README
¶
gitrob2 — find secrets in public GitHub repos, wired into a full bug-bounty recon chain.
A modernized fork of Gitrob by @michenriksen (MIT).
What is gitrob2?
gitrob2 clones the repositories belonging to a GitHub user or organization, walks their commit history, and flags files that match signatures for secrets and other sensitive data. Findings are served in a web interface for easy triage.
It ships as a single self-contained binary — the web UI is embedded, so there are no extra files and no runtime dependencies. It runs on Linux, macOS and Windows, on both amd64 (Intel) and arm64 (Apple Silicon / ARM servers).
About the name: gitrob2 carries a double meaning. The 2 marks it as a second-generation, modernized take on Gitrob — and read aloud, "gitrob-two" nods to "tool", which is exactly what it is.
What's new vs. the original Gitrob
- Go modules + native
go:embed— nodep, nogo-bindata, no code-generation step. - Multi-architecture builds — amd64 and arm64 for Linux, macOS and Windows.
-versionflag and a clearer, example-driven-hhelp screen.recon.sh— a bug-bounty recon chain that wires gitrob2 together with subfinder, github-subdomains, trufflehog and gitleaks.
Installation
Install the whole framework (recommended)
One command installs gitrob2, the reconk recon chain, and all its dependencies (subfinder, github-subdomains, trufflehog, gitleaks). Works on macOS and Kali/Linux:
curl -sSL https://raw.githubusercontent.com/KhitMinnyo/gitrob2/main/install.sh | bash
When it finishes, everything is ready — just run reconk (see Recon chain below). Options:
# only gitrob2 + reconk, skip the external recon tools
curl -sSL .../install.sh | bash -s -- --minimal
Platforms:
gitrob2runs on macOS, Linux and Windows (amd64 + arm64).reconkis aimed primarily at Kali but runs on macOS too — the installer sets up subfinder and the other tools on both, so the experience is the same either way.
If you only want the gitrob2 binary, use one of the methods below.
1. Download a prebuilt binary
Grab the archive for your OS/arch from the releases page, unzip it, and put the binary on your $PATH:
unzip gitrob2_linux_arm64_*.zip
sudo mv gitrob2 /usr/local/bin/
gitrob2 -version
2. Install with Go (>= 1.16)
go install github.com/KhitMinnyo/gitrob2@latest
The binary lands in $(go env GOPATH)/bin; make sure that directory is on your $PATH.
3. Docker
docker run --rm -e GITROB_ACCESS_TOKEN=<token> -p 9393:9393 \
ghcr.io/KhitMinnyo/gitrob2 acmecorp
Build a multi-arch image yourself:
docker buildx build --platform linux/amd64,linux/arm64 -t gitrob2 .
GitHub access token
gitrob2 needs a GitHub access token. Create a personal access token (no scopes required for public data) and export it:
export GITROB_ACCESS_TOKEN=<your token>
Or pass it per run with -github-access-token <token> (watch your shell history).
Usage
gitrob2 [options] target [target2] ... [targetN]
A target is a GitHub username or organization name.
# Scan a single organization
gitrob2 acmecorp
# Scan a user and save the results for later
gitrob2 -save ~/scan.json octocat
# Re-open a saved session in the web interface
gitrob2 -load ~/scan.json
When a scan finishes, gitrob2 keeps running and serves the results at http://127.0.0.1:9393. Press Ctrl+C to stop. Run gitrob2 -h for all options.
Recon chain (reconk)
For bug-bounty recon, gitrob2 is most useful as one link in a chain. The installer sets up the chain as the reconk command, which orchestrates the whole flow:
subfinder ─┐
├─► all-subdomains ─► (api.* highlighted)
github-subdomains ─┘
│
▼
secret scanning: gitrob2 + trufflehog + gitleaks
│
▼
secret validation (trufflehog --only-verified)
│
▼
report.md
Why this beats gitrob2 alone: subdomain enumeration maps the attack surface (API hosts especially — api., graphql., gateway. are highlighted automatically), while the secret-scan stage checks the org's GitHub footprint for leaked credentials and verifies them so you report real impact, not noise.
Run it
# Run with no arguments to see the help menu
reconk
export GITHUB_TOKEN=ghp_xxx
# Subdomains only
reconk -d example.com --no-secrets
# Full chain: subdomains + verified secrets across two GitHub orgs
reconk -d example.com -g exampleinc -g example-labs
Results are written to recon-<domain>-<timestamp>/, including all-subdomains.txt, api-subdomains.txt, per-org secret findings under secrets/, and a consolidated report.md.
Each tool is optional — if one isn't installed, that stage is skipped with a warning. The one-command installer sets them all up; to install manually: subfinder, github-subdomains, trufflehog, gitleaks.
⚠️ Only run
reconkagainst assets you are explicitly authorized to test. The validation stage sends test requests to third-party APIs using discovered credentials — keep it inside your program's scope.
Building from source
gitrob2 uses Go modules and embeds its web assets with go:embed, so a normal build is all you need:
go build -o gitrob2 .
Release archives for every supported OS/architecture:
./build.sh
Credits & license
gitrob2 is a fork of Gitrob, created by Michael Henriksen (@michenriksen) — all credit for the original tool, signatures and web UI belongs to him. See NOTICE.md.
Licensed under the MIT License (see LICENSE.txt), preserving the original copyright.
Documentation
¶
There is no documentation for this package.