A Go-based tool for scanning GitHub repositories for leaked API keys and security credentials.
- Scans GitHub repositories for common patterns of sensitive information
- Supports multiple types of credentials:
- API Keys
- Secret Keys
- AWS Access Keys
- AWS Secret Keys
- Slack Tokens
- GitHub Tokens
- Private Keys
- Database URLs
- JWT Tokens
- Email Passwords
- Uses GitHub's search API for efficient scanning
- Configurable search patterns
- Environment-based configuration
- Sensitive data redaction
- Rate limiting
- Progress tracking
- File size and extension filtering
- Scan statistics
- Make sure you have Go 1.21 or later installed
- Clone this repository
- Install dependencies:
go mod download
The tool can be configured using environment variables or a .env file. Create a .env file in the project root with the following variables:
# GitHub API Configuration
GITHUB_TOKEN=your_github_token_here
# Rate Limiting
RATE_LIMIT=30
# Output Configuration
OUTPUT_FILE=findings.json
OUTPUT_FORMAT=json # or 'text'
# Logging Configuration
LOG_LEVEL=info
LOG_FORMAT=json
# Security Settings
ENABLE_REDACTION=true
REDACTION_PATTERN=****
# File Filtering
MAX_FILE_SIZE=1048576 # 1MB in bytes
FILE_EXTENSIONS=py,js,json,env # Comma-separated list
# Progress Display
SHOW_PROGRESS=true| Variable | Description | Default |
|---|---|---|
| GITHUB_TOKEN | GitHub personal access token | (required) |
| RATE_LIMIT | Maximum requests per minute | 30 |
| OUTPUT_FILE | Output file for findings | findings.json |
| OUTPUT_FORMAT | Output format (json/text) | json |
| LOG_LEVEL | Logging level (debug, info, warn, error) | info |
| LOG_FORMAT | Log format (json, text) | json |
| ENABLE_REDACTION | Enable redaction of sensitive data | true |
| REDACTION_PATTERN | Pattern to use for redaction | **** |
| HTTP_TIMEOUT | HTTP client timeout | 30s |
| MAX_FILE_SIZE | Maximum file size to scan (bytes) | 1048576 (1MB) |
| FILE_EXTENSIONS | Comma-separated list of file extensions to scan | (all files) |
| SHOW_PROGRESS | Show progress during scan | true |
- Create a GitHub Personal Access Token with
reposcope - Set up your
.envfile or environment variables - Run the tool:
go run main.go -query "your search query"
Search for potential API keys in Python files:
go run main.go -query "filename:*.py"Search in specific file extensions:
# In .env file:
FILE_EXTENSIONS=py,js,jsonLimit file size:
# In .env file:
MAX_FILE_SIZE=524288 # 512KBThe tool provides:
- Real-time progress display
- Scan statistics:
- Total files found
- Files scanned
- Files skipped
- Total findings
- Scan duration
- Findings saved to file in JSON or text format
- Never commit your
.envfile or any files containing sensitive information - The
.gitignorefile is configured to exclude sensitive files - Enable redaction in production environments
- Use appropriate rate limiting to avoid API abuse
- Review and validate findings before taking action
MIT License