Privesc

pipeleak gl renovate privesc

Inject a malicious CI/CD Job into the protected default branch abusing Renovate Bot's access

Synopsis

Inject a job into the CI/CD pipeline of the project's default branch by adding a commit to a Renovate Bot branch before that branch is auto-merged into the main branch (a race condition against the auto-merge). Assumes the Renovate Bot has owner/maintainer access whereas you only have developer access. See https://blog.compass-security.com/2025/05/renovate-keeping-your-updates-secure/
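
A defender-side check for the weakness described above, added here as an example and not part of pipeleak or the original page: before a Renovate branch is auto-merged, verify that every commit on it was authored by the bot and that none of them touches CI configuration. The bot's e-mail address, the per-commit file lists and the sample commits are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed identity of the Renovate Bot account (assumption: adapt to your instance).
RENOVATE_BOT_EMAIL = "renovate-bot@example.com"
# Files a dependency-update commit has no reason to modify.
CI_CONFIG_FILES = {".gitlab-ci.yml"}
CI_CONFIG_DIRS = (".gitlab/ci/",)


@dataclass
class Commit:
    sha: str
    author_email: str
    files: list[str] = field(default_factory=list)


def audit_renovate_mr(commits: list[Commit], bot_email: str = RENOVATE_BOT_EMAIL) -> list[str]:
    """Return findings that should block auto-merge of a Renovate branch.

    Two checks: every commit must be authored by the bot (a foreign commit is the
    injected one from the race described above), and no commit may touch CI
    configuration, since a dependency bump never needs to.
    """
    findings = []
    for c in commits:
        if c.author_email.lower() != bot_email.lower():
            findings.append(f"{c.sha}: commit by {c.author_email}, not the Renovate Bot")
        ci_hits = [f for f in c.files
                   if f in CI_CONFIG_FILES or f.startswith(CI_CONFIG_DIRS)]
        if ci_hits:
            findings.append(f"{c.sha}: modifies CI configuration {ci_hits}")
    return findings


# Constructed sample: the bot's own bump followed by a foreign commit editing the pipeline.
SAMPLE_MR_COMMITS = [
    Commit("a1b2c3d", "renovate-bot@example.com", ["package.json", "package-lock.json"]),
    Commit("d4e5f6a", "dev@example.com", [".gitlab-ci.yml"]),
]

if __name__ == "__main__":
    for finding in audit_renovate_mr(SAMPLE_MR_COMMITS):
        print("BLOCK:", finding)
```

Run it as a merge-request pipeline step or a pre-merge hook that fails when the list is non-empty, so the auto-merge never lands a commit the bot did not create.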

pipeleak gl renovate privesc [flags]

Examples

pipeleak gl renovate privesc --token glpat-xxxxxxxxxxx --gitlab https://gitlab.mydomain.com --repoName mygroup/myproject --renovateBranchesRegex 'renovate/.*'

Options

  -h, --help                           help for privesc
  -b, --renovateBranchesRegex string   The branch name regex expression to match the Renovate Bot branch names (default: 'renovate/.*') (default "renovate/.*")
  -r, --repoName string                The repository to target

Options inherited from parent commands

      --coloredLog       Output the human-readable log in color (default true)
  -g, --gitlab string    GitLab instance URL
      --json             Use JSON as log output format
  -l, --logfile string   Log output to a file
  -t, --token string     GitLab API Token
  -v, --verbose          Verbose logging

SEE ALSO