Gitrob – OSINT gathering tool for GitHub

Gitrob – OSINT gathering tool for GitHub(michenriksen.com)

63 points by neilwillgettoit 11 years ago | 7 comments

dj-wonk 11 years ago |

Please, don't blur if you want to redact. Instead, use a uniform, opaque color. See http://dheera.net/projects/blur and https://news.ycombinator.com/item?id=8078747.

Context: I just looked at some of the screenshots showing example findings. While it is thoughtful to blur some sensitive information, it is clear that blurring is not enough. I hope that we can get this message out.

feistyio 11 years ago | |

Looks like the author has since taken your advice although the thumbnails remain uncensored.

sjackso 11 years ago |

The patterns definition file, listing the things that this tool detects as potentially sensitive, is worth a look: https://github.com/michenriksen/gitrob/blob/master/patterns....

Special award for most meta pattern:

    "part": "filename",
    "type": "regex",
    "pattern": "\\A\\.?gitrobrc\\z",
    "caption": "Well, this is awkward... Gitrob configuration file",

rcthompson 11 years ago |

So, I guess the hint here is "Run this on your own organization before someone else does."

ceslami 11 years ago |

Fantastic concept and execution.

I would note that by the time this sensitive code hits Github, its already too late. Criminals who mine PII/secrets use the Github event firehose to analyze code pushes in near-realtime.

It would be great to integrate this code as a pre-commit hook, so that code doesn't even get into the tree if its sensitive.

gknoy 11 years ago | |

Excellent point. I wonder if it would be feasible to put this kind of check in a pre-commit pipeline to prevent it actually getting committed in the first place.

0x0 11 years ago | | |

Or even better, github could have an opt-in (or even opt-out) server side variant for pushes!