Hacker News new | ask | show | jobs
Gitrob – OSINT gathering tool for GitHub (michenriksen.com)
63 points by neilwillgettoit 4171 days ago
4 comments
dj-wonk 4171 days ago
Please, don't blur if you want to redact. Instead, use a uniform, opaque color. See http://dheera.net/projects/blur and https://news.ycombinator.com/item?id=8078747.

Context: I just looked at some of the screenshots showing example findings. While it is thoughtful to blur some sensitive information, it is clear that blurring is not enough. I hope that we can get this message out.

link
feistyio 4170 days ago
Looks like the author has since taken your advice although the thumbnails remain uncensored.
link
sjackso 4171 days ago
The patterns definition file, listing the things that this tool detects as potentially sensitive, is worth a look: https://github.com/michenriksen/gitrob/blob/master/patterns....

Special award for most meta pattern:

    "part": "filename",
    "type": "regex",
    "pattern": "\\A\\.?gitrobrc\\z",
    "caption": "Well, this is awkward... Gitrob configuration file",
link
rcthompson 4171 days ago
So, I guess the hint here is "Run this on your own organization before someone else does."
link
ceslami 4171 days ago
Fantastic concept and execution.

I would note that by the time this sensitive code hits Github, its already too late. Criminals who mine PII/secrets use the Github event firehose to analyze code pushes in near-realtime.

It would be great to integrate this code as a pre-commit hook, so that code doesn't even get into the tree if its sensitive.

link
gknoy 4171 days ago
Excellent point. I wonder if it would be feasible to put this kind of check in a pre-commit pipeline to prevent it actually getting committed in the first place.
link
0x0 4171 days ago
Or even better, github could have an opt-in (or even opt-out) server side variant for pushes!
link