Welcome to Gitxray
Gitxray (short for Git X-Ray) is a multifaceted security tool designed for use on GitHub repositories. It can serve many purposes, including OSINT and Forensics. gitxray leverages public GitHub REST APIs to gather information that would otherwise be very time-consuming to obtain manually. Additionally, it seeks out information in unconventional places.
(Image: The Octocat getting X-Rayed)
What is it for?
- Identifying threat actors in a Repository. You may spot co-owned or shared accounts, as well as inspect public events to spot fake Stargazers.
- Forensics use-cases, such as finding out what else happened on the day of an Incident.
- Finding sensitive information in contributor profiles disclosed by accident within, for example, Armored PGP Keys, or Key Names.
- Collecting email addresses and analyzing contributor accounts belonging to GitHub organizations and repositories.
- Identifying fake or infected Repositories. It can detect tampered commit dates as well as, for example, Release assets updated post-release.
- And so. much. more.
Getting started
Rate Limits and the GitHub API
Gitxray gracefully handles rate limits and can work out of the box without a GitHub API key, but you'll likely hit those rate limits pretty fast. This is detailed in GitHub's documentation. A simple read-only token scoped to PUBLIC repositories will, however, raise those limits considerably. If you're not in a hurry or can leave gitxray running, you'll be able to use its full capacity, as it pauses execution while waiting for the limits to lift.
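The pause-and-resume behaviour described above, as an added example that is not gitxray's own code: it reads the rate-limit headers GitHub's REST API returns (X-RateLimit-Remaining, X-RateLimit-Reset, and Retry-After for secondary limits) and works out how long a client should wait, with an optional read-only token in the request headers. The sample responses are constructed, not captured from GitHub.

```python
# Added example (not gitxray's own code): decide how long a GitHub REST API
# client should pause based on the rate-limit headers in the last response.
import time
from typing import Mapping, Optional


def build_headers(token: Optional[str] = None) -> dict:
    """Request headers for the GitHub REST API. A read-only token (public
    repository scope only) raises the hourly limit well above the anonymous one."""
    headers = {"Accept": "application/vnd.github+json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return headers


def seconds_to_wait(status: int, headers: Mapping[str, str], now: float) -> float:
    """Return how many seconds to sleep before the next request, or 0.0.

    Primary limit: X-RateLimit-Remaining reaches 0 and X-RateLimit-Reset gives
    the epoch second at which the window resets.
    Secondary limit: GitHub answers 403/429 with a Retry-After header (seconds).
    """
    if status in (403, 429) and "Retry-After" in headers:
        return max(0.0, float(headers["Retry-After"]))
    remaining = int(headers.get("X-RateLimit-Remaining", "1"))
    if remaining > 0:
        return 0.0
    reset_at = float(headers.get("X-RateLimit-Reset", now))
    # One-second margin so we do not wake up just before the window resets.
    return max(0.0, reset_at - now) + 1.0


def pause_if_needed(status: int, headers: Mapping[str, str]) -> float:
    """Sleep as long as the headers require; returns the seconds slept."""
    delay = seconds_to_wait(status, headers, time.time())
    if delay > 0:
        time.sleep(delay)
    return delay


# Constructed sample responses (not captured from GitHub).
EXHAUSTED = {"X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "0",
             "X-RateLimit-Reset": "1700000100"}
SECONDARY = {"Retry-After": "30"}
HEALTHY = {"X-RateLimit-Limit": "5000", "X-RateLimit-Remaining": "4999",
           "X-RateLimit-Reset": "1700000100"}
```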
License
gitxray is provided under the terms and conditions of the GNU Affero GPL v3 License.