Contributing
This is probably the most useful way you can contribute to Gato-X without making changes to the codebase.
My goal with Gato-X is to never miss a reachable GitHub Actions vulnerability that can be exploited in a 0-click manner, where the vulnerability exists entirely within the workflow file. This means a workflow that runs on issue_comment, pull_request_target, or workflow_run (or one of the more obscure ones like fork).
Gato-X currently does not analyze called code within the repository (so if a bash script performs the checkout outside of a run step, Gato-X will miss it), but any vulnerability that can be understood only by looking at the yml files, Gato-X should find. If it does not, then I consider that a bug.
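As an added illustration of the scope described above (example code written for this page, not Gato-X's own analyzer), the check below flags the combination the text describes: a workflow triggered by one of the risky events that also checks out a ref controlled by an external contributor. It assumes the workflow YAML has already been parsed into a dict (as yaml.safe_load would produce) and uses constructed sample workflows; the marker list and the run-step heuristic are simplifications.

```python
# Added example, not Gato-X code: detect the 0-click pattern (risky trigger + untrusted checkout).
# Input is a workflow already parsed into a dict, e.g. by yaml.safe_load.
RISKY_TRIGGERS = {"issue_comment", "pull_request_target", "workflow_run", "fork"}

# Expressions that make a checkout fetch code controlled by an external contributor (assumed list).
UNTRUSTED_REF_MARKERS = (
    "github.event.pull_request.head",
    "github.head_ref",
    "github.event.workflow_run.head",
)


def workflow_triggers(workflow):
    """Normalise the `on:` key; YAML 1.1 loaders parse a bare `on` key as the boolean True."""
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def untrusted_checkouts(workflow):
    """Return (job, step index, expression) for steps that fetch an untrusted ref."""
    hits = []
    for job_name, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate(job.get("steps") or []):
            ref = str((step.get("with") or {}).get("ref", ""))
            run = str(step.get("run", ""))
            if str(step.get("uses", "")).startswith("actions/checkout") and any(m in ref for m in UNTRUSTED_REF_MARKERS):
                hits.append((job_name, idx, ref))
            elif any(m in run for m in UNTRUSTED_REF_MARKERS):
                hits.append((job_name, idx, run.strip()))  # coarse: manual fetch/checkout inside a run step
    return hits


def analyze(workflow):
    """Findings only when a risky trigger AND an untrusted checkout coexist in one workflow."""
    risky = workflow_triggers(workflow) & RISKY_TRIGGERS
    if not risky:
        return []
    return [(sorted(risky), job, idx, ref) for job, idx, ref in untrusted_checkouts(workflow)]


# Constructed sample: privileged trigger plus checkout of the PR head, then execution of its code.
VULNERABLE = {
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm install && npm test"},
    ]}},
}
# Constructed sample: same trigger, but checkout stays on the base branch, so nothing to flag.
SAFE = {"on": ["pull_request_target"], "jobs": {"build": {"steps": [{"uses": "actions/checkout@v4"}]}}}
```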
Any new unit tests will be greatly appreciated.
If you see an opportunity to improve code efficiency or clean up the code feel free to propose changes. I'll be the first to admit that some of Gato-X's codebase has gotten a bit messy.
Gato-X is a side project. As a result, there are likely edge cases that will trigger errors or crashes. If you encounter any, please report them along with information to reproduce the issue.