DEV.co
Open-Source Security · hisxo

gitGraber

gitGraber is a Python-based monitoring tool that searches GitHub in real-time for exposed sensitive data (API keys, secrets, credentials) across 31+ services including AWS, Stripe, Twilio, and Mailgun. It integrates with Slack, Discord, and Telegram for notifications and maintains a local history to avoid duplicate findings.

Source: GitHub — github.com/hisxo/gitGraber
2.3k
GitHub stars
355
Forks
Python
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryhisxo/gitGraber
Ownerhisxo
Primary languagePython
LicenseGPL-3.0 — OSI-approved
Stars2.3k
Forks355
Open issues11
Latest releaseUnknown
Last updated2026-03-26
Sourcehttps://github.com/hisxo/gitGraber

What gitGraber is

A Python3 OSINT/red-team tool that queries GitHub's API using regex patterns to detect credential leaks in newly indexed files, with support for multi-token GitHub authentication to manage rate limits, cron-based monitoring, and webhook-driven alerting to Slack/Discord/Telegram endpoints.

Quickstart

Get the gitGraber source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/hisxo/gitGraber.gitcd gitGraber# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Bug Bounty & OSINT Reconnaissance

Security researchers and bug bounty hunters can monitor for exposed credentials tied to target organizations, third-party service providers, or employee repositories to identify initial access vectors or leaked API keys.

Continuous Secrets Monitoring

Red teams and penetration testers can run gitGraber on a 30-minute cron schedule to maintain a real-time alert feed of newly exposed secrets within scope, feeding findings to Slack or Discord war rooms.

Internal Security Posture Assessment

Organizations can monitor their own domain names, service keywords, or employee patterns on GitHub to catch accidental credential commits by internal teams or third-party vendors before external exploitation.

Implementation considerations

  • Requires GitHub Personal Access Tokens (PATs) configured in config.py; store tokens securely (environment variables, secrets manager, not in version control).
  • Relies on regex pattern accuracy; regex list in tokens.py must be manually maintained and updated as service API key formats evolve.
  • Rate limiting: gitGraber handles GitHub API abuse detection by switching between multiple configured tokens; plan for token rotation or quota management if monitoring at scale.
  • Cron scheduling (-m flag) is platform-dependent (Linux/macOS); Windows users require task scheduler or alternative scheduling layer.
  • Webhook URL configuration (Slack, Discord, Telegram) must be created and validated before deployment; misconfigured webhooks silently fail.

When to avoid it — and what to weigh

  • Require Legal Certainty on Credential Use — Using discovered credentials without explicit authorization is illegal in most jurisdictions. This tool is designed for discovery; legal review and proper authorization chains are mandatory before acting on findings.
  • Need High-Precision, Low False-Positive Detection — The README explicitly acknowledges regex-based detection produces false positives. If you need production-grade secret scanning with validated accuracy, consider purpose-built SaaS scanners (e.g., TruffleHog, GitHub's native secret scanning).
  • Require Guaranteed Stability & Release Cycle — No formal releases are documented (latestRelease: null). The tool is community-maintained; breaking changes, unannounced API shifts, or long-term support cannot be guaranteed.
  • Operating Under Strict Compliance Regimes — GPL-3.0 licensing and the tool's offensive nature may conflict with conservative enterprise compliance policies or vendor assessments. Requires legal/procurement review before organizational use.

License & commercial use

Licensed under GPL-3.0 (GNU General Public License v3.0). This is a copyleft open-source license that requires any derivative works or distributed modifications to also be released under GPL-3.0 with source code disclosure.

GPL-3.0 permits commercial use of the software itself, but imposes significant restrictions: (1) you must provide source code to any recipients, (2) modifications must be released under the same license, (3) your proprietary integrations or extensions may be subject to copyleft obligations. Commercial use without distributing the tool is lower-risk; bundling it into a commercial product or SaaS offering requires legal review. No warranty, support, or licensing agreement from authors.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitPossible
Assessment confidenceMedium
Security considerations

gitGraber discovers and exfiltrates sensitive data (API keys, private keys, tokens). Users are responsible for secure storage, transmission, and handling of findings. The tool is intentionally offensive and may violate terms of service or law if used without proper authorization. No built-in encryption for local storage (rawGitUrls.txt, discovered credentials in logs). Webhook URLs and GitHub tokens in config.py are plain-text secrets requiring protection. Consider air-gapped or isolated deployment if handling production secrets.

Alternatives to consider

TruffleHog (Truffle Security)

Purpose-built secret scanning with entropy detection, regex patterns, and verifiable credential validation. Supports GitHub, GitLab, local repos, and is actively maintained by a security company with higher accuracy and lower false-positive rates.

GitHub's Native Secret Scanning (Advanced Security)

Built into GitHub Enterprise; automatically detects and alerts on leaked secrets without custom regex. Lower operational overhead but higher cost and less flexibility for custom detection patterns.

Gitleaks

Standalone, multi-language credential detector with rule engine, configurable regex, and JSON output. Lighter-weight than gitGraber with no external dependencies, though lacks real-time GitHub monitoring and webhook notifications.

Software development agency

Build on gitGraber with DEV.co software developers

gitGraber is ideal for security teams and bug bounty hunters seeking lightweight, real-time credential discovery. Review the GPL-3.0 license and authorization requirements, then set up GitHub tokens and webhook alerts to start monitoring.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

gitGraber FAQ

Can I use gitGraber to scan private repositories or repositories I don't own?
No. gitGraber queries GitHub's public search API and respects GitHub's authorization model. Scanning without authorization is a violation of GitHub's ToS and potentially illegal. Always obtain written permission before testing external targets.
What happens if I find a real credential with gitGraber?
Document it responsibly. If it belongs to a target in scope (bug bounty, authorized test), report via the program's vulnerability disclosure policy. If it's a third party or unknown owner, consider notifying GitHub abuse or the affected service provider via responsible disclosure.
Why am I seeing false positives in the regex matches?
The README acknowledges false positives are common. Edit tokens.py to add blacklist patterns (e.g., specific prefixes or strings to exclude). Contribute improvements back to the project or maintain a forked version with better regexes.
Can I run multiple instances of gitGraber concurrently?
Technically yes, but they will share the same GitHub token quota and rawGitUrls.txt file, causing race conditions and duplicate processing. A central message queue or database would be needed for safe distributed deployment (not provided).

Custom software development services

Adopting gitGraber is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Ready to Deploy Real-Time Secret Monitoring?

gitGraber is ideal for security teams and bug bounty hunters seeking lightweight, real-time credential discovery. Review the GPL-3.0 license and authorization requirements, then set up GitHub tokens and webhook alerts to start monitoring.