Gitrob – OSINT gathering tool for GitHub (michenriksen.com)
Please, don't blur if you want to redact. Instead, use a uniform, opaque color. See http://dheera.net/projects/blur and https://news.ycombinator.com/item?id=8078747.
Context: I just looked at some of the screenshots showing example findings. While it is thoughtful to blur some sensitive information, it is clear that blurring is not enough. I hope that we can get this message out.
Looks like the author has since taken your advice although the thumbnails remain uncensored.
The patterns definition file, listing the things that this tool detects as potentially sensitive, is worth a look: https://github.com/michenriksen/gitrob/blob/master/patterns....
Special award for most meta pattern:
"part": "filename",
"type": "regex",
"pattern": "\\A\\.?gitrobrc\\z",
"caption": "Well, this is awkward... Gitrob configuration file",So, I guess the hint here is "Run this on your own organization before someone else does."
Fantastic concept and execution.
I would note that by the time this sensitive code hits Github, it's already too late. Criminals who mine PII/secrets use the Github event firehose to analyze code pushes in near-realtime.
It would be great to integrate this code as a pre-commit hook, so that code doesn't even get into the tree if it's sensitive.
Excellent point. I wonder if it would be feasible to put this kind of check in a pre-commit pipeline to prevent it actually getting committed in the first place.
Or even better, github could have an opt-in (or even opt-out) server side variant for pushes!
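As an added illustration of the two ideas above (the pattern format quoted from Gitrob's definitions file, and running the same checks as a pre-commit hook), here is a small Ruby checker that is not part of Gitrob or this thread. Only the gitrobrc entry comes from the page; the other pattern entries, the `part` values (`filename`, `extension`, `path`) and `type` values (`regex`, `match`) are assumptions modelled on that snippet, and the staged-file list comes from `git diff --cached`.

```ruby
require 'json'

# Constructed pattern list in the shape quoted in the thread. Only the
# gitrobrc entry is taken from the page; the other entries and the
# part/type values are assumptions, not Gitrob's own patterns file.
PATTERNS_JSON = <<~'JSON'
  [
    {"part": "filename",  "type": "regex", "pattern": "\\A\\.?gitrobrc\\z",
     "caption": "Well, this is awkward... Gitrob configuration file"},
    {"part": "extension", "type": "match", "pattern": "pem",
     "caption": "Potential private key"},
    {"part": "filename",  "type": "match", "pattern": ".env",
     "caption": "Environment file, often holds credentials"},
    {"part": "path",      "type": "regex", "pattern": "(\\A|/)\\.ssh/id_[a-z0-9]+\\z",
     "caption": "SSH private key"}
  ]
JSON
PATTERNS = JSON.parse(PATTERNS_JSON)

# Pick the component of a repo-relative path that a pattern applies to.
def subject_for(path, part)
  name = File.basename(path)
  case part
  when 'filename'  then name
  when 'extension' then name.include?('.') ? name.split('.').last : ''
  else path # "path": the whole repo-relative path
  end
end

# Return [path, caption] pairs for every pattern that fires on a path.
def check_paths(paths, patterns = PATTERNS)
  paths.flat_map do |path|
    patterns.select do |p|
      subject = subject_for(path, p['part'])
      p['type'] == 'regex' ? Regexp.new(p['pattern']).match?(subject) : subject == p['pattern']
    end.map { |p| [path, p['caption']] }
  end
end

# Files added or modified in the index, i.e. what the commit would contain.
def staged_paths
  `git diff --cached --name-only --diff-filter=AM`.split("\n").reject(&:empty?)
end

# Invoked from .git/hooks/pre-commit as: ruby check_secrets.rb --hook
if $PROGRAM_NAME == __FILE__ && ARGV.include?('--hook')
  hits = check_paths(staged_paths)
  hits.each { |path, caption| warn "blocked: #{path}: #{caption}" }
  exit(hits.empty? ? 0 : 1)
end
```

A non-zero exit from the hook aborts the commit, so the file never reaches the tree, let alone a push; matching on the staged path list keeps the check cheap enough to run on every commit.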