Gitxray: a security X-Ray for GitHub repositories

submitted by
Style Pass
2025-01-23 17:00:11

We’re releasing Gitxray 🩻, an open-source security tool tailored for GitHub repositories. Gitxray can scan any public organization, repository, and its associated contributors on GitHub, identify information disclosure, and help you detect suspicious behavior. It uses GitHub's public REST APIs and works out of the box without a GitHub API key.

Creating a read-only GitHub token scoped to public repositories is recommended so you are not constantly hitting rate limits (unauthenticated requests are capped at 60 per hour per IP, versus 5,000 per hour with a token). Then load it into GH_ACCESS_TOKEN in a way that keeps the token's contents out of your shell history:

1. Unintended Disclosures in Contributor Profiles 🤦 Gitxray meticulously scans contributor profiles for inadvertent disclosures, from PGP and SSH key names containing notes-to-self to accidental shell prompts embedded in ASCII-armored key exports.

2. Spotting Shared, Co-Owned, or Fake Contributors 👻 Amid rising concerns over the security of open-source projects, gitxray can help identify suspicious associations between GitHub accounts by analyzing SSH and PGP key fingerprints, account and key creation times, and more.
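As an added illustration of the two checks above (this is example code written for this page, not gitxray's own implementation), the following Python script runs both over a small constructed dataset shaped loosely after GitHub's `/users/{username}`, `/users/{username}/keys` and `/users/{username}/gpg_keys` responses: it computes OpenSSH-style SHA256 fingerprints to find SSH keys presented by more than one account, compares PGP key ids, flags accounts created within a short window of each other, and looks for shell-prompt residue in armored exports and note-to-self wording in key titles. The field layout, the keyword list and the 30-minute window are assumptions; the sample SSH keys are syntactically valid but not real curve points.

```python
from __future__ import annotations

import base64
import hashlib
import re
import struct
from datetime import datetime
from itertools import combinations


def _ed25519_blob(seed: str) -> str:
    """Constructed sample: a syntactically valid ssh-ed25519 key line; the 32 key bytes come from `seed`."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + hashlib.sha256(seed.encode()).digest()
    return "ssh-ed25519 " + base64.b64encode(raw).decode()


ARMOR = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed body omitted)\n-----END PGP PUBLIC KEY BLOCK-----\n"

# Constructed sample data, shaped loosely after GitHub's /users/{u}, /users/{u}/keys and
# /users/{u}/gpg_keys responses (assumption); only the fields used below are present.
SAMPLE_USERS = {
    "alice": {
        "created_at": "2024-05-01T10:00:00Z",
        "ssh_keys": [{"key": _ed25519_blob("alice-laptop")}],
        "gpg_keys": [{"key_id": "0A1B2C3D4E5F6071", "name": "alice work key", "raw_key": ARMOR}],
    },
    "bob": {
        "created_at": "2024-05-01T10:04:00Z",  # four minutes after alice
        "ssh_keys": [{"key": _ed25519_blob("alice-laptop")}],  # same SSH key as alice
        "gpg_keys": [{
            "key_id": "0A1B2C3D4E5F6071",  # same PGP key as alice
            "name": "backup - passphrase is in my notes",
            # export pasted straight from a terminal, prompt line included
            "raw_key": "bob@ci-runner:~$ gpg --armor --export 0A1B2C3D4E5F6071\n" + ARMOR,
        }],
    },
    "carol": {
        "created_at": "2023-01-15T08:30:00Z",
        "ssh_keys": [{"key": _ed25519_blob("carol-desktop")}],
        "gpg_keys": [],
    },
}

# A line that looks like a pasted shell prompt: optional user@host[:path], then $ # % or >, then a command.
PROMPT_RE = re.compile(r"^(?:\S+@\S+(?::\S*)?\s*)?[$#%>]\s+\S")
NOTE_WORDS = ("password", "passphrase", "secret", "token", "do not use", "shared with")  # assumed list


def ssh_fingerprint(key_line: str) -> str:
    """OpenSSH-style fingerprint ("SHA256:<unpadded base64>") of a public key line."""
    blob = base64.b64decode(key_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def shell_prompt_residue(armored: str) -> list[str]:
    """Lines of an armored key export that look like a shell prompt rather than key material."""
    return [line for line in armored.splitlines() if PROMPT_RE.match(line)]


def suspicious_key_name(name: str) -> bool:
    """Heuristic: does a key title read like a note-to-self (secrets, warnings, an e-mail address)?"""
    lowered = name.lower()
    return any(word in lowered for word in NOTE_WORDS) or re.search(r"[\w.-]+@[\w-]+\.\w+", name) is not None


def shared_key_associations(users: dict) -> dict[str, set[str]]:
    """Map each SSH fingerprint / PGP key id to the accounts presenting it; keep only shared ones."""
    owners: dict[str, set[str]] = {}
    for user, data in users.items():
        for k in data["ssh_keys"]:
            owners.setdefault(ssh_fingerprint(k["key"]), set()).add(user)
        for g in data["gpg_keys"]:
            owners.setdefault("PGP:" + g["key_id"], set()).add(user)
    return {key: accounts for key, accounts in owners.items() if len(accounts) > 1}


def accounts_created_together(users: dict, window_minutes: float = 30) -> list[tuple[str, str, float]]:
    """Account pairs created within `window_minutes` of each other (assumed threshold); delta in minutes."""
    def parse(ts: str) -> datetime:
        return datetime.fromisoformat(ts.replace("Z", "+00:00"))
    pairs = []
    for (a, da), (b, db) in combinations(users.items(), 2):
        delta = abs((parse(da["created_at"]) - parse(db["created_at"])).total_seconds()) / 60
        if delta <= window_minutes:
            pairs.append((a, b, delta))
    return pairs


def xray(users: dict) -> dict:
    """Run every check over the contributor set and group findings by category."""
    findings = {"shared_keys": shared_key_associations(users),
                "created_together": accounts_created_together(users),
                "key_name_notes": [], "prompt_residue": []}
    for user, data in users.items():
        for g in data["gpg_keys"]:
            if suspicious_key_name(g["name"]):
                findings["key_name_notes"].append((user, g["name"]))
            for line in shell_prompt_residue(g["raw_key"]):
                findings["prompt_residue"].append((user, line))
    return findings


if __name__ == "__main__":
    for category, items in xray(SAMPLE_USERS).items():
        print(f"{category}: {items}")
```

On the constructed data this reports alice and bob sharing both an SSH key and a PGP key, created four minutes apart, with bob's key title leaking a note about a passphrase and his export carrying a pasted `bob@ci-runner:~$` prompt line. To run it against real accounts you would fill the dictionary from the three endpoints named above. Treat the signals as leads rather than verdicts: deploy and CI accounts legitimately share keys, and creation-time proximity alone is weak evidence until it lines up with a shared key or matching metadata.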
