GitGot is a semi-automated, feedback-driven tool that can rapidly search through troves of public data on GitHub for sensitive secrets.
Read Jake Miller's other post explaining the conception of GitGot here.
I built this tool as part of my research on human-in-the-loop (HITL) toolsets. By combining the speed of automation with the judgment of a human operator, GitGot can speed up testing and improve results.
GitGot uses blacklisting through user-provided string constants (user names, repo names, and file names) and fuzzy matching against file contents similar to ones already dismissed. The tool leverages the GitHub Search API to perform searches across GitHub, and at the same time uses the blacklist mechanism to prune search results.
The blacklisting model, coupled with an HITL-based user interface, allows a guided scan through GitHub search results, which reduces user fatigue and improves blacklisting through human feedback. Users can pause or resume sessions at any time. Additionally, the session files become a unique collection of blacklist intelligence that can be used on subsequent related searches for the same organization.
Unlike traditional GitHub searches that only produce results for matching query text (e.g., example.com), GitGot performs a list of regex queries for sensitive tokens and keywords across any file that matches the initial query text. This allows users to find secrets hidden in a file that might not be presented as a snippet in the search results.
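The blacklist-then-regex workflow described above, written as an added illustration rather than GitGot's own code: search results are constructed records standing in for GitHub Search API output, the regex list is a small constructed one, and difflib's SequenceMatcher stands in for the fuzzy content matching; a dismissed fixture file causes its near-identical fork to be pruned on the next pass, while a real finding elsewhere survives.

```python
import re
from difflib import SequenceMatcher

# Constructed sample records standing in for GitHub Search API results (offline).
SAMPLE_RESULTS = [
    {"user": "example-org", "repo": "infra", "path": "tests/fixtures.env",
     "content": "DB_HOST=db.example.com\nAWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000\n"},
    {"user": "example-org", "repo": "docs", "path": "README.md",
     "content": "See https://example.com for details.\n"},
    {"user": "forkbot", "repo": "infra-fork", "path": "tests/fixtures.env",
     "content": "DB_HOST=db.example.com\nAWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000\n# fork\n"},
    {"user": "example-org", "repo": "site", "path": "vendor/jquery.min.js",
     "content": "var x=1;"},
    {"user": "example-org", "repo": "ops", "path": "deploy/ci.yml",
     "content": "deploy:\n  password = hunter2\n"},
]

# Regex list for sensitive tokens (constructed; GitGot ships its own lists).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_password": re.compile(r"(?i)password\s*[=:]\s*\S+"),
}

class Blacklist:
    """String-constant blacklist plus fuzzy matching of dismissed file contents."""
    def __init__(self, users=(), repos=(), paths=(), threshold=0.9):
        self.users, self.repos, self.paths = set(users), set(repos), set(paths)
        self.dismissed = []      # contents the human operator marked as noise
        self.threshold = threshold

    def is_blacklisted(self, r):
        if r["user"] in self.users or r["repo"] in self.repos or r["path"] in self.paths:
            return True
        # difflib stands in for fuzzy-hash comparison: near-duplicates of dismissed files are pruned
        return any(SequenceMatcher(None, d, r["content"]).ratio() >= self.threshold
                   for d in self.dismissed)

    def dismiss(self, r):
        """Human feedback: remember this content so forks and copies of it are skipped."""
        self.dismissed.append(r["content"])

def scan(results, blacklist):
    """Prune blacklisted results, then run every secret regex over each file's full content."""
    findings = []
    for r in results:
        if blacklist.is_blacklisted(r):
            continue
        hits = [name for name, pat in SECRET_PATTERNS.items() if pat.search(r["content"])]
        if hits:
            findings.append((r["user"], r["repo"], r["path"], hits))
    return findings
```

Saving the Blacklist contents between runs is what turns a session into reusable intelligence for later searches on the same organization.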
Create your own regex lists or contribute suggestions to GitGot. Check it out on the Bishop Fox GitHub. Happy hunting!