Home
For information on how to install Gato, please see the project's README!
Gato, or GitHub Attack TOolkit, is intended for security professionals to evaluate the security of GitHub organizations, focusing on self-hosted runners.
For Gato's next release, the intended use will be expanded beyond self-hosted runners to GitHub Actions.
Gato is not intended to be an all-encompassing enumeration tool for GitHub. Gato does not attempt to look for secrets in commits themselves and (for the current release) does not enumerate general permissions to repositories and access to repository and/or organization-level secrets. To look for secrets in commits, we highly recommend checking out Nosey Parker.
In Gato's next release, we will add secret enumeration and reporting write or admin to repositories. This can help evaluate the blast radius of a compromised personal access token.
During our red team assessments, CI/CD has been the weak link for many organizations. GitHub, in particular, is becoming one of the key players in enterprise SCM solutions as organizations move away from on premises code repositories. We wanted to release a tool that allows organizations to assess the impact of developer credential compromise and provide a valuable tool for red-teamers and penetration testers to evaluate the access gained from GitHub PATs compromised during an engagement.
There is also a very interesting attack surface in the form of public repositories that utilize self-hosted runners. This tool provides some features to speed up the exploration of that attack path.
That is excellent! We welcome new contributions from the security community. Please take a look at our contribution guide and review our project design and coding standards.
The following engineers developed this project:
- Adnan Khan
- Mason Davis
- Matt Jackoski
We thank Kaitlin York for making such an awesome mascot logo.