Releases: kulkansecurity/gitxray
1.0.18
Release v1.0.18 (August 20th, 2025)
- New 'host_refs' section/feature! Uses the GitHub Code search API to search for http(s) hosts (domains or IP addresses). It also searches inside Workflows. It can definitely help at the time of mapping infrastructure of a target, or for checking your own repositories for potential malicious activity. Only works if a GH_ACCESS_TOKEN is set, due to Code search API restrictions.
- New integration with the VirusTotal API, which can be activated by setting VT_API_KEY to your VirusTotal API Key! It will populate results in a new 'host_refs_vt' section for any hosts that were previously identified in host_refs.
- Merged the 'urls' section for contributors and repository with 'profiling' - only kept it for non-contributors.
- Fixed the sidebar menu in the HTML report so that the first click collapses a collapsible item directly; also fixed indentation for subitems.
- Added an inline description to categories in the HTML report explaining why and how the data of the category can be useful.
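As an added illustration of the kind of host extraction the host_refs feature performs (this is example code written for this page, not gitxray's own implementation, and it does not call the GitHub Code search API), the function below pulls http(s) hosts out of a workflow file's text, tells IP addresses from domain names, and then goes one step further than the note above by flagging any host that is not on an allowlist, which is the check a defender would run over their own repositories. The workflow fragment and the allowlist are constructed sample data.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a fragment of a GitHub Actions workflow (not from any real project).
SAMPLE_WORKFLOW = """
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: curl -sSL https://example.com/install.sh | sh
      - run: wget http://203.0.113.10:8080/agent.tar.gz
      - run: curl https://example.com/other
      - run: echo "see https://docs.github.com/en/actions"
"""

# Matches an http(s) URL up to whitespace or a common delimiter.
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)


def extract_hosts(text):
    """Return sorted unique (host, kind) pairs for every http(s) URL in text.

    kind is "ip" when the host parses as an IPv4/IPv6 address, else "domain".
    """
    found = {}
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname  # strips scheme, port, path, credentials
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            kind = "ip"
        except ValueError:
            kind = "domain"
        found[host] = kind
    return sorted(found.items())


def unexpected_hosts(text, allowlist):
    """Hosts referenced in text that are not in the allowlist (constructed policy)."""
    allowed = {h.lower() for h in allowlist}
    return [host for host, _kind in extract_hosts(text) if host.lower() not in allowed]


if __name__ == "__main__":
    for host, kind in extract_hosts(SAMPLE_WORKFLOW):
        print(f"{kind:6} {host}")
    print("not allowlisted:", unexpected_hosts(SAMPLE_WORKFLOW, {"example.com", "docs.github.com"}))
```

Hosts are de-duplicated so a domain referenced several times in the workflow is reported once; the port on the IP address URL is dropped because only the host is of interest for mapping or review.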
1.0.17.4
Release v1.0.17.4 (April 27th, 2025)
- Removed external links to Bootstrap CSS, JavaScript, and the Gitxray logo; now all assets (styles, scripts, images) are embedded so HTML reports are fully self-contained.
- Merged a PR by satoridev01 which prevents Gitxray from printing stars, watchers, created, updated, contributors and anonymous if they were not found, as opposed to stating "0".
1.0.17.3
Release v1.0.17.3 (March 2nd, 2025)
- Added handling of blocked repositories. The GitHub API presents a different error than for not-found repos and includes a reason, which we now include in our reports. Thanks to satoridev01 for reporting the behavior.
1.0.17.2
Release v1.0.17.2 (February 16th, 2025)
- Added a Highlighted findings section to the HTML report. Special thanks to Viktor and Darin from DevOps Paradox for their feedback.
- Added to every table in the HTML report the ability to collapse and expand.
- Merged the finding on similar repository names with the finding on the repository being the most starred.
- Improved the introduction section of the HTML report to guide users with sample use-cases for Gitxray.
1.0.17.1
Release v1.0.17.1 (January 30th, 2025)
- Fixed parsing of legacy workflows which include an empty path attribute.
- Fixed parsing of broken armored PGP keys which appear to be accepted by GitHub when being added to a user's profile.
1.0.17
Release v1.0.17 (January 26th, 2025)
- Added a new "--shush" parameter which turns "shushable" mode on, discarding any progress output from stdout.
- Added a new finding under the "personal" category which tells if the contributor has enabled "Available for hire" in their profile (the docs describe it here: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/about-available-for-hire).
- Added a "WARNING" label/prefix on a couple of Workflow findings which deserve an extra highlight.
- Turned gh_api into a class named GitHubRESTAPI which stores a reference to gx_output.
- Added a new stdout method in gx_output to act as a proxy for print() calls, discarding "shushable" output.
1.0.16.5
Release v1.0.16.5 (January 18th, 2025)
- Fixed an error case (an unhandled exception) that showed up when scanning repositories with a very large list of contributors (e.g. torvalds/linux, or MicrosoftDocs/azure-docs), which leads to GitHub REST APIs responding in an undocumented manner, stating that: "The history or contributor list is too large to list contributors for this repository via the API".
1.0.16.4
Release v1.0.16.4 (October 30th, 2024)
- Worked around an error case that should eventually be handled properly in gh_api.py: GitHub returns unexpected error responses when querying certain releases while unauthenticated. Thank you once again fearcito for your input and testing.
1.0.16.3
Release v1.0.16.3 (October 28th, 2024)
- Only showing "updated at" for comments if the created_at and updated_at field values differ. This helps place focus on updated comments, which could potentially reveal a contributor trying to hide a past comment. GitHub is kind enough to show an edit history for such comments as a menu option next to the comment itself.
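The check above, as an added example that is not gitxray's own code: given records shaped like the GitHub REST API's issue-comment objects, it keeps only comments whose updated_at differs from created_at and reports how long after creation the edit happened, so a reviewer can spot comments edited days later. It also tolerates a null timestamp or a missing user object rather than crashing. The comment records are constructed sample data, not real API output.

```python
from datetime import datetime, timezone

# Constructed sample records shaped like GitHub REST API issue-comment objects.
SAMPLE_COMMENTS = [
    {"id": 1, "user": {"login": "alice"},
     "created_at": "2024-10-01T10:00:00Z", "updated_at": "2024-10-01T10:00:00Z"},
    {"id": 2, "user": {"login": "bob"},
     "created_at": "2024-10-01T11:00:00Z", "updated_at": "2024-10-03T09:30:00Z"},
    {"id": 3, "user": None,  # deleted account: GitHub may return a null user
     "created_at": "2024-10-02T08:00:00Z", "updated_at": None},
]


def parse_ts(value):
    """Parse a GitHub ISO-8601 UTC timestamp; None (or missing) stays None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def edited_comments(comments):
    """Return one summary dict per comment whose updated_at differs from created_at.

    Comments with equal timestamps, or with a null/missing timestamp, are skipped.
    """
    out = []
    for c in comments:
        created = parse_ts(c.get("created_at"))
        updated = parse_ts(c.get("updated_at"))
        if created is None or updated is None or created == updated:
            continue
        login = (c.get("user") or {}).get("login")  # user may be null
        out.append({
            "id": c.get("id"),
            "login": login,
            "edited_after_seconds": int((updated - created).total_seconds()),
        })
    return out


if __name__ == "__main__":
    for entry in edited_comments(SAMPLE_COMMENTS):
        print(entry)
```

The delay is reported in seconds so callers can apply their own threshold (an edit minutes after posting is usually a typo fix; one made days later is the case worth a second look).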
1.0.16.2
Release v1.0.16.2 (October 25th, 2024)
- Added validation against Null values for fields "author" and "uploader" in Releases and Assets. Special thanks to fearcito for reporting the issue.