Gitrob - Reconnaissance tool for GitHub organizations
Gitrob is a command line tool that helps organizations and security
professionals find sensitive information that has been committed to public
GitHub repositories. The tool iterates over all public repositories of an
organization and its members and matches filenames against a range of
patterns for files that typically contain sensitive or dangerous
information, such as private keys, credentials and configuration files.
How it works
Looking for sensitive information in GitHub repositories is not a new idea;
it has been known for a while that things such as private keys and
credentials can be found with GitHub's search functionality. Gitrob,
however, makes it easier to focus the effort on a specific organization.
The first thing the tool does is collect all public repositories of the
organization itself. It then collects all the organization's members and
their public repositories, in order to compile a list of repositories that
might be related or relevant to the organization. Member repositories are
personal and not necessarily connected to the organization, so this second
set will contain some noise that has to be filtered out during analysis.
When the list of repositories has been compiled, it gathers all the
filenames in each repository and runs them through a series of observers
that flag files matching any of the patterns of known sensitive files.
Only filenames and paths are matched, not file contents: a secret stored
in an innocuously named file will not be flagged, and a flagged file still
has to be inspected to confirm it actually contains something sensitive.
This step can take a while if the organization is big or if the members
have a lot of public repositories.
All of the members, repositories and files are saved to a PostgreSQL
database. When everything has been sifted through, Gitrob starts a Sinatra
web server locally on the machine, which serves a simple web application
for analysing the collected data.
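As an added illustration of the observer step described above, the Ruby script below matches a constructed list of repository file paths against a small set of filename, extension and path signatures and groups the hits per repository. It is example code written for this page, not Gitrob's own code or signature database; the signature list, the sample repositories and the rule that skips `.example`/`.sample` style files are assumptions made for the demonstration.

```ruby
# Added example, not Gitrob's own code: a minimal filename "observer" pass.
# The signatures and the sample file tree below are constructed for
# illustration and do not reproduce Gitrob's signature database.
require 'set'

# Each signature tests one part of the path (:extension, :filename or :path),
# either literally (:match) or with a regex (:regex), and carries a caption.
SIGNATURES = [
  { part: :extension, type: :match, pattern: 'pem',           caption: 'Potential cryptographic private key' },
  { part: :extension, type: :match, pattern: 'pkcs12',        caption: 'PKCS#12 certificate/key bundle' },
  { part: :filename,  type: :match, pattern: 'id_rsa',        caption: 'SSH private key' },
  { part: :filename,  type: :match, pattern: '.htpasswd',     caption: 'Apache htpasswd file' },
  { part: :filename,  type: :match, pattern: '.bash_history', caption: 'Shell command history' },
  { part: :filename,  type: :match, pattern: '.npmrc',        caption: 'NPM config, may contain a registry token' },
  { part: :filename,  type: :regex, pattern: /\A\.?(bash|zsh)rc\z/, caption: 'Shell rc file, may export credentials' },
  { part: :path,      type: :match, pattern: 'config/database.yml', caption: 'Rails database credentials' },
  { part: :path,      type: :regex, pattern: %r{(\A|/)\.ssh/},     caption: 'SSH configuration directory contents' },
  { part: :filename,  type: :regex, pattern: /\A\.env(\..+)?\z/,    caption: 'Environment file, often holds secrets' }
].freeze

# Assumed false-positive filter: templates such as .env.example or
# database.yml.sample are checked in on purpose and rarely hold real secrets.
EXAMPLE_SUFFIX = /\.(example|sample|template|dist)\z/i

# Extract the part of the path a signature wants to look at.
def file_part(path, part)
  case part
  when :path      then path
  when :filename  then File.basename(path)
  when :extension then File.extname(path).delete_prefix('.')
  end
end

def matches?(signature, path)
  value = file_part(path, signature[:part])
  case signature[:type]
  when :match then value == signature[:pattern]
  when :regex then signature[:pattern].match?(value)
  end
end

# Return { path:, caption: } for the first matching signature, or nil.
def flag_file(path)
  return nil if EXAMPLE_SUFFIX.match?(File.basename(path))

  sig = SIGNATURES.find { |s| matches?(s, path) }
  sig && { path: path, caption: sig[:caption] }
end

# repos: { 'owner/name' => [file paths] }. Returns only repositories with hits.
def scan_repositories(repos)
  repos.each_with_object({}) do |(repo, files), findings|
    hits = files.filter_map { |f| flag_file(f) }
    findings[repo] = hits unless hits.empty?
  end
end

# Constructed sample data standing in for the file listings Gitrob would
# collect from the organization's and its members' public repositories.
SAMPLE_REPOS = {
  'acme/webapp'   => ['README.md', 'config/database.yml', 'config/database.yml.example',
                      'app/models/user.rb', '.env', '.env.example', '.npmrc'],
  'acme/infra'    => ['terraform/main.tf', 'certs/server.pem', 'scripts/deploy.sh'],
  'jdoe/dotfiles' => ['.bashrc', '.ssh/config', '.ssh/id_rsa', '.bash_history'],
  'jdoe/blog'     => ['index.html', 'posts/2015-01-01.md']
}.freeze

if __FILE__ == $PROGRAM_NAME
  scan_repositories(SAMPLE_REPOS).each do |repo, hits|
    puts repo
    hits.each { |h| puts "  #{h[:path]}  (#{h[:caption]})" }
  end
end
```

Signatures are evaluated in order and the first match wins, which is why `.ssh/id_rsa` is reported as an SSH private key rather than as generic `.ssh/` directory content; when extending the list, put the more specific signature first. Every hit is still only a filename match and needs a look at the actual contents before it is reported.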
Reviewed by Zion3R on 1:34 PM