
Reconnaissance tool for GitHub organizations - vinnyglennon
https://github.com/michenriksen/gitrob
======
jtfairbank
Would be great if there was a local version available, that can check private
repos. You shouldn't commit AWS credentials, etc. even to private repos
(because parts of them might become public in the future, or some developers
should not have access to the live AWS servers).

------
cakeface
This seems genuinely useful, though I'm not exactly sure what criteria the
program uses to determine sensitive information.

~~~
bradleyland
In the README, this description is given of the process:

"When the list of repositories has been compiled, it proceeds to gather all
the filenames in each repository and runs them through a series of observers
that will flag the files, if they match any patterns of known sensitive files.
This step might take a while if the organization is big or if the members have
a lot of public repositories."

Digging into the source code under `/lib/gitrob/observers/`, you'll find
`sensitive_files.rb` [1]. It looks like this class loads patterns from
`patterns.json` [2]. This file contains patterns that match common sensitive
files like private key files, common configuration files, command history
files, and config files. It has the ability to match by path, filename, or
extension.

No tool can look at a file and say for sure if it contains sensitive
information, but this list looks like a good start for flagging common
mistakes. I'm sure the author would appreciate pull requests to patterns.json
as well.

1: https://github.com/michenriksen/gitrob/blob/master/lib/gitrob/observers/sensitive_files.rb

2: https://github.com/michenriksen/gitrob/blob/master/patterns.json
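To make the observer mechanism concrete, here is a small Ruby reimplementation of the idea described above (an added example, not gitrob's own code): it loads a constructed pattern list that targets the three parts of a path (path, filename, extension) with either a literal match or a regex, and reports which paths in a repository's file list get flagged. The field names `part`, `type`, `pattern` and `caption` and the sample patterns are assumptions modelled on the description, not copied from the project.

```ruby
require 'json'

# Constructed sample in the spirit of gitrob's patterns.json: each entry says
# which part of the file path to inspect (path, filename, extension),
# whether to compare literally or by regex, and what to report on a hit.
# Field names and patterns here are assumptions, not copied from the project.
SAMPLE_PATTERNS_JSON = <<~'JSON'
[
  {"part": "extension", "type": "match", "pattern": "pem",
   "caption": "Potential cryptographic private key"},
  {"part": "filename", "type": "regex", "pattern": "\\A\\.?(bash|zsh|sh)_history\\z",
   "caption": "Shell command history file"},
  {"part": "path", "type": "regex", "pattern": "\\.aws/credentials\\z",
   "caption": "AWS CLI credentials file"},
  {"part": "filename", "type": "match", "pattern": "id_rsa",
   "caption": "SSH private key"}
]
JSON

# Split a repository-relative path into the three parts a pattern can target.
def parts_of(path)
  filename = File.basename(path)
  ext = File.extname(filename).sub(/\A\./, '') # dotfiles yield "" here
  { 'path' => path, 'filename' => filename, 'extension' => ext }
end

# Return the captions of every pattern that flags the given path.
def flag_file(path, patterns)
  subject = parts_of(path)
  patterns.select do |p|
    value = subject.fetch(p['part'])
    case p['type']
    when 'match' then value == p['pattern']
    when 'regex' then Regexp.new(p['pattern']).match?(value)
    else false
    end
  end.map { |p| p['caption'] }
end

# Run every path of a repository file list through the observers and
# return only the flagged paths with their captions.
def scan(paths, patterns_json = SAMPLE_PATTERNS_JSON)
  patterns = JSON.parse(patterns_json)
  paths.each_with_object({}) do |path, hits|
    captions = flag_file(path, patterns)
    hits[path] = captions unless captions.empty?
  end
end
```

Calling `scan(['config/server.pem', '.bash_history', 'README.md'])` flags the first two paths and leaves the README out of the result.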

