{"id":29482809,"url":"https://github.com/AdnaneKhan/gato-x","last_synced_at":"2025-07-15T02:02:24.069Z","repository":{"id":248252681,"uuid":"749160816","full_name":"AdnaneKhan/gato-x","owner":"AdnaneKhan","description":"GitHub Attack Toolkit - Extreme Edition - A static analysis and exploit toolkit for GitHub Actions.","archived":false,"fork":false,"pushed_at":"2025-07-05T14:58:36.000Z","size":6222,"stargazers_count":377,"open_issues_count":12,"forks_count":43,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-07-11T20:48:05.940Z","etag":null,"topics":["bugbounty","cicd","github","github-actions","hacking","red-team"],"latest_commit_sha":null,"homepage":"https://adnanekhan.github.io/gato-x/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AdnaneKhan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["AdnaneKhan"]}},"created_at":"2024-01-27T18:55:16.000Z","updated_at":"2025-07-10T09:22:20.000Z","dependencies_parsed_at":"2025-02-02T09:02:54.517Z","dependency_job_id":"233f4a43-2931-4d61-8996-131682b6b743","html_url":"https://github.com/AdnaneKhan/gato-x","commit_stats":{"total_commits":127,"total_committers":10,"mean_commits":12.7,"dds":0.2362204724409449,"last_synced_commit":"caced174a64500cb4cbd3c383fae46969cf7befb"},"previous_names":["adnanekhan/gato-x"],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/AdnaneKhan/gato-x","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AdnaneKhan%2Fgato-x","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AdnaneKhan%2Fgato-x/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AdnaneKhan%2Fgato-x/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AdnaneKhan%2Fgato-x/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AdnaneKhan","download_url":"https://codeload.github.com/AdnaneKhan/gato-x/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AdnaneKhan%2Fgato-x/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265386079,"owners_count":23756747,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","cicd","github","github-actions","hacking","red-team"],"created_at":"2025-07-15T02:01:46.220Z","updated_at":"2025-07-15T02:02:24.056Z","avatar_url":"https://github.com/AdnaneKhan.png","language":"Python","funding_links":["https://github.com/sponsors/AdnaneKhan"],"categories":["Python"],"sub_categories":[],"readme":"![Supported Python versions](https://img.shields.io/badge/python-3.10+-blue.svg)\n[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)\n\n# Gato (Github Attack TOolkit) - Extreme Edition\n\nGato-X is a _FAST_ scanning and attack tool for GitHub Actions pipelines. You can use it to identify\nPwn Requests, Actions Injection, TOCTOU Vulnerabilities, and Self-Hosted Runner takeover at scale using just a single API token. It will also analyze cross-repository workflows and reusable actions. This surfaces vulnerabilities that other scanners miss because they only scan workflows within a single repository.\n\nGato-X is an operator-focused tool that is tuned to avoid false negatives. It will have a higher false positive rate than SAST tools like CodeQL, but Gato-X will give you everything you need to quickly determine if something is a true positive or not!\n\nThe `search` and `enumerate` modes are safe to run on all public repositories, and\nyou will not violate any rules by doing so.\n\nGato-X's attack features should only be used with authorization, and make sure\nto follow responsible disclosure if you find vulnerabilities with Gato-X.\n\n**Gato-X is a powerful tool and should only be used for ethical security research purposes.**\n\n## Documentation\n\nFor comprehensive documentation, please visit the [Gato-X Documentation](https://adnanekhan.github.io/gato-x/) site.\n\n## What is Gato-X?\n\nGato-X is an offensive security tool designed to identify exploitable GitHub Actions misconfigurations or privilege escalation paths. It focuses on several key areas:\n\n* Self-Hosted Runner enumeration using static analysis of workflow files and analysis of workflow run logs\n* Pwn Request and Actions Injection enumeration using static analysis\n* Post-compromise secrets enumeration and exfiltration\n* Public repository self-hosted runner attacks using Runner-on-Runner (RoR) technique\n* Private repository self-hosted runner attacks using RoR technique\n\nThe target audience for Gato-X is Red Teamers, Bug Bounty Hunters, and Security Engineers looking to identify misconfigurations.\n\n## Feature Highlights\n\n### Fast and Comprehensive Scanning\n\nGato-X contains a powerful scanning engine for GitHub Actions vulnerabilities. It is capable of scanning 35-40 *thousand* repositories in 1-2 hours using a single GitHub PAT. Key capabilities include:\n\n* Reachability Analysis\n* Cross-Repository Transitive Workflow and Reusable Action Analysis\n* Parsing and Simulation of \"If Statements\"\n* Gate Check Detection (permission checks, etc.)\n* Lightweight Source-Sink Analysis for Variables\n* MCP Server\n\n## Quick Start\n\n### Search For GitHub Actions Vulnerabilities at GitHub Scale\n\nFirst, create a GitHub PAT with the `repo` scope. Set that PAT to the\n`GH_TOKEN` environment variable.\n\nNext, use the search feature to retrieve a list of candidate repositories:\n\n```\ngato-x s -sg -q 'count:75000 /(issue_comment|pull_request_target|issues:)/ file:.github/workflows/ lang:yaml' -oT checks.txt\n```\n\nFinally, run Gato-X on the list of repositories:\n\n```\ngato-x e -R checks.txt | tee gatox_output.txt\n```\n\nThis will take some time depending on your computer and internet connection speed. Since the results are very long, use `tee` to save them to a file\nfor later review. Gato-X also supports JSON output, but that is intended for further machine analysis.\n\n### Perform Self-Hosted Runner Takeover\n\nTo perform a public repository self-hosted runner takeover attack, Gato-X requires a PAT with the following scopes:\n\n`repo`, `workflow`, and `gist`.\n\nThis should be a PAT for an account that is a _contributor_ to the target repository (i.e. submitted a typo fix).\n\n```\ngato-x a --runner-on-runner --target ORG/REPO --target-os [linux,osx,windows] --target-arch [arm,arm64,x64]\n```\nIt is very rare that maintainers select allowing workflows on pull requests from all external users without approval,\nbut it has happened.\n\nNext, Gato-X will automatically prepare a C2 repository and begin the operation. Gato-X will monitor each step\nas the attack continues, exiting as gracefully as possible at each phase in case of a failure. If workflow approval\nis required, Gato-X will wait a short period of time before exiting.\n\nIf the full chain succeeds, Gato-X will drop to an interactive prompt. This will execute shell commands on the\nself-hosted runner.\n\nIf the target runner is non-ephemeral, use the `--keep-alive` flag. This will keep the workflow running. GitHub\nActions allows workflow runs on self-hosted runners to run for up to **5 days** (as of writing, this might change - it was 30 days).\n\n### Dump Secrets\n\nIf you have a PAT with write access to the repository along with the `repo` and `workflow` scopes, you can dump all secrets accessible to the repository with a single command:\n\n`gato-x attack --secrets -t targetOrg/targetRepo -d`\n\nSee documentation for additional options such as specifying workflow name, branch name, and more.\n\n## Installation\n\nGato supports OS X and Linux with at least **Python 3.10**.\n\nGato-X is published on PyPI, so you can simply install it with `pip install gato-x`.\n\nIn order to install the tool from source, simply clone the repository and use `pip install`.\n\nWe recommend performing this within a virtual environment.\n\n```\ngit clone https://github.com/AdnaneKhan/gato-x\ncd gato-x\npython3 -m venv venv\nsource venv/bin/activate\npip install .\n```\nOr you can use pipx:\n```\ngit clone https://github.com/AdnaneKhan/gato-x\ncd gato-x\npipx install .\n```\n\nIf you need to make on-the-fly modifications, then install it in editable mode with `pip install -e`.\n\n## Contributing\n\nContributions are welcome! Please [review](https://adnanekhan.github.io/gato-x/contribution-guide/contributions/) the design methodology before working on a new feature!\n\nAdditionally, if you are proposing significant changes to the tool, please open an issue to start a conversation about the motivation for the changes.\n\n## License\n\nGato-X is licensed under the [Apache License, Version 2.0](LICENSE).\n\n```\nGato-X:\n\nCopyright 2024, Adnan Khan\n\nOriginal Gato Implementation:\n\nCopyright 2023 Praetorian Security, Inc\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n    http://www.apache.org/licenses/LICENSE-2.0\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAdnaneKhan%2Fgato-x","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FAdnaneKhan%2Fgato-x","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAdnaneKhan%2Fgato-x/lists"}