Today we are announcing the release of GH Navigator. With this addition, alongside our existing KeyChecker project, we now have practical coverage of both the data plane and the control plane of the GitHub environment.
TL;DR
GH Navigator and KeyChecker work together to provide complementary visibility and testing coverage for GitHub. KeyChecker automates SSH key validation and repository access checks to assess the data plane. GH Navigator is a client-side repository browser and bulk token analyzer that inspects token validity and scopes to assess the control plane. Used together they give a practical, repeatable way to evaluate what an attacker can read and what they can change.
Why think in planes
Grouping actions and privileges into two conceptual planes helps clarify attacker capabilities and defender priorities. For a deeper dive into this framing, see our earlier post: Decouple and Conquer: Understanding Control and Data Planes Across Technology.
- Data plane: operations that read, change, or exfiltrate repository contents, artifacts, or secrets — for example, cloning private repos, downloading releases, or reading configuration files.
- Control plane: operations that change configuration or permissions — for example, creating tokens, modifying collaborators, changing repository settings, or adding webhooks.
Treat these as separate but related surfaces when designing tests and controls.
How KeyChecker works (data plane)
KeyChecker automates the manual techniques security teams have used for years: extracting the account name from SSH connection metadata (for GitHub, the greeting returned by a test connection such as ssh -T git@github.com) and validating whether an SSH key grants access to a repository by running git ls-remote and related read-only checks. The tool uses a plugin architecture and currently supports multiple SaaS providers, so it can be extended to further platforms.
Key takeaways about KeyChecker:
- It converts raw SSH keys into reproducible tests that show exactly which repos a key can access.
- It exposes the true blast radius of a stolen key by automating enumeration and brute-force repository checks.
- It is intended for red teams, incident responders, and defensive validation within authorized engagements.
We wrote a detailed blog post about KeyChecker, and the tool is available on GitHub and on PyPI.
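The two steps described above, identifying the account a key belongs to from the SSH greeting and then probing candidate repositories with git ls-remote, as an added Python example written for this post; it is not KeyChecker's own code. It assumes GitHub's greeting format ("Hi octocat! You've successfully authenticated ..." for a user key, "Hi owner/repo!" for a deploy key), the sample banners are constructed, and the run parameter exists only so the logic can be exercised offline with a fake runner.

```python
import os
import re
import shlex
import subprocess
from typing import Callable, Dict, List, Optional

# Greeting GitHub sends on a successful `ssh -T git@github.com`. A deploy key is
# greeted with "Hi owner/repo!" instead of a username; both forms are parsed.
GREETING_RE = re.compile(
    r"Hi (?P<owner>[A-Za-z0-9-]+)(?:/(?P<repo>[A-Za-z0-9._-]+))?! "
    r"You've successfully authenticated"
)

# Constructed sample banners for offline use (not captured output).
SAMPLE_USER_BANNER = ("Hi octocat! You've successfully authenticated, "
                      "but GitHub does not provide shell access.\n")
SAMPLE_DEPLOY_BANNER = ("Hi acme/infra! You've successfully authenticated, "
                        "but GitHub does not provide shell access.\n")

Runner = Callable[..., subprocess.CompletedProcess]


def parse_greeting(stderr_text: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {'owner': ..., 'deploy_repo': ...}, or None if the key did not authenticate."""
    m = GREETING_RE.search(stderr_text)
    if not m:
        return None
    return {"owner": m.group("owner"), "deploy_repo": m.group("repo")}


def ssh_command(key_path: str) -> str:
    # IdentitiesOnly=yes stops ssh from also offering agent keys, so the result
    # reflects this key alone; BatchMode=yes prevents interactive prompts.
    return (f"ssh -i {shlex.quote(key_path)} -o IdentitiesOnly=yes "
            f"-o BatchMode=yes -o StrictHostKeyChecking=accept-new")


def identify_key(key_path: str, host: str = "github.com",
                 run: Runner = subprocess.run) -> Optional[Dict[str, Optional[str]]]:
    """Step 1: who does GitHub think this key is? The greeting arrives on stderr,
    and `ssh -T` exits non-zero even on success, so only the text is inspected."""
    cmd = shlex.split(ssh_command(key_path)) + ["-T", f"git@{host}"]
    proc = run(cmd, capture_output=True, text=True, timeout=30)
    return parse_greeting(proc.stderr + proc.stdout)


def can_access(key_path: str, repo: str, host: str = "github.com",
               run: Runner = subprocess.run) -> bool:
    """Step 2: does the key grant read access to owner/repo? ls-remote never writes."""
    cmd = ["git", "ls-remote", "--exit-code", f"git@{host}:{repo}.git", "HEAD"]
    proc = run(cmd, capture_output=True, text=True, timeout=60,
               env={**os.environ, "GIT_SSH_COMMAND": ssh_command(key_path)})
    return proc.returncode == 0


def blast_radius(key_path: str, candidates: List[str],
                 run: Runner = subprocess.run) -> Dict[str, bool]:
    """Map each candidate owner/repo to whether the key can read it."""
    return {repo: can_access(key_path, repo, run=run) for repo in candidates}


if __name__ == "__main__":
    import sys
    key, repos = sys.argv[1], sys.argv[2:]   # usage: script.py <private-key> owner/repo ...
    print("identity:", identify_key(key))
    for repo, ok in blast_radius(key, repos).items():
        print(f"{'ACCESS' if ok else 'denied'}  {repo}")
```

Only read-only operations are issued (a test connection and ls-remote), so the script can be run against a suspected-leaked key during an authorized engagement without touching repository contents.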
How GH Navigator works (control plane)
GH Navigator is a pure client-side web application. Open index.html in a modern browser, paste a Personal Access Token (PAT), and the app runs entirely in memory with no server component: the token is only ever sent from your browser to the GitHub API.
The project has two distinct parts:
- Navigator UI (repository views): a clean repository browser that lists organizations and repositories visible to the token and lets you view repository contents. It is focused on visibility and exploration. It does not modify settings and it does not enumerate permissions on its own.
- Token Validator (permissions map): a companion tool that validates a single token or a list of tokens, then queries GitHub to build a per-repository map showing what the token can do. Typical output includes whether the token is valid, token scopes, and for each repository the effective permission level such as read, triage, write, maintain, or admin.
Control plane insight comes from the Token Validator output, which summarizes what configuration or management actions are permitted for the token on each repository. The Navigator UI is for viewing what the token can see.
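What the Token Validator does, validating each token and building a per-repository permission map from the GitHub REST API, as an added Python example for bulk analysis from the command line; it is written for this post and is not GH Navigator's code. It assumes the documented endpoints GET /user (the X-OAuth-Scopes header is sent for classic PATs) and GET /user/repos (each entry carries a permissions object with admin/maintain/push/triage/pull flags); treating a missing scopes header as a fine-grained PAT is an assumption, and the get parameter exists so the logic can run offline against constructed responses.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

API = "https://api.github.com"
Getter = Callable[[str, str], Tuple[int, Dict[str, str], bytes]]

# GitHub's `permissions` object uses these boolean keys; a higher level implies
# the ones below it, so the first flag that is true is the effective level.
LEVELS = (("admin", "admin"), ("maintain", "maintain"), ("push", "write"),
          ("triage", "triage"), ("pull", "read"))
HIGH_IMPACT = {"write", "maintain", "admin"}


def http_get(url: str, token: str) -> Tuple[int, Dict[str, str], bytes]:
    """GET with the token; returns (status, lower-cased headers, body). Never raises on 4xx."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "pat-permission-map",   # GitHub rejects requests without a UA
    })
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read()


def effective_level(perms: Dict[str, bool]) -> str:
    for flag, level in LEVELS:
        if perms.get(flag):
            return level
    return "none"


def mask(token: str) -> str:
    """Never write full tokens into a report."""
    return f"{token[:4]}...{token[-4:]}" if len(token) > 8 else "***"


def validate_token(token: str, get: Getter = http_get) -> dict:
    status, headers, body = get(f"{API}/user", token)
    if status == 401:
        return {"token": mask(token), "valid": False, "reason": "bad credentials"}
    if status != 200:
        return {"token": mask(token), "valid": False, "reason": f"HTTP {status}"}
    scopes_hdr = headers.get("x-oauth-scopes")   # present for classic PATs
    return {
        "token": mask(token),
        "valid": True,
        "login": json.loads(body)["login"],
        "scopes": [s.strip() for s in scopes_hdr.split(",") if s.strip()] if scopes_hdr else [],
        "fine_grained": scopes_hdr is None,      # assumption: no scopes header => fine-grained PAT
        "ratelimit_remaining": headers.get("x-ratelimit-remaining"),
    }


def repo_permission_map(token: str, get: Getter = http_get, per_page: int = 100) -> Dict[str, str]:
    """owner/repo -> effective level for every repo the token can see (all pages)."""
    result: Dict[str, str] = {}
    page = 1
    while True:
        url = (f"{API}/user/repos?per_page={per_page}&page={page}"
               "&affiliation=owner,collaborator,organization_member")
        status, _headers, body = get(url, token)
        if status != 200:
            raise RuntimeError(f"/user/repos returned HTTP {status}")
        repos = json.loads(body)
        for r in repos:
            result[r["full_name"]] = effective_level(r.get("permissions") or {})
        if len(repos) < per_page:
            return result
        page += 1


def analyze_tokens(tokens: List[str], get: Getter = http_get) -> List[dict]:
    """Bulk check: one summary per token, invalid tokens included."""
    out = []
    for tok in tokens:
        info = validate_token(tok, get)
        if info["valid"]:
            info["repos"] = repo_permission_map(tok, get)
            info["high_impact_repos"] = sorted(
                name for name, lvl in info["repos"].items() if lvl in HIGH_IMPACT)
        out.append(info)
    return out


if __name__ == "__main__":
    import sys
    tokens = [line.strip() for line in sys.stdin if line.strip()]   # one PAT per line
    print(json.dumps(analyze_tokens(tokens), indent=2))
```

Feed it a file of candidate tokens on stdin; the ratelimit_remaining field in each summary is the check to watch when validating many tokens, since every token consumes its own quota and a burst of failed lookups is exactly the noise the rules-of-use section below warns about.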
Complementary workflow: data + control
Use KeyChecker and GH Navigator together for full coverage:
- Use KeyChecker to validate SSH keys and enumerate which private repositories they can access. That reveals immediate data-plane exposure.
- Use GH Navigator Token Validator to identify valid PATs, list their scopes, and produce a per-repository permission map.
- Use Navigator UI to quickly open any repository that appears in the permission map to verify visibility and to audit contents as part of the assessment.
- Correlate findings: if KeyChecker shows that a repository's contents are readable and the Token Validator shows write, maintain, or admin permission on the same repository, treat that repository as high impact, because an attacker holding both credentials can read it and change it.
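The correlation step of the workflow above, joining KeyChecker-style key findings with Token Validator-style permission maps into one ranked list, as an added Python example written for this post (neither tool's own code). The input shapes (key name to set of readable repos; token name to repo-to-level map) and the impact labels are assumptions chosen here; the sample findings in the usage are constructed.

```python
from typing import Dict, List, Set

# Repository permission levels from least to most privileged.
LEVEL_RANK = {"none": 0, "read": 1, "triage": 2, "write": 3, "maintain": 4, "admin": 5}


def correlate(key_access: Dict[str, Set[str]],
              token_levels: Dict[str, Dict[str, str]]) -> List[dict]:
    """key_access:   key name   -> repos it can clone (data-plane finding).
    token_levels: token name -> {owner/repo: level} (control-plane finding).
    Returns one row per repository, highest impact first."""
    repos: Set[str] = set()
    for readable in key_access.values():
        repos |= readable
    for levels in token_levels.values():
        repos |= set(levels)

    rows = []
    for repo in repos:
        keys = sorted(k for k, readable in key_access.items() if repo in readable)
        tokens = {t: m[repo] for t, m in token_levels.items()
                  if m.get(repo, "none") != "none"}
        control = max(tokens.values(), key=LEVEL_RANK.get, default="none")
        # High impact: something can read the repo AND something can change it.
        changeable = LEVEL_RANK[control] >= LEVEL_RANK["write"]
        rows.append({
            "repo": repo,
            "impact": "high" if changeable else "medium",
            "keys": keys,                 # data plane: who can read
            "tokens": tokens,             # control plane: who can do what
            "control_level": control,
            "revoke": sorted(keys + list(tokens)),   # every credential to rotate
        })
    order = {"high": 0, "medium": 1}
    rows.sort(key=lambda r: (order[r["impact"]], r["repo"]))
    return rows


if __name__ == "__main__":
    # Constructed findings, not from a real engagement.
    report = correlate(
        {"id_ed25519-dev-laptop": {"acme/infra", "acme/docs"}},
        {"token-ci": {"acme/infra": "admin", "acme/web": "read"}},
    )
    for row in report:
        print(f"{row['impact']:6} {row['repo']:12} control={row['control_level']:8} revoke={row['revoke']}")
```

Every repository reachable by any leaked credential is at least a data-plane finding; the rows flagged high are the ones where a token also grants write or better, which is where remediation (revoking the token, rotating the key, reviewing recent pushes, webhooks and collaborator changes) should start.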
Responsible use and limitations
Both tools are intended for legitimate security work. Rules of use:
- Obtain explicit authorization before testing keys or tokens you do not own.
- Do not perform destructive actions against systems you do not manage.
- Respect GitHub API rate limits and keep request volume low; bulk token validation and repository enumeration can look like credential stuffing or reconnaissance to the people monitoring the target.
Limitations:
- KeyChecker focuses on SSH and repository-level validation; it does not replace a full post-compromise investigation that captures other artifacts such as cached credentials, API tokens, or internal documentation leaks.
- GH Navigator depends on what the GitHub API returns for the supplied PAT and its scopes; it cannot see activity that is only recorded in audit logs or other platform telemetry the API does not expose to that token.
Closing thoughts
Recent malware campaigns have highlighted a consistent theme: attackers are stealing GitHub tokens and SSH keys directly from developer machines. Once exfiltrated, these credentials allow adversaries to pivot into both the data plane and the control plane of GitHub environments. Without a clear way to test exposure, defenders are left guessing what a leaked key or token might enable.
KeyChecker and GH Navigator change that equation. KeyChecker makes it practical to answer “what can be read?” while GH Navigator answers “what can be changed?” Together they let you gauge the potential impact of credential leakage and prioritize remediation.
Use both to produce reports that separate data-plane and control-plane impact and provide clear, prioritized remediation.
