GitHub Exploit

GitHub Exploit#

Mining git hosts (GitHub, GitLab, Bitbucket, self-hosted) for the secrets developers commit by accident. API keys, cloud-credentials, SSH keys, and database connection strings turn up routinely. The operator’s tooling either scans repositories at scope (TruffleHog, gitleaks, Gitrob) or queries GitHub’s own search for high-yield patterns (Gitrob, GitDorker, GitHub-Dorks).

TruffleHog#

Entropy + regex scanner. The modern v3 release covers ~700 secret detectors and validates credentials against the live provider so the operator’s report does not lead with stale keys.

# Install (Go binary or via package)
$ brew install trufflesecurity/trufflehog/trufflehog
$ # or:  curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh \
$ #         | sh -s -- -b /usr/local/bin

# Scan a remote repository
$ trufflehog git https://github.com/someco/example.git --only-verified

# Scan a local checkout
$ trufflehog filesystem ./example/ --only-verified

# Scan an organisation's public repos
$ trufflehog github --org someco --only-verified

The --only-verified flag keeps the operator’s hit list to credentials that successfully authenticated, not regex matches.

gitleaks#

The other widely-deployed scanner. Faster than TruffleHog on large histories, slightly less coverage. Useful as a second pass.

$ gitleaks detect --source ./example --report-path leaks.json
$ gitleaks detect --source ./example --log-opts="--all"   # scan all branches

References#