Skip to content

Implement GitHub Renovate subcommands (enum, autodiscovery, privesc) #469

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Implement GitHub Renovate subcommands (enum, autodiscovery, privesc) #469

Copilot wants to merge 3 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Dec 24, 2025
edited
Loading

Adds GitHub support for the three Renovate exploitation commands previously available only for GitLab: enumeration, autodiscovery PoC generation, and privilege escalation.

Changes

Shared Renovate Package

  • pkg/renovate/common.go: Extracted platform-agnostic logic (config detection, autodiscovery parsing, self-hosted options, config extension)

GitHub Implementation

  • pkg/github/renovate/enum: Repository enumeration scanning workflows/configs for Renovate configurations
  • pkg/github/renovate/autodiscovery: PoC repository generation with malicious Gradle wrapper exploit
  • pkg/github/renovate/privesc: Branch monitoring and workflow injection via race condition

CLI Commands

  • internal/cmd/github/renovate/*: Root command with three subcommands matching GitLab functionality
  • Flag adaptations: --gitlab--github, --namespace--org, project → repository terminology

Testing

  • tests/e2e/github/renovate/renovate_test.go: Mock GitHub API tests (6 passing, 1 skipped due to infinite monitoring loop)

Example Usage

# Enumerate owned repositories
pipeleek gh renovate enum --token ghp_xxx --owned --dump

# Create autodiscovery PoC
pipeleek gh renovate autodiscovery --token ghp_xxx --repo-name exploit-repo --username renovate-bot

# Exploit via branch injection
pipeleek gh renovate privesc --token ghp_xxx --repo-name owner/repo

API Compatibility

Fixed GitHub API v3 GetContent() method which returns (string, error) tuple vs direct string in docs.

Original prompt

This section details on the original issue you should resolve

<issue_title>Renovate: Implement GH</issue_title>
<issue_description>Implement the three Gitlab Renovate subcommands as well in the github subcommand. Ensure to extract shared logic in matching package and include it in the commands. gh should support the same renovate commands as gitlab cmd does right now. adapt the flags that are avaialable in gitlab to the github ecosystem directly if possible but adapt them if needed.</issue_description>

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 2 commits December 24, 2025 16:00
@frjcomp
Implement GitHub Renovate commands with shared package
34c4d57 
Co-authored-by: frjcomp <107982661+frjcomp@users.noreply.github.com>
@frjcomp
Add e2e tests for GitHub Renovate commands and fix API compatibility …
3a44461 
…issues

Co-authored-by: frjcomp <107982661+frjcomp@users.noreply.github.com>
Copilot AI changed the title [WIP] Implement GitHub support for Renovate subcommands Implement GitHub Renovate subcommands (enum, autodiscovery, privesc) Dec 24, 2025
Copilot AI requested a review from frjcomp December 24, 2025 16:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@frjcomp frjcomp Awaiting requested review from frjcomp

Assignees

@frjcomp frjcomp

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Renovate: Implement GH

2 participants

@frjcomp