Jerod Santo

Gitrob: find sensitive information published to your GitHub org before someone else does

It is widely known that sensitive information such as private keys and credentials often get mistakenly pushed to public GitHub repos.

Has it happened to you? Gitrob — a CLI from Michael Henriksen — will do its darnedest to find out for you. How it works:

The first thing the tool does is to collect all public repositories of the organization itself. It then goes on to collect all the organization members and their public repositories, in order to compile a list of repositories that might be related or have relevance to the organization.

When the list of repositories has been compiled, it proceeds to gather all the filenames in each repository and runs them through a series of observers that will flag the files, if they match any patterns of known sensitive files. This step might take a while if the organization is big or if the members have a lot of public repositories.

All of the members, repositories and files will be saved to a PostgreSQL database. When everything has been sifted through, it will start a Sinatra web server locally on the machine, which will serve a simple web application to present the collected data for analysis.

It's probably worth taking a few minutes to run Gitrob and see what it can scrounge up on your GitHub organizations.


Sign in or Join to comment or subscribe

Player art
  0:00 / 0:00