Added a new "--shush" parameter which turns "shushable" mode on, discarding any progress output from stdout.

Added a new stdout method in gx_output to act as a proxy for print() calls, discarding "shushable" output.
Turned gh_api into a class named GitHubRESTAPI which stores a references to gx_output.
Added a "WARNING" label/prefix on a couple of Workflow findings which deserve an extra highlight.
Added a new finding under the "personal" category which tells if the contributor has enabled "Available for hire" in their profile (docs describe it here: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/about-available-for-hire)
Bumping version to 1.0.17

Author: llavarello

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## Release v1.0.17 (January 26th, 2025)
+* Added a new "--shush" parameter which turns "shushable" mode on, discarding any progress output from stdout.
+* Added a new stdout method in gx_output to act as a proxy for print() calls, discarding "shushable" output.
+* Turned gh_api into a class named GitHubRESTAPI which stores a references to gx_output.
+* Added a "WARNING" label/prefix on a couple of Workflow findings which deserve an extra highlight.
+* Added a new finding under the "personal" category which tells if the contributor has enabled "Available for hire" in their profile (docs describe it here: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/about-available-for-hire)
+
 ## Release v1.0.16.5 (January 18th, 2025)
 * Fixed an error case (an unhandled exception) that showed up when scanning repositories with a very large list of contributors (e.g. torvalds/linux, or MicrosoftDocs/azure-docs), which leads to GitHub REST APIs responding in an undocumented manner, stating that: "The history or contributor list is too large to list contributors for this repository via the API".
 

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "gitxray"
-version = "1.0.16.5"
+version = "1.0.17"
 authors = [
   { name="Lucas Lavarello", email="llavarello@kulkan.com" },
 ]

src/gitxray/gitxray.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 import os, sys, datetime
-from gitxray.include import gh_api, gx_output as gx_output_class, gx_context as gx_context_class, gx_definitions
+from gitxray.include import gh_api as gh_api_class, gx_output as gx_output_class, gx_context as gx_context_class, gx_definitions
 from gitxray.xrays import repository_xray
 from gitxray.xrays import contributors_xray
 from gitxray.xrays import association_xray
@@ -20,7 +20,7 @@ def gitxray_cli():
 ░░██████                                                  ░░██████  
  ░░░░░░                                                    ░░░░░░   
 gitxray: X-Ray and analyze GitHub Repositories and their Contributors. Trust no one!
-v1.0.16.5 - Developed by Kulkan Security [www.kulkan.com] - Penetration testing by creative minds.
+v1.0.17 - Developed by Kulkan Security [www.kulkan.com] - Penetration testing by creative minds.
 """+"#"*gx_definitions.SCREEN_SEPARATOR_LENGTH)
 
     # Let's initialize a Gitxray context, which parses arguments and more.
@@ -29,6 +29,9 @@ def gitxray_cli():
     # Let's initialize our Output object that handles stdout and file writing in text or json
     gx_output = gx_output_class.Output(gx_context)
 
+    # And GitHub's REST API, sharing a ref to the Output object
+    gh_api = gh_api_class.GitHubRESTAPI(gx_output)
+
     # Let's warn the user that unauth RateLimits are pretty low
     if not gx_context.usingToken():
         gx_output.warn(f"{gx_definitions.ENV_GITHUB_TOKEN} environment variable not set, using GitHub RateLimits unauthenticated.")
@@ -50,18 +53,18 @@ def gitxray_cli():
 
     if gx_context.getOrganizationTarget():
         org_repos = gh_api.fetch_repositories_for_org(gx_context.getOrganizationTarget())
-        print("#"*gx_definitions.SCREEN_SEPARATOR_LENGTH)
+        gx_output.stdout("#"*gx_definitions.SCREEN_SEPARATOR_LENGTH)
         if isinstance(org_repos, list) and len(org_repos) > 0: 
             gx_output.notify(f"YOU HAVE EXPANDED THE SCOPE TO AN ORGANIZATION: A list of {len(org_repos)} repositories have been discovered. Sit tight.")
             if gx_context.listAndQuit():
-                gx_output.notify(f"LISTING REPOSITORIES FOR THE ORGANIZATION AND EXITING..")
-                print(", ".join([r.get('full_name') for r in org_repos]))
+                gx_output.notify(f"LISTING REPOSITORIES FOR THE ORGANIZATION AND EXITING..", False)
+                gx_output.stdout(", ".join([r.get('full_name') for r in org_repos]), False)
                 sys.exit()
             gx_context.setRepositoryTargets([r.get('html_url') for r in org_repos])
         else: 
             gx_output.warn("Unable to pull repositories for the organization URL that was provided. Is it a valid Organization URL?")
             if gx_context.debugEnabled():
-                print(org_repos)
+                gx_output.stdout(org_repos, shushable=False)
             sys.exit()
 
     try:
@@ -70,8 +73,8 @@ def gitxray_cli():
             try:
                 repository = gh_api.fetch_repository(repo)
                 gx_output.r_log(f"X-Ray on repository started at: {r_started_at}", repository=repository.get('full_name'), rtype="metrics")
-                print("#"*gx_definitions.SCREEN_SEPARATOR_LENGTH)
-                print("Now verifying repository: {}".format(repository.get('full_name')))
+                gx_output.stdout("#"*gx_definitions.SCREEN_SEPARATOR_LENGTH)
+                gx_output.stdout("Now verifying repository: {}".format(repository.get('full_name')))
             except Exception as ex:
                 print("Unable to pull data for the repository that was provided. Is it a valid repo URL?")
                 if gx_context.debugEnabled():
@@ -87,18 +90,18 @@ def gitxray_cli():
             # Now call our xray modules! Specifically by name, until we make this more plug and play
             # The standard is that a return value of False leads to skipping additional modules
 
-            if not contributors_xray.run(gx_context, gx_output): continue
-            if not repository_xray.run(gx_context, gx_output): continue
-            if not workflows_xray.run(gx_context, gx_output): continue
+            if not contributors_xray.run(gx_context, gx_output, gh_api): continue
+            if not repository_xray.run(gx_context, gx_output, gh_api): continue
+            if not workflows_xray.run(gx_context, gx_output, gh_api): continue
 
             # Now that we're done, let's cross reference everything in the repository.
-            association_xray.run(gx_context, gx_output)
+            association_xray.run(gx_context, gx_output, gh_api)
 
             r_ended_at = datetime.datetime.now()
             gx_output.r_log(f"X-Ray on repository ended at: {r_ended_at} - {((r_ended_at-r_started_at).seconds/60):.2f} minutes elapsed", rtype="metrics")
             gx_output.doOutput()
 
-            print(f"\rRepository has been analyzed.." + " "*40)
+            gx_output.stdout(f"\rRepository has been analyzed.." + " "*40)
 
             # We're resetting our context on every new repo; eventually we'll maintain a context per Org.
             gx_context.reset()