This tool analyzes a given GitHub repository and searches for dangling or force-pushed commits that may still contain secrets or other interesting information.
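The detection described above relies on a property of GitHub's data model: a force push removes commits from the branch history, but the Events API still advertises the old head in its PushEvent payloads, so anyone auditing a repository can compare the SHAs those events mention against what is currently reachable. The following is an added example written for this README (it is not the project's own code) showing that comparison on constructed PushEvent data, together with the token handling and rate-limit bookkeeping the README discusses below. The `GITHUB_API` endpoint, the PushEvent field names (`before`, `head`, `commits[].sha`) and the `X-RateLimit-*` header names are assumptions taken from the public GitHub REST API, not from this project; all sample data is constructed.

```python
"""Added example (not part of github-secrets): find commits that PushEvents
advertised but that are no longer reachable from any branch, and handle the
optional token and rate-limit headers. All input below is constructed."""
import os
import time
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set

GITHUB_API = "https://api.github.com"  # assumption: public REST API endpoint
ZERO_SHA = "0" * 40  # a PushEvent 'before' of all zeros means the branch was created


def auth_headers(token: Optional[str] = None) -> Dict[str, str]:
    """Build request headers. The token is optional: unauthenticated requests
    work but get the lower rate limit. Defaults to $GITHUB_ACCOUNT_TOKEN, the
    variable this README uses; no permissions are needed on the token."""
    headers = {"Accept": "application/vnd.github+json"}
    if token is None:
        token = os.environ.get("GITHUB_ACCOUNT_TOKEN", "")
    if token:
        headers["Authorization"] = f"token {token}"
    return headers


def summarize_rate_limit(payload: dict) -> str:
    """Format the /rate_limit 'core' resource like the curl pipeline in this
    README, with the reset epoch rendered as a UTC timestamp."""
    core = payload["resources"]["core"]
    reset = datetime.fromtimestamp(core["reset"], tz=timezone.utc).isoformat()
    return (f"Used: {core['used']}/{core['limit']} | "
            f"Remaining: {core['remaining']} | Resets: {reset}")


def seconds_until_reset(headers: Dict[str, str], now: Optional[float] = None) -> float:
    """Seconds to wait before the next request when the quota is exhausted,
    derived from a response's X-RateLimit-* headers (0 if requests remain)."""
    if int(headers.get("X-RateLimit-Remaining", "1")) > 0:
        return 0.0
    now = time.time() if now is None else now
    return max(0.0, float(headers["X-RateLimit-Reset"]) - now)


def dangling_commits(events: Iterable[dict], reachable: Set[str]) -> List[str]:
    """Return SHAs that PushEvent payloads mention (old head 'before', new
    head 'head', every listed commit) but that are absent from `reachable`,
    the set of SHAs currently reachable from any branch (e.g. from
    `git rev-list --all` on a fresh clone)."""
    seen: Set[str] = set()
    for ev in events:
        if ev.get("type") != "PushEvent":
            continue
        payload = ev["payload"]
        shas = [payload.get("before"), payload.get("head")]
        shas += [c["sha"] for c in payload.get("commits", [])]
        seen.update(s for s in shas if s and s != ZERO_SHA)
    return sorted(seen - reachable)


# Constructed sample: a normal push of commit b, then a force push replacing
# it with c. Only a and c remain reachable, so b is dangling.
SAMPLE_EVENTS = [
    {"type": "PushEvent", "payload": {"before": "a" * 40, "head": "b" * 40,
                                      "commits": [{"sha": "b" * 40}]}},
    {"type": "PushEvent", "payload": {"before": "b" * 40, "head": "c" * 40,
                                      "commits": [{"sha": "c" * 40}]}},
    {"type": "WatchEvent", "payload": {}},  # ignored: not a push
]
SAMPLE_REACHABLE = {"a" * 40, "c" * 40}

if __name__ == "__main__":
    print("dangling:", dangling_commits(SAMPLE_EVENTS, SAMPLE_REACHABLE))
    print(summarize_rate_limit({"resources": {"core": {
        "limit": 5000, "used": 3, "remaining": 4997, "reset": 1700000000}}}))
    print("auth header set:", "Authorization" in auth_headers())
```

The reachable set is deliberately taken from a local clone rather than from the API, because a dangling commit is by definition not visible through any branch or tag; only the event stream (or knowledge of the SHA) exposes it. A defender running this against their own repositories should treat every SHA reported as still downloadable until the commit is garbage-collected by GitHub, and rotate any credential it contains.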
- Python3
- requests
```bash
git clone https://github.com/neodyme-labs/github-secrets.git
```

To get a list of basic options and switches use:

```bash
python3 github_scanner.py -h
```

You can run this script either completely unauthenticated, with rather low GitHub API rate limits, or export a generated API token. The token needs no privileges at all and is only used for authentication against the API. This project requires a fine-grained personal access token with no additional permissions.
To export the token use:

```bash
export GITHUB_ACCOUNT_TOKEN=<your_secret_api_token>
```

To run the script and scan a repository:

```bash
python3 github_scanner.py <username/repository>
```

To run the script and scan all of a specific user's repositories:

```bash
python3 github_scanner.py -u <username>
```

To run the script and scan all repositories of an organization:

```bash
python3 github_scanner.py -o <organization>
```

To test the script against trending repositories:
```bash
# Scan the default number of trending repos (100)
python3 github_scanner.py -t
# Scan a custom number of trending repos
python3 github_scanner.py -t 25
```

To check your current API rate limits and usage with a token:

```bash
curl -s -H "Authorization: token $GITHUB_ACCOUNT_TOKEN" https://api.github.com/rate_limit | jq -r '.resources.core | "Used: \(.used)/\(.limit) | Remaining: \(.remaining) | Resets: \(.reset)"' | sed "s/Resets: \([0-9]*\)/Resets: $(date -d @$(curl -s -H "Authorization: token $GITHUB_ACCOUNT_TOKEN" https://api.github.com/rate_limit | jq '.resources.core.reset') 2>/dev/null)/"
```

Without a token:

```bash
curl -s https://api.github.com/rate_limit | jq -r '.resources.core | "Used: \(.used)/\(.limit) | Remaining: \(.remaining) | Resets: \(.reset)"' | sed "s/Resets: \([0-9]*\)/Resets: $(date -d @$(curl -s https://api.github.com/rate_limit | jq '.resources.core.reset') 2>/dev/null)/"
```

Licensed under either of
- Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.