DEV.co
Open-Source Security · tillson

git-hound

GitHound is a Go-based tool that scans GitHub's public repositories and Gists for exposed API keys, secrets, and credentials using pattern matching and GitHub's Code Search API. It combines regex rules, entropy analysis, and commit history examination to identify leaked secrets across all of GitHub, not just targeted repos.

Source: GitHub — github.com/tillson/git-hound
1.4k
GitHub stars
204
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorytillson/git-hound
Ownertillson
Primary languageGo
LicenseMIT — OSI-approved
Stars1.4k
Forks204
Open issues4
Latest releasev3.2 (2025-11-20)
Last updated2026-02-10
Sourcehttps://github.com/tillson/git-hound

What git-hound is

GitHound leverages GitHub's Code Search API with dork-based queries, applies Gitleaks-maintained API key regex patterns, and uses Shannon entropy and dictionary checks to filter false positives. It supports base64 decoding, commit history scanning, custom regex rules, and JSON output for pipeline integration.

Quickstart

Get the git-hound source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/tillson/git-hound.gitcd git-hound# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Bug Bounty & Security Research

Hunt for exposed employee API tokens, internal service credentials, and leaked secrets across GitHub to discover high-impact vulnerabilities in target organizations. Multi-threaded search with commit history digging accelerates reconnaissance.

Corporate Incident Response & Exposure Detection

Proactively search for your organization's exposed API keys, customer credentials, and service tokens on public repositories. Pipe results into custom validation scripts to test key validity and identify at-risk accounts.

DevSecOps Secret Monitoring Pipeline

Integrate GitHound into security workflows via JSON output and custom regex rules to continuously scan for organization-specific secret patterns, enabling automated alerting and remediation workflows.

Implementation considerations

  • GitHub API token must be configured in config.yml or via GITHOUND_GITHUB_TOKEN environment variable; rate limits apply (typically 30 requests per minute for authenticated requests).
  • Commit history and file digging (--dig-commits, --dig-files) are CPU-intensive; adjust --threads parameter (default 20) based on available resources and GitHub API quota.
  • Custom regex rules can be supplied via --rules flag (Gitleaks folder or custom regex file) to target organization-specific secret patterns beyond built-in Gitleaks rules.
  • Results include false positives; scoring system (--no-scoring to disable) filters low-confidence matches using entropy, dictionary checks, and uniqueness calculations.
  • Dashboard integration (--dashboard flag) streams results to GitHound Explore web UI; keep in mind external dependency and data handling implications of cloud dashboard.

When to avoid it — and what to weigh

  • Internal Repository Scanning — GitHound is designed for public GitHub scanning only. It does not scan private repos or on-premise Git systems; use dedicated secret scanning solutions (TruffleHog, git-secrets) for internal CI/CD.
  • Real-Time Prevention Requirement — GitHound is a detection and reconnaissance tool, not a prevention layer. GitHub's native Push Token Scanning detects leaks at commit time; GitHound finds already-exposed secrets after the fact.
  • Zero Development Overhead Needed — Requires API token setup, config file management, and potential GitHub API rate-limit planning. Organizations seeking fully managed SaaS solutions may prefer GitHub's native secret scanning.
  • Compliance-Heavy Environments — Unknown security audit history, code review process, and signed release practices. Requires review before use in regulated environments (healthcare, finance) with strict software provenance requirements.

License & commercial use

MIT License. Permissive open-source license allowing unrestricted commercial use, modification, and distribution with attribution.

MIT is an OSI-approved permissive license. Commercial use is explicitly permitted. No commercial restrictions, licensing fees, or vendor lock-in. Review only if your threat model requires source code escrow or vendor support SLAs.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

GitHound scans public GitHub content and does not modify repositories; no code execution risk on scanned repos. Requires safeguarding of GitHub API token (risk of exposure via config files or logs). Unknown whether disclosed findings (leaked secrets) are responsibly disclosed to affected parties; operator bears responsibility for ethical use. No audit logging of scan activity in the tool itself.

Alternatives to consider

TruffleHog

Scans Git repositories (local, remote, cloud) with entropy-based detection; supports private repos and on-premise systems. Broader scope but lower GitHub-specific dork coverage.

GitHub Push Token Scanning (native)

Real-time detection of leaked secrets at push time for organizations using GitHub. Prevents leaks; does not hunt already-exposed secrets. No manual scanning or API overhead.

Gitleaks

Standalone secret scanner for local and remote repos with configurable regex rules. Lighter-weight than GitHound; less GitHub-centric reconnaissance capability but suitable for CI/CD pipelines.

Software development agency

Build on git-hound with DEV.co software developers

Download GitHound, configure your GitHub API token, and begin scanning for leaked credentials across public repositories. Integrate into your bug bounty or security research workflow.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

git-hound FAQ

Does GitHound scan private repositories?
No. GitHound uses GitHub's Code Search API to scan public repositories and Gists only. For private repo scanning, use TruffleHog or git-secrets.
What is a GitHub dork and how do I use it?
A GitHub dork is a custom search query targeting specific file names, extensions, or content patterns. Pass it via --query flag or stdin (e.g., echo 'AKIA' | git-hound). GitHound Explore (https://githoundexplore.com/github-dorks) provides a database of example dorks.
How do I avoid false positives?
GitHound uses adaptive scoring (entropy, dictionary checks, uniqueness) enabled by default. Disable with --no-scoring if needed for comprehensive output. Fine-tune via custom --rules or increase specificity of dorks.
Can I use GitHound in a CI/CD pipeline?
Yes. Use --json flag to output structured results, --query-file to batch multiple searches, and pipe to custom scripts for validation and alerting. Configure GITHOUND_GITHUB_TOKEN environment variable to avoid config file exposure.

Software developers & web developers for hire

Adopting git-hound is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Start Hunting Exposed Secrets on GitHub

Download GitHound, configure your GitHub API token, and begin scanning for leaked credentials across public repositories. Integrate into your bug bounty or security research workflow.