CHANGELOG.md
+7
Original file line number
Diff line number
Diff line change
@@ -1,5 +1,12 @@
1
1
# Changelog
2
2
3
+
## Release v1.0.16 (October 18th, 2024)
4
+
* Added a brand new HTML output format/report by default, making results a lot easier to navigate! Custom search bar instead of relying on DataTables which can be super slow for large HTML files. We're now also groupping results by Category across all contributors and highlighting results which contain a WARNING keyword.
5
+
* Added certain association results to Contributor results, not all to prevent extra noise.
6
+
* Added the ability to specify a directory for output instead of a file, gitxray creating the filename for you.
7
+
* Removed the concept of 'Verbose' results, merging them with the non-verbose categories.
8
+
* Removed the need for repositories and organizations to start with https://github.com (Thanks to @mattaereal for pointing that out!)
9
+
3
10
## Release v1.0.15 (September 20th, 2024)
4
11
5
12
* Added searching for similar repository names in GitHub, Warning if another repository with the same name and better reputation is found.
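Review bot: "groupping" in the first v1.0.16 bullet should be "grouping". The same bullet is also the place to state that the new default HTML report escapes contributor-supplied strings before they are written into the page or fed to the custom search bar: the values shown under the user_input category in docs/features.md (PGP and SSH key names, text surrounding Armored keys) are typed by arbitrary GitHub users, so the HTML writer has to treat them as untrusted text rather than markup when the report is opened in the analyst's browser.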
README.md
+34-20
@@ -1,45 +1,52 @@
1
1
# Welcome to Gitxray
2
2
Gitxray (short for Git X-Ray) is a multifaceted security tool designed for use on GitHub repositories. It can serve many purposes, including OSINT and Forensics. `gitxray` leverages public GitHub REST APIs to gather information that would otherwise be very time-consuming to obtain manually. Additionally, it seeks out information in unconventional places.
3
3
4
-
The Octocat getting X-Rayed | [](https://github.com/kulkansecurity/gitxray)[](https://pypi.org/project/gitxray)[](https://pypi.org/project/gitxray)[](https://github.com/kulkansecurity/gitxray/blob/main/LICENSE)
[](https://github.com/kulkansecurity/gitxray)[](https://pypi.org/project/gitxray)[](https://pypi.org/project/gitxray)[](https://github.com/kulkansecurity/gitxray/blob/main/LICENSE)
5
+
---
6
+

7
7
<divstyle="clear: both;"></div>
8
8
9
9
# Use cases
10
10
Gitxray can be used to, for example:
11
+
11
12
- Find sensitive information in contributor profiles disclosed by accident within, for example, Armored PGP Keys, or Key Names.
You may also run `gitxray` directly by cloning or downloading its GitHub repository and running.
@@ -68,11 +78,11 @@ python3 -m gitxray.gitxray
68
78
69
79
One of the following must be specified:
70
80
71
-
*`-r, --repository [URL]` - Specify a single repository URL to check. The URL must begin with `https://`. **Example**: `--repository https://github.com/example/repo`
81
+
*`-r, --repository [URL]` - Specify a single repository to check. The URL may optionally begin with `https://github.com/`. **Example**: `--repository https://github.com/example/repo`
72
82
73
83
*`-rf, --repositories-file [FILEPATH]` - Provide a file path containing a list of repositories, each on a new line. The file must exist. **Example**: `--repositories-file ./list_of_repos.txt`
74
84
75
-
*`-o, --organization [URL]` - Specify an organization URL to check all repositories under that organization. The URL must begin with `https://`. **Example**: `--organization https://github.com/exampleOrg`
85
+
*`-o, --organization [URL]` - Specify an organization to check all repositories under that organization. The URL may optionally begin with `https://github.com/`. **Example**: `--organization https://github.com/exampleOrg`
76
86
77
87
### Optional Arguments
78
88
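Review bot: the placeholders for `-r, --repository` and `-o, --organization` still read `[URL]` even though the new text says the `https://github.com/` prefix is optional; rename them (for example `[URL or owner/repo]`) and add a second example showing the short form, such as `--repository example/repo` and `--organization exampleOrg`, so readers know what a bare value looks like and whether anything other than the GitHub host is accepted.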
@@ -84,13 +94,17 @@ You'll find these optional but very handy in common gitxray usage.
84
94
85
95
-`-f, --filters [KEYWORDS]` - Comma-separated keywords to filter the results by, such as 'user_input', 'association', or 'mac'. **Example**: `--filters user_input,association,mac`
86
96
87
-
#### Verbose and Debug
88
-
-`-v, --verbose` - Enable verbose output which, for example, provides a detailed list of public events instead of a summary. **Example**: `--verbose`
97
+
#### Output and Formats
98
+
99
+
-`-out, --outfile [FILEPATH]` - Specify the file path for the output log. Cannot be a directory. **Example**: `--outfile ./output.log`
100
+
101
+
-`-outformat, --output-format [FORMAT]` - Set the format for the log file. Supported formats are `html`, `text` and `json`. Default is `html`. **Example**: `--output-format json`
102
+
103
+
#### Debug
89
104
90
105
-`--debug` - Enable Debug mode for a detailed and extensive output. **Example**: `--debug`
91
106
92
-
#### Output and Formats
107
+
#Terms of Use
93
108
94
-
-`-out, --outfile [FILEPATH]` - Specify the file path for the output log. Cannot be a directory. **Example**: `--outfile ./output.log`
109
+
The user is solely responsible for ensuring that this tool is used in compliance with applicable laws and regulations, including obtaining proper authorization for repository scanning and the distribution of any results generated. Unauthorized use or sharing of results may violate local, national, or international laws.
95
110
96
-
-`-outformat, --output-format [FORMAT]` - Set the format for the log file. Supported formats are `text` and `json`. Default is `text`. **Example**: `--output-format json`
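Review bot: the relocated `-out, --outfile` line still says "Cannot be a directory", which contradicts the v1.0.16 changelog entry that adds directory support with gitxray creating the filename; update the description to say a directory is accepted and how the generated filename is derived. Also, `#Terms of Use` is missing the space after `#`, so it will not render as a heading; the other top-level sections use `# ` with a space.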
docs/features.md
+26-22
@@ -2,17 +2,21 @@
2
2
3
3
Because of the amount of data it analyzes, `gitxray` can be a bit overwhelming at first. Let's look at a few examples of potential awesome findings which can better explain why you're here and why `gitxray` is awesome ♥.
4
4
5
+
## A user-friendly HTML report 📊
6
+
7
+
`gitxray` now offers a default output format of `html`, creating a [Bootstrap](https://www.getbootstrap.com)-backed HTML report which offers easy navigation through Repository, Contributor and non-Contributor results.<divstyle="clear: both;"></div> <divstyle="clear: both;"></div>
8
+
5
9
## Unintended disclosures in Contributor profiles 👀
6
10
7
11
`gitxray` reports under a `user_input` category any user-supplied data that repository Contributors may have exposed via their GitHub accounts inadevertently. This is normally the case of PGP and SSH key name fields, which unfortunately are used by Users to record hostnames, computer models, password locations (e.g. in 1Password), or even the _password itself_ to a given key (which we all know might be the same password used elsewhere). To make things more interesting, `gitxray` also identifies any "excess" data found before, or after, PGP Armored keys published in a User's GitHub account. Wondering what that data normally is? Erroneous copy/pastes from the command line while exporting in ASCII/Armored format their keys. And what might that contain? Most of the times, a shell prompt revealing a local username, a hostname and a directory path. May I remind you all of this data is Public-facing.
8
12
9
13
You may focus specifically on these types of findings by filtering results with:
gitxray -r https://github.com/SampleOrg/SampleRepo -f association
32
36
```
33
37
34
38
### Important
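Review bot: the two clear-float `<div>` elements are appended inline to the end of the HTML-report sentence; one is enough, and it belongs on its own line after a blank line so Markdown does not fold it into the paragraph. While here, "inadevertently" in the following unchanged paragraph should be "inadvertently".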
@@ -41,15 +45,17 @@ Associations MUST NOT be directly and blindly used to report fake or shadow acco
41
45
42
46
## Forensics: What happened on the day of an incident? 🔍
43
47
44
-
Because `gitxray` collects data from multiple sources of activity including Commits, Comments, Workflow Runs, Issues, Deployments and more; and because Verbose mode in `gitxray` shows activity in a standarized YYYY-MM-DD format, it becomes possible to use Filtering in order to place focus on specific activity happening at a specific point in time.
48
+
Because `gitxray` collects data from multiple sources of activity including Commits, Comments, Workflow Runs, Issues, Deployments and more; and because `gitxray` shows activity in a standarized YYYY-MM-DD format, it becomes possible to use Filtering in order to place focus on specific activity happening at a specific point in time.
45
49
46
50
For example, by running `gitxray` with the following arguments, only results from that specific date are returned. You may place focus on a day, or even a month:
gitxray -r https://github.com/SampleOrg/SampleRepo -f 2024-08 -outformat text
54
+
gitxray -r https://github.com/SampleOrg/SampleRepo -f 2024-09-01 -outformat text
51
55
```
52
56
57
+
An outformat of type `text` can help in this specific use-case more than the defaul `html` report.
58
+
53
59
## Analyzing Commit Hours to Identify Anomalies 🕛
54
60
55
61
`gitxray` provides a summary of contributor commit hours, allowing you to profile contributor activity and detect potential anomalies. This feature helps you understand typical patterns and flag unusual behavior for further investigation.
* Reclaimed Usernames: Trusted contributors might have had their accounts deleted and then re-registered by malicious actors. GitHub allows a username to be re-released after 90 days, making this a possible attack vector. Learn more about GitHub’s account deletion policy [here](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/deleting-your-personal-account#deleting-your-personal-account).
64
70
65
-
Although we always recommend running a full unfiltered verbose X-Ray, it is possible to focus on unreliable historic activity by filtering for Warning keywords:
71
+
It is possible to focus on unreliable historic activity by filtering for Warning keywords:
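Review bot: the rewritten Forensics paragraph keeps "standarized" (should be "standardized"), and the sentence added after the example has "defaul" for "default". The example also deserves one clarifying sentence: `-f` is the generic keyword filter described in the README, so `-f 2024-08` selects results that contain that string anywhere, not a date field on the event; a commit message or key name that happens to contain "2024-08" would match as well, which matters when the output is used as an incident timeline.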
@@ -93,17 +99,15 @@ Another `gitxray` feature is the ability to list a TOP 3 of GitHub accounts that
93
99
These findings, if any exist, are reported under a `contributors` category along with additional information related to other Repository Contributors. You can focus specifically on findings from the contributors category by filtering for `contributors` with:
## Fake Starring, Private repos gone Public and more 🙈
103
109
104
-
GitHub shares publicly [up to 90 days of past Events](https://docs.github.com/en/rest/activity/events?apiVersion=2022-11-28) for any User account, which include actions such as Repository creation, Watching, Committing, Pull Requesting, and more. `gitxray` summarizes these events for you and prints them out under a `90d_events` category in the results included for each Contributor, summarized in order to reduce the amount of data listed by default.
105
-
106
-
The summary however can be expanded into a full list of Events by merely turning on _Verbose mode_ (the -v flag). Using _Verbose mode_ is convenient in order to get details on **WHAT** was actioned upon.
110
+
GitHub shares publicly [up to 90 days of past Events](https://docs.github.com/en/rest/activity/events?apiVersion=2022-11-28) for any User account, which include actions such as Repository creation, Watching, Committing, Pull Requesting, and more. `gitxray` includes these events under a `90d_events` category in the results included for each Contributor.
107
111
108
112
For example, Events you may come across that would be interesting include:
109
113
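Review bot: the replacement `90d_events` paragraph drops the only sentence that said how much detail is shown; the removed text explained that the default was a summary and that the full Event list (with what was actioned upon) required Verbose mode. Since Verbose mode has been removed, state explicitly whether the category now lists every event or still a summary, otherwise a reader cannot tell which behaviour survived the merge.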
@@ -118,9 +122,9 @@ To find Contributors who recently switched from Private to Public a repository o
docs/index.md
+1-2
@@ -3,8 +3,7 @@ Gitxray (short for Git X-Ray) is a multifaceted security tool designed for use o
3
3
4
4
The Octocat getting X-Rayed | [](https://github.com/kulkansecurity/gitxray)[](https://pypi.org/project/gitxray)[](https://pypi.org/project/gitxray)[](https://github.com/kulkansecurity/gitxray/blob/main/LICENSE)
* Identifying threat actors in a Repository. [You may spot co-owned or shared accounts](/features/#spotting-shared-co-owned-or-fake-contributors), as well as inspect public events to [spot fake Stargazers](/features/#fake-stars-private-repos-gone-public-and-more).
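Review bot: the anchor `/features/#fake-stars-private-repos-gone-public-and-more` in the added bullet does not match the heading in docs/features.md, which reads "Fake Starring, Private repos gone Public and more" and therefore slugs to `#fake-starring-private-repos-gone-public-and-more`; fix the link or the heading so the cross-reference resolves.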