Privesc

pipeleek gl renovate privesc

Inject a malicious CI/CD Job into the protected default branch abusing Renovate Bot's access

Synopsis

Inject a job into the CI/CD pipeline of the project's default branch by adding a commit (race condition) to a Renovate Bot branch, which is then auto-merged into the main branch. Assumes the Renovate Bot has owner/maintainer access whereas you only have developer access. See https://blog.compass-security.com/2025/05/renovate-keeping-your-updates-secure/
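A defender-side counterpart, added here as an example and not part of pipeleek: the pattern described above leaves a trace that is easy to check for, namely a commit on a branch matching the Renovate branch regex whose author is not the Renovate bot account, especially one that touches `.gitlab-ci.yml`. The bot username, the commit records and the file lists below are constructed for the example.

```python
import re
from dataclasses import dataclass

# Same default pattern as the command's -b / --renovate-branches-regex flag.
RENOVATE_BRANCH_RE = re.compile(r"renovate/.*")
# Hypothetical name of the Renovate bot account in this project (assumption).
RENOVATE_BOT_USER = "renovate-bot"
CI_CONFIG = ".gitlab-ci.yml"


@dataclass(frozen=True)
class Commit:
    sha: str
    branch: str
    author: str
    files: tuple  # paths changed by the commit


def suspicious_commits(commits, bot_user=RENOVATE_BOT_USER,
                       branch_re=RENOVATE_BRANCH_RE):
    """Flag commits on Renovate branches that the bot did not author.

    Returns (sha, branch, author, severity) tuples. Severity is 'high'
    when the CI config was modified, because that is what gets executed
    on the default branch once the bot's MR is auto-merged."""
    findings = []
    for c in commits:
        if not branch_re.fullmatch(c.branch):
            continue            # not a Renovate branch, out of scope
        if c.author == bot_user:
            continue            # expected: the bot updating dependencies
        severity = "high" if CI_CONFIG in c.files else "medium"
        findings.append((c.sha, c.branch, c.author, severity))
    return findings


# Constructed sample commit records, not real GitLab API output.
SAMPLE_COMMITS = [
    Commit("a1", "renovate/lodash-4.x", "renovate-bot",
           ("package.json", "package-lock.json")),
    Commit("a2", "renovate/lodash-4.x", "dev-alice", (".gitlab-ci.yml",)),
    Commit("a3", "feature/login", "dev-alice", (".gitlab-ci.yml",)),
    Commit("a4", "renovate/express-5.x", "dev-bob", ("README.md",)),
]

if __name__ == "__main__":
    for finding in suspicious_commits(SAMPLE_COMMITS):
        print(finding)
```

Run against the real commit history of `renovate/*` branches (for instance pulled from the GitLab commits API), the 'high' findings are the ones to review before trusting the auto-merged default branch pipeline.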

pipeleek gl renovate privesc [flags]

Examples

pipeleek gl renovate privesc --token glpat-xxxxxxxxxxx --gitlab https://gitlab.mydomain.com --repo-name mygroup/myproject --renovate-branches-regex 'renovate/.*'

Options

  -h, --help                             help for privesc
  -b, --renovate-branches-regex string   The branch name regex expression to match the Renovate Bot branch names (default: 'renovate/.*') (default "renovate/.*")
  -r, --repo-name string                 The repository to target

Options inherited from parent commands

      --color              Enable colored log output (auto-disabled when using --logfile) (default true)
  -g, --gitlab string      GitLab instance URL
      --ignore-proxy       Ignore HTTP_PROXY environment variable
      --json               Use JSON as log output format
      --log-level string   Set log level globally (debug, info, warn, error). Example: --log-level=warn
  -l, --logfile string     Log output to a file
  -t, --token string       GitLab API Token
  -v, --verbose            Enable debug logging (shortcut for --log-level=debug)

SEE ALSO