Ah Shhgit!

Bug hunters and security researchers have been offered a new tool to search for sensitive material that’s inadvertently been published on code repository GitHub.

Launched earlier this month, Shhgit finds secrets and sensitive files across the GitHub code base by listening to the GitHub Events API.

Secrets such as passwords and connections strings end up being published on GitHub because users fail to sanitize app setting and config files within their code, among other security oversights.

Finding secrets in GitHub is nothing new. Tools such as Gitrob, for example, allow red teamers to dig into commit history to find secret tokens from specific repositories, users, or organisations.

GitHub itself is actively scanning for secrets through its Token Scanning project.

This initiative means that, at least in theory, if any AWS secret keys are committed to GitHub, Amazon will be notified and automatically revoke them.

Shhgit differs from other tools because it isn’t necessary for the user to specify any targets. Instead, the tool taps into the GitHub firehose to automatically flag up leaked secrets.

“With some tweaking of the signatures, shhgit would make for a great addition to your bug bounty hunting workflows,” developer Paul Price said in a discussion thread on Reddit.

Price also wrapped the tool in a web front-end, offering a live stream of the utility in action.

“It uses the 120 signature-based checks in the config.yaml file that looks at filename, file extension and regex on the contents,” the developer explained

“To reduce 'false positives', entropy checks are only ran on matching signatures using Shannon.”

Some code with shhgit is borrowed from Gitrob by Michael Henriksen. Price said he would welcome any improvements to the project.


YOU MIGHT ALSO LIKE GitHub platform improvements are helping orgs keep their dependencies in check