# GitHub-Leaked-API-Keys-and-Secrets.md

This article provides a guide for security professionals to identify leaked API keys and secrets on GitHub by using specific search syntax. It lists search patterns for various services, including OpenAI, GitHub OAuth, Slack, Google, Square and Shopify, targeting common file extensions and key identifiers. The document emphasizes that human error often leads developers to accidentally commit sensitive credentials to public repositories, making such reconnaissance valuable for vulnerability detection.

As a security professional, thorough reconnaissance matters. With APIs now used everywhere, keeping access tokens and other API-related secrets out of public view is paramount. Despite better tooling, human error remains a factor: many developers still hardcode API secrets into source code and commit them to public repositories, and GitHub, as the most popular host for public code, inadvertently ends up holding those leaked secrets. To help find them, I have put together a search list built on GitHub code search syntax that surfaces thousands of leaked keys and secrets in a single query.

Every query below instantiates the same template: a group of file extensions that typically hold configuration, dumps or backups; a group of generic key names; the vendor-specific prefix that identifies the secret; and a platform tag that cuts false positives. The four groups are ANDed together:

```
(path:*.{ext1} OR path:*.{extN}) AND ({keyname1} OR {keynameN}) AND ({signature1} OR {signatureN}) AND ({platformTag1} OR {platformTagN})
```

Wrap each OR group in parentheses and quote any term that contains a space or punctuation (`"access key"`, `"sk-"`, `"ghp_"`): unquoted, `access key` is two separate search terms, and without the parentheses the grouping you get depends on operator precedence rather than on what you wrote. Signature prefixes on their own match a lot of documentation, test fixtures and placeholders, so the key-name and platform-tag groups are what make the results worth triaging.

### 1. OpenAI API keys

```
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND ("access key" OR "secret key" OR "access token" OR "api key" OR apikey OR "api secret" OR apiSecret OR "app secret" OR "application key" OR "app key" OR appkey OR "auth token" OR authsecret) AND "sk-" AND (openai OR gpt)
```

Update: replacing the bare `"sk-"` signature with the regular expression `/sk-[a-zA-Z0-9]{48}/` filters out most dummy keys, because placeholders such as `sk-YOUR_API_KEY` or `sk-...` do not contain exactly 48 consecutive alphanumeric characters after the prefix:

```
... AND /sk-[a-zA-Z0-9]{48}/ AND (openai OR gpt)
```

The fixed length describes the older key format; OpenAI's newer project keys use an `sk-proj-` prefix and are longer, so adjust the pattern if those are in scope. Special thanks to @fkulakov for the insightful contribution.

### 2. GitHub OAuth/App/Personal/Refresh Access Token

```
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND ("access key" OR "secret key" OR "access token" OR "api key" OR apikey OR "api secret" OR apiSecret OR "app secret" OR "application key" OR "app key" OR appkey OR "auth token" OR authsecret) AND ("ghp_" OR "gho_" OR "ghu_" OR "ghs_" OR "ghr_") AND (Github OR OAuth)
```

The prefixes are GitHub's own token formats: `ghp_` personal access tokens, `gho_` OAuth access tokens, `ghu_` user-to-server tokens, `ghs_` server-to-server (installation) tokens and `ghr_` refresh tokens.

### 3. Slack Token

```
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND ("access key" OR "secret key" OR "access token" OR "api key" OR apikey OR "api secret" OR apiSecret OR "app secret" OR "application key" OR "app key" OR appkey OR "auth token" OR authsecret) AND xox AND Slack
```

`xox` is the prefix shared by the Slack token types (`xoxb-` bot, `xoxp-` user and the others), which is why it is used bare.

### 4. Google API key

```
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND ("access key" OR "secret key" OR "access token" OR "api key" OR apikey OR "api secret" OR apiSecret OR "app secret" OR "application key" OR "app key" OR appkey OR "auth token" OR authsecret) AND AIza AND Google
```

### 5. Square OAuth/access token

```
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND ("access key" OR "secret key" OR "access token" OR "api key" OR apikey OR "api secret" OR apiSecret OR "app secret" OR "application key" OR "app key" OR appkey OR "auth token" OR authsecret) AND ("sq0atp-" OR "sq0csp-") AND (square OR OAuth)
```

### 6. Shopify shared secret, access token, private/custom app access token

```
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND ("access key" OR "secret key" OR "access token" OR "api key" OR apikey OR "api secret" OR apiSecret OR "app secret" OR "application key" OR "app key" OR appkey OR "auth token" OR authsecret) AND ("shpss_" OR "shpat_" OR "shpca_" OR "shppa_") AND "Shopify"
```

Related resources:

- Online IDE Search: https://redhuntlabs.com/online-ide-search/
- Keyhacks on GitHub: https://github.com/streaak/keyhacks
- Google Hacking Database: https://www.exploit-db.com/google-hacking-database
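As an added example (not code from the original page or its author), the following Python script fills in the search template above for each of the six platforms, with the grouping and quoting the queries rely on, and then runs the signature patterns locally over a few constructed lines, which is the triage step you need once GitHub hands back raw hits. It goes one step beyond the page's OpenAI regex update: it also rejects well-formed dummies such as `sk-` followed by 48 identical characters, using a Shannon-entropy check. The OpenAI pattern is the page's own; the other per-platform patterns, the entropy threshold and every key value in the sample lines are assumptions made for this example.

```python
"""Instantiate the search template per platform and triage candidate lines.
Added example, not code from the original page; sample lines are constructed
and every key in them is made up.
"""
import math
import re
from collections import Counter

# Extension and key-name groups exactly as in the page's queries.
EXTENSIONS = [
    "xml", "json", "properties", "sql", "txt", "log", "tmp", "backup", "bak",
    "enc", "yml", "yaml", "toml", "ini", "config", "conf", "cfg", "env",
    "envrc", "prod", "secret", "private", "key",
]
KEY_NAMES = [
    "access key", "secret key", "access token", "api key", "apikey",
    "api secret", "apiSecret", "app secret", "application key", "app key",
    "appkey", "auth token", "authsecret",
]

# platform -> (query signatures, platform tags, local validation regex).
# The OpenAI regex is the page's refined pattern; the others are assumed
# shapes built from the page's prefixes (",}" lengths are minimums).
PLATFORMS = {
    "openai": (["sk-"], ["openai", "gpt"],
               re.compile(r"sk-[a-zA-Z0-9]{48}")),
    "github": (["ghp_", "gho_", "ghu_", "ghs_", "ghr_"], ["github", "oauth"],
               re.compile(r"gh[posur]_[A-Za-z0-9]{36,}")),
    "slack": (["xox"], ["slack"],
              re.compile(r"xox[a-z]-[A-Za-z0-9-]{10,}")),
    "google": (["AIza"], ["google"],
               re.compile(r"AIza[0-9A-Za-z_-]{35}")),
    "square": (["sq0atp-", "sq0csp-"], ["square", "oauth"],
               re.compile(r"sq0(?:atp|csp)-[0-9A-Za-z_-]{22,}")),
    "shopify": (["shpss_", "shpat_", "shpca_", "shppa_"], ["shopify"],
                re.compile(r"shp(?:ss|at|ca|pa)_[0-9a-fA-F]{32}")),
}

BARE_TERM = re.compile(r"^[A-Za-z0-9]+$")
MIN_ENTROPY = 3.0  # bits per char; assumed cut-off, tune it on your own hits


def quote(term: str) -> str:
    """Quote anything that is not a single alphanumeric word; /regex/ stays bare."""
    if len(term) > 1 and term.startswith("/") and term.endswith("/"):
        return term
    return term if BARE_TERM.match(term) else f'"{term}"'


def or_group(terms) -> str:
    """Join alternatives with OR, parenthesised when there is more than one."""
    parts = [quote(t) for t in terms]
    return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"


def build_query(signatures, platform_tags, extensions=EXTENSIONS,
                key_names=KEY_NAMES) -> str:
    """Fill the template: paths AND key names AND signatures AND platform tags."""
    path_group = "(" + " OR ".join(f"path:*.{e}" for e in extensions) + ")"
    return " AND ".join([path_group, or_group(key_names),
                         or_group(signatures), or_group(platform_tags)])


def shannon_entropy(s: str) -> float:
    """Bits per character; a run of one repeated character scores 0."""
    n = len(s)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(s).values())


def find_candidates(text: str, platform: str):
    """Return (accepted, rejected) matches of one platform's regex in text.
    The regex drops malformed placeholders (sk-YOUR_API_KEY); the entropy
    check drops well-formed dummies (sk- followed by 48 x's)."""
    accepted, rejected = [], []
    for match in PLATFORMS[platform][2].findall(text):
        (accepted if shannon_entropy(match) >= MIN_ENTROPY else rejected).append(match)
    return accepted, rejected


def scan(lines):
    """Map platform -> accepted secrets found anywhere in the given lines."""
    hits = {}
    for platform in PLATFORMS:
        for line in lines:
            accepted, _ = find_candidates(line, platform)
            if accepted:
                hits.setdefault(platform, []).extend(accepted)
    return hits


# Constructed sample "leaked" lines; none of these values is a real secret.
SAMPLE_LINES = [
    "OPENAI_API_KEY=sk-aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5zA7bC9dE1fG3",
    "OPENAI_API_KEY=sk-" + "x" * 48,             # well-formed dummy
    'openai.api_key = "sk-YOUR_API_KEY_HERE"',    # malformed placeholder
    "GITHUB_TOKEN=ghp_Q1wE2rT3yU4iO5pA6sD7fG8hJ9kL0zX1cV2b",
    "SLACK_BOT_TOKEN=xoxb-1234567890-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx",
    "google_api_key: AIzaSyD9xQ2wE5rT8yU1iO4pA7sD0fG3hJ6kL9z",
    "SQUARE_ACCESS_TOKEN=sq0atp-Ab1Cd2Ef3Gh4Ij5Kl6Mn7O",
    "SHOPIFY_ACCESS_TOKEN=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",
    "# TODO: rotate the api key before release",
]

if __name__ == "__main__":
    for name, (sigs, tags, _) in PLATFORMS.items():
        print(f"[{name}] {build_query(sigs, tags)}\n")
    for platform, secrets in scan(SAMPLE_LINES).items():
        print(platform, secrets)
```

Passing `["/sk-[a-zA-Z0-9]{48}/"]` as the OpenAI signature reproduces the page's refined query, since `quote()` leaves slash-delimited regexes bare. The entropy cut-off is deliberately low: it only has to separate repeated-character placeholders from anything resembling real key material, and a hit that passes both checks still needs to be confirmed against the vendor before it is reported.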