Overview
This section provides an overview of common use cases for Gato-X.
For installation instructions, see the Installation Guide. For command usage, see the Command Reference. For advanced topics, see the Advanced Topics.
Available Use Cases
- Scanning for Vulnerabilities - How to effectively scan repositories for GitHub Actions vulnerabilities
- Self-Hosted Runner Takeover - Techniques for exploiting self-hosted runner vulnerabilities
- Post-Compromise Enumeration - How to enumerate resources after obtaining a GitHub PAT
Choosing the Right Approach
The approach you take depends on your specific goals:
- Security Research: Use the search and enumerate commands to identify vulnerabilities in public repositories, then report them responsibly.
- Red Team Operations: Use the full suite of tools to simulate attacks against your organization's GitHub infrastructure.
- Security Assessment: Use Gato-X to assess the security posture of your organization's GitHub Actions workflows.
- Bug Bounty Hunting: Search for vulnerabilities in bug bounty programs that include GitHub Actions in scope.
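The search-then-enumerate flow used by the Security Research and Security Assessment approaches above, wrapped in a small scope gate, as an added example. This is not Gato-X's own code: it assumes gato-x reads its token from the GH_TOKEN environment variable and that the flags used (search -sT/-oT, enumerate -R/-oJ) match the Gato-X README; confirm both against the Command Reference for the version you have installed. The allowlist file (one GitHub owner per line) is the hypothetical record of which organizations you are authorised to assess.

```sh
#!/bin/sh
# Added example (not part of Gato-X): a scope-gated search -> enumerate run.
# Assumptions: gato-x reads the token from GH_TOKEN, and the flags below
# (search -sT/-oT, enumerate -R/-oJ) follow the Gato-X README. Check them
# against the Command Reference for your installed version.

# token_looks_like_pat TOKEN
# Cheap sanity check before spending API quota: classic PATs start with
# ghp_, fine-grained PATs with github_pat_.
token_looks_like_pat() {
  case "$1" in
    ghp_*|github_pat_*) return 0 ;;
    *) return 1 ;;
  esac
}

# repos_in_scope REPOS_FILE ALLOWLIST_FILE
# Every non-empty "owner/repo" line in REPOS_FILE must have its owner listed
# (one per line) in ALLOWLIST_FILE. Prints the offenders and returns 1 if any
# target falls outside the authorised owners.
repos_in_scope() {
  repos="$1"; allow="$2"; rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    owner="${line%%/*}"
    if ! grep -qxF -- "$owner" "$allow"; then
      echo "out of scope: $line" >&2
      rc=1
    fi
  done < "$repos"
  return $rc
}

# run_scan QUERY ALLOWLIST_FILE OUTDIR
# 1. search public code for workflows matching QUERY (read-only),
# 2. stop if any hit belongs to an owner you are not authorised to assess,
# 3. enumerate the remaining targets and write JSON for triage.
run_scan() {
  query="$1"; allow="$2"; out="$3"
  if ! token_looks_like_pat "${GH_TOKEN:-}"; then
    echo "GH_TOKEN is not set to a GitHub PAT" >&2
    return 2
  fi
  mkdir -p "$out"
  # Assumed flags: -sT = Sourcegraph query, -oT = write one owner/repo per line.
  gato-x search -sT "$query" -oT "$out/candidates.txt"
  repos_in_scope "$out/candidates.txt" "$allow" || return 3
  # Assumed flags: -R = repo list file, -oJ = JSON report.
  gato-x enumerate -R "$out/candidates.txt" -oJ "$out/enumerate.json"
}

# Invoke as: sh scan.sh scan 'QUERY' allowlist.txt outdir
if [ "${1:-}" = scan ]; then
  run_scan "$2" "$3" "$4"
fi
```

The gate sits between search and enumerate so that a broad public-code query cannot silently pull third-party repositories into an assessment that was authorised for your own organization only; for pure public-repository research the allowlist can simply contain every owner returned by the search. The same repos_in_scope check is the natural place to stop before any attack step, which the Ethical Considerations below require explicit permission for.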
Ethical Considerations
Always ensure you have proper authorization before using Gato-X's attack features. The search and enumerate features only read data and are safe to use against public repositories, but the attack features actively modify their target and must only be used with the explicit permission of the repository or organization owner.