gitrob2

command module
v0.0.0-...-a914375 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 8, 2026 License: MIT Imports: 7 Imported by: 0

README

gitrob2

gitrob2 — find secrets in public GitHub repos, wired into a full bug-bounty recon chain.

A modernized fork of Gitrob by @michenriksen (MIT).


What is gitrob2?

gitrob2 clones the repositories belonging to a GitHub user or organization, walks their commit history, and flags files that match signatures for secrets and other sensitive data. Findings are served in a web interface for easy triage.

It ships as a single self-contained binary — the web UI is embedded, so there are no extra files and no runtime dependencies. It runs on Linux, macOS and Windows, on both amd64 (Intel) and arm64 (Apple Silicon / ARM servers).

About the name: gitrob2 carries a double meaning. The 2 marks it as a second-generation, modernized take on Gitrob — and read aloud, "gitrob-two" nods to "tool", which is exactly what it is.

What's new vs. the original Gitrob

  • Go modules + native go:embed — no dep, no go-bindata, no code-generation step.
  • Multi-architecture builds — amd64 and arm64 for Linux, macOS and Windows.
  • -version flag and a clearer, example-driven -h help screen.
  • recon.sh — a bug-bounty recon chain that wires gitrob2 together with subfinder, github-subdomains, trufflehog and gitleaks.

Installation

One command installs gitrob2, the reconk recon chain, and all its dependencies (subfinder, github-subdomains, trufflehog, gitleaks). Works on macOS and Kali/Linux:

curl -sSL https://raw.githubusercontent.com/KhitMinnyo/gitrob2/main/install.sh | bash

When it finishes, everything is ready — just run reconk (see Recon chain below). Options:

# only gitrob2 + reconk, skip the external recon tools
curl -sSL .../install.sh | bash -s -- --minimal

Platforms: gitrob2 runs on macOS, Linux and Windows (amd64 + arm64). reconk is aimed primarily at Kali but runs on macOS too — the installer sets up subfinder and the other tools on both, so the experience is the same either way.

If you only want the gitrob2 binary, use one of the methods below.

1. Download a prebuilt binary

Grab the archive for your OS/arch from the releases page, unzip it, and put the binary on your $PATH:

unzip gitrob2_linux_arm64_*.zip
sudo mv gitrob2 /usr/local/bin/
gitrob2 -version

2. Install with Go (>= 1.16)

go install github.com/KhitMinnyo/gitrob2@latest

The binary lands in $(go env GOPATH)/bin; make sure that directory is on your $PATH.

3. Docker

docker run --rm -e GITROB_ACCESS_TOKEN=<token> -p 9393:9393 \
  ghcr.io/KhitMinnyo/gitrob2 acmecorp

Build a multi-arch image yourself:

docker buildx build --platform linux/amd64,linux/arm64 -t gitrob2 .

GitHub access token

gitrob2 needs a GitHub access token. Create a personal access token (no scopes required for public data) and export it:

export GITROB_ACCESS_TOKEN=<your token>

Or pass it per run with -github-access-token <token> (watch your shell history).


Usage

gitrob2 [options] target [target2] ... [targetN]

A target is a GitHub username or organization name.

# Scan a single organization
gitrob2 acmecorp

# Scan a user and save the results for later
gitrob2 -save ~/scan.json octocat

# Re-open a saved session in the web interface
gitrob2 -load ~/scan.json

When a scan finishes, gitrob2 keeps running and serves the results at http://127.0.0.1:9393. Press Ctrl+C to stop. Run gitrob2 -h for all options.


Recon chain (reconk)

For bug-bounty recon, gitrob2 is most useful as one link in a chain. The installer sets up the chain as the reconk command, which orchestrates the whole flow:

subfinder ─┐
           ├─► all-subdomains  ─► (api.* highlighted)
github-subdomains ─┘
           │
           ▼
secret scanning: gitrob2 + trufflehog + gitleaks
           │
           ▼
secret validation (trufflehog --only-verified)
           │
           ▼
report.md

Why this beats gitrob2 alone: subdomain enumeration maps the attack surface (API hosts especially — api., graphql., gateway. are highlighted automatically), while the secret-scan stage checks the org's GitHub footprint for leaked credentials and verifies them so you report real impact, not noise.

Run it

# Run with no arguments to see the help menu
reconk

export GITHUB_TOKEN=ghp_xxx

# Subdomains only
reconk -d example.com --no-secrets

# Full chain: subdomains + verified secrets across two GitHub orgs
reconk -d example.com -g exampleinc -g example-labs

Results are written to recon-<domain>-<timestamp>/, including all-subdomains.txt, api-subdomains.txt, per-org secret findings under secrets/, and a consolidated report.md.

Each tool is optional — if one isn't installed, that stage is skipped with a warning. The one-command installer sets them all up; to install manually: subfinder, github-subdomains, trufflehog, gitleaks.

⚠️ Only run reconk against assets you are explicitly authorized to test. The validation stage sends test requests to third-party APIs using discovered credentials — keep it inside your program's scope.


Building from source

gitrob2 uses Go modules and embeds its web assets with go:embed, so a normal build is all you need:

go build -o gitrob2 .

Release archives for every supported OS/architecture:

./build.sh

Credits & license

gitrob2 is a fork of Gitrob, created by Michael Henriksen (@michenriksen) — all credit for the original tool, signatures and web UI belongs to him. See NOTICE.md.

Licensed under the MIT License (see LICENSE.txt), preserving the original copyright.

Documentation

The Go Gopher

There is no documentation for this package.

Directories

Path Synopsis
This file previously held web UI assets generated by go-bindata.
This file previously held web UI assets generated by go-bindata.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL