Gato-X
GitHub Attack Toolkit - Extreme Edition. A fast scanning and attack tool for GitHub Actions pipelines.
Overview
Gato-X (GitHub Attack Toolkit - Extreme Edition) is a fast scanning and attack tool for GitHub Actions pipelines. It identifies Pwn Requests (workflows that check out and run code from an untrusted pull request under a trigger that grants the job the repository's secrets and a write-capable token), Actions Injection (attacker-controlled context values such as a pull request title interpolated directly into a script), TOCTOU vulnerabilities (approval or label gates that can be bypassed by changing the code after the check has passed), and self-hosted runner takeover, at scale and using just a single API token.
Why Gato-X?
Unlike other scanners that only analyze workflows within a single repository, Gato-X analyzes cross-repository workflows and reusable actions. This surfaces vulnerabilities that other tools miss entirely.
Gato-X is operator-focused and tuned to avoid false negatives. While it may have a higher false positive rate than SAST tools like CodeQL, it provides everything you need to quickly determine if something is a true positive.
Key Features
- Fast Scanning: Scan 35-40 thousand repositories in 1-2 hours using a single GitHub PAT
- Comprehensive Detection: Identifies Pwn Requests, Actions Injection, TOCTOU vulnerabilities
- Cross-Repository Analysis: Analyzes reusable actions and cross-repository workflows
- Self-Hosted Runner Attacks: Automated takeover of vulnerable self-hosted runners
- Secret Dumping: Extract secrets from repositories with write access
- Scale: Search and enumerate modes are safe to run on all public repositories
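Pwn Requests and Actions Injection are the two workflow-level classes named above, and the shape of each is small enough to show directly. The following Python is an added example, not Gato-X's own code: a regex-level check run over two workflows constructed for this example. The first combines a `pull_request_target` trigger, a checkout of the pull request head, and attacker-controlled context values inside `run:` scripts; the second uses the `pull_request` trigger with read-only permissions and passes the untrusted value through an environment variable, which is the standard hardening. The function names and the list of untrusted context fields are this example's own assumptions, and the list is deliberately not exhaustive.

```python
"""Regex-level detector for two weakness classes named above: Actions Injection
and Pwn Requests. Added example, not Gato-X's own code; the sample workflows are
constructed for this example."""
import re

# Context values a fork PR author, issue author or commenter controls.
# Interpolating one into a run: script via ${{ }} is Actions Injection.
# (Field list assembled for this example; it is not exhaustive.)
UNTRUSTED_CONTEXTS = (
    r"github\.event\.pull_request\.title",
    r"github\.event\.pull_request\.body",
    r"github\.event\.pull_request\.head\.ref",
    r"github\.event\.issue\.title",
    r"github\.event\.issue\.body",
    r"github\.event\.comment\.body",
    r"github\.event\.head_commit\.message",
    r"github\.head_ref",
)
UNTRUSTED_RE = re.compile("|".join(UNTRUSTED_CONTEXTS))
EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")  # captures the expression body
RUN_RE = re.compile(r"^\s*(?:-\s*)?run:\s*(.*)$")  # 'run: ...' or '- run: ...'

# Pwn Request: pull_request_target runs fork PRs with the base repo's secrets
# and a write-capable GITHUB_TOKEN; checking out the PR head then executes the
# attacker's code in that privileged context.
PRIVILEGED_TRIGGER_RE = re.compile(
    r"(?m)^\s*(?:-\s*)?pull_request_target\b|on:\s*\[[^\]]*\bpull_request_target\b")
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout@")
PR_HEAD_REF_RE = re.compile(
    r"ref:\s*\$\{\{\s*(?:github\.event\.pull_request\.head\.(?:sha|ref)"
    r"|github\.head_ref)\s*\}\}")


def run_script_lines(workflow_text):
    """Yield (line_number, text) for every line that belongs to a run: script."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        match = RUN_RE.match(lines[i])
        if not match:
            i += 1
            continue
        key_col = lines[i].index("run:")
        rest = match.group(1).strip()
        if rest and rest[0] not in "|>":
            yield i + 1, rest  # one-line script: run: echo ...
            i += 1
            continue
        # Block scalar (run: | or run: >): the script is every following line
        # indented deeper than the run key; blank lines stay inside the block.
        i += 1
        while i < len(lines):
            line = lines[i]
            indent = len(line) - len(line.lstrip(" "))
            if line.strip() and indent <= key_col:
                break
            yield i + 1, line
            i += 1


def find_injections(workflow_text):
    """Return [(line_number, expression)] for untrusted context values placed
    inside run: scripts. Values routed through env: are not flagged: the shell
    then reads an ordinary variable instead of attacker-written script text."""
    findings = []
    for line_no, text in run_script_lines(workflow_text):
        for expr in EXPR_RE.findall(text):
            if UNTRUSTED_RE.search(expr):
                findings.append((line_no, expr))
    return findings


def is_pwn_request(workflow_text):
    """True when pull_request_target is paired with a checkout of the PR head."""
    return (PRIVILEGED_TRIGGER_RE.search(workflow_text) is not None
            and CHECKOUT_RE.search(workflow_text) is not None
            and PR_HEAD_REF_RE.search(workflow_text) is not None)


# Constructed sample: privileged trigger, checkout of the PR head, two injection sinks.
VULNERABLE = """\
name: PR check
on:
  pull_request_target:
permissions: write-all
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Announce
        run: echo "Checking ${{ github.event.pull_request.title }}"
      - run: |
          npm install
          npm test -- --branch "${{ github.head_ref }}"
"""

# Constructed hardened form: unprivileged trigger, read-only token, value via env.
HARDENED = """\
name: PR check
on:
  pull_request:
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Announce
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking $PR_TITLE"
      - run: |
          npm install
          npm test
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, "pwn request:", is_pwn_request(wf), "injections:", find_injections(wf))
```

Running the block reports the vulnerable workflow as a Pwn Request with injection sinks on the `run:` lines and reports nothing for the hardened one. The checks are deliberately coarse: they read a single workflow file and do not resolve reusable workflows or the cross-repository actions that the Overview describes Gato-X following, so they will miss anything reachable only through a `uses:` reference into another repository.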
Target Audience
- Red Teamers
- Bug Bounty Hunters
- Security Engineers
- DevSecOps Teams
Quick Start
# Install from PyPI
pip install gato-x
# Set your GitHub PAT
export GH_TOKEN=your_token_here
# Search for vulnerable repositories
gato-x search --query "your_search_query"
# Scan repositories
gato-x enum -R repos.txt
Responsible Use
Gato-X is a powerful tool intended for ethical security research only. The search and enumerate modes are safe to run on public repositories. Attack features should only be used with proper authorization. Always follow responsible disclosure when finding vulnerabilities.
Documentation
For comprehensive documentation, visit the Gato-X Documentation.