September 19, 2021

Dedicated Forum to help removing adware, malware, spyware, ransomware, trojans, viruses and more!

Gitformant | by Steven Patterson

Gitformant | by Steven Patterson


by Steven Patterson

Gitformant is an Open Source Intelligence (OSINT) tool developed by Shogun Lab to aid researchers and security professionals in discovering Github repositories that may contain confidential information. It works by searching Github for a keyword (internal URL, project specific acronym or terminology, etc) from code or internal documents. Additional checks can be performed if provided with a second list of keywords for verifying that the repository contents belong to a specific entity (ACME,, Project Roadrunner, etc).


Gitformant can be installed by downloading the zip file here or by cloning the Git repository:

git clone

Gitformant works with Python 2.7.x on any platform.


  • Search Github for keywords belonging to confidential documents and discover leaks.
  • Perform checks on discovered repositories to confirm or deny that they belong to a target organization.
  • Log all results for further investigation and reporting.


To perform a search on Github for an internal keyword, type:

python "<insert internal keyword here>"

To check the returned results for the existence of additional keywords, type:

python "<insert internal keyword here>" "<insert confirmation keywords list here (comma separated)>"

Example Use Case

  1. Alice is hired by ACME Inc. to perform an Open Source Intelligence assessment and find out if confidential ACME code is being leaked online.
  2. She checks multiple search engines to see if the leaked code is being indexed, but doesn’t find anything.
  3. Alice asks the client if there are internal URLs or company keywords that are frequently used in development code.
  4. The client gives Alice “”, the URL for their employee login portal and a link that frequently appears in the clients’ private Github.
  5. Alice performs a search for the keyword using Gitformant:
  • python ""
  1. Alice finds no results, thinking that the keyword may be too specific, she changes the query to “”:
  • python ""
  1. Alice is surprised to find several hundred results, however many of the findings are simply junk that makes reference to “” among many other online portals.
  2. Undeterred, Alice performs additional checks for ACME specific keywords in the repositories discovered using Gitformant:
  • python "" "ACME,,ACME Inc"
  1. Alice discovers that one repository contains “” and also has 32 hits for ACME, 15 hits for and 3 hits for ACME Inc.
  2. Alice investigates the repository and finds that it is source code for an ACME Inc. production website with hardcoded admin login credentials.

Misc. Usage and Performance Notes

  • Dont’ forget to add your Github API key!Find out more here.
  • There is a rate limit on the Github Search API, to avoid going over this limit a delay is built into the calls to Github’s API
    • If the rate limit is hit, the application will sleep and then resume after 10 seconds
  • Each confirmation keyword provided means an additional check is performed on every discovered repo, which means it can get slow FAST!
    • Try to limit confirmation keyword lists to two or three words (or grab a cup of coffee)


Basic usage screen_1

With confirmation keywords list screen_2screen_3


Gitformant was inspired by an excellent OSINT tool, called Datasploit.

The Gitformant OSINT tool is licensed under a GNU General Public License v3.0, you can read it here.

The Gitformant logo is licensed under a Creative Commons Creative Attribution 3.0 United States License. Authored by ProSymbols.

About the Author

Steven Patterson – Vulnerability Researcher at Shogun Lab.

The text originally published at:

The post Gitformant | by Steven Patterson appeared first on eForensics.