Dimension scores are derived from public data and the listed fields and are weighted into the composite score; for reference only.
Gitxray, or Git X-Ray, is a multi-purpose security tool for GitHub repositories, positioned for OSINT, forensics, and open source supply chain risk analysis. It uses the public GitHub REST API to collect information that would otherwise require extensive manual searching, and attempts to uncover suspicious signals in contributor profiles, commit history, workflows, Release assets, and public events from the past 90 days.
In terms of protection type, Gitxray is a "GitHub repository risk X-ray" rather than a traditional runtime protection product. It can surface accidental leaks in contributor profiles, such as PGP/SSH key names, hostnames, directory paths, and sensitive information pasted into profile fields by mistake. It can also use clues such as key fingerprints, account creation dates, and commit signatures to flag shared, jointly managed, or potentially fake accounts. The tool additionally supports duplicate repository name checks, abnormal commit timing detection, timezone inference, detection of suspected commit date tampering, recycled usernames, indicators of malicious Release assets, and anonymous contributor analysis. All of these are signals that still require analyst review.
Deployment is primarily command-line based. By default it generates Bootstrap-based HTML reports, and it can also output plain text for date-based event forensics. It can run without a GitHub API token, but will quickly hit GitHub's rate limits; a token with read-only access to public repositories raises those limits substantially, and when a limit is triggered the tool pauses and waits for the limit window to reset.
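To make the heuristics in the two paragraphs above concrete (timezone inference, quiet-hour commits, author/committer date skew) and the rate-limit pause that a token-less run keeps hitting, here is an example written for this review. It is not Gitxray's code and does not reproduce Gitxray's exact logic. It assumes commit objects shaped like GitHub's `GET /repos/{owner}/{repo}/commits` response: dates are ISO 8601 in UTC, and for signed commits `commit.verification.payload` holds the raw commit text whose `author` line still carries git's original UTC offset. The sample commits, payloads, and response headers are constructed inline, so the block runs offline; the `_signed`, `_commit`, and `SAMPLE_COMMITS` names are helpers invented here.

```python
"""Added example for this review (not Gitxray's code): commit-timing heuristics
over GitHub REST API commit objects, plus the pause GitHub's rate-limit headers
ask for. Everything below runs offline on constructed sample data."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# For signed commits GitHub returns the raw commit object in
# commit.verification.payload; its author line keeps git's "<epoch> <+HHMM>".
AUTHOR_LINE = re.compile(r"^author .*? (\d+) ([+-])(\d{2})(\d{2})$", re.MULTILINE)


def parse_iso(value):
    """GitHub REST dates are ISO 8601 in UTC ('...Z'); return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def offset_hours_from_payload(payload):
    """UTC offset in hours (may be fractional) from a signed commit's raw payload,
    or None for unsigned commits (payload is null) or a payload without it."""
    match = AUTHOR_LINE.search(payload) if payload else None
    if not match:
        return None
    sign = 1 if match.group(2) == "+" else -1
    return sign * (int(match.group(3)) + int(match.group(4)) / 60)


def analyze_commits(commits, max_skew_days=30, quiet_hours=range(0, 6)):
    """Return timezone votes, the inferred offset, a local-hour histogram,
    commits whose author and committer dates diverge (possible date rewriting),
    and commits made during the quiet hours of the inferred timezone."""
    votes = Counter()
    for c in commits:
        off = offset_hours_from_payload(c["commit"].get("verification", {}).get("payload"))
        if off is not None:
            votes[off] += 1
    # Majority offset among signed commits; fall back to UTC when none is signed.
    inferred = votes.most_common(1)[0][0] if votes else 0.0
    local_tz = timezone(timedelta(hours=inferred))
    hours, skew, quiet = Counter(), [], []
    for c in commits:
        meta = c["commit"]
        authored = parse_iso(meta["author"]["date"])
        committed = parse_iso(meta["committer"]["date"])
        if abs(committed - authored) > timedelta(days=max_skew_days):
            skew.append(c["sha"])
        hour = authored.astimezone(local_tz).hour
        hours[hour] += 1
        if hour in quiet_hours:
            quiet.append(c["sha"])
    return {"offset_votes": dict(votes), "inferred_offset_hours": inferred,
            "local_hour_histogram": dict(hours), "date_skew": skew,
            "quiet_hour_commits": quiet}


def seconds_to_wait(headers, now_epoch):
    """Seconds to sleep before the next request, from GitHub's rate-limit headers:
    Retry-After for secondary limits, otherwise the time until X-RateLimit-Reset
    once X-RateLimit-Remaining has reached 0."""
    h = {k.lower(): v for k, v in headers.items()}
    if "retry-after" in h:
        return int(h["retry-after"])
    if h.get("x-ratelimit-remaining") == "0":
        return max(0, int(h["x-ratelimit-reset"]) - now_epoch)
    return 0


def _signed(epoch, offset="+0100"):
    """Constructed payload in the shape of commit.verification.payload."""
    return (f"tree 0000\nauthor Alice <alice@example.com> {epoch} {offset}\n"
            f"committer Alice <alice@example.com> {epoch} {offset}\n\nmsg\n")


def _commit(sha, authored, committed=None, payload=None):
    """Constructed commit object carrying only the fields this analysis reads."""
    return {"sha": sha, "commit": {"author": {"date": authored},
                                   "committer": {"date": committed or authored},
                                   "verification": {"payload": payload}}}


# Constructed sample: four signed commits from a +01:00 author, one unsigned
# commit whose committer date is years after its author date, and one commit
# made at 03:30 local time.
SAMPLE_COMMITS = [
    _commit("c1", "2024-03-04T08:15:00Z", payload=_signed(1709540100)),
    _commit("c2", "2024-03-05T14:40:00Z", payload=_signed(1709649600)),
    _commit("c3", "2021-06-01T10:00:00Z", "2024-03-06T10:00:00Z"),
    _commit("c4", "2024-03-07T02:30:00Z", payload=_signed(1709778600)),
    _commit("c5", "2024-03-08T16:05:00Z", payload=_signed(1709913900)),
]

if __name__ == "__main__":
    print(analyze_commits(SAMPLE_COMMITS))
    print(seconds_to_wait({"X-RateLimit-Remaining": "0",
                           "X-RateLimit-Reset": "1709540700"}, 1709540100))
```

In real use the commit list comes from the paginated commits endpoint with an `Authorization: Bearer <token>` header, and each response's headers go through `seconds_to_wait` before the next page is requested. Two caveats match the limitations the review notes later: the REST API normalizes dates to UTC, so the offset can only be recovered from signed commits, and on a repository with no signatures the histogram is simply in UTC; and a large author/committer gap is routine after a rebase or cherry-pick, so `date_skew` is a prompt to look at a commit, not a verdict on it.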
The available documentation indicates that Gitxray is provided under the GNU Affero GPL v3 License, with no commercial edition, SaaS subscription, or paid support disclosed. For managing output, it offers category filtering (for example user_input, association, commits, contributors, releases, and anonymous), which suits investigators who want to focus on a specific question. There is no mention of a centralized console, real-time alerts, ticket notifications, or enterprise permission management. Its integration surface is essentially the GitHub REST API, covering public data such as Commits, Comments, Workflow Runs, Issues, Deployments, Releases, user events, and PGP/SSH keys.
Its strengths are broad analysis coverage, open source auditability, and readable reports. It is well suited to open source project maintainers, security researchers, and supply chain security teams conducting repository trust assessments, event-day retrospectives, and contributor profiling. Its limitations are equally clear: it is not a complete workflow security scanner, and its automatically correlated findings are signals that need analyst judgment; they do not by themselves establish that an account is malicious. Beginners may find the output hard to navigate on repositories with a large volume of data, and the tool depends on GitHub public data and is bounded by GitHub API rate limits.
Accessibility of the website and of the GitHub API from mainland China is not specified in the available text, so it is rated as unknown; actual use may be affected by GitHub network stability. No pricing or payment information is disclosed. If alternatives or supplements are needed, Gitxray can be used alongside GitHub's native security features, SCA/code scanning tools, and dedicated GitHub Actions workflow security scanners.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the official gitxray.com site.
TG4G lists gitxray.com as a security provider of unknown category with an overall rating of 7.0/10. Its listed China-accessibility score of "China direct-connect friendly" conflicts with the unknown accessibility rating given above, so verify connectivity before relying on either.