Home
For information on how to install gato, please see the project's README!
Gato, or GitHub Attack TOolkit, is intended for security professionals to evaluate the security of GitHub organizations, focusing on self-hosted runners.
Gato is not intended to be an all-encompassing enumeration tool for GitHub. Secrets stored and utilized for GitHub actions can also be accessed using a compromised PAT that can update workflow code. The topic of secret disclosure from GitHub Actions has been examined by many security researchers, and there are excellent resources that can be found online detailing how a threat actor could gain access to secrets.
During our red team assessments, CI/CD has been the weak link for many organizations. GitHub, in particular, is becoming one of the key players in enterprise SCM solutions as organizations move away from on premises code repositories. We wanted to release a tool that allows organizations to assess the impact of developer credential compromise and provide a valuable tool for red-teamers and penetration testers to evaluate the access gained from GitHub PATs compromised during an engagement.
There is also a very interesting attack surface in the form of public repositories that utilize self-hosted runners. This tool provides some features to speed up the exploration of that attack path.
That is excellent! We welcome new contributions from the security community. Please take a look at our contribution guide and review our project design and coding standards.
The following engineers developed this project:
- Adnan Khan
- Mason Davis
- Matt Jackoski
We thank Kaitlin York for making such an awesome mascot logo.