Show HN: Nosey Parker, a fast and low-noise secrets detector for textual data

[gopisuvanam]

Can this be used to check if our private keys are saved anywhere (across users and orgs) in github? An employee once accidentally copied some of our private code along with keys into a public repo.

[SnowflakeOnIce]

Yes and no.

On the one hand, Nosey Parker is effectively a special-purpose `grep` with a bunch of security-relevant patterns built-in, including one for PEM-encoded keys: <https://github.com/praetorian-inc/noseyparker/blob/main/data...>

On the other hand, to naively run the check you describe, you would need access to a copy of all of GitHub, which isn't feasible.

What you can do with Nosey Parker is use its GitHub enumeration features to specify your GitHub organization and a list of GitHub usernames you are interested in, and scan against just those. This will implicitly list all the relevant public repositories, clone them, and scan their entire history.

For your use case, another thing you could do is use the new GitHub code search (<https://cs.github.com>) to regex search for particular keys or tokens. That new search seems to cover lots of the public content available on GitHub.

Also, to put some color on this use case: in offensive security engagements (aka "red team" engagements) at Praetorian, we frequently find leaked credentials or tokens on GitHub or elsewhere, which allow us deeper access into the client's systems. It's a significant problem.