Welcome to Gitxray

Gitxray (short for Git X-Ray) is a multifaceted security tool designed for use on GitHub repositories. It can serve many purposes, including OSINT and Forensics. gitxray leverages public GitHub REST APIs to gather information that would otherwise be very time-consuming to obtain manually. Additionally, it seeks out information in unconventional places.

The Octocat getting X-Rayed

What is it for?

• Finding sensitive information in contributor profiles disclosed by accident within, for example, Armored PGP Keys, or Key Names.
• Identifying threat actors in a Repository. You may spot co-owned or shared accounts, as well as inspect public events to spot fake Stargazers.
• Collecting email addresses and analyzing contributor accounts belonging to GitHub organizations and repositories.
• Identifying fake or infected Repositories. It can detect tampered commit dates as well as, for example, Release assets updated post-release.
• Forensics use-cases, such as finding out what else happened on the day of an Incident.
• And so. much. more.

Getting started

• Installing Gitxray
• Awesome Features 💫
• More Features 🦾

Rate Limits and the GitHub API

Gitxray gracefully handles Rate Limits and can work out of the box without a GitHub API key, but you'll likely hit RateLimits pretty fast. This is detailed by GitHub in their documentation here. A simple read-only token created for PUBLIC repositories will however help you increase those restrictions considerably. If you're not in a hurry or can leave gitxray running you'll be able to use its full capacity, as it pauses execution while waiting for the limits to lift.

License

gitxray is provided under the terms and conditions of the GNU Affero GPL v3 License.