Adnan Khan
> It's basically a TOCTOU vulnerability

Ended up writing a tool + demo repo to make this easy to exploit (https://github.com/AdnaneKhan/ActionsTOCTOU/)
> Are there additional significant details within the protection rules, @AdnaneKhan ? If there are, we should consider representing them as individual nodes; otherwise, I agree we can track them...
Also, curious about where in the code it would be best to add the query to the environments API endpoint? Should Raven make the call when it is creating a...
> In the current architecture of raven, the Github API queries only take place in the `downloader`, so it should take place when it pulls the workflow. > > If...
> An actual vuln GHSA [GHSA-h52q-xhg2-6jw8](https://github.com/espressif/arduino-esp32/security/advisories/GHSA-h52q-xhg2-6jw8)

Hey that’s pretty cool! GHSL has been doing some amazing work reporting issues to OSS projects.
This is definitely a useful gadget in a CI/CD scenario with cache poisoning where there is a call to git checkout _after_ a cache restore step. For GitHub Actions at...
This relates to #51, but it could be something like the following enumeration profiles: `--zoomies`: Skip run logs, skip branch protection rules. YML-based enumeration only for the entire search set...
The solution here would be the following: * If the workflow runs and requires approval, Gato should report this. Optionally, there could be a flag to close the PR if...
> Can you please give more details about what problem this update is solving?

The artifact uploaded on a `pull_request` workflow can be modified so that it contains a PR...
Ditto - this broke a security tool I maintain that allows users to monitor for runner group misconfigurations among other issues (such as an unexpected org-level runner suddenly picking up...