Created
December 7, 2023 19:06
-
-
Save RoseSecurity/cbb8ddc122dec65abddd69fb2285b726 to your computer and use it in GitHub Desktop.
A down and dirty script for finding GitHub PATs in public repositories
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
# -*- coding: utf-8 -*- | |
# Run script from command line via python3 find_pats.py | |
import click | |
import datetime | |
import time | |
from github import Github | |
from github.GithubException import RateLimitExceededException | |
from tqdm import tqdm | |
def search_github(auth: Github): | |
"""Search the GitHub API for repositories with exposed PATs. | |
Args: | |
auth: A Github authenticate object. | |
Returns: | |
A nested list of GitHub repositories returned with exposed PATs. Each result list contains the repository name, | |
url, and description. | |
""" | |
# set-up query | |
query = r'^github_pat_[A-Za-z0-9_]+$' | |
results = auth.search_code(query) | |
# print results | |
print(f'Found {results.totalCount} repo(s)') | |
for result in tqdm(results, total=results.totalCount, desc='Processing Results'): | |
try: | |
# Access result attributes as needed | |
repo_name = result.repository.full_name | |
file_path = result.path | |
# Print or process the information | |
print(f"Repository: {repo_name}, File: {file_path}") | |
time.sleep(2) | |
except RateLimitExceededException: | |
time.sleep(60) | |
print("Rate limit exceeded, waiting for 60 seconds...") | |
@click.command() | |
@click.option('--token', prompt='Please enter your GitHub Access Token') | |
def main(token: str) -> None: | |
# initialize and authenticate GitHub API | |
auth = Github(token) | |
# search repositories on GitHub | |
search_github(auth) | |
if __name__ == '__main__': | |
main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment