Gitrob – OSINT gathering tool for GitHub (opens in new tab)

(michenriksen.com)

63 pointsneilwillgettoit11y ago7 comments

7 comments

Please, don't blur if you want to redact. Instead, use a uniform, opaque color. See http://dheera.net/projects/blur and https://news.ycombinator.com/item?id=8078747.

Context: I just looked at some of the screenshots showing example findings. While it is thoughtful to blur some sensitive information, it is clear that blurring is not enough. I hope that we can get this message out.

feistyio11y ago

Looks like the author has since taken your advice although the thumbnails remain uncensored.

sjackso11y ago

The patterns definition file, listing the things that this tool detects as potentially sensitive, is worth a look: https://github.com/michenriksen/gitrob/blob/master/patterns....

Special award for most meta pattern:

    "part": "filename",
    "type": "regex",
    "pattern": "\\A\\.?gitrobrc\\z",
    "caption": "Well, this is awkward... Gitrob configuration file",

rcthompson11y ago

So, I guess the hint here is "Run this on your own organization before someone else does."

ceslami11y ago

Fantastic concept and execution.

I would note that by the time this sensitive code hits Github, its already too late. Criminals who mine PII/secrets use the Github event firehose to analyze code pushes in near-realtime.

It would be great to integrate this code as a pre-commit hook, so that code doesn't even get into the tree if its sensitive.

gknoy11y ago

Excellent point. I wonder if it would be feasible to put this kind of check in a pre-commit pipeline to prevent it actually getting committed in the first place.

0x011y ago

Or even better, github could have an opt-in (or even opt-out) server side variant for pushes!

j / k navigate · click thread line to collapse