Releases: AdnaneKhan/gato-x
Gato-X Release v1.3.0
Release of version v1.3.0
What's Changed
- Add persistence techniques module for GitHub repository attacks by @Copilot in #188
- Polish minor doc issues by @AdnaneKhan in #189
- Bump astral-sh/ruff-action from 3.5.0 to 3.5.1 by @dependabot[bot] in #193
- Bump actions/download-artifact from 4 to 5 by @dependabot[bot] in #191
- Bump actions/checkout from 4 to 5 by @dependabot[bot] in #190
- Prevent duplicate CI runs by @AdnaneKhan in #198
- Fix self-enumeration to support public_repo scope in addition to repo scope by @Copilot in #195
- ✨ Set up Copilot instructions for Gato-X repository by @Copilot in #197
- Fix TOCTOU False Positive by @AdnaneKhan in #199
- Bump actions/attest-build-provenance from 2 to 3 by @dependabot[bot] in #202
- Bump actions/upload-pages-artifact from 3 to 4 by @dependabot[bot] in #200
- Bump actions/setup-python from 5 to 6 by @dependabot[bot] in #206
- Bump softprops/action-gh-release from 2.3.2 to 2.3.3 by @dependabot[bot] in #204
- feature: Add enumeration capabilities for Fine-Grained GitHub Personal Access Tokens by @AdnaneKhan in #203
- docs: Add missing finegrained enum doc link by @AdnaneKhan in #207
- Bump version for 1.3.0 by @AdnaneKhan in #208
Full Changelog: v1.2.2...v1.3.0
Gato-X Release v1.2.2
Release of version v1.2.2
What's Changed
- Add artifact pollution detection by @AdnaneKhan in #153
- Remove trailing / when listing workflows directory using REST API. by @AdnaneKhan in #156
- Add uses to StepNode by @adrien-f in #159
- Allow extra tags on nodes by @adrien-f in #160
- Bump softprops/action-gh-release from 2.2.2 to 2.3.2 by @dependabot[bot] in #163
- Correctly Handle Reusable Action Positioning in Graph by @AdnaneKhan in #161
- Make sure to print runner information for repos when enumerating an org. by @AdnaneKhan in #166
- fix: Reduce false positives when environment protection rule is calculated using expression by @AdnaneKhan in #167
- Swap YAML library to keep line numbers for Job/Step nodes by @adrien-f in #168
- Bump sigstore/gh-action-sigstore-python from 3.0.0 to 3.0.1 by @dependabot[bot] in #169
- Revert "Swap YAML library to keep line numbers for Job/Step nodes" by @AdnaneKhan in #171
- update(enumeration): Support discord webhooks by @AdnaneKhan in #173
- Add sourcemap of lines to Workflow and Composite models by @adrien-f in #174
- update(enumeration): Push approval gate DFS logic to graph algorithm by @AdnaneKhan in #172
- fix(node): use parent get_repr() method to display line numbers if available by @adrien-f in #177
- fix(enum): Don't build source map for invalid workflows. by @AdnaneKhan in #179
- fix(enum): Reduce number of commit checks for a single repo by @AdnaneKhan in #180
- Bump astral-sh/ruff-action from 3.4.0 to 3.5.0 by @dependabot[bot] in #181
- fix(enum): Don't report only one injection sink per start node. by @AdnaneKhan in #178
- Fix for RoR attack issues in #183 and #176 by @AdnaneKhan in #184
- Bump version 1.2.2 by @AdnaneKhan in #185
Full Changelog: v1.2.1...v1.2.2
Gato-X Release v1.2.1
Release of version v1.2.1
What's Changed
- Fix call_get in case of missing response by @adrien-f in #141
- Add enumeration for app private keys by @AdnaneKhan in #135
- Add issue template for new feature and a PR template by @AdnaneKhan in #142
- Rename .github/PULL_REQUEST_TEMPLATE/pull_request_template.md to .git… by @AdnaneKhan in #143
- Fix logic error in Pwn Request visitor leading to false negatives by @AdnaneKhan in #145
- Fix typo in IssueType enum by @adrien-f in #146
- Call correct method for action init by @AdnaneKhan in #147
- Update dispatch visitor to exclude results if sha is required by @AdnaneKhan in #148
- Fix errors with runner-on-runner attack features by @AdnaneKhan in #150
- Bump version to 1.2.1 by @AdnaneKhan in #151
Full Changelog: v1.2.0...v1.2.1
Gato-X Release v1.2.0
Release of version v1.2.0
What's Changed
- Add Gato-X MCP Server by @AdnaneKhan in #126
- Migrate Wiki to GitBook format in docs folder by @CyrilBaah in #119
- Add SECURITY.MD for project. by @AdnaneKhan in #129
- Fix syntax error with Output singleton by @AdnaneKhan in #130
- Fix secret representation key name by @adrien-f in #136
- Remove unused multiprocessing import by @adrien-f in #137
- feat: handle checks for a specific commit by @swarit-stepsecurity in #133
- update(ci): Add ruff linting as part of pytest workflow by @AdnaneKhan in #139
- Polish docs and add coverage for more use cases by @AdnaneKhan in #131
- Bump version to 1.2.0 by @AdnaneKhan in #140
New Contributors
- @CyrilBaah made their first contribution in #119
- @adrien-f made their first contribution in #136
- @swarit-stepsecurity made their first contribution in #133
Full Changelog: v1.1.1...v1.2.0
Gato-X Release v1.1.1
Release of version v1.1.1
What's Changed
- Properly await enum org when running self enum by @AdnaneKhan in #116
- Fix issue with duplicate results when running self enum by @AdnaneKhan in #117
- Use auth if retrieving action 404s by @AdnaneKhan in #120
- Fix error with deepdive by @AdnaneKhan in #122
- Address issue with type when retrieving reusable actions using auth API by @AdnaneKhan in #124
- Handle recursive composite actions by @AdnaneKhan in #121
Full Changelog: v1.1.0...v1.1.1
Gato-X Release v1.1.0
Release of version v1.1.0
Gato-X is now built using asyncio. This release doesn't add any new features but increases enumeration speed substantially by taking advantage of non-blocking calls when possible and performing graph traversals for each issue class asynchronously instead of together.
What's Changed
- Use HTTPX Instead of Requests Throughout by @AdnaneKhan in #102
- Fix regression with httpx switch by @AdnaneKhan in #104
- Fix type error when setting missing workflows by @AdnaneKhan in #105
- Fix issue calling sourcegraph search by @AdnaneKhan in #106
- Convert Gato-X to Asyncio by @AdnaneKhan in #107
- Use better batching with async calls. by @AdnaneKhan in #108
- Fix/minor async regression by @AdnaneKhan in #109
- Fix silly issue again. by @AdnaneKhan in #110
- Properly call slack webhook by @AdnaneKhan in #111
- Fix Httpx Stability Issues by @AdnaneKhan in #113
- Bump softprops/action-gh-release from 2.2.1 to 2.2.2 by @dependabot in #112
- Bump for 1.1 Release by @AdnaneKhan in #115
Full Changelog: v1.0.1...v1.1.0
Gato-X Release v1.0.1
Release of version v1.0.1
What's Changed
- fix: Handle multiple orgs during self enumeration. by @AdnaneKhan in #95
- fix: missed injection variable issue by @AdnaneKhan in #96
- Fix issue with dispatch TOCTOU regex by @AdnaneKhan in #98
- Bump peter-evans/create-pull-request from 7.0.6 to 7.0.8 by @dependabot in #94
- Bump minor version to 1.0.1 by @AdnaneKhan in #100
Full Changelog: v1.0.0...v1.0.1
Gato-X Release v1.0.0
Release of version v1.0.0
What's Changed
- Bump psf/black from 24.10.0 to 25.1.0 by @dependabot in #80
- Bump pypa/gh-action-pypi-publish from 1.12.3 to 1.12.4 by @dependabot in #76
- Overhaul Static Analysis Functionality by @AdnaneKhan in #81
- Fix some display bugs with repo level runners (as seen by admin) by @AdnaneKhan in #82
- Pre-1.0 Polishing Pass by @AdnaneKhan in #88
- Add more unit tests and remove magic strings by @AdnaneKhan in #89
- Fix logic error in complexity handling by @AdnaneKhan in #90
- Fix regression on the output yaml feature by @AdnaneKhan in #91
- Add missing print for repo secrets when enumerating org by @AdnaneKhan in #92
- Readme Updates ahead of Version 1.0 Release by @AdnaneKhan in #84
- Bump version to 1.0 for release. by @AdnaneKhan in #93
Full Changelog: v0.6.1...v1.0.0
Gato-X Release v0.6.1
Release of version v0.6.1
What's Changed
- Bump actions/attest-build-provenance from 1 to 2 by @dependabot in #67
- Bump pypa/gh-action-pypi-publish from 1.12.2 to 1.12.3 by @dependabot in #66
- Bump softprops/action-gh-release from 2.0.9 to 2.1.0 by @dependabot in #60
- Add error handling to address #62. by @AdnaneKhan in #65
- Process potential injection vars with checks for branch names by @AdnaneKhan in #68
- Fix typo in attack helper by @goncalo0domingos in #71
- fix bug in json processing by @jstawinski in #72
- Bump softprops/action-gh-release from 2.1.0 to 2.2.1 by @dependabot in #74
- Bump peter-evans/create-pull-request from 7.0.5 to 7.0.6 by @dependabot in #70
- Enable GitHub Sponsorships by @AdnaneKhan in #75
- fix: Add check for a numeric if condition by @AdnaneKhan in #78
- Bump Version to 0.6.1 by @AdnaneKhan in #79
New Contributors
- @goncalo0domingos made their first contribution in #71
Full Changelog: v0.6.0...v0.6.1
Gato-X Release v0.6.0
Release of version v0.6.0
This version bump includes bug fixes along with improvements to the Runner-on-Runner attack features. The payload only mode is now more flexible because it will create a C2 repository if one is not specified. This will be useful for manual exploitation scenarios and for red teamers who simply want to use the GitHub Actions runner as a C2 implant.
What's Changed
- Bump actions/setup-python from 4 to 5 by @dependabot in #45
- Bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2 by @dependabot in #39
- Bump psf/black from 24.8.0 to 24.10.0 by @dependabot in #55
- Bump pypa/gh-action-pypi-publish from 1.10.2 to 1.12.2 by @dependabot in #59
- Bump softprops/action-gh-release from 2.0.8 to 2.0.9 by @dependabot in #57
- Fix broken windows RoR and improve attack UX. by @AdnaneKhan in #61
- Fix inconsistency with environment enumeration by @AdnaneKhan in #63
- Bump version to 0.6.0 by @github-actions in #64
Full Changelog: v0.5.8...v0.6.0