GitHub Exploit#
Mining git hosts (GitHub, GitLab, Bitbucket, self-hosted) for the secrets developers commit by accident. API keys, cloud-credentials, SSH keys, and database connection strings turn up routinely. The operator’s tooling either scans repositories at scope (TruffleHog, gitleaks, Gitrob) or queries GitHub’s own search for high-yield patterns (Gitrob, GitDorker, GitHub-Dorks).
TruffleHog#
Entropy + regex scanner. The modern v3 release covers ~700 secret detectors and validates credentials against the live provider so the operator’s report does not lead with stale keys.
# Install (Go binary or via package)
$ brew install trufflesecurity/trufflehog/trufflehog
$ # or: curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh \
$ # | sh -s -- -b /usr/local/bin
# Scan a remote repository
$ trufflehog git https://github.com/someco/example.git --only-verified
# Scan a local checkout
$ trufflehog filesystem ./example/ --only-verified
# Scan an organisation's public repos
$ trufflehog github --org someco --only-verified
The --only-verified flag keeps the operator’s hit list to
credentials that successfully authenticated, not regex matches.
gitleaks#
The other widely-deployed scanner. Faster than TruffleHog on large histories, slightly less coverage. Useful as a second pass.
$ gitleaks detect --source ./example --report-path leaks.json
$ gitleaks detect --source ./example --log-opts="--all" # scan all branches
References#
Git for the underlying source-control surface.
GitHub CLI for
gh-side enumeration of org membership and repos the operator can reach with the same credential.