It's been more than a year since I released the initial version of Gitrob. I haven't had a whole lot of time to expand on it, but now a new and improved version is finally here with a bunch of new features requested by users.
For those who don't know, Gitrob is a command line tool which can help organizations and security professionals find sensitive information lingering in publicly available files on GitHub. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files that typically contain sensitive or dangerous information. Head over to my previous post for more details and screenshots, but be sure to come back here to learn about the new features!
The attention the tool has received has been way over my expectations and I want to thank everyone who has helped spread the word about it. With over 1100 Stars on GitHub, a place in ThoughtWorks' Tech Radar and a mention in The Hacker Playbook 2, I will strive to maintain and build upon the tool more frequently from now on.
The old version of Gitrob only allowed to analyze a single GitHub organization at a time, but the new version allows to mix any number of organizations and users in a single assessment. This is great if a company has multiple organizations or if you have identified GitHub users who work for the target company but don't have their membership publicly visible.
The new version has an improved web application which allows users to run a new assessment directly from the web interface. This is very convenient if Gitrob runs on a server accessible to multiple users as they no longer require command line access to manage assessments.
The new version makes it possible to run Gitrob against custom GitHub Enterprise installations by simply providing the location when creating a new assessment. Note: I unfortunately don't have access to a GitHub Enterprise installation, so I would appreciate if anyone could verify if this works and report any bugs!
In the old version it wasn't really easy to continuously monitor an organization, but the new version makes it possible to compare two assessments to quickly identify new or modified files, users and repositories.
In the small improvements category, the new version detects and highlights interesting values such as IP addresses, domains, tokens and email addresses when viewing a file's content. The new version will also attempt to determine if a file is likely test or mock related and make them less visible so they can easily be skipped.
Apart from the new features, Gitrob v1.0.0 is pretty much a complete rewrite
of the first version and some components have been switched out with better and
more stable components. Gitrob now uses sequel
for database communication, github_api
for GitHub API interaction and thor
for the command line interface. The switch to thor also means that the interface
is a little different from the old version.
gitrob -o acme is now
gitrob analyze acme.
The new version also ships with a bunch of new signatures for files that might contain sensitive information:
Check out signatures.json for the full list of file signatures.
If you have a good idea for a new signature, please don't hesitate to make a Pull Request or simply create an Issue with details and I will look into it!
I am very excited about this release and I hope you are too. Hurry up and run Gitrob against your organization before someone else does! Installation and setup instructions can be found in the README on GitHub.
have fun and be responsible!