-
Notifications
You must be signed in to change notification settings - Fork 16
Home
Refer to the project's README for installation instructions from source or from PyPi.
Gato-X is an offensive security tool designed to identify exploitable GitHub Actions misconfigurations or privilege escalation paths. It focuses on several key areas:
- Self-Hosted Runner enumeration using static analysis of workflow files and analysis of workflow run logs.
- Pwn Request and Actions Injection enumeration using static analysis.
- Post-compromise secrets enumeration and exfiltration.
- Public repository self-hosted runner attacks using Runner-on-Runner (RoR) technique.
- Private repository self-hosted runner attacks using RoR technique.
The target audience for Gato-X is Red Teamers, Bug Bounty Hunters, and Security Engineers looking to identify misconfigurations. I've personally used Gato-X to earn multiple five-figure bug bounties. I am making it public to empower ethical hackers to report these issues to open-source projects.
You can find the slides for the BlackHat 24 and DEF CON 32 talks where John Stawinski and I demonstrated Gato-X along with GitHub Actions TTPs below:
Khan_Stawinski_GrandTheftActions_PDFSlides.pdf
I led the development of Gato while at my previous employer. Outside of the initial development sprint leading up to the original tool release, my previous employer didn't fund (read: provide overhead time) development of the tool. As such, the original tool is not actively maintained. As of now, the only reason to use the original Gato is if you need to run it on an older Python version because Gato-X requires Python 3.10 or greater.
Gato-X is NOT a holistic tool to evaluate the GitHub Actions security posture of a repository. Gato-X does not check check for best practices like GitHub Actions version pinning, branch protection, secure defaults, and other controls that are important but not directly exploitable. Gato-X's enumeration features focus on identifying exploitable issues in a GitHub repository. Exploitable issues mean an issue that can be exploited without any interaction from the maintainer (such as a Pwn Request), or an issue that can be exploited with mild social engineering (such as a GitHub Actions TOCTOU issue).
For general posture evaluation, there are better tools for the job like OpenSSF ScoreCard.