My tips for finding security issues in GitHub projects.

GitHub for Bug Bounty Hunters

GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues. Organization members and their open source projects can sometimes accidentally expose information that could be used against the target company. In this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.

Mass Cloning

You can do your research directly on GitHub, but I would suggest cloning all of the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.

$ python --org organization -o /tmp/output

Static Analysis

When it comes to static analysis it is very important to start by actually understanding the project you are targeting. Run the project and use the main features. I call this the "Jobert step", because I have heard that Jobert spends the first 30 minutes of every hunt using the project and understanding the target before finding vulnerabilities.

Manual analysis:

This is where the "learn to make it, then break it" mentality comes into play. If you can familiarize yourself with a programming language, you should know the ins and outs of what to do and what not to do in terms of security.

Once you understand the target and its architecture, you can start grepping! Search for keywords that you are interested in, understand best, or know that developers tend to get wrong. Here is a basic list of some of the keywords I will look for during a general first assessment:

  • API and key. (Get some more endpoints and find API keys.)
  • token
  • secret
  • TODO
  • password
  • vulnerable 😜
  • http:// & https://

Then I will focus on terms that make me smile when developers mess things up:

  • CSRF
  • random
  • hash
  • MD5, SHA-1, SHA-2, etc.
  • HMAC

When you get used to certain vulnerability types, you will start knowing exactly what to look for in a specific language. So for instance, when I want to find a timing leak in Java, I know that comparing an HMAC with Arrays.equals() causes that issue, because the comparison stops at the first differing byte.
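The first grep pass and the Java-specific check described above, as an added example that is not code from the gist: a case-insensitive keyword grep over an in-memory source tree using the two keyword lists from the text, plus a detector for Arrays.equals() used in a Java file that also uses a MAC. The sample files, the file paths and the MessageDigest.isEqual() remediation message are my own constructions; a real run would read the files from a local clone.

```python
import re
from typing import Dict, List, Tuple

# The two keyword lists from the write-up.
GENERAL_KEYWORDS = ["API", "key", "token", "secret", "TODO", "password",
                    "vulnerable", "http://", "https://"]
CRYPTO_KEYWORDS = ["CSRF", "random", "hash", "MD5", "SHA-1", "SHA-2", "HMAC"]

# Constructed sample tree {path: contents}; a real run would read a local clone.
SAMPLE_TREE: Dict[str, str] = {
    "src/Auth.java": (
        "import javax.crypto.Mac;\n"
        "import java.util.Arrays;\n"
        "public class Auth {\n"
        "  boolean verify(byte[] expected, byte[] got) {\n"
        "    // TODO: rotate HMAC key\n"
        "    return Arrays.equals(expected, got);  // leaks timing\n"
        "  }\n"
        "}\n"
    ),
    "config/settings.py": (
        "API_BASE = 'https://api.example.test/v1'\n"
        "password = 'changeme'\n"
    ),
    "README.md": "Nothing interesting here.\n",
}


def grep_keywords(tree: Dict[str, str], keywords: List[str]) -> List[Tuple[str, int, str]]:
    """Case-insensitive substring grep: one (path, line_no, keyword) tuple per hit.
    Deliberately noisy, like the first grep pass in the text; every hit needs manual triage."""
    hits: List[Tuple[str, int, str]] = []
    for path, text in tree.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            lowered = line.lower()
            for kw in keywords:
                if kw.lower() in lowered:
                    hits.append((path, line_no, kw))
    return hits


# Arrays.equals() returns as soon as one byte differs, so using it on a MAC tag
# reveals how many leading bytes matched. MessageDigest.isEqual() is constant-time.
_ARRAYS_EQUALS = re.compile(r"\bArrays\.equals\s*\(")
_MAC_USAGE = re.compile(r"javax\.crypto\.Mac|Mac\.getInstance|HMAC", re.IGNORECASE)
TIMING_LEAK_MSG = "Arrays.equals() on a MAC tag; replace with MessageDigest.isEqual()"


def find_java_timing_leaks(tree: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Flag Arrays.equals() calls in Java files that also reference a MAC."""
    findings: List[Tuple[str, int, str]] = []
    for path, text in tree.items():
        if not path.endswith(".java") or not _MAC_USAGE.search(text):
            continue
        for line_no, line in enumerate(text.splitlines(), start=1):
            if _ARRAYS_EQUALS.search(line):
                findings.append((path, line_no, TIMING_LEAK_MSG))
    return findings


if __name__ == "__main__":
    for hit in grep_keywords(SAMPLE_TREE, GENERAL_KEYWORDS + CRYPTO_KEYWORDS):
        print("keyword", *hit)
    for finding in find_java_timing_leaks(SAMPLE_TREE):
        print("timing ", *finding)
```

The MAC check only fires when both patterns occur in the same file; that keeps the noise down but will miss a tag compared in a different class from the one that computes it, so treat it as a starting point for manual review rather than a verdict.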

Another vital step is to look through the commit history. You will be amazed at the amount of information you can gather from commits. Sometimes I see contributors thinking they have removed credentials, when in fact they remain in the commit history. I have come across old endpoints that still work thanks to the git history. Aside from current issues, you might discover past issues that could potentially be bypassed thanks to old commits.
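The "removed but still in history" situation above, as an added example that is not part of the gist: the script builds a throwaway repository in a temporary directory, commits a hard-coded token, "removes" it in a second commit, and then audits the repository the way a maintainer should before publishing it. The token value, the file name and the commit messages are constructed; the script assumes a `git` binary is on PATH and returns None otherwise.

```python
import os
import shutil
import subprocess
import tempfile
from typing import Dict, Optional

GIT_AVAILABLE = shutil.which("git") is not None
# Constructed placeholder; the point is only that a value like this survives in history.
FAKE_SECRET = "EXAMPLE_TOKEN_0123456789abcdef"


def _git(repo: str, *args: str) -> str:
    """Run git inside `repo` with a fixed identity so the demo works on a bare machine."""
    cmd = ["git", "-c", "user.name=demo", "-c", "user.email=demo@example.invalid",
           "-c", "commit.gpgsign=false", *args]
    return subprocess.run(cmd, cwd=repo, check=True, capture_output=True, text=True).stdout


def build_repo_with_removed_secret(repo: str) -> None:
    """Commit a hard-coded token, then 'remove' it in a second commit."""
    _git(repo, "init", "-q")
    config = os.path.join(repo, "config.py")
    with open(config, "w") as fh:
        fh.write(f"API_TOKEN = '{FAKE_SECRET}'\n")
    _git(repo, "add", "config.py")
    _git(repo, "commit", "-q", "-m", "add config")
    with open(config, "w") as fh:
        fh.write("import os\nAPI_TOKEN = os.environ['API_TOKEN']\n")
    _git(repo, "commit", "-q", "-am", "stop hard-coding the token")


def audit_history(repo: str, needle: str) -> Dict[str, bool]:
    """Check both the current tree and the full history for `needle`."""
    head_copy = _git(repo, "show", "HEAD:config.py")
    # --all covers every branch and tag; -S (pickaxe) lists the commits that
    # added or removed the string, and -p prints the diffs containing it.
    pickaxe = _git(repo, "log", "--all", "-p", "-S" + needle)
    return {"found_in_head": needle in head_copy, "found_in_history": needle in pickaxe}


def demo() -> Optional[Dict[str, bool]]:
    """Build the throwaway repo and audit it; None when git is not installed."""
    if not GIT_AVAILABLE:
        return None
    with tempfile.TemporaryDirectory() as repo:
        build_repo_with_removed_secret(repo)
        return audit_history(repo, FAKE_SECRET)


if __name__ == "__main__":
    print(demo())  # expected: found_in_head False, found_in_history True
```

The audit returns `found_in_head` False and `found_in_history` True, which is exactly the gap the text describes. For a maintainer the fix is to rotate the credential; once a repository has been pushed, rewriting history does not reliably remove the value from forks, clones or caches.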



Sometimes automating the boring tasks can help give you a basic overview of what to look for. It is important to note that you should never copy and paste findings from scanners into your reports. You will get a lot of false positives, so you must always verify the possible issue manually to confirm exploitability.

When I target Python projects, the main tool that I use is Bandit. Bandit will find common issues, but will often return low-hanging fruit or false positives. So be careful when using it. It should definitely not be relied on.

$ bandit -r path/to/your/code -ll

If you want to find outdated Python modules in a project, paste the contents of the requirements.txt in This will show you if there were any security issues in the specified version of the module. is a wonderful tool for checking dependencies. The platform supports a wide variety of languages.


Jacks is a great tool for public Java and JavaScript repositories. It will find issues in all sorts of categories and describe the potential issue in a lot of detail. Please do not just copy and paste the issue descriptions in your reports.


For recon, many researchers suggest using Gitrob. This tool will look for sensitive information in public GitHub repositories.

$ gitrob analyze acme,johndoe,janedoe

For finding high entropy strings (API keys, tokens, passwords, etc.), you can use truffleHog.
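The high-entropy heuristic that truffleHog popularised, as an added example in plain Python that is not truffleHog's own code: long runs of hex or base64 characters are scored by Shannon entropy, and anything above a per-charset threshold is reported. The thresholds (3.0 bits for hex, 4.5 for base64), the 20-character minimum length and the sample lines are my own assumptions and constructions; none of the values are real credentials.

```python
import math
import re
from typing import List, Tuple

HEX_CHARS = set("0123456789abcdefABCDEF")
BASE64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
# Candidate tokens: runs of base64 alphabet characters at least 20 long (assumed minimum).
_CANDIDATE = re.compile(r"[A-Za-z0-9+/=]{20,}")
# Assumed thresholds in bits per character; hex has a smaller alphabet, so a lower bar.
THRESHOLDS = {"hex": 3.0, "base64": 4.5}

# Constructed sample input, not real credentials.
SAMPLE_LINES = [
    "# constructed sample input, not real credentials",
    "DATABASE_URL = 'postgres://app@db.example.test/app'",
    "SLACK_TOKEN = 'q7Rk2mXp9Lw4Tz8Hb3Vn6Jd1Yc5Fg0Sa'",
    "SESSION_SECRET = '4e1c9b7a3d2f8e6b0a5c7d9e1f3a2b4c'",
    "PLACEHOLDER = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'",
    "MODULE = 'configurationconfiguration'",
]


def shannon_entropy(s: str) -> float:
    """Bits per character: -sum(p * log2 p) over the character frequencies of s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(token: str):
    """Return the charset name for a token, or None if it fits neither alphabet."""
    chars = set(token)
    if chars <= HEX_CHARS:
        return "hex"
    if chars <= BASE64_CHARS:
        return "base64"
    return None


def find_high_entropy_strings(lines: List[str]) -> List[Tuple[int, str, float]]:
    """Return (line_no, token, entropy) for every candidate above its charset threshold."""
    findings: List[Tuple[int, str, float]] = []
    for line_no, line in enumerate(lines, start=1):
        for token in _CANDIDATE.findall(line):
            kind = classify(token)
            if kind is None:
                continue
            entropy = shannon_entropy(token)
            if entropy >= THRESHOLDS[kind]:
                findings.append((line_no, token, round(entropy, 2)))
    return findings


if __name__ == "__main__":
    for line_no, token, entropy in find_high_entropy_strings(SAMPLE_LINES):
        print(f"line {line_no}: {token} ({entropy} bits/char)")
```

On the sample the random-looking base64 token and the hex value are reported, while the long repeated placeholder and the plain English identifier are not. The heuristic cannot tell a real secret from a commit hash or a content-addressed asset name, which is why scanner output still has to be triaged by hand before it goes into a report.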

$ truffleHog

If you are looking for an all-in-one secrets finder, git-all-secrets by @anshuman_bh is the tool for you. This tool combines multiple open source secrets finders into one big tool.

For Ruby on Rails apps, I recommend Brakeman. Brakeman is a static analysis security scanner that can find a ton of various security issues in code.

Use LinkFinder by Gerben Javado to find endpoints in the JS files of the repository.

$ python -i 'path/to/your/code/*.js' -r ^/api/ -o cli

Social Engineering

OK, seriously do not social engineer the project owners.

Reporting your Findings

As always when it comes to bug bounty hunting, read the program's policy thoroughly. Very rarely does a program accept reports through GitHub. Contact the security team or if possible use a bug bounty platform such as HackerOne or Bugcrowd.

On a side note, a cool thing about white-box testing is that since you have access to the code it can be easier to suggest a fix or submit a patch. 😉

Update: It appears that Jacks does not exist any more.



@0xdevalias 0xdevalias commented Aug 14, 2017

Great little writeup. Thanks for sharing!



@meets2tarun meets2tarun commented Oct 7, 2017

It is Great!! Thanks a lot.



@ErwanLeroux ErwanLeroux commented Oct 7, 2017

Seems like Jacks is no longer available at the URL you provided. They may have been acquired by someone else.



@EdOverflow EdOverflow commented Oct 8, 2017

Thank you for pointing that out, @ErwanLeroux.



@blue-bird1 blue-bird1 commented Oct 14, 2017

It is Great!! Thanks a lot.



@Hasanabas Hasanabas commented Dec 28, 2017

Special thanks for tricks, tools and its use



@Splint3r7 Splint3r7 commented Mar 5, 2018

Thanks ED, <3



@daudmalik06 daudmalik06 commented Mar 20, 2018

thanks :)



@SaFiSec SaFiSec commented Dec 12, 2019

Thanks 🤘



@moodiabdoul3 moodiabdoul3 commented Jan 28, 2020




@dynamo214 dynamo214 commented Jun 18, 2020

Thanks buddy



@tahmidahmed11445 tahmidahmed11445 commented Jul 15, 2020

thanks man!
