

Gitrob – OSINT gathering tool for GitHub - neilwillgettoit
http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/

======
dj-wonk
Please, don't blur if you want to redact. Instead, use a uniform, opaque
color. See [http://dheera.net/projects/blur](http://dheera.net/projects/blur)
and
[https://news.ycombinator.com/item?id=8078747](https://news.ycombinator.com/item?id=8078747).

Context: I just looked at some of the screenshots showing example findings.
While it is thoughtful to blur some sensitive information, it is clear that
blurring is not enough. I hope that we can get this message out.

~~~
feistyio
Looks like the author has since taken your advice although the thumbnails
remain uncensored.

------
sjackso
The patterns definition file, listing the things that this tool detects as
potentially sensitive, is worth a look:
[https://github.com/michenriksen/gitrob/blob/master/patterns....](https://github.com/michenriksen/gitrob/blob/master/patterns.json)

Special award for most meta pattern:

    {
      "part": "filename",
      "type": "regex",
      "pattern": "\\A\\.?gitrobrc\\z",
      "caption": "Well, this is awkward... Gitrob configuration file"
    }

------
rcthompson
So, I guess the hint here is "Run this on your own organization before someone
else does."

------
ceslami
Fantastic concept and execution.

I would note that by the time this sensitive code hits GitHub, it's already too
late. Criminals who mine PII/secrets use the GitHub event firehose to analyze
code pushes in near real time.

It would be great to integrate this code as a pre-commit hook, so that code
doesn't even get into the tree if it's sensitive.

~~~
gknoy
Excellent point. I wonder if it would be feasible to put this kind of check in
a pre-commit pipeline to prevent it actually getting committed in the first
place.

~~~
0x0
Or even better, github could have an opt-in (or even opt-out) server side
variant for pushes!


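Added example for the pre-commit idea raised by ceslami and gknoy, and for the patterns.json format sjackso links to. This is not code from the thread or from Gitrob itself; it is a small Ruby pre-commit hook that loads a Gitrob-style pattern list and checks the paths staged for the current commit against it. The "filename"/"regex" entry is the one quoted above; the "extension"/"match" and "path" entries, and the sample pattern set as a whole, are constructed for this example and are assumptions about the file format rather than a reading of Gitrob's real patterns.json. Reading staged paths with `git diff --cached --name-only` is the hook's own choice.

```ruby
#!/usr/bin/env ruby
# Added example, not Gitrob's code: a pre-commit hook that applies a
# Gitrob-style patterns.json to the paths staged for commit and refuses
# the commit when any path matches.
require 'json'

# Constructed pattern set in the style of Gitrob's patterns.json. Only the
# first entry is taken from the thread; "extension"/"match" and "path"
# parts are assumed here to behave as their names suggest.
SAMPLE_PATTERNS_JSON = <<~'JSON'
  [
    {
      "part": "filename",
      "type": "regex",
      "pattern": "\\A\\.?gitrobrc\\z",
      "caption": "Well, this is awkward... Gitrob configuration file"
    },
    {
      "part": "extension",
      "type": "match",
      "pattern": "pem",
      "caption": "Potential cryptographic private key"
    },
    {
      "part": "filename",
      "type": "regex",
      "pattern": "\\A\\.?(bash|zsh)?_?history\\z",
      "caption": "Shell command history file"
    },
    {
      "part": "path",
      "type": "regex",
      "pattern": "\\.?aws/credentials\\z",
      "caption": "AWS CLI credentials file"
    }
  ]
JSON

# Parse the JSON list into matchers: a Regexp for "regex" entries,
# a plain string for exact "match" entries.
def load_patterns(json_text)
  JSON.parse(json_text).map do |p|
    matcher = p['type'] == 'regex' ? Regexp.new(p['pattern']) : p['pattern']
    { part: p['part'], matcher: matcher, caption: p['caption'] }
  end
end

# Select the piece of a path that a pattern's "part" applies to.
def path_part(path, part)
  case part
  when 'filename'  then File.basename(path)
  when 'extension' then File.extname(path).delete_prefix('.')
  when 'path'      then path
  else raise ArgumentError, "unknown pattern part #{part.inspect}"
  end
end

def pattern_hits?(value, matcher)
  matcher.is_a?(Regexp) ? matcher.match?(value) : matcher == value
end

# Returns [path, caption] pairs for every path that trips a pattern,
# in the order the paths were given.
def scan_paths(paths, patterns)
  paths.flat_map do |path|
    patterns.select { |p| pattern_hits?(path_part(path, p[:part]), p[:matcher]) }
            .map { |p| [path, p[:caption]] }
  end
end

# Paths staged for the current commit (added, copied, modified, renamed).
# NUL-separated output survives unusual characters in file names.
def staged_paths
  `git diff --cached --name-only --diff-filter=ACMR -z`.split("\0")
rescue Errno::ENOENT
  [] # git not installed: nothing to scan
end

if __FILE__ == $PROGRAM_NAME
  findings = scan_paths(staged_paths, load_patterns(SAMPLE_PATTERNS_JSON))
  findings.each { |path, caption| warn "blocked: #{path}: #{caption}" }
  exit 1 unless findings.empty?
end
```

Drop the script into `.git/hooks/pre-commit` (executable) to have it run before each commit; a non-zero exit aborts the commit, and `git commit --no-verify` is the escape hatch when a match is a false positive. This only inspects paths, as the patterns above do; content-based checks for keys and tokens would need a second pass over `git diff --cached`.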