
Contributing

Adnan Khan edited this page Aug 3, 2024 · 3 revisions

How can I contribute to Gato-X?

Report Pwn Req/Injection False Negatives

This is probably the most useful way you can contribute to Gato-X without making changes to the codebase.

My goal with Gato-X is to never miss a reachable GitHub Actions vulnerability that can be exploited in a 0-click manner, where the vulnerability exists entirely within the workflow file. This means a workflow that runs on issue_comment, pull_request_target, or workflow_run (or one of the more obscure triggers, such as fork).

Gato-X currently does not analyze called code within the repository (so if a bash script performs the checkout outside of a run step, Gato-X will miss it), but for any vulnerability that can be understood only by looking at yml files, Gato-X should find it. If it does not, then I consider that a bug.
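As an added illustration of that scope boundary (example code, not Gato-X's own), the toy yml-only check below flags a checkout of PR-controlled code under a risky trigger when it is written in the workflow file, and shows the called-script case such an analysis cannot see. Workflows are given as the dicts PyYAML would load, and the trigger and ref-marker lists are assumptions.

```python
# Added illustration (not Gato-X code): a toy yml-only pwn-request check.
# Workflows are the dicts PyYAML would load (assumption; no parsing shown).
RISKY_TRIGGERS = {"pull_request_target", "issue_comment", "workflow_run"}
PR_HEAD_MARKERS = ("pull_request.head", "head.sha", "head.ref", "head_ref")

def triggers(workflow):
    # PyYAML (YAML 1.1) loads the bare key `on:` as boolean True, so accept both.
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()

def checks_out_pr_head(step):
    # Only `uses: actions/checkout` with a PR-controlled ref is visible in the yml.
    uses = str(step.get("uses", ""))
    ref = str((step.get("with") or {}).get("ref", ""))
    return uses.startswith("actions/checkout") and any(m in ref for m in PR_HEAD_MARKERS)

def find_pwn_requests(workflow):
    """Return (job, step) pairs where a risky trigger checks out PR head code."""
    if not triggers(workflow) & RISKY_TRIGGERS:
        return []
    return [
        (job_name, step.get("name") or step.get("uses"))
        for job_name, job in workflow.get("jobs", {}).items()
        for step in job.get("steps", [])
        if checks_out_pr_head(step)
    ]

# Constructed sample 1: the whole vulnerability is in the yml, so it must be flagged.
VISIBLE = {
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm install && npm test"},
    ]}},
}

# Constructed sample 2: the checkout happens inside a script the yml only calls,
# which is the case the page says a yml-only analysis does not see.
HIDDEN = {
    True: ["pull_request_target"],  # how PyYAML renders an unquoted `on:` key
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},              # default ref: base branch
        {"run": "./scripts/fetch_and_build_pr.sh"},   # untrusted checkout hidden here
    ]}},
}

if __name__ == "__main__":
    print("visible:", find_pwn_requests(VISIBLE))  # flagged
    print("hidden:", find_pwn_requests(HIDDEN))    # empty: out of scope for yml-only
```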

Unit Test Coverage

Any new unit tests will be greatly appreciated.

Code Improvements

If you see an opportunity to improve code efficiency or clean up the code, feel free to propose changes. I'll be the first to admit that some of Gato-X's codebase has gotten a bit messy.

Report Bugs

Gato-X is a side project. As a result, there are likely edge cases that will trigger errors or crashes. If you encounter any, please report them along with information to reproduce the issue.
