Git Exposed – Pentesting Git Tools

Tools for bug hunting, pentesting and auditing in Git, exposing bad configurations and secret keys.
Problem: developers and companies that use Git for version control sometimes forget that they are exposing private configuration, which others could use for their own benefit.

1 – Git-all-secrets

A tool to capture all the git secrets by leveraging multiple open source git searching tools.

  • Clone multiple public/private GitHub repositories of an organization and scan them
  • Clone multiple public/private GitHub repositories of a user that belongs to an organization and scan them
  • Clone a single public/private repository of an organization and scan it
  • Clone a single public/private repository of a user and scan it
  • Clone a single public/secret gist of a user and scan it
  • Clone a team’s repositories in an organization and scan them
  • All of the above together!! Oh yeah!! Simply provide an organization name and get all their secrets. If you also want to get secrets of a team within an organization, just mention the team name along with the org.
  • Clone and scan GitHub Enterprise repositories and gists as well

Source: https://github.com/anshumanbh/git-all-secrets

2 – Repo-security-scanner

CLI tool that finds secrets accidentally committed to a git repo, e.g. passwords, private keys.

  • Run it against your entire repo’s history by piping in the output of git log -p

Source: https://github.com/UKHomeOffice/repo-security-scanner

3 – Repo-supervisor

Scan your code for security misconfiguration, search for passwords and secrets.

Repo-supervisor is a tool that helps you detect secrets and passwords in your code. It is as easy to install as adding a new webhook to your GitHub repository.

Source: https://github.com/auth0/repo-supervisor

Explained: https://auth0.engineering/detecting-secrets-in-source-code-bd63b0fe4921

4 – Shhgit

Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories.

shhgit helps secure forward-thinking development, operations, and security teams by finding secrets across their code before it leads to a security breach.

Source: https://github.com/eth0izzle/shhgit

5 – Gitleaks

Scan git repos (or files) for secrets using regex and entropy.

Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for finding secrets, past or present, in your code.

Source: https://github.com/zricethezav/gitleaks

Introduction video: https://www.youtube.com/watch?v=VUq2eII20S4

6 – Gitscraper

A tool that scrapes public GitHub repositories for common naming conventions in variables, folders and files.

Gitscraper examines PHP files to build SecLists-style wordlist/dictionary files that can be used against any environment (not just PHP) by pentesters and bounty hunters.

Source: https://github.com/adamtlangley/gitscraper

7 – Git-dumper

A tool to dump a git repository from a website.

The tool will first check if directory listing is available. If it is, then it will just recursively download the .git directory (what you would do with wget).

Source: https://github.com/arthaud/git-dumper

8 – DotGit-Expose-Scanner

Tool to scan for domains that have .git repositories exposed publicly.

A website served from a git working directory risks exposing its .git repository to the public.
This tool checks whether each domain passed as an argument has .git exposed or not.

Source: https://github.com/shubham0d/dotGit-Expose-Scanner

9 – Detect-secrets

An enterprise-friendly way of detecting and preventing secrets in code.

Source: https://github.com/Yelp/detect-secrets

10 – Git-secrets

Prevents you from committing secrets and credentials into git repositories.

git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. If a commit, commit message, or any commit in a --no-ff merge history matches one of your configured prohibited regular expression patterns, then the commit is rejected.

Source: https://github.com/awslabs/git-secrets

11 – TruffleHog

Searches through git repositories for high entropy strings and secrets, digging deep into commit history.

It goes through the entire commit history of each branch, checks each diff from each commit, and looks for secrets.

Source: https://github.com/dxa4481/truffleHog

12 – Gittyleaks

Find sensitive information in a git repo.

Very often, when mocking up or just starting out with a new project on GitHub, sensitive data gets added. API keys, usernames, passwords and emails are easily added... and then forgotten.

Source: https://github.com/kootenpv/gittyleaks

13 – Gitrob

Gitrob is a tool to help find potentially sensitive files pushed to public repositories on GitHub. Gitrob will clone repositories belonging to a user or organization down to a configurable depth, iterate through the commit history and flag files that match signatures for potentially sensitive files. The findings are presented through a web interface for easy browsing and analysis.

Source: https://github.com/michenriksen/gitrob

14 – Git-hound

Hound is a Git plugin that helps prevent sensitive data from being committed into a repository by sniffing potential commits against PCRE regular expressions.

Source: https://github.com/ezekg/git-hound

15 – GitHound – other version

GitHound pinpoints exposed API keys and other sensitive information across all of GitHub using pattern matching, commit history searching, and a unique result scoring system.

Source: https://github.com/tillson/git-hound

16 – Git Scanner Framework

This tool can scan websites for open .git repositories for bug hunting and pentesting purposes, and can dump the content of the .git repositories from the web servers found by the scan. It works with a single target or with a list of targets read from a file.

Source: https://github.com/HightechSec/git-scanner

17 – Gitjacker

Gitjacker downloads git repositories and extracts their contents from sites where the .git directory has been mistakenly uploaded. It will still manage to recover a significant portion of a repository even where directory listings are disabled.

Source: https://github.com/liamg/gitjacker

Explained: https://www.zdnet.com/article/new-gitjacker-tool-lets-you-find-git-folders-exposed-online/

Extra

Build your own Git scanner

Building a GitHub Secrets Scanner: https://developer.okta.com/blog/2021/02/01/building-a-github-secrets-scanner by Vickie Li