GitGot is a semi-automated, feedback-driven tool to empower users to rapidly search through troves of public data on GitHub for sensitive secrets.
During search sessions, users will provide feedback to GitGot about search results to ignore, and GitGot prunes the set of results. Users can blacklist files by filename, repository name, username, or a fuzzy match of the file contents.
Blacklists generated from previous sessions can be saved and reused against similar queries (e.g.,
Example Org). Sessions can also be paused and resumed at any time.
Read more about the semi-automated, human-in-the-loop design here: https://know.bishopfox.com/blog/going-semi-automated-in-an-automated-world-using-human-in-the-loop-workflows-to-improve-our-security-tools
 Install the
ssdeep dependency for fuzzy hashing.
Ubuntu/Debian (or equivalent for your distro):
apt-get install libfuzzy-dev ssdeep
or, for Mac OSX:
brew install ssdeep
For Windows or *nix distributions without the
ssdeep package, please see the ssdeep installation instructions.
 After installing
ssdeep, install the Python dependencies using
pip3 install -r requirements.txt
gitgot-docker.sh to build the GitGot docker image (if it doesn't already exist) and execute the dockerized version of the GitGot tool.
gitgot-docker.sh will create and mount
states directories from the host's current working directory. If this
gitgot-docker.sh is executed from the GitGot project directory it will update the docker container with changes to
./gitgot-docker.sh -q example.com
gitgot-docker.sh for specific docker commands)
GitHub requires a token for rate-limiting purposes. Create a GitHub API token with no permissions/no scope. This will be equivalent to public GitHub access, but it will allow access to use the GitHub Search API. Set this token at the top of
gitgot.py as shown below:
ACCESS_TOKEN = "<NO-PERMISSION-GITHUB-TOKEN-HERE>"
(Alternatively, this token can be set as the
GITHUB_ACCESS_TOKEN environment variable)
After adding the token, you are ready to go:
# Default RegEx list and logfile location (/logs/<query>.log) are used when no others are specified. # Query for the string "example.com" using default GitHub search behavior (i.e., tokenization). # This will find com.example (e.g., Java) or example.com (Website) ./gitgot.py -q example.com # Query for the exact string "example.com". See Query Syntax in the next section for more details. ./gitgot.py -q '"example.com"' # Query through GitHub gists ./gitgot.py --gist -q CompanyName # Using GitHub advanced search syntax ./gitgot.py -q "org:github cats" # Custom RegEx List and custom log files location ./gitgot.py -q example.com -f checks/default.list -o example1.log # Recovery from existing session ./gitgot.py -q example.com -r example.com.state # Using an existing session (w/blacklists) for a new query ./gitgot.py -q "Example Org" -r example.com.state
GitGot queries are fed directly into the GitHub code search API, so check out GitHub's documentation for more advanced query syntax.