Secrets in GitHub Repos: How Hackers Find API Keys & Config Files 🔍
🚀 Introduction
GitHub is a goldmine. Not just for developers, but for hackers too. In today’s era of DevOps and fast shipping, developers often unintentionally leave behind sensitive information — API keys, credentials, cloud tokens, and even entire configuration files.
This blog uncovers the real-world techniques hackers use to find those juicy secrets hiding in public repositories. Whether you’re a security researcher 🕵️♂️, bug bounty hunter 💰, or a developer looking to secure your own repos 🧑💻, this is your guide.
✅ Bonus: This blog includes tools, scripts, GitHub search dorks, and real-world examples!
🔍 Why GitHub Is a Hacker’s Playground
GitHub repositories are often misused as personal notepads or backup drives by developers. As a result, it’s not uncommon to find:
.envfiles with secretsAWS/GCP/Azure keys
Private API endpoints
Firebase credentials
Full config files with passwords
Hardcoded passwords/tokens in source code
Even big companies have made these mistakes. Here are some publicly known examples:
🧠 Part 1: How Hackers Use GitHub Dorks
🕵️♀️ What Are GitHub Dorks?
GitHub Dorks are specially crafted search queries using GitHub’s advanced search to find sensitive files.
🔎 Useful GitHub Dork Examples
filename:.env DB_PASSWORD
filename:.git-credentials
filename:config.json AWS
extension:json api_key
extension:yaml password🔥 Full list of GitHub dorks:
📌 Pro Tips:
Use GitHub Search directly.
Use a VPN or multiple accounts for heavy searches.
Add
org:oruser:filters to target specific companies.
🛠 Part 2: Tools Hackers Use
1. GitLeaks — Scan repos for secrets
🔗 https://github.com/gitleaks/gitleaks
2. TruffleHog — Finds secrets in Git history
🔗 https://github.com/trufflesecurity/trufflehog
3. Shhgit — Realtime secret detection from GitHub stream
🔗 https://github.com/eth0izzle/shhgit
4. Gitrob — Find sensitive files across an organization
🔗 https://github.com/michenriksen/gitrob
5. GHunt — OSINT for Google data, can be used for GH too
🔗 https://github.com/mxrch/GHunt
🤖 Part 3: Automating with Python & Bash
You can automate secret hunting using GitHub’s API and your own dorks.
Example Python Script
import requests
from github import Githubg = Github("<your_token>")
query = 'filename:.env DB_PASSWORD'
for repo in g.search_code(query=query):
print(repo.repository.full_name, repo.html_url)Bash + cURL
curl -H "Authorization: token YOUR_TOKEN" \
"https://api.github.com/search/code?q=filename:.env+password"📚 More on API: https://docs.github.com/en/rest
🧯 Part 4: Preventing These Mistakes
✅ 1. Use GitHub Secret Scanning
GitHub’s Secret Scanning :About secret scanning :https://docs.github.com/en/code-security/secret-scanning/introduction/about-secret-scanning
✅ 2. Git Pre-Commit Hooks
Use tools like
pre-commitand GitLeaks in your commit lifecycle.
✅ 3. Avoid committing .env or sensitive files
Add them to
.gitignore
✅ 4. Monitor Your Repos
Schedule scans with tools or use GitHub Actions
💥 Real-World Example Walkthrough
Scenario: Finding a Firebase Key
Search for:
filename:.json "project_id" firebaseioCheck if the repo has
apiKey,authDomain, etc.If exposed, check permissions. Can you read/write? 🔓
Use tools like Firepwn to exploit weak configs.
💡 Bonus Tips
🧠 Use Recon Tools to Expand Targets
👀 Monitor GitHub Public Feeds
📝 Resources & References
GitHub Dorks: https://github.com/techgaun/github-dorks
Secret scanning tools: https://github.com/topics/secret-detection
OSINT links: https://github.com/jivoi/awesome-osint
Recon Handbook: https://github.com/jobertabma/awesome-bugbounty-cheatsheet
✨ Conclusion
Secrets in GitHub are more common than you think. With just a few clever search queries and open-source tools, hackers can uncover sensitive API keys and credentials that lead to full-blown attacks.
Whether you’re a dev, a bug bounty hunter, or a security analyst — knowing how this works is half the battle. The other half is protecting your code from becoming the next case study.
📣 If you liked this blog, share it on Twitter or LinkedIn and drop a comment below!
👋 Stay Connected
If you enjoyed this guide and want more practical tutorials, recon checklists, and hacker strategies, stay in touch:
📬 FREE Newsletter: thehackerslog.substack.com
📸 Twitter (X): @VipulSonule
🧑💼 LinkedIn: Vipul Sonule
✍️ Medium: Vipul Sonule


