Recover deleted and force-pushed GitHub commits and scan them for live secrets.
Revenant finds secrets in commits that are no longer reachable from any branch: deleted commits, force-pushed history, and dangling objects. In the same run it also scans a repo's reachable history, public gists, and, optionally, the whole of GitHub through code search. Every candidate is verified with TruffleHog, deduplicated, attributed to the author who committed it, and ranked by a blast-radius score.
Deleting the commit that leaked a credential, without rotating the credential, is not enough. GitHub keeps the commit objects, so the secret stays reachable by its SHA. Revenant is built to find those.
Built and maintained by smakarim.
Secrets get committed by accident constantly. The usual reaction is to delete the offending commit, or force-push over it, and rotate the key "later." That is not enough. GitHub keeps the underlying commit objects, so a deleted or rewritten commit stays reachable by its SHA, and the secret stays valid until the credential is actually rotated. Deleting is not remediation.
Standard secret scanners (TruffleHog, Gitleaks, GitHound) look at the current state of the repositories you already point them at. The higher-value surface goes unscanned: secrets in deleted and force-pushed commits, in gists, and in unrelated repositories scattered across all of GitHub. Covering that surface today means stitching several narrow tools together by hand.
Revenant exists to cover it in one place. It recovers commits that are no longer reachable from any branch, scans current history and gists, searches all of GitHub for a target's leaks, confirms which secrets are still live, attributes each to the developer who committed it, and ranks findings by blast radius. In testing against public GitHub it surfaced live database credentials in unrelated repositories within seconds.
Revenant is a reconnaissance and orchestration layer. It uses TruffleHog as its detection and verification engine and adds the surfaces and correlation that the tools below do not combine on their own. The table reflects each tool's documented, out-of-the-box behavior.
| Capability | Revenant | TruffleHog | Gitleaks | GitHound | GitDorker |
|---|---|---|---|---|---|
| Reachable git history scan | Yes | Yes | Yes | Yes | No |
| Deleted / force-pushed commit recovery | Yes | Yes (1) | No | No | No |
| Live secret verification | Yes (2) | Yes | No | No | No |
| GitHub-wide code-search dorking | Yes | No | No | Yes | Yes |
| Gist scanning | Yes | Yes | No | Yes | No |
| Org member footprint enumeration | Yes | Partial | No | No | No |
| Key scope / permission analysis | Yes (GitHub) | Yes | No | No | No |
| Developer correlation and blast-radius ranking | Yes | No | No | No | No |
1. TruffleHog recovers deleted and private commits with its experimental `github-experimental --object-discovery` mode. Revenant instead reads the repository activity log, which is immediate and does not brute-force commit hashes.
2. Revenant does not reimplement detection. It runs TruffleHog for detection and verification, so its value is breadth and correlation rather than better detectors: reachable history, deleted commits, gists, and code-search dorking in one pass, deduplicated, attributed to the author, and ranked.
Point Revenant at an organization, a user, or a list of repositories, and in a single run it will:
- Recover deleted work. Find commits force-pushed or deleted out of history and scan them for secrets, using the repository activity log so it is immediate and does not brute-force commit hashes.
- Scan the whole footprint. Cover each repository's current history and public gists, and with `--members` enumerate an organization's members and fold in their personal repos and gists.
- Search all of GitHub. With `--dork`, run a code-search dork corpus across GitHub for the target's leaks and scan every matching file (`--domain`, `--dork-file`, and `--dork-max` refine it).
- Confirm what is live. Verify each finding with TruffleHog so you see which secrets are actually active, not just present; `--verified-only` shows only the live ones.
- Measure the blast radius. With `--analyze`, report what a verified GitHub token can do (its identity and scopes), and rank every finding by a transparent score.
- Attribute and deduplicate. Tie each finding to org, repo, commit, and author with first/last seen, collapse duplicates, and tag each result by `SOURCE` (history, deleted, gist, or dork). Output is a ranked table or JSON.

It is built for real targets: scanning runs concurrently (`--concurrency`), rotates across multiple tokens, and backs off on GitHub rate limits.
Requires Go 1.22 or newer and TruffleHog on your PATH.

```bash
go install github.com/smakarim/revenant/cmd/revenant@latest
```

Or build from source:

```bash
git clone https://github.com/smakarim/revenant
cd revenant
go build -o revenant ./cmd/revenant
```

```bash
revenant --org acme --tokens TOKEN
revenant --user bob --tokens TOKEN --min-score 50
revenant --repos acme/web,acme/api --tokens TOKEN
revenant --org acme --tokens TOKEN -o findings.json
revenant --org acme --tokens TOKEN --dork --analyze --verified-only
```

A token is recommended. The activity log used to find deleted commits needs an authenticated request, and code search requires one. Any free personal access token works. Without a token, discovery falls back to the slower public Events API.
```
SCORE  TYPE    STATUS      SOURCE   AUTHORS  FIRST_COMMIT
172    AWS     VERIFIED    deleted  2        03e0f0f5d25c
60     Github  VERIFIED    history  1        32eaf5a4af9e
22     Stripe  unverified  gist     1        a1b2c3d4e5f6
```

With `--analyze`, verified GitHub tokens get a Key intelligence section:

```
Key intelligence:
[Github] user:bob; scopes: repo, workflow, admin:org
```
| Flag | Description |
|---|---|
| `--org` | Target organization (all of its repos) |
| `--user` | Target user (all of their repos) |
| `--repos` | Explicit owner/name repos, comma-separated |
| `--repos-file` | File of newline-delimited owner/name repos |
| `--tokens` | GitHub personal access tokens, comma-separated |
| `--min-score` | Hide findings below this blast-radius score |
| `--no-history` | Skip scanning each repo's reachable history |
| `--no-deleted` | Skip mining deleted and force-pushed commits |
| `--no-gists` | Skip scanning gists (on by default) |
| `--members` | Enumerate org members and scan their personal repos and gists |
| `--bruteforce` | Brute-force short SHAs (slow keyless fallback; off by default) |
| `--dork` | Search all of GitHub for the target's leaks (requires `--tokens`) |
| `--domain` | Extra dork search term, such as a company domain |
| `--dork-file` | Custom dork templates using `{term}` and `{domain}` |
| `--dork-max` | Cap on total dork hits scanned (default 200) |
| `--analyze` | Report capabilities of verified keys (GitHub tokens) |
| `--verified-only` | Report only secrets confirmed live |
| `--concurrency` | Max repos/gists/dork-hits scanned in parallel (default 8) |
| `-o`, `--output` | Write JSON findings to a file |
```
target -> discover -> fetch -> detect -> validate -> correlate -> report
```

- Discover deleted commits from the repo activity log. `force_push` and `branch_deletion` entries carry the overwritten `before` SHA. Discovery falls back to the Events API, or to short-SHA probing with `--bruteforce`.
- Fetch each commit through the GitHub commits API, which resolves commits by SHA even when they are unreachable from any branch.
- Detect secrets with TruffleHog over the recovered diff, as well as over reachable history, gists, and dork hits.
- Validate each unique secret once to check whether it is still live.
- Correlate, score, and report the results as a ranked table or as JSON.
- Recent window. The activity log and Events API cover roughly the last 90 days and a few hundred events per repo. Older force-pushes would need a GH Archive backfill, which is not built yet (the parser exists behind an interface for it).
- Repos, gists, and dork hits scan concurrently (default 8 workers; tune with `--concurrency`). Brute-force probing within a single repo is still serial, since it is a rate-limited, opt-in fallback. On a single token, high concurrency can cause GitHub to throttle and occasionally skip requests; pass several `--tokens` or lower `--concurrency` for maximum completeness.
- Brute-force is a slow, opt-in fallback. It is rate-limited by GitHub and capped per repo. Prefer a token and the activity tier.
- Live-key intelligence covers GitHub tokens. Other key types are not analyzed yet.
Issues and pull requests are welcome. Keep changes covered by tests (`go test ./...`) and gofmt-clean; CI enforces both. Use only synthetic or revoked credentials in test fixtures.
Revenant was designed and built in collaboration with Claude (Anthropic), credited as a
co-author throughout the commit history via Co-authored-by trailers.
For authorized security testing and assets you own or are permitted to test. You are responsible for complying with the terms of service of any platform you target and with applicable law.
GNU GPL v3. See LICENSE.