Gitxray

Latest version: v1.0.17.3


1.0.16.3

* Only showing "updated at" for comments if the created_at and updated_at field values differ. This helps place focus on updated comments which could potentially reveal a contributor trying to hide a past comment. GitHub is kind to show an Edit history for said comments as a menu option next to the comment itself.
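The check behind this entry, as an added example rather than gitxray's own code: it takes GitHub comment objects (the sample below is constructed, using only the `created_at`, `updated_at` and `user.login` fields of the real API shape) and reports only comments whose `updated_at` differs from `created_at`, together with how long after creation the edit happened.

```python
from datetime import datetime, timezone

# Constructed sample of GitHub comment objects, reduced to the fields used here
SAMPLE_COMMENTS = [
    {"id": 1, "user": {"login": "alice"},
     "created_at": "2024-05-01T10:00:00Z", "updated_at": "2024-05-01T10:00:00Z"},
    {"id": 2, "user": {"login": "bob"},
     "created_at": "2024-05-01T11:00:00Z", "updated_at": "2024-05-03T09:30:00Z"},
    {"id": 3, "user": {"login": "carol"},
     "created_at": "2024-05-02T08:00:00Z", "updated_at": "2024-05-02T08:05:00Z"},
]


def _parse_gh_time(value):
    # GitHub timestamps are ISO 8601 in UTC with a trailing "Z"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def edited_comments(comments, min_delay_hours=24):
    """Return only the comments whose updated_at differs from created_at.

    Each result carries the delay between creation and the last edit; an edit made
    at least `min_delay_hours` after creation is marked as a late edit, which is
    the case worth a look in GitHub's edit history for that comment.
    """
    results = []
    for c in comments:
        created = _parse_gh_time(c["created_at"])
        updated = _parse_gh_time(c["updated_at"])
        if created == updated:
            continue  # never edited: nothing to report, so updated_at is not shown
        delay_hours = (updated - created).total_seconds() / 3600
        results.append({
            "id": c["id"],
            "login": c["user"]["login"],
            "updated_at": c["updated_at"],
            "edit_delay_hours": round(delay_hours, 2),
            "late_edit": delay_hours >= min_delay_hours,
        })
    return results


if __name__ == "__main__":
    for r in edited_comments(SAMPLE_COMMENTS):
        flag = "WARNING late edit" if r["late_edit"] else "edited"
        print(f"#{r['id']} by {r['login']}: {flag}, "
              f"{r['edit_delay_hours']}h after creation (updated_at {r['updated_at']})")
```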

1.0.16.2

* Added validation against Null values for fields "author" and "uploader" in Releases and Assets. Special thanks to fearcito for reporting the issue.

1.0.16.1

* Fixed a typo in a call to r_log() which led to an unhandled exception when scanning repositories with self-hosted runners. Special thanks to farnaboldi for reporting the issue.

1.0.16

* Added a brand new HTML output format/report by default, making results a lot easier to navigate! It uses a custom search bar instead of relying on DataTables, which can be super slow for large HTML files. We're now also grouping results by Category across all contributors and highlighting results which contain a WARNING keyword.
* Added certain association results to Contributor results (not all, to prevent extra noise).
* Added the ability to specify a directory for output instead of a file, with gitxray creating the filename for you.
* Removed the concept of 'Verbose' results, merging them with the non-verbose categories.
* Removed the need for repositories and organizations to start with https://github.com (Thanks to mattaereal for pointing that out!)

1.0.15

* Added searching for similar repository names in GitHub, warning if another repository with the same name and better reputation is found.
* Added commit time analysis, grouping commit hours per contributor and calculating the percentage of commits at each hour. This feature provides insights into contributors' activity patterns and helps identify potential anomalies.
* Added a new Workflows X-Ray module which contains all Workflow-related logic. Moved in some of the logic that was under the Repository X-Ray.
* Added counts of Workflow Runs to identify when Workflow Runs were DELETED, which may have been the result of an attacker erasing their tracks, or legitimate cleanup.
* Added a series of basic Workflow security checks which might be an indicator of a vulnerable Workflow.
* Added to the Workflows X-Ray the ability to print, for each workflow, how many times it was executed by non-contributors as well as contributors.
* Added to the Workflows X-Ray the ability to parse and print any secret names used in a Workflow.
* Added a display of progress % for time-consuming queries and an estimate of seconds left prior to resuming execution.
* Added ability to SKIP heavy querying live by handling CTRL+C, which means we've also removed any caps or limits recently introduced.
* Fixed parsing of dict-formatted results coming from the REST API so that we keep the last key and not the second one.
* Fixed a few exceptions which arise from hitting CTRL+C and skipping or breaking API calls.

1.0.14

* Added a new check on workflow runs for accounts which are NOT contributors, presenting a WARNING on screen. This could help identify hack attempts via Workflow runs.
* Added a new check on releases to identify accounts which create releases/upload assets and are NOT contributors, also WARNING on screen.
* Added pulling and analysis of Comments for Commits, Issues and Pull Requests.
* Added messages to point out when comments get updated (Edited) after a day of being created.
* Added parsing of reactions for comments in Commits, Issues and Pulls. We're printing the comment that had the most Positive, Neutral and Negative reactions in Commits, Issues and PRs.
* Added support for analyzing past workflow runs in a repository, capped at 5000 Workflow runs. Run counts can go very high (50k, for example), which is why we cap.
* Added a limit of 5000 Artifacts inspection to prevent the analysis from being too expensive in really big repositories.
* Added support to get repository labels, pointing out specifically those which are custom.
* Added to the repository summary the printing of stargazers and watchers count even if 0, as it speaks to reputation.
* Added code to fetch environment protection rules; but it is commented out because it is seldom used.
* Added to contributors_xray.py, a message to the user on how to use the filtering function in order to filter results for non-contributors.
* Added to gx_context.py, two (2) helper methods, isContributor and areContributors which iterate and check logins against the list of cached repo contributors.
* Added to the UNRELIABLE ACTIVITY message a clarification that the mismatch may be due to a rebased repository.
* Added count of Pull Requests to the output line showing the PR link for a contributor.
* Changed the way we refer to account results in gx_output.py - Instead of stating Contributors we're going to say accounts, as we may have non-contributor results.
* Moved multiple results that were under the "urls" category to the corresponding category instead (e.g. commit urls to a commit category). Makes it easier to navigate visually.
* Fixed a visual typo (extra space) when printing 'starred' public events in verbose mode.
* Fixed querying of environments for exceptional repository-cases where the API returns a 404 not found in json format instead of an empty list of results.
* Fixed gh_api code for limiting results count in pagination when the API returns a dict with total_results followed by a list.
* Fixed identifying unreliable dates in commits mismatching account creation dates. Now only checking against 'author', and not checking against 'committer'.
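The commit time analysis from 1.0.15 and the unreliable-date check from 1.0.14, as one added example that is not gitxray's own code: the commit and account data below are constructed stand-ins for what the GitHub API returns (a commit's git author date and the login it is attributed to, and a user's `created_at`). The hour histogram is computed per contributor as percentages, and only the author date, not the committer date, is compared against the account creation date.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample of commits, reduced to the git author timestamp and the
# GitHub login the commit is attributed to
SAMPLE_COMMITS = [
    {"login": "alice", "author_date": "2024-05-01T09:15:00Z"},
    {"login": "alice", "author_date": "2024-05-02T09:40:00Z"},
    {"login": "alice", "author_date": "2024-05-03T10:05:00Z"},
    {"login": "alice", "author_date": "2024-05-04T03:20:00Z"},
    {"login": "mallory", "author_date": "2023-01-10T02:00:00Z"},
    {"login": "mallory", "author_date": "2024-06-01T02:30:00Z"},
]

# Constructed account creation dates (the "created_at" field of a user object)
SAMPLE_ACCOUNTS = {
    "alice": "2020-03-15T12:00:00Z",
    "mallory": "2024-05-20T18:00:00Z",
}


def _parse_gh_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def commit_hours_by_contributor(commits):
    """Map each login to {hour_utc: percentage of that login's commits at that hour}."""
    per_login = defaultdict(Counter)
    for c in commits:
        per_login[c["login"]][_parse_gh_time(c["author_date"]).hour] += 1
    return {
        login: {hour: round(100 * n / sum(hours.values()), 1)
                for hour, n in sorted(hours.items())}
        for login, hours in per_login.items()
    }


def unreliable_author_dates(commits, accounts):
    """Return commits whose author date precedes the author's account creation date.

    A hit may come from a rebased repository rather than tampering, so it is a
    prompt to look closer, not a verdict.
    """
    hits = []
    for c in commits:
        created = accounts.get(c["login"])
        if created and _parse_gh_time(c["author_date"]) < _parse_gh_time(created):
            hits.append(c)
    return hits


if __name__ == "__main__":
    for login, hours in commit_hours_by_contributor(SAMPLE_COMMITS).items():
        print(login, " ".join(f"{h:02d}h={p}%" for h, p in hours.items()))
    for c in unreliable_author_dates(SAMPLE_COMMITS, SAMPLE_ACCOUNTS):
        print(f"UNRELIABLE ACTIVITY: {c['login']} commit dated {c['author_date']} "
              f"precedes account creation (possibly a rebased repository)")
```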
