Home
For information on how to install Gato, please see the project's README!
Gato, or GitHub Attack TOolkit, is intended for security professionals to evaluate the security of GitHub organizations. It contains both enumeration and attack capabilities against public and private repositories. As of the 1.5 release, Gato can enumerate secrets accessible to a PAT, and, if the PAT has the workflow scope, exfiltrate the secrets using a custom workflow.
Gato, in its current form, is not an all-encompassing enumeration tool for GitHub. Gato does not attempt to look for secrets in commits and does not enumerate general security best practices (such as branch protection settings, PR approval requirements, etc.). To look for secrets in commits, we highly recommend checking out Nosey Parker.
During our Red Team assessments, CI/CD has been the weak link for many organizations. In particular, GitHub Actions is becoming a key player in enterprise CI/CD solutions as organizations move away from on-premises code repositories and CI/CD solutions. We wanted to release a tool that allows organizations to assess the impact of developer credential compromise and provide a valuable tool for red-teamers and penetration testers to evaluate the access gained from GitHub PATs compromised during an engagement.
There is also a very interesting attack surface in the form of public repositories that utilize self-hosted runners. By default, if a public repository uses a self-hosted runner, any previous contributor can modify workflow files in their pull request, create a PR, and run arbitrary code on attached self-hosted runners. Gato provides an extensive feature set to support that attack path.
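A defender-side check that follows from the point above is to scan a repository's workflow files for jobs that are reachable from a pull-request trigger and target a self-hosted runner, since that is the combination that lets workflow changes in a PR reach the runner. The script below is an added example, not part of Gato or this wiki; the sample workflows are constructed, the parsing is a line-oriented heuristic rather than a full YAML parser, and it assumes that any `runs-on` label other than the GitHub-provided `ubuntu-`, `windows-` and `macos-` images may be self-hosted (custom labels can target self-hosted runners without the literal `self-hosted` label).

```python
import re

# Runner labels that GitHub itself provides. Anything else (custom labels,
# unresolved ${{ matrix.os }} expressions) is treated as possibly self-hosted.
GITHUB_HOSTED_PREFIXES = ("ubuntu-", "windows-", "macos-")

RUNS_ON_RE = re.compile(r"^(\s*)runs-on:\s*(.*?)\s*$")
LIST_ITEM_RE = re.compile(r"^(\s*)-\s*(.+?)\s*$")
ON_KEY_RE = re.compile(r"""^["']?on["']?:\s*(.*)$""")
PR_TRIGGER_RE = re.compile(r"\bpull_request(?:_target)?\b")


def _clean(label: str) -> str:
    return label.strip().strip("'\"")


def extract_runs_on(workflow_text: str) -> list[list[str]]:
    """Return one label list per `runs-on:` key (scalar, inline list or block list form)."""
    lines = workflow_text.splitlines()
    found = []
    i = 0
    while i < len(lines):
        m = RUNS_ON_RE.match(lines[i])
        if m:
            indent, value = len(m.group(1)), m.group(2)
            if value.startswith("["):          # runs-on: [self-hosted, linux]
                labels = [_clean(s) for s in value.strip("[]").split(",") if s.strip()]
            elif value:                        # runs-on: ubuntu-latest
                labels = [_clean(value)]
            else:                              # runs-on:\n  - self-hosted\n  - gpu
                labels = []
                j = i + 1
                while j < len(lines):
                    lm = LIST_ITEM_RE.match(lines[j])
                    if not lm or len(lm.group(1)) <= indent:
                        break
                    labels.append(_clean(lm.group(2)))
                    j += 1
                i = j - 1
            found.append(labels)
        i += 1
    return found


def is_github_hosted(labels: list[str]) -> bool:
    """True only when every label is a recognised GitHub-hosted runner image."""
    return bool(labels) and all(lab.startswith(GITHUB_HOSTED_PREFIXES) for lab in labels)


def pr_triggers(workflow_text: str) -> list[str]:
    """Return pull_request / pull_request_target triggers declared under the top-level `on:` key."""
    found = []
    in_on = False
    for line in workflow_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():              # a top-level key
            m = ON_KEY_RE.match(stripped)
            in_on = m is not None
            if m:                               # inline form: on: [push, pull_request]
                found += PR_TRIGGER_RE.findall(m.group(1))
            continue
        if in_on:                               # block form: keys nested under on:
            key = stripped.lstrip("- ").split(":", 1)[0]
            found += PR_TRIGGER_RE.findall(key)
    return found


def audit_workflow(workflow_text: str) -> dict:
    """Summarise whether PR-triggered code in this workflow can reach a self-hosted runner."""
    self_hosted = [labels for labels in extract_runs_on(workflow_text) if not is_github_hosted(labels)]
    triggers = pr_triggers(workflow_text)
    return {
        "self_hosted_jobs": self_hosted,
        "pr_triggers": triggers,
        "exposed": bool(self_hosted) and bool(triggers),
    }


# Constructed sample workflows (not taken from any real repository).
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request:
    branches: [main]
jobs:
  build:
    runs-on: [self-hosted, linux, x64]
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

SAFE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: make test
"""

PUSH_ONLY_WORKFLOW = """\
name: nightly
on: push
jobs:
  deploy:
    runs-on:
      - self-hosted
      - gpu
    steps:
      - run: ./deploy.sh
"""

if __name__ == "__main__":
    for name, text in [("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW), ("push-only", PUSH_ONLY_WORKFLOW)]:
        print(name, audit_workflow(text))
```

Run it over every file under `.github/workflows/` in a public repository; any result with `exposed` set is a candidate for moving the job to a GitHub-hosted runner, an isolated ephemeral runner, or at least requiring approval for workflow runs from outside contributors. The `push`-only workflow is reported as self-hosted but not exposed, which is the distinction the check is meant to draw.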
That is excellent! We welcome new contributions from the security community. Please take a look at our contribution guide and review our project design and coding standards.
The following engineers developed this project:
We thank Kaitlin York for making such an awesome mascot logo.