source-sink analysis of variables within YAML workflow files.
Quick Start & Requirements
pip install gato-x
or pipx install gato-x
A GitHub personal access token (PAT) is required: the repo, workflow, and gist scopes for runner takeover, or the repo scope alone for vulnerability scanning. Supply it via the GH_TOKEN environment variable or enter it when prompted. Commands include gato-x a for attacks and gato-x s for searching.
Highlighted Details
Maintenance & Community
Licensing & Compatibility
Limitations & Caveats
The tool is described as an "operator facing tool with rapidly developed features," implying potential bugs, particularly with edge cases in run log formatting or YAML parsing. It may have a higher false positive rate than traditional SAST tools, though it aims to provide contextual information for triage. Analysis of referenced composite actions is not yet implemented.