Open source tool trawls Github repositories for sensitive data

Michael Henriksen, a member of the SoundCloud security team, has been recently tasked with creating a system that will constantly check the company’s GitHub organizations (i.e. repositories) for unintentionally leaked sensitive information.

He did it, and at the same time has developed an open source, command line tool that can be used for occasional checks of the same nature both by companies’ security personnel and by professional penetration testers looking for an easy way into a target organizations’ networks.

GitHub, an extremely popular collaboration service and online code repository, is often used by companies to host both private and public code repositories used by their employees and outside users.

The former occasionally might publish – whether by accident or because they don’t know better – sensitive information such as credentials, private keys, secret tokens, and so on, which can be harvested by attackers and used to compromise the organizations’ systems.

Henriksen’s tool Gitrob makes it easy to search all the public repositories of a company’s GitHub organization, as well as all the public repositories of the organization’s members (the company’s employees).

“When the list of repositories has been compiled, it proceeds to gather all the file names in each repository and runs them through a series of observers that will flag the files, if they match any patterns of known sensitive files,” he explained.

The files that potentially hold sensitive information are then saved in a PostgreSQL database, and can be analyzed via a simple web application.

Henriksen tested the tool against a number of GitHub organizations belonging to several big and small companies. “The tool found several interesting things ranging from low-level, to bad and all the way to company-destroying kind of information disclosure,” he noted, adding that he notified the companies in question of this so that they can remove the information in question.

Gitrob can be downloaded from here, along with additional information about how to install and use it.

More about

Don't miss