Git Hound makes it easy to find exposed API keys on GitHub using pattern matching, targeted querying, and a scoring system.
This differs from other OSINT GitHub scanners by searching keywords across GitHub rather than targeting specific repositories, exposing a fundamentally different set of results.
GitRob is an excellent tool that specifically targets an organization or user’s owned repositories for secrets. A pattern-matching, batch-catching secret snatcher. This project is intended to be used for educational purposes.
echo "tillsongalloway.com" | python git-hound.py or
--subdomain-file – The file with the subdomains
--api-keys – Enable generic API key searching. This uses common API key patterns and Shannon entropy to find potential exposed API keys.
--output – The output file (default is stdout)
--output-type – The output type (requires output flag to be set; default is flatfile)
--many-results – Use result sorting to scrape more than 100 pages of results
--results-only – Print only regexed results to stdout. Useful for piping into another script
--all – Print all URLs, including ones with no pattern match. Otherwise, the scoring system will do the work.
--regex-file – Supply a custom regex file
--language-file – Supply a custom file with languages to search.
--config-file – Custom config file (default is
--pages – Max pages to search (default is 100, the page maximum)
--silent – Don't print results to stdout (most reasonably used with --output).
--no-antikeywords – Don't attempt to filter out known mass scans
--only-filtered – Only search filtered queries (languages, file extensions)
--debug – Print debug messages. Helpful for debugging slow expressions.
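The --api-keys option above pairs key-shaped patterns with Shannon entropy. The following is an added example, not Git Hound's own code, that applies the same idea to local text, for instance to check your own files before pushing them. The regexes, the 4.5 bits-per-character threshold, the function names and the sample input are all assumptions made for this example.

```python
import math
import re
from collections import Counter

# Assumed candidate shape: 20+ characters from the usual token alphabet.
CANDIDATE = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")
# Assumed context words that make a token on the same line more suspicious.
CONTEXT = re.compile(r"(?i)(api[_-]?key|secret|token|passw(or)?d)")
ENTROPY_THRESHOLD = 4.5  # assumed cut-off, in bits per character


def shannon_entropy(s: str) -> float:
    """Bits per character of s, from its empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_candidate_keys(text: str, threshold: float = ENTROPY_THRESHOLD):
    """Return (line_no, token, entropy, has_context) for likely secrets."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        has_context = bool(CONTEXT.search(line))
        for match in CANDIDATE.finditer(line):
            token = match.group(0)
            h = shannon_entropy(token)
            # Pattern match alone is noisy; entropy filters out
            # repetitive placeholders and ordinary paths.
            if h >= threshold:
                findings.append((line_no, token, round(h, 2), has_context))
    return findings


# Constructed sample input; the key value is made up for this example.
SAMPLE = """\
# settings for the demo service
API_KEY = "q7Zt2LmX9vB4nK8sR1dY6wPcE3hJ5uGa"
placeholder = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
path = "/usr/local/share/applications/example"
"""

if __name__ == "__main__":
    for line_no, token, h, ctx in find_candidate_keys(SAMPLE):
        print(f"line {line_no}: entropy={h} context={ctx} {token[:6]}...")
```

Lowering the threshold to 3.5 also flags the file path on line 4 of the sample, which shows why the cut-off has to be tuned against false positives.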
- Clone this repo
- Use a Python 3 environment (recommended: virtualenv or Conda)
pip install -r requirements.txt(or
- Set up a config.yml file with GitHub credentials. See config.example.yml for an example. Accounts with 2FA are not currently supported.
echo "tillsongalloway.com" | python git-hound.py