Skip to content

Instantly share code, notes, and snippets.

@win3zz
Last active June 22, 2024 09:55
Show Gist options
  • Save win3zz/0a1c70589fcbea64dba4588b93095855 to your computer and use it in GitHub Desktop.
Save win3zz/0a1c70589fcbea64dba4588b93095855 to your computer and use it in GitHub Desktop.

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

As a security professional, it is important to conduct a thorough reconnaissance. With the increasing use of APIs nowadays, it has become paramount to keep access tokens and other API-related secrets secure in order to prevent leaks. However, despite technological advances, human error remains a factor, and many developers still unknowingly hardcode their API secrets into source code and commit them to public repositories. GitHub, being a widely popular platform for public code repositories, may inadvertently host such leaked secrets. To help identify these vulnerabilities, I have created a comprehensive search list using powerful search syntax that enables the search of thousands of leaked keys and secrets in a single search.

Search Syntax:

(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))

Examples:

1. OpenAI API keys

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND ("sk-" AND (openai OR gpt))

Update: We can use following refined regular expression to filters out most dummy keys:

... AND (/sk-[a-zA-Z0-9]{48}/ AND (openai OR gpt))

Special thanks to @fkulakov for the insightful contribution.

Screeenshot:

GithubOpenAIAPIkeysSearch

2. Github OAuth/App/Personal/Refresh Access Token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("ghp_" OR "gho_" OR "ghu_" OR "ghs_" OR "ghr_") AND (Github OR OAuth))

3. Slack Token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (xox AND Slack)

4. Google API key

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (AIza AND Google)

5. Square OAuth/access token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("sq0atp-" OR "sq0csp-") AND (square OR OAuth))

6. Shopify shared secret, access token, private/custom app access token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("shpss_" OR "shpat_" OR "shpca_" OR "shppa_") AND "Shopify")

Parameters Used

File Extensions

File Extension Description
.xml XML file format
.json JSON (JavaScript Object Notation) file format
.properties Properties file format used for configuration settings
.sql SQL (Structured Query Language) file format used for database queries
.txt Plain text file format
.log Log file format used for recording events or activities
.tmp Temporary file format
.backup Backup file format
.bak Backup file format
.enc Encrypted file format
.yml YAML (YAML Ain't Markup Language) file format used for configuration settings
.yaml YAML (YAML Ain't Markup Language) file format used for configuration settings
.toml TOML (Tom's Obvious, Minimal Language) file format used for configuration settings
.ini INI (Initialization) file format used for configuration settings
.config Configuration file format
.conf Configuration file format
.cfg Configuration file format
.env Environment file format
.envrc Environment file format specific to the Direnv tool
.prod Production file format
.secret Secret file format
.private Private file format
.key Key file format

Keynames

Keynames Description
access_key Variable name to store the key used for accessing a resource or service
secret_key Variable name to store the key used for authentication or encryption
access_token Variable name to store the token used for accessing an API or resource
api_key Variable name to store the key used for accessing an API or service
apikey Shortened version of "api_key"
api_secret Variable name to store the secret key used for API authentication
apiSecret An alternate of "api_secret"
app_secret Variable name to store the secret key used for application authentication
application_key Variable name to store the key used for identifying an application
app_key Variable name to store the key used for identifying an application
appkey Shortened version of "app_key"
auth_token Variable name to store the token used for authentication or authorization
authsecret Variable name to store the secret key used for authentication or authorization

Other Useful Tools:

@uttarkhandcool
Copy link

nice

@sinalalebakhsh
Copy link

Thanks for this

@Steiner-254
Copy link

Great, thanks <3

@IhwanID
Copy link

IhwanID commented Jun 19, 2023

thanks

@sondt1337
Copy link

thx!!!

@accessor-io
Copy link

accessor-io commented Oct 14, 2023

returns error exceeds 256 characters /more that 5 operators disallowed

@lolminerxmrig
Copy link

hi.
very good.
can help me more page limited 5 pages.
thanks.

@win3zz
Copy link
Author

win3zz commented Dec 6, 2023

returns error exceeds 256 characters /more that 5 operators disallowed

@accessor-io I just tried it and no such errors were found. Please try again, and make sure you are using the operators correctly.

@win3zz
Copy link
Author

win3zz commented Dec 6, 2023

hi. very good. can help me more page limited 5 pages. thanks.

@lolminerxmrig The 5-page limit is a known issue on GitHub, and the GitHub development team is aware of it and is actively working to address the issue. You can review the ongoing discussions about this matter on the GitHub community forum.

It should have been fixed earlier, but I don't know why they're taking this much time.

@lolminerxmrig
Copy link

can sort last update?

@fkulakov
Copy link

For openai api_keys, you can use this regular expression to filter out most dummies:

AND (/sk-[a-zA-Z0-9]{48}/ AND (openai OR gpt))

instead of

AND ("sk-" AND (openai OR gpt))

@win3zz
Copy link
Author

win3zz commented Dec 29, 2023

@fkulakov That's c00l! Thank you for sharing. I updated this gist.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment