GitHub search is a powerful and useful feature that can be used to find sensitive data in repositories. This is a collection of GitHub dorks that can reveal sensitive personal and/or organizational information such as private keys, credentials, authentication tokens, etc.

This list is intended to be useful for assessing security and performing pen-testing of systems. The script in this repository is a simple Python tool that can search through your repository or your organization/user repositories. It's not a perfect tool at the moment, but it provides basic functionality to automate the search on your repositories against the dorks specified in a text file.


This tool uses an external client library to talk to the GitHub Search API.

Clone this repository and run:

pip install -r requirements.txt

GH_USER – Environment variable to specify the GitHub user
GH_PWD – Environment variable to specify the password
GH_TOKEN – Environment variable to specify a GitHub token
GH_URL – Environment variable to specify the GitHub Enterprise base URL

Some example usages are listed below:

python -r techgaun/github-dorks
# search single repo

python -u techgaun
# search all repos of user

python -u dev-nepal
# search all repos of an organization

GH_USER=techgaun GH_PWD=<mypass> python -u dev-nepal
# search as authenticated user

GH_TOKEN=<github_token> python -u dev-nepal
# search using auth token

GH_URL= python -u dev-nepal
# search a GitHub Enterprise instance


  • Authenticated requests get a higher rate limit. But since this tool waits for the API rate limit to be reset (which is usually less than a minute), it can be slightly slow.
  • Output formatting is not great. PR welcome
  • Handle rate limit and retry. PR welcome

List of Dorks

I am not categorizing at the moment. Instead, I am just going to list the dorks with a description. Many of the dorks can be modified to make the search more specific or generic. You can see more options here.

| Dork | Description |
| --- | --- |
| `filename:.npmrc _auth` | npm registry authentication data |
| `filename:.dockercfg auth` | docker registry authentication data |
| `extension:pem private` | private keys |
| `extension:ppk private` | puttygen private keys |
| `filename:id_rsa or filename:id_dsa` | private ssh keys |
| `extension:sql mysql dump` | mysql dump |
| `extension:sql mysql dump password` | mysql dump, look for password; you can try varieties |
| `filename:credentials aws_access_key_id` | might return false negatives with dummy values |
| `filename:.s3cfg` | might return false negatives with dummy values |
| `filename:wp-config.php` | wordpress config files |
| `filename:.htpasswd` | htpasswd files |
| `filename:.env DB_USERNAME NOT homestead` | laravel .env (CI, various ruby based frameworks too) |
| `filename:.env smtp` | smtp configuration (try different smtp services too) |
| `filename:.git-credentials` | git credentials store, add NOT username for more valid results |
| `PT_TOKEN language:bash` | pivotaltracker tokens |
| `filename:.bashrc password` | search for passwords, etc. in .bashrc (try with .bash_profile too) |
| `filename:.bashrc mailchimp` | variation of above (try more variations) |
| `filename:.bash_profile aws` | aws access and secret keys |
| `password` | Amazon RDS possible credentials |
| `extension:json api.forecast.io` | try variations, find api keys/secrets |
| `extension:json mongolab.com` | mongolab credentials in json configs |
| `extension:yaml mongolab.com` | mongolab credentials in yaml configs (try with yml) |
| `jsforce extension:js conn.login` | possible salesforce credentials in nodejs projects |
| `SF_USERNAME salesforce` | possible salesforce credentials |
| `filename:.tugboat NOT _tugboat` | Digital Ocean tugboat config |
| `HEROKU_API_KEY language:shell` | Heroku api keys |
| `HEROKU_API_KEY language:json` | Heroku api keys in json files |
| `filename:.netrc password` | netrc that possibly holds sensitive credentials |
| `filename:_netrc password` | netrc that possibly holds sensitive credentials |
| `filename:hub oauth_token` | hub config that stores github tokens |
| `filename:robomongo.json` | mongodb credentials file used by robomongo |
| `filename:filezilla.xml Pass` | filezilla config file with possible user/pass to ftp |
| `filename:recentservers.xml Pass` | filezilla config file with possible user/pass to ftp |
| `filename:config.json auths` | docker registry authentication data |
| `filename:idea14.key` | IntelliJ Idea 14 key, try variations for other versions |
| `filename:config irc_pass` | possible IRC config |
| `filename:connections.xml` | possible db connections configuration, try variations to be specific |
| `filename:express.conf path:.openshift` | openshift config, only email and server though |
| `filename:.pgpass` | PostgreSQL file which can contain passwords |
| `filename:proftpdpasswd` | Usernames and passwords of proftpd created by cpanel |
| `filename:ventrilo_srv.ini` | Ventrilo configuration |
| `[WFClient] Password= extension:ica` | WinFrame-Client infos needed by users to connect to Citrix Application Servers |
| `filename:server.cfg rcon password` | Counter Strike RCON Passwords |
| `JEKYLL_GITHUB_TOKEN` | Github tokens used for jekyll |
| `filename:.bash_history` | Bash history file |
| `filename:.cshrc` | RC file for csh shell |
| `filename:.history` | history file (often used by many tools) |
| `filename:.sh_history` | korn shell history |
| `filename:sshd_config` | OpenSSH server config |
| `filename:dhcpd.conf` | DHCP service config |
| `filename:prod.exs NOT prod.secret.exs` | Phoenix prod configuration file |
| `filename:prod.secret.exs` | Phoenix prod secret |
| `filename:configuration.php JConfig password` | Joomla configuration file |
| `filename:config.php dbpasswd` | PHP application database password (e.g., phpBB forum software) |
| `path:sites databases password` | Drupal website database credentials |
| `shodan_api_key language:python` | Shodan API keys (try other languages too) |
| `filename:shadow path:etc` | Contains encrypted passwords and account information of new unix systems |
| `filename:passwd path:etc` | Contains user account information including encrypted passwords of traditional unix systems |
| `extension:avastlic ""` | Contains license keys for Avast! Antivirus |
| `filename:dbeaver-data-sources.xml` | DBeaver config containing MySQL Credentials |
| `filename:.esmtprc password` | esmtp configuration |
| `extension:json googleusercontent client_secret` | OAuth credentials for accessing Google APIs |
| `HOMEBREW_GITHUB_API_TOKEN language:shell` | Github token usually set by homebrew users |
| `xoxp OR xoxb` | Slack bot and private tokens |
| `password` | MLAB Hosted MongoDB Credentials |
| `filename:logins.json` | Firefox saved password collection (key3.db usually in same repo) |
| `filename:CCCam.cfg` | CCCam Server config file |
| `msg nickserv identify filename:config` | Possible IRC login passwords |
| `SECRET_KEY` | Django secret keys (usually allows for session hijacking, RCE, etc) |
| `filename:secrets.yml password` | Usernames/passwords, Rails applications |
| `filename:master.key path:config` | Rails master key (used for decrypting credentials.yml.enc for Rails 5.2+) |
| `filename:deployment-config.json` | Created by sftp-deployment for Atom, contains server details and credentials |
| `filename:.ftpconfig` | Created by remote-ssh for Atom, contains SFTP/SSH server details and credentials |
| `filename:.remote-sync.json` | Created by remote-sync for Atom, contains FTP and/or SCP/SFTP/SSH server details and credentials |
| `filename:sftp.json path:.vscode` | Created by vscode-sftp for VSCode, contains SFTP/SSH server details and credentials |
| `filename:sftp-config.json` | Created by SFTP for Sublime Text, contains FTP/FTPS or SFTP/SSH server details and credentials |
| `filename:WebServers.xml` | Created by Jetbrains IDEs, contains webserver credentials with encoded passwords (not encrypted!) |
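The same dork syntax can be applied to a local checkout before anything is pushed, which catches the files above without the GitHub Search API or its rate limits. This is an added example, not code from the github-dorks project; the dork subset, the qualifier handling (`filename:`, `extension:`, `path:`, `NOT`, `or`, bare content keywords, `language:` ignored) and the planted placeholder files are constructed for the demo.

```python
import tempfile
from pathlib import Path
# Constructed subset of the dork list above, in the same query syntax.
DORKS = ["filename:.npmrc _auth", "filename:id_rsa or filename:id_dsa",
         "extension:pem private", "filename:.env DB_USERNAME NOT homestead"]

def parse_dork(dork):
    # filename:/extension:/path: qualifiers, NOT, "or" between filename: terms,
    # and bare keywords that must occur in the content; language: is ignored.
    rule = {"filename": [], "extension": [], "path": [], "keywords": [], "not": []}
    negate = False
    for tok in dork.split():
        if tok.upper() == "NOT":
            negate = True
            continue
        key, _, val = tok.partition(":")
        if val and key in ("filename", "extension", "path"):
            rule[key].append(val.lower())
        elif tok.lower() != "or" and key != "language":
            rule["not" if negate else "keywords"].append(tok.strip('"').lower())
        negate = False
    return rule

def matches(rule, rel, text):
    # rel: Path relative to the tree root; text: decoded file content.
    name, parent, low = rel.name.lower(), rel.parent.as_posix().lower(), text.lower()
    ext = rel.suffix.lower().lstrip(".")  # '' for dotfiles such as .npmrc
    return ((not rule["filename"] or any(f in name for f in rule["filename"]))
            and (not rule["extension"] or ext in rule["extension"])
            and (not rule["path"] or any(p in parent for p in rule["path"]))
            and all(k in low for k in rule["keywords"])
            and not any(n in low for n in rule["not"]))

def scan_tree(root, dorks=DORKS, max_bytes=200_000):
    # Returns (relative path, dork) for every file that some dork matches.
    root, rules, hits = Path(root), [(d, parse_dork(d)) for d in dorks], []
    for p in sorted(root.rglob("*")):
        if p.is_file() and ".git" not in p.parts:
            text = p.read_bytes()[:max_bytes].decode("utf-8", "ignore")
            rel = p.relative_to(root)
            hits += [(rel.as_posix(), d) for d, r in rules if matches(r, rel, text)]
    return hits

def demo():
    # Constructed fixture: a throwaway checkout with planted placeholder files.
    files = {".npmrc": "_auth=PLACEHOLDER\n", ".ssh/id_rsa": "PLACEHOLDER KEY\n",
             ".env": "DB_USERNAME=app\n", "vagrant/.env": "DB_USERNAME=homestead\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(body)
        return scan_tree(tmp)
```

Running `scan_tree(".")` with the full dork list from a repository root gives a pre-push view of what the same dorks would surface once the code is public.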