Gato-X’s workflow parsing was bolted on to the minimal parsing that Gato used to determine if a workflow might use a self-hosted runner.
Now that Gato-X contains a SAST scanning engine for workflows, this approach has grown bloated, messy, and hard to maintain. As a result, it makes it hard to add changes with the purpose of reducing the false positive rate and increasing the accuracy of reports.
It is time to overhaul the workflow representation using a proper Graph library. It must be something that does not require installing a Graph database and must be Apache 2.0 compatible.
I am currently looking at the NetworkX library.
This way I can represent the relationships between repositories, workflows, jobs, runners, steps, and referenced actions in a cleaner manner than the “self-rolled” graph that Gato-X currently has. It is likely that this structure will reveal opportunities for some very interesting analyses such as workflow lateral movement opportunities due to shared runners as well as cache poisoning lateral movement opportunities.
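As an added illustration of the proposed representation (example code, not Gato-X's own), the sketch below models repository, workflow, job, runner-label and referenced-action nodes in a NetworkX DiGraph built from a constructed workflow dictionary, and then asks the graph which non-hosted runner labels are reached from jobs in more than one workflow, the "shared runner" relationship mentioned above. The `HOSTED` label set, the node naming scheme and the sample workflows are assumptions; if NetworkX is not installed, a tiny stand-in with the same method subset is used so the example still runs.

```python
try:
    import networkx as nx
    DiGraph = nx.DiGraph
except ImportError:  # tiny stand-in exposing only the API subset used below
    class DiGraph:
        def __init__(self): self.attrs, self.pred = {}, {}
        def add_node(self, n, **a): self.attrs.setdefault(n, {}).update(a)
        def add_edge(self, u, v, **a): self.add_node(u); self.add_node(v); self.pred.setdefault(v, set()).add(u)
        def nodes(self, data=False): return list(self.attrs.items() if data else self.attrs)
        def predecessors(self, n): return iter(self.pred.get(n, ()))

# Constructed sample (not real Gato-X data): two workflows whose jobs both
# target a self-hosted runner label, plus one GitHub-hosted job.
WORKFLOWS = {
    "ci.yml": {"jobs": {
        "build": {"runs-on": ["self-hosted", "linux"], "steps": [{"uses": "actions/checkout@v4"}]},
        "lint": {"runs-on": "ubuntu-latest", "steps": [{"run": "make lint"}]}}},
    "deploy.yml": {"jobs": {
        "release": {"runs-on": ["self-hosted", "linux"],
                    "steps": [{"uses": "actions/checkout@v4"}, {"run": "./deploy.sh"}]}}}}
HOSTED = {"ubuntu-latest", "windows-latest", "macos-latest"}  # assumed GitHub-hosted labels

def build_graph(repo, workflows):
    """Nodes: repository -> workflow -> job; jobs point at runner labels and actions."""
    g = DiGraph()
    g.add_node(repo, kind="repository")
    for wf_name, wf in workflows.items():
        wf_id = f"{repo}:{wf_name}"
        g.add_node(wf_id, kind="workflow"); g.add_edge(repo, wf_id)
        for job_name, job in wf.get("jobs", {}).items():
            job_id = f"{wf_id}:{job_name}"
            g.add_node(job_id, kind="job"); g.add_edge(wf_id, job_id)
            labels = job.get("runs-on", [])  # string or list of labels
            for label in ([labels] if isinstance(labels, str) else labels):
                g.add_node(f"runner:{label}", kind="runner", label=label)
                g.add_edge(job_id, f"runner:{label}", rel="runs-on")
            for i, step in enumerate(job.get("steps", [])):
                if "uses" in step:  # a referenced action is one shared node
                    g.add_node(step["uses"], kind="action")
                    g.add_edge(job_id, step["uses"], rel="uses", step=i)
    return g

def shared_runner_labels(g):
    """Non-hosted runner labels reached from jobs in more than one workflow."""
    shared = {}
    for node, data in g.nodes(data=True):
        if data.get("kind") == "runner" and data["label"] not in HOSTED:
            wfs = {next(g.predecessors(job)) for job in g.predecessors(node)}
            if len(wfs) > 1:
                shared[node] = sorted(wfs)
    return shared
```

The same predecessor walk over action nodes gives the "which jobs reference this action" view, so one graph serves both the runner and the referenced-action analyses.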