Git Exposed – Pentesting Git Tools
- 1 Git Summary
- 2 1 – Git-all-secrets
- 3 2 – Repo-security-scanner
- 4 3 – Repo-supervisor
- 5 4 – Shhgit
- 6 5 – Gitleaks
- 7 6 – Gitscraper
- 8 7 – Git-dumper
- 9 8 – DotGit-Expose-Scanner
- 10 9 – Detect-secrets
- 11 10 – Git-secrets
- 12 11 – TruffleHog
- 13 12 – Gittyleaks
- 14 13 – Gitrob
- 15 14 – Git-hound
- 16 15 – GitHound – other version
- 17 16 – Git Scanner Framework
- 18 17 – Gitjacker
- 19 Extra
- 20 Build you own Git scanner
Tools to perform, Bug Hunting, Pentesting and audits in Git, expose bad configurations, secret keys.
Problem: Most developers or companies that carry out version control in Git, sometimes forget that they are exposed some private configurations, that many could use them for their own benefit.
1 – Git-all-secrets
A tool to capture all the git secrets by leveraging multiple open source git searching tools
- Clone multiple public/private github repositories of an organization and scan them,
- Clone multiple public/private github repositories of a user that belongs to an organization and scan them,
- Clone a single public/private repository of an organization and scan it,
- Clone a single public/private repository of a user and scan it,
- Clone a single public/secret gist of a user and scan it
- Clone a team’s repositories in an organization and scan them,
- All of the above together!! Oh yeah!! Simply provide an organization name and get all their secrets. If you also want to get secrets of a team within an organization, just mention the team name along with the org.
- Clone and scan Github Enterprise repositories and gists as well.
2 – Repo-security-scanner
CLI tool that finds secrets accidentally committed to a git repo, eg passwords, private keys.
- CLI tool that finds secrets accidentally committed to a git repo, eg passwords, private keys
- Run it against your entire repo’s history by piping the output from
git log -p
3 – Repo-supervisor
Scan your code for security misconfiguration, search for passwords and secrets.
The Repo-supervisor is a tool that helps you to detect secrets and passwords in your code. It’s as easy to install as adding a new webhook to your Github repository.
4 – Shhgit
Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories.
shhgit helps secure forward-thinking development, operations, and security teams by finding secrets across their code before it leads to a security breach.
5 – Gitleaks
Scan git repos (or files) for secrets using regex and entropy.
Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for finding secrets, past or present, in your code.
Introduction video: https://www.youtube.com/watch?v=VUq2eII20S4
6 – Gitscraper
A tool which scrapes public github repositories for common naming conventions in variables, folders and files.
Gitscraper examines PHP files to create SecList / Dictionary files which can be used against any environment ( not just PHP ) for pentesting & bounty hunters.
7 – Git-dumper
A tool to dump a git repository from a website.
The tool will first check if directory listing is available. If it is, then it will just recursively download the .git directory (what you would do with
8 – DotGit-Expose-Scanner
Tool to scan for domains having .git repos exposed publically.
Website hosted from git directory have risk to expose .git repo to public.
This tool will check different domains passed as argument if they have .git
exposed or not.
9 – Detect-secrets
An enterprise friendly way of detecting and preventing secrets in code.
10 – Git-secrets
Prevents you from committing secrets and credentials into git repositories.
git-secrets scans commits, commit messages, and
--no-ff merges to prevent adding secrets into your git repositories. If a commit, commit message, or any commit in a
--no-ff merge history matches one of your configured prohibited regular expression patterns, then the commit is rejected.
11 – TruffleHog
Searches through git repositories for high entropy strings and secrets, digging deep into commit history.
This module will go through the entire commit history of each branch, and check each diff from each commit, and check for secrets.
12 – Gittyleaks
Find sensitive information for a git repo.
Very often it happens that when mocking/just starting out with a new project on github, sensitive data gets added. API keys, usernames, passwords and emails are easily added…. and then forgotten.
13 – Gitrob
Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files. The findings will be presented through a web interface for easy browsing and analysis.
14 – Git-hound
Hound is a Git plugin that helps prevent sensitive data from being committed into a repository by sniffing potential commits against PCRE regular expressions.
15 – GitHound – other version
GitHound pinpoints exposed API keys and other sensitive information across all of GitHub using pattern matching, commit history searching, and a unique result scoring system.
16 – Git Scanner Framework
This tool can scan websites with open
.git repositories for
Pentesting Purposes and can dump the content of the
.git repositories from webservers that found from the scanning method. This tool works with the provided Single target or Mass Target from a file list.
17 – Gitjacker
Gitjacker downloads git repositories and extracts their contents from sites where the
.git directory has been mistakenly uploaded. It will still manage to recover a significant portion of a repository even where directory listings are disabled.
- GitHub for Bug Bounty Hunters: https://gist.github.com/EdOverflow/922549f610b258f459b219a32f92d10b
- Top GitHub Dorks and Tools: https://securitytrails.com/blog/github-dorks
- How to Scan GitHub Repository for Credentials? : https://geekflare.com/github-credentials-scanner/
- GitHub Actions for Security Code Analysis: https://zimmergren.net/github-actions-for-security-code-analysis/
- Git it right—How hackers exploit Git misconfigurations & what to do about it: https://blubracket.com/git-it-right-how-hackers-exploit-git-misconfigurations-what-to-do-about-it/
- About secret scanning : https://docs.github.com/en/code-security/secret-security/about-secret-scanning
- Pwning git: A Proof of Concept (PoC): https://www.pentestpartners.com/security-blog/pwning-git-a-proof-of-concept-poc/
- .git — The Hidden Danger: https://cobalt.io/blog/git-the-hidden-danger
Build you own Git scanner
Building a GitHub Secrets Scanne : https://developer.okta.com/blog/2021/02/01/building-a-github-secrets-scanner by Vickie Li