Setting our bait in the GitHub Events REST API to wait for the secrets to roll in :D

Yes, it's that easy...
```sh
git clone https://github.com/Stuub/GitHush && cd GitHush
pip3 install -r requirements.txt
python3 GitHush.py --github-token <Your_Access_Token>
# OR
python3 GitHush.py # Falls back to environment variable for personal access token
```

GitHush leverages the GitHub Events API to passively monitor public repository activity for inadvertent exposure of secrets and credentials in near real-time. The tool automates the detection of sensitive information disclosures using targeted regular expression (regex) patterns, fetching content from commits, pull requests, and database files.
- Polls https://api.github.com/events using a personal access token (PAT), respecting GitHub's unauthenticated rate limit of 60 req/hr or 5,000 req/hr with a token.
- Parses PushEvent and PullRequestEvent types, extracting commit and file URLs from payloads.
- Fetches file content or downloads .db files for SQLite inspection.
- Uses a curated set of regex signatures to detect:
  - AWS Auth Keys
  - JWT Tokens
  - OpenAI API Keys
  - SSH Pub & Private keys
  - Plaintext passwords
  - Email Addresses
  - OIDC Tokens
  - Sensitive files (wp-config.php, phpmailer.php, .env, etc.)
  - SMTP Credentials
  - Database connection strings + extracting db info
- Dumps output to JSONL with commit SHA, repo info, file names, and matched secrets.
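To make the pipeline above concrete, here is an added example (not GitHush's own code) that walks one page of events through the same stages offline: pick out PushEvent / PullRequestEvent targets, run context-based signatures over the fetched content, emit a JSONL record, and work out how long to back off from GitHub's rate-limit headers. The event field names (`type`, `repo.name`, `payload.commits[].sha` / `url`, `payload.pull_request.url`) are those of the public Events API; the events, the `wp-config.php` content and the `offline_fetch` stand-in are constructed so nothing touches the network. The same functions work unchanged as a pre-push check over your own repositories.

```python
import json
import re
import time

# Constructed sample of the JSON that GET https://api.github.com/events returns,
# trimmed to the fields used below (type, repo.name, payload.commits[], payload.pull_request).
SAMPLE_EVENTS = [
    {
        "id": "1", "type": "PushEvent",
        "repo": {"name": "example-org/example-app"},
        "payload": {"commits": [
            {"sha": "0123456789abcdef0123456789abcdef01234567",
             "url": "https://api.github.com/repos/example-org/example-app/commits/0123456789abcdef0123456789abcdef01234567"},
        ]},
    },
    {
        "id": "2", "type": "PullRequestEvent",
        "repo": {"name": "example-org/example-app"},
        "payload": {"pull_request": {"url": "https://api.github.com/repos/example-org/example-app/pulls/7"}},
    },
    {"id": "3", "type": "WatchEvent", "repo": {"name": "example-org/other"}, "payload": {}},
]

# Constructed file content standing in for what the commit URL would return.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_admin');
define('DB_PASSWORD', 'hunter2');
$mail->Password = "smtp-secret";
$aws_key = 'AKIAIOSFODNN7EXAMPLE';  // AWS documentation example key, not a live one
"""

# Context-based signatures: the surrounding define(...) / $mail->Password text is part
# of the pattern, so ordinary words or random base64 do not trigger them.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "php_db_define": re.compile(r"define\(\s*['\"]DB_(?:USER|PASSWORD|HOST)['\"]\s*,\s*['\"][^'\"]+['\"]\s*\)"),
    "phpmailer_password": re.compile(r"\$mail->Password\s*=\s*['\"][^'\"]+['\"]"),
}


def extract_targets(events):
    """From a page of events keep only PushEvent commits and PullRequestEvent PRs."""
    targets = []
    for ev in events:
        repo = ev.get("repo", {}).get("name")
        payload = ev.get("payload", {})
        if ev.get("type") == "PushEvent":
            for c in payload.get("commits", []):
                targets.append({"repo": repo, "kind": "commit", "url": c["url"], "sha": c["sha"]})
        elif ev.get("type") == "PullRequestEvent":
            pr = payload.get("pull_request", {})
            if "url" in pr:
                targets.append({"repo": repo, "kind": "pull_request", "url": pr["url"], "sha": None})
    return targets


def scan_text(text):
    """Run every signature over a blob of text; one dict per match."""
    return [{"signature": name, "match": m.group(0)}
            for name, pat in SIGNATURES.items() for m in pat.finditer(text)]


def to_jsonl_line(target, filename, hits):
    """One JSONL record per scanned file, the shape a SIEM ingest can key on."""
    return json.dumps({"repo": target["repo"], "kind": target["kind"], "sha": target["sha"],
                       "file": filename, "hits": hits, "ts": int(time.time())})


def backoff_seconds(headers, now):
    """Seconds to sleep, derived from GitHub's X-RateLimit-Remaining / X-RateLimit-Reset headers."""
    if int(headers.get("X-RateLimit-Remaining", "1")) > 0:
        return 0
    reset = int(headers.get("X-RateLimit-Reset", str(now)))
    return max(0, reset - now) + 1


def process_events(events, fetch_file):
    """fetch_file(target) -> [(filename, content)] is injected so this runs offline."""
    lines = []
    for target in extract_targets(events):
        for filename, content in fetch_file(target):
            hits = scan_text(content)
            if hits:
                lines.append(to_jsonl_line(target, filename, hits))
    return lines


def offline_fetch(target):
    # Stand-in for the HTTP fetch: only the commit target "returns" a file here.
    return [("wp-config.php", SAMPLE_WP_CONFIG)] if target["kind"] == "commit" else []


if __name__ == "__main__":
    for line in process_events(SAMPLE_EVENTS, offline_fetch):
        print(line)
```

Running it prints a single JSONL line for `wp-config.php` with four hits (two `define(...)` lines, the PHPMailer password and the AWS key); the `WatchEvent` is dropped before any fetch, and `backoff_seconds` returns 0 while quota remains and otherwise sleeps until the reset timestamp plus one second.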
- 🔍 High-Signal Filtering: Matches include context-based patterns (e.g., define('DB_USER'...) or $mail->Password = ...)
- 🗄️ DB-Aware Scanning: Discovered & Extracted DB files are parsed, queried, and analysed dynamically.
- 🧪 Regex Library: Includes patterns for over 20 common credential formats (feel free to send me more >:D).
- 📦 JSONL Logging: Structured output allows easy integration with threat intelligence pipelines or SIEMs.
- 🧰 Language/Framework-Aware: Recognizes secrets in PHP, Python, Node.js, CI/CD files, etc.
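The DB-aware scanning step deserves its own worked example, again added here and not taken from GitHush: a downloaded `.db` file is untrusted input, so the code checks the 16-byte SQLite header first, opens the file read-only through a `file:...?mode=ro` URI, enumerates user tables from `sqlite_master`, quotes table names as identifiers rather than interpolating them, and regexes only TEXT cells while skipping BLOBs. The sample database, its contents and the two signatures are constructed; a real run would reuse the full signature library.

```python
import os
import re
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"

# Two illustrative signatures; a real scanner reuses the same library as the file scanner.
DB_SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "connection_string": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s'\"]+"),
}


def is_sqlite_file(path):
    """Check the 16-byte header before handing an arbitrary download to sqlite3."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def scan_sqlite(path, max_rows_per_table=10000):
    """Open read-only, enumerate user tables, regex every TEXT cell; BLOBs are skipped."""
    hits = []
    if not is_sqlite_file(path):
        return hits
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            q = '"' + table.replace('"', '""') + '"'  # quote the identifier, never interpolate raw
            cols = [r[1] for r in con.execute(f"PRAGMA table_info({q})")]
            try:
                rows = con.execute(f"SELECT rowid, * FROM {q} LIMIT ?", (max_rows_per_table,))
                for rowid, *cells in rows:
                    for col, cell in zip(cols, cells):
                        if not isinstance(cell, str):
                            continue
                        for name, pat in DB_SIGNATURES.items():
                            for m in pat.finditer(cell):
                                hits.append({"table": table, "column": col, "rowid": rowid,
                                             "signature": name, "match": m.group(0)})
            except sqlite3.DatabaseError:
                continue  # e.g. a WITHOUT ROWID table or a corrupt page: skip it, keep going
    finally:
        con.close()
    return hits


def build_sample_db(path):
    """Constructed stand-in for a leaked application database."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE settings (key TEXT, value TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, avatar BLOB);
    """)
    con.executemany("INSERT INTO settings VALUES (?, ?)", [
        ("theme", "dark"),
        ("db_url", "postgres://app_user:s3cret@db.internal:5432/app"),
        ("aws_key", "AKIAIOSFODNN7EXAMPLE"),  # AWS documentation example key, not a live one
    ])
    con.execute("INSERT INTO users (email, avatar) VALUES (?, ?)", ("a@example.test", b"\x89PNG"))
    con.commit()
    con.close()


def demo():
    """Build the sample .db in a temp dir, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.db")
        build_sample_db(path)
        return scan_sqlite(path)


if __name__ == "__main__":
    for h in demo():
        print(h)
```

`demo()` returns two hits, both from `settings.value`: the connection string (which also carries the database username and password) and the AWS key; the email address and the PNG blob produce nothing because only the two signatures above are loaded.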
If you have any suggestions, regex ideas, or issues, feel free to make a PR or Issue and I'll be sure to check it out.