Top Related Projects
- Find, verify, and analyze leaked credentials
- Protect and discover secrets using Gitleaks 🔑
- Prevents you from committing secrets and credentials into git repositories
- Find, verify, and analyze leaked credentials
- Using a pre-commit hook, Talisman validates the outgoing changeset for things that look suspicious, such as tokens, passwords, and private keys.
Quick Overview
Gitrob is a tool for scanning GitHub repositories for sensitive information and potentially exposed secrets. It helps security professionals and developers identify files that may contain passwords, API keys, or other confidential data that shouldn't be publicly accessible on GitHub.
Pros
- Automated scanning of multiple repositories
- Customizable pattern matching for identifying sensitive information
- Generates comprehensive reports of findings
- Integrates well with CI/CD pipelines for continuous security checks
Cons
- May produce false positives, requiring manual review of results
- Limited to scanning GitHub repositories only
- Requires careful configuration to avoid over-scanning and API rate limiting
- Not actively maintained (last update was in 2019)
Getting Started
To get started with Gitrob:
- Install Gitrob:
  go get github.com/michenriksen/gitrob
- Set up a GitHub access token with the necessary permissions.
- Run Gitrob:
  gitrob -github-access-token <YOUR_GITHUB_TOKEN> <TARGET_GITHUB_USER_OR_ORG>
- Review the generated report for potential security issues.
Note: Always ensure you have permission to scan repositories before using Gitrob.
Competitor Comparisons
Find, verify, and analyze leaked credentials
Pros of Trufflehog
- More actively maintained with frequent updates
- Supports scanning multiple repositories and organizations
- Includes advanced features like regex pattern matching and entropy analysis
Cons of Trufflehog
- May produce more false positives due to its aggressive scanning approach
- Requires more configuration to fine-tune results effectively
- Can be slower when scanning large repositories or organizations
Code Comparison
Gitrob (Ruby):
def scan_repository(repository)
  repository.commits.each do |commit|
    scan_commit(commit)
  end
end
Trufflehog (Python):
from git import NULL_TREE, Repo  # GitPython

def scan_repo(repo_path):
    repo = Repo(repo_path)
    for commit in repo.iter_commits():
        # A root commit has no parent; diff it against the empty tree instead
        parent = commit.parents[0] if commit.parents else NULL_TREE
        for blob in commit.diff(parent):
            scan_blob(blob)
Both tools iterate through commits and scan for sensitive information, but Trufflehog's implementation allows for more granular analysis of file changes between commits.
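The commit walk both snippets describe, written out as an added example (not Gitrob's or Trufflehog's own code) in Go, Gitrob's current implementation language. It models a repository history in memory (the `Commit`, `ChangedBlob` types and `SampleHistory` data are constructed for illustration), diffs each commit against its parent so that only changed blobs are handed to a scanner, and honours a commit-depth limit like Gitrob's `-commit-depth` option. The sample history shows why walking history matters: the placeholder token committed in `c2` is removed again in `c3`, so a scan of HEAD alone would never see it.

```go
package main

import (
	"fmt"
	"sort"
)

// Commit is a constructed in-memory model of one commit: its files and
// their content. A real scanner would obtain this from git.
type Commit struct {
	SHA   string
	Files map[string]string // path -> content at this commit
}

// ChangedBlob is one file added or modified by a commit, the unit a
// commit-diff scanner inspects.
type ChangedBlob struct {
	CommitSHA string
	Path      string
	Content   string
}

// DiffCommits returns the blobs that are new or changed in child relative
// to parent. A nil parent (root commit) diffs against the empty tree, so
// every file counts as added. Deleted files produce nothing to scan.
func DiffCommits(parent, child *Commit) []ChangedBlob {
	var out []ChangedBlob
	for p, content := range child.Files {
		if parent != nil {
			if old, ok := parent.Files[p]; ok && old == content {
				continue // unchanged since the parent commit
			}
		}
		out = append(out, ChangedBlob{child.SHA, p, content})
	}
	// Map iteration order is random; sort for deterministic output.
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// WalkHistory walks commits newest-first (the order git log uses), stops
// after depth commits (Gitrob's -commit-depth) and collects every changed
// blob. history[0] is the oldest commit, history[len-1] the newest.
func WalkHistory(history []Commit, depth int) []ChangedBlob {
	var blobs []ChangedBlob
	processed := 0
	for i := len(history) - 1; i >= 0 && processed < depth; i-- {
		var parent *Commit
		if i > 0 {
			parent = &history[i-1]
		}
		blobs = append(blobs, DiffCommits(parent, &history[i])...)
		processed++
	}
	return blobs
}

// SampleHistory is constructed test data: a placeholder token is committed
// in c2 and replaced by a variable reference in c3.
func SampleHistory() []Commit {
	return []Commit{
		{"c1", map[string]string{"README.md": "# demo"}},
		{"c2", map[string]string{"README.md": "# demo", "config.yml": "token: EXAMPLE_NOT_A_REAL_TOKEN"}},
		{"c3", map[string]string{"README.md": "# demo", "config.yml": "token: ${TOKEN}"}},
	}
}

func main() {
	for _, b := range WalkHistory(SampleHistory(), 500) {
		fmt.Printf("%s %s: %q\n", b.CommitSHA, b.Path, b.Content)
	}
}
```

Diffing against the parent keeps the work proportional to what changed rather than to repository size, which is the granularity advantage the comparison text attributes to Trufflehog; the depth limit is the knob that trades history coverage for scan time on large organizations.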
Protect and discover secrets using Gitleaks 🔑
Pros of Gitleaks
- Actively maintained with regular updates and improvements
- Supports scanning local repositories, GitHub, and GitLab
- Highly customizable with extensive configuration options
Cons of Gitleaks
- Focuses primarily on secret detection, while Gitrob offers broader reconnaissance capabilities
- May require more setup and configuration for optimal results
Code Comparison
Gitleaks (Go):
func (d *Detector) Detect() ([]Report, error) {
	var reports []Report
	for _, f := range d.files {
		for _, r := range d.rules {
			if r.Match(f.Content) {
				reports = append(reports, NewReport(f, r))
			}
		}
	}
	return reports, nil
}
Gitrob (Ruby):
def scan_file(blob)
  @signatures.each do |signature|
    if signature.match(blob)
      @findings << Finding.new(
        :caption => signature.caption,
        :description => signature.description,
        :file_name => blob.path,
        :commit => blob.owner
      )
    end
  end
end
Both tools use similar approaches for scanning files and matching against predefined patterns. Gitleaks uses Go for better performance, while Gitrob is written in Ruby, which may be easier for some users to customize.
Prevents you from committing secrets and credentials into git repositories
Pros of git-secrets
- Lightweight and easy to integrate into existing Git workflows
- Focuses specifically on preventing secrets from being committed
- Can be used as a pre-commit hook for immediate feedback
Cons of git-secrets
- Limited to scanning local repositories
- Requires manual setup and configuration for each repository
- Less comprehensive in terms of overall security analysis
Code Comparison
git-secrets:
#!/usr/bin/env bash
git secrets --scan "$@"
Gitrob:
module Gitrob
  class CLI < Thor
    desc "analyze TARGETS", "Analyze one or more organizations or users"
    def analyze(*targets)
      # Analysis logic here
    end
  end
end
Key Differences
- git-secrets is primarily a command-line tool, while Gitrob offers a more comprehensive web interface
- Gitrob performs broader analysis of GitHub organizations and users, while git-secrets focuses on preventing secret leaks in local repositories
- git-secrets is more suitable for individual developers and small teams, whereas Gitrob is better suited for larger organizations with multiple repositories
Both tools serve important roles in securing Git repositories, with git-secrets excelling at preventing accidental commits of sensitive information and Gitrob providing a more comprehensive security analysis of GitHub organizations.
Using a pre-commit hook, Talisman validates the outgoing changeset for things that look suspicious, such as tokens, passwords, and private keys.
Pros of Talisman
- Pre-commit hook integration, preventing sensitive data from being committed
- Customizable rules and configurations for specific project needs
- Supports multiple version control systems (Git, Mercurial)
Cons of Talisman
- Requires installation on each developer's machine
- May slow down the commit process due to pre-commit checks
- Limited to scanning only staged changes, not the entire repository history
Code Comparison
Talisman (Go):
func addFileNamePattern(pattern string) (FileNamePattern, error) {
	regex, err := regexp.Compile(pattern)
	if err != nil {
		return FileNamePattern{}, err
	}
	return FileNamePattern{regex}, nil
}
Gitrob (Ruby):
def analyze
  repo_observer = Gitrob::ObserverFactory.create(:repo)
  blob_observer = Gitrob::ObserverFactory.create(:blob)
  @repositories.each do |repository|
    analyze_repository(repository, repo_observer, blob_observer)
  end
end
Both tools aim to detect sensitive information in repositories, but they approach the task differently. Talisman focuses on preventing sensitive data from being committed, while Gitrob scans entire repositories for potential security issues. The code snippets show Talisman's pattern matching functionality and Gitrob's repository analysis process.
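The two rule styles shown in the Gitleaks/Gitrob and Talisman/Gitrob comparisons above, file-name patterns and content patterns, combined into one blob scanner as an added Go example. This is not Gitrob's, Gitleaks' or Talisman's own code: the `Signature`, `Blob` and `Finding` types, the four signatures in `Signatures` and the files in `SampleBlobs` are all constructed here for illustration (the key material is a placeholder string). The `Finding` fields follow the `Finding.new` call in the Ruby snippet, and the scan is the same nested blobs-by-rules loop the Go snippet uses.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
)

// Blob is the unit both tools inspect: a file path plus its content.
type Blob struct {
	Path    string
	Content string
}

// Signature holds one rule. Exactly one of FileName (Talisman-style, matched
// against the base name of the path) or Content (Gitleaks-style, matched
// against the file body) is set.
type Signature struct {
	Caption     string
	Description string
	FileName    *regexp.Regexp
	Content     *regexp.Regexp
}

// Finding carries the fields Gitrob's Finding.new receives in the snippet above.
type Finding struct {
	Caption     string
	Description string
	FileName    string
}

// Signatures is a constructed, illustrative rule set, not any tool's real list.
var Signatures = []Signature{
	{Caption: "Private key file", Description: "PEM/OpenSSH private key by extension or name",
		FileName: regexp.MustCompile(`(?i)(\.pem|\.key|^id_(rsa|dsa|ecdsa|ed25519))$`)},
	{Caption: "Environment file", Description: ".env files often hold credentials",
		FileName: regexp.MustCompile(`^\.env(\..+)?$`)},
	{Caption: "Private key block", Description: "PEM private key header in content",
		Content: regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)},
	// The value class excludes '$' so references such as ${DB_PASSWORD}
	// are not reported; a literal value still is.
	{Caption: "Hard-coded password", Description: "password assignment with a literal value",
		Content: regexp.MustCompile(`(?i)password\s*[:=]\s*["']?[^"'\s$]{4,}`)},
}

// Match applies one signature to one blob.
func (s Signature) Match(b Blob) bool {
	if s.FileName != nil {
		return s.FileName.MatchString(path.Base(b.Path))
	}
	return s.Content != nil && s.Content.MatchString(b.Content)
}

// ScanBlobs is the nested loop from the comparison: every blob against every
// signature, one Finding per hit.
func ScanBlobs(blobs []Blob, sigs []Signature) []Finding {
	var findings []Finding
	for _, b := range blobs {
		for _, s := range sigs {
			if s.Match(b) {
				findings = append(findings, Finding{s.Caption, s.Description, b.Path})
			}
		}
	}
	return findings
}

// SampleBlobs is constructed input; the key text is a placeholder, not a real key.
func SampleBlobs() []Blob {
	return []Blob{
		{"src/main.go", "package main\n"},
		{"deploy/.env.production", "DB_PASSWORD=example-placeholder\n"},
		{"certs/server.key", "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"},
		{"docs/setup.md", "Set password = ${DB_PASSWORD} in the env file.\n"},
	}
}

func main() {
	for _, f := range ScanBlobs(SampleBlobs(), Signatures) {
		fmt.Printf("%-22s %s (%s)\n", f.Caption, f.FileName, f.Description)
	}
}
```

Running it reports the `.env` file twice (by name and by its literal password), the key file twice (by extension and by PEM header), and nothing for `docs/setup.md`, whose `${DB_PASSWORD}` is a variable reference rather than a secret. That last case is where the false-positive tuning the cons lists above happens: a content rule that is too loose turns every documentation page into a finding.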
README
Gitrob: Putting the Open Source in OSINT
Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob clones the repositories belonging to a user or organization, iterates through the commit history down to a configurable depth, and flags files that match signatures for potentially sensitive files. The findings are presented through a web interface for easy browsing and analysis.
Usage
gitrob [options] target [target2] ... [targetN]
Options
  -bind-address string
        Address to bind web server to (default "127.0.0.1")
  -commit-depth int
        Number of repository commits to process (default 500)
  -debug
        Print debugging information
  -github-access-token string
        GitHub access token to use for API requests
  -load string
        Load session file
  -no-expand-orgs
        Don't add members to targets when processing organizations
  -port int
        Port to run web server on (default 9393)
  -save string
        Save session to file
  -silent
        Suppress all output except for errors
  -threads int
        Number of concurrent threads (default number of logical CPUs)
Saving session to a file
By default, gitrob stores its state for an assessment in memory, so the results of an assessment are lost when Gitrob is closed. You can save the session to a file with the -save option:
gitrob -save ~/gitrob-session.json acmecorp
Gitrob will save all the gathered information to the specified file path as a special JSON document. The file can be loaded again for browsing at another point in time, shared with other analysts or parsed for custom integrations with other tools and systems.
Loading session from a file
A session stored in a file can be loaded with the -load option:
gitrob -load ~/gitrob-session.json
Gitrob will start its web interface and serve the results for analysis.
Installation
A precompiled version is available for each release, alternatively you can use the latest version of the source code from this repository in order to build your own binary.
Make sure you have a correctly configured Go >= 1.8 environment and that $GOPATH/bin is in your $PATH:
$ go get github.com/michenriksen/gitrob
This command will download gitrob, install its dependencies, compile it and move the gitrob executable to $GOPATH/bin.
Github access token
Gitrob will need a Github access token in order to interact with the Github API. Create a personal access token and save it in an environment variable in your .bashrc or similar shell configuration file:
export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
Alternatively you can specify the access token with the -github-access-token option, but watch out for your command history!