{"id":50404047,"url":"https://github.com/fevra-dev/gitexpose","last_synced_at":"2026-05-31T01:00:44.869Z","repository":{"id":358382363,"uuid":"1133984655","full_name":"fevra-dev/GitExpose","owner":"fevra-dev","description":"Exposure intelligence for AI and dev infrastructure. Detects exposed credentials, AI-tool configs, supply-chain risk, framework vulns, and invisible Unicode attacks. OWASP LLM + MITRE ATLAS tagged.","archived":false,"fork":false,"pushed_at":"2026-05-28T17:17:07.000Z","size":447,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-28T19:12:14.056Z","etag":null,"topics":["ai-security","asyncio","cli","credential-scanner","git-security","llm-security","mcp","mitre-atlas","ml-security","offensive-security","owasp-llm","pentesting","python","react2shell","secret-detection","security","security-scanner","supply-chain-security","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fevra-dev.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-14T04:45:20.000Z","updated_at":"2026-05-28T17:17:12.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/fevra-dev/GitExpose","commit_stats":null,"previous_names":["fevra-dev/gitexpose"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/fevra-dev/GitEx
pose","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fevra-dev%2FGitExpose","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fevra-dev%2FGitExpose/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fevra-dev%2FGitExpose/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fevra-dev%2FGitExpose/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fevra-dev","download_url":"https://codeload.github.com/fevra-dev/GitExpose/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fevra-dev%2FGitExpose/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33715211,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-30T02:00:06.278Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-security","asyncio","cli","credential-scanner","git-security","llm-security","mcp","mitre-atlas","ml-security","offensive-security","owasp-llm","pentesting","python","react2shell","secret-detection","security","security-scanner","supply-chain-security","vulnerability-scanner"],"created_at":"2026-05-31T01:00:44.140Z","updated_at":"2026-05-31T01:00:44.856Z","avatar_url":"https://github.com/fevra-dev.png","language":"Python","funding_links":[],"categories":
[],"sub_categories":[],"readme":"# GitExpose\n\n\u003cdiv align=\"center\"\u003e\n\n![Version](https://img.shields.io/badge/version-0.6.0-blue.svg)\n![Python](https://img.shields.io/badge/python-3.9+-green.svg)\n![License](https://img.shields.io/badge/license-MIT-orange.svg)\n\n**Exposure intelligence for AI and dev infrastructure**\n\n*Detect leaked credentials, exposed AI-tool configs, and supply-chain risk in the 2026 threat landscape*\n\n[Features](#features) • [Installation](#installation) • [Quick Start](#quick-start) • [Coverage](docs/COVERAGE.md) • [Documentation](#documentation)\n\n\u003c/div\u003e\n\n---\n\n## Overview\n\nGitExpose finds exposed credentials, sensitive AI-infrastructure configs, and supply-chain compromise indicators across web targets and local repositories.\n\n| Threat Category | What's Detected |\n|-----------------|-----------------|\n| **Credential exposure** | 29-provider matrix: OpenAI, Anthropic, Google, Groq, xAI, Hugging Face, Replicate, Perplexity, Pinecone, LangSmith, Stripe, GitHub, GitLab, Docker Hub, Discord, Slack, Telegram, Twilio, SendGrid, AWS, ElevenLabs, Helicone, Portkey, Voyage, Cohere, Modal, Runpod, plus DB connection strings |\n| **Active verification** (v0.3) | Opt-in `--verify` confirms whether a detected credential is **live** by sending a side-effect-free auth check to the provider — covers 16 providers (LLM tier + GitHub/GitLab/Docker Hub/Slack/AWS) |\n| **Git history scanning** (v0.4) | `git-history` scans all reachable commits for credentials committed and later removed — still in history, often still live. Each secret reported once at its earliest-introducing commit with SHA/author/date. Composes with `--verify`. 
|\n| **Exposed AI-tool configs** | `.continue/`, `claude/.credentials.json`, MCP configs, LiteLLM proxy configs, CrewAI/AutoGen YAMLs, .NET appsettings build output |\n| **Supply-chain risk** | Unpinned AI middleware, known-malicious package versions (TeamPCP), slopsquatting, `.pth` persistence, AI agent C2 beacons, k8s exfiltration, polyglot files, prompt injection in agent instruction files, malicious agent config payloads |\n| **Live dependency SCA** (v0.5) | Lock-file parsing (Python `requirements`/`poetry.lock`/`Pipfile.lock`, JS `package-lock.json`/`yarn.lock`) + OSV.dev live CVE/GHSA lookups → `vulnerable_dependency` findings, ranked by **exploitability context** (direct/unpinned/fix-available/credential-co-presence), not raw CVSS. Default on; `--offline` for air-gapped use. |\n| **AI-BOM** (v0.5) | CycloneDX 1.6 security BOM (`-o cyclonedx`) with components, dependency-vulnerability VEX (honestly scoped — `exploitable` only when proven), and NTIA minimum elements. |\n| **AI agent exposure** (v0.6) | `agent-audit` flags over-permissioned AI agents — MCP servers wired to shell/exec, `.claude` permission grants like `Bash(*)`/`WebFetch`, and exfil-capable capability chains (OWASP LLM08 / ATLAS AML.T0053 / ATT\u0026CK T1059…) — and detects committed system prompts matching CL4R1T4S known-leak fingerprints (OWASP LLM07 / AML.T0056). |\n| **Compliance metadata** | OWASP LLM Top 10 + MITRE ATLAS + MITRE ATT\u0026CK technique on every finding |\n| **HTTP target scanning** | `.git`, `.env`, source maps, framework misconfigs, exposed configs |\n\nSee [docs/COVERAGE.md](docs/COVERAGE.md) for the full matrix.\n\n---\n\n## Why this matters\n\nIn May 2026, KrebsOnSecurity and GitGuardian reported on a public GitHub\nrepository named `Private-CISA`. 
The repo, created by a CISA contractor in\nNovember 2025, contained 844 MB of operational material: CI/CD logs,\nKubernetes manifests, Terraform code, GitHub workflows, internal docs, AWS\nGovCloud admin credentials, and plaintext passwords for internal systems.\n\nThis is the threat model GitExpose is built for. GitHub is the production\nperimeter, and one careless commit can publish keys, infrastructure maps, and\noperational secrets to attackers who never needed a zero-day.\n\nGitExpose v0.3 adds **active credential verification** — instead of just\nflagging that a string looks like an OpenAI key or an AWS access key, it\nconfirms whether that credential is live by sending a low-footprint\nauthentication check to the provider. Live keys get flagged as `verified-live`\nin SARIF output and surface as the highest-confidence alerts in GitHub Code\nScanning.\n\nReferences:\n- [KrebsOnSecurity: CISA contractor leak](https://krebsonsecurity.com/) (May 2026)\n- [GitGuardian incident analysis](https://blog.gitguardian.com/)\n\n---\n\n## Features\n\n### Core Scanning\n- **Async HTTP** with configurable concurrency (50-100+ requests)\n- **Signature validation** to reduce false positives\n- **Multiple outputs**: console, JSON, CSV, HTML, **SARIF 2.1.0**\n- **OWASP LLM + MITRE ATLAS metadata** on every finding\n\n### Credential Detection (`gitexpose ...`)\n- 23-provider regex matrix with context-bound patterns where needed\n- Paired-secret cluster detection: when ≥2 distinct secret types appear in the same file, GitExpose emits a single CRITICAL `credential_cluster` finding\n- Multi-provider-key file flagging: known aggregator paths (`OAI_CONFIG_LIST`, `litellm_config.yaml`, `.continue/agents/*.yaml`) get a CRITICAL multi-provider finding when ≥2 secret types are present\n\n### Local Supply-Chain Scanning (`gitexpose supply-chain \u003cpath\u003e`)\n- Unpinned AI middleware (`litellm`, `langchain`, `openai`, etc.) 
flagged HIGH\n- Known-malicious package versions corpus (TeamPCP/LiteLLM, Telnyx, Xinference, etc.)\n- Slopsquatting detection — known LLM-hallucinated package names (USENIX 2025 research basis)\n- `.pth` persistence pattern (TeamPCP-class post-compromise indicator)\n- AI-agent C2 beacon detection (MITRE ATLAS AML.TA0015)\n- Kubernetes secret-exfiltration patterns\n- **Polyglot file detection** — text-extension files (`.md`, `.yaml`, `.json`, etc.) whose leading bytes are a binary/executable/archive signature (ELF, PE/MZ, ZIP, PDF, Mach-O, gzip). Built-in magic-byte detection — no external dependency.\n- **Prompt injection in agent instruction files** — hidden directives in `CLAUDE.md`, `AGENTS.md`, `GEMINI.md`, `.continue/`, `.cursor/` (OWASP LLM01)\n- **Malicious agent config payloads** — embedded `curl|bash`, `exec`/`eval` in CrewAI/AutoGen/litellm configs (CRITICAL)\n- **LangChain `lc-` key heuristic** — best-effort detection of LangChain-format credentials, motivated by CVE-2025-68664 (LangGrinch); treat as a high-signal lead requiring confirmation\n\n### Git History Scanning (`gitexpose git-history \u003cpath\u003e`, v0.4)\n- Scans **all reachable git history** (`git log -p --all --reverse`) for credentials committed and later removed\n- Full 29-provider credential matrix applied to every diff hunk\n- Each secret deduplicated and reported once at its **earliest-introducing commit** with SHA, author, and date\n- **Composes with `--verify`**: historical secrets are liveness-checked — \"deleted 47 commits ago, confirmed live\"\n- AWS access+secret pairing applies here too, enabling AWS liveness verification on historical findings\n- Flags: `-o/--output {console,json}`, `--out-file`, `--since`, `--max-commits`, plus the full `--verify*` family\n\n### Active Verification (`--verify`, v0.3+)\n- Opt-in liveness check: turns a \"looks like a key\" finding into a **confirmed live / dead** verdict by sending a low-footprint, side-effect-free auth request to the 
provider\n- Covers 16 providers: OpenAI, Anthropic, Groq, OpenRouter, xAI, Cerebras, Hugging Face, ElevenLabs, Pinecone, LangSmith, GitHub, GitLab, Docker Hub, Slack, and AWS (SigV4 `GetCallerIdentity`)\n- **AWS pairing (v0.4)**: when both `aws_access_key` and `aws_secret_key` are found in the same source, they are paired automatically so the STS liveness check succeeds. Previously AWS always returned `error`. Applies to both `supply-chain` and `git-history`.\n- Conservative by default: a consent banner names every destination host, concurrency is capped, and no raw secret is ever logged (canary-tested). Results surface as `verified` / `dead` / `error` and as `verified-live` SARIF tags for GitHub Code Scanning\n- Status surfaced across JSON, SARIF, HTML, CSV, and console output\n\n### Advanced Modules (in `gitexpose/advanced/`)\n- React2Shell detector (CVE-2025-55182)\n- ML model supply-chain scanner (pickle opcode analysis)\n- LLM/RAG infrastructure exposure scanner\n- Invisible Unicode detector (GlassWorm patterns)\n- Cloud asset scanner (S3 / Azure Blob / GCS)\n- API endpoint discovery\n- WAF detection / stealth mode\n- MCP server (Model Context Protocol)\n\n---\n\n## Installation\n\n```bash\n# Clone repository\ngit clone https://github.com/fevra-dev/GitExpose.git\ncd GitExpose\n\n# Install with pip\npip install -e .\n\n# Or install with advanced dependencies\npip install -e \".[advanced]\"\n```\n\n### Requirements\n- Python 3.9+\n- aiohttp, click, colorama (core)\n- rich, aiofiles, GitPython (advanced, optional)\n\n---\n\n## Quick Start\n\n### Basic Scan\n```bash\n# Single target\ngitexpose example.com\n\n# Multiple targets\ngitexpose example.com api.example.com\n\n# From file\ngitexpose -f targets.txt\n```\n\n### Advanced Scans\n```bash\n# Full security audit (all modules)\ngitexpose scan example.com --full-audit\n\n# React2Shell vulnerability check\ngitexpose react2shell https://nextjs-app.com\n\n# ML model supply chain scan\ngitexpose ml-scan 
https://api.example.com\n\n# LLM/AI infrastructure exposure\ngitexpose llm-scan https://ai-app.com\n\n# Invisible Unicode detection\ngitexpose unicode-scan --file suspicious.js\n\n# Local supply-chain scan — now with live dependency SCA (OSV.dev, v0.5)\n# Parses lock files, queries OSV for live CVEs/GHSAs, ranks by exploitability.\ngitexpose supply-chain ./my-project\n\n# Air-gapped / offline: skip OSV, use the curated known-bad list only\ngitexpose supply-chain ./my-project --offline\n\n# Export a CycloneDX 1.6 AI-BOM (components + dependency VEX + NTIA elements)\ngitexpose supply-chain ./my-project -o cyclonedx --out-file sbom.cdx.json\n\n# Supply-chain scan with active credential verification (opt-in)\n# Sends a side-effect-free auth check to each provider; prints a consent banner.\ngitexpose supply-chain ./my-project --verify\n\n# Verify only the highest-severity findings, with a tighter timeout\ngitexpose supply-chain ./my-project --verify --verify-only-severity HIGH --verify-timeout 3\n\n# Scan all git history for committed-then-removed secrets, and verify which are still live\ngitexpose git-history . 
--verify\n\n# Audit AI-agent configs for excessive tool permissions + leaked system prompts (v0.6)\n# Classifies MCP/permission grants against a dangerous-capability taxonomy (OWASP LLM08).\ngitexpose agent-audit ./repo\ngitexpose agent-audit ./repo -o json --out-file agent-findings.json\n```\n\n### Output Formats\n```bash\n# JSON output\ngitexpose example.com -o json --out-file results.json\n\n# HTML report\ngitexpose scan example.com --full-audit -o html --out-file report.html\n\n# CSV for spreadsheets\ngitexpose -f targets.txt -o csv --out-file results.csv\n\n# SARIF 2.1.0 (for GitHub Advanced Security, VS Code, etc.)\ngitexpose example.com -o sarif --out-file results.sarif\n```\n\n---\n\n## Advanced Capabilities\n\n### React2Shell Detection (CVE-2025-55182)\nDetects the critical pre-auth RCE vulnerability affecting React Server Components:\n```python\nimport asyncio\nfrom gitexpose.advanced import React2ShellDetector\n\nasync def main():\n    # scan() is awaited, so it has to run inside an event loop\n    detector = React2ShellDetector(deep_scan=True)\n    finding = await detector.scan(\"https://nextjs-app.com\")\n    print(f\"Status: {finding.status.value}\")  # vulnerable/potentially_vulnerable\n    print(f\"Risk Score: {finding.risk_score}/10.0\")\n\nasyncio.run(main())\n```\n\n### ML Model Supply Chain\nScans for exposed models that could execute arbitrary code:\n```python\nimport asyncio\nfrom gitexpose.advanced import MLModelScanner\n\nasync def main():\n    # scan() is awaited, so it has to run inside an event loop\n    scanner = MLModelScanner(deep_analysis=True)\n    result = await scanner.scan(\"https://ml-api.com\")\n    for model in result.exposed_models:\n        print(f\"[{model.risk_level}] {model.path}\")\n\nasyncio.run(main())\n```\n\n### MCP Server (AI Agent Integration)\n```bash\n# Start MCP server for Claude/GPT integration\ngitexpose mcp\n```\n\n---\n\n## Detection Coverage\n\nSee [docs/COVERAGE.md](docs/COVERAGE.md) for the full detection matrix.\n\n| Category | Examples | Severity |\n|----------|----------|----------|\n| **Git Repositories** | .git/config, HEAD, index | Critical |\n| **Environment Files** | .env, .env.production | Critical |\n| **Configuration** | wp-config.php, settings.py | High |\n| 
**Backups** | backup.sql, database.dump | Critical |\n| **Source Maps** | *.js.map, webpack bundles | High |\n| **ML Models** | .pkl, .pt, .h5 | Critical |\n| **AI/LLM Configs** | Vector DBs, MCP configs, API keys | Critical |\n| **Supply Chain** | Malicious packages, unpinned deps | High–Critical |\n\n---\n\n## Project Structure\n\n```\ngitexpose/\n├── gitexpose/\n│   ├── __init__.py          # Main package\n│   ├── cli.py               # CLI interface\n│   ├── scanner.py           # Core scanning engine\n│   ├── models.py            # Data models\n│   ├── paths.py             # AI-tool config path detection\n│   ├── signatures.py        # Detection signatures\n│   │\n│   ├── advanced/            # Advanced security modules\n│   │   ├── react2shell_detector.py\n│   │   ├── ml_model_scanner.py\n│   │   ├── llm_exposure_scanner.py\n│   │   ├── invisible_unicode_detector.py\n│   │   ├── supply_chain_patterns.py\n│   │   ├── local_fs_scanner.py\n│   │   ├── credential_cluster.py\n│   │   ├── slopsquatting.py\n│   │   ├── known_bad_versions.py\n│   │   ├── dependency_pinning.py\n│   │   └── mcp_server.py\n│   │\n│   ├── core/                # Core detection engine\n│   ├── git/                 # Git analysis\n│   ├── secrets/             # Credential extraction\n│   └── reporters/           # Output formatters (console, JSON, CSV, HTML, SARIF)\n│\n├── docs/                    # Documentation\n├── tests/                   # Test suite (251 tests)\n└── requirements.txt\n```\n\n\u003e Test suite: ~287 tests as of v0.4.\n\n---\n\n## Roadmap (not yet implemented)\n\nThe following are designed but not yet shipping. 
Track via GitHub issues.\n\n- Policy engine: configurable severity overrides, allow-list patterns, org-wide suppression rules\n- Classic typosquatting (Levenshtein/Jaro-Winkler/homoglyph/keyboard) against popular-package baselines\n- Lock-file poisoning checks (SRI hash mismatch, ghost deps, off-registry resolved URLs) — v0.5 already captures the integrity hashes + URLs needed\n- Shai-Hulud install-time behavioral analysis (lifecycle hooks, credential-harvest AST, metadata-service SSRF)\n- Go (`go.sum`) and Cargo (`Cargo.lock`) ecosystems for SCA\n- Capability/scope enumeration for verified credentials (AWS IAM perms, GitHub PAT scopes, OpenAI org)\n- Active verification for Tier 3 providers (Helicone, Portkey, Voyage, Cohere, Modal, Runpod — detection-only today) and webhook/DB/JWT classes\n- `--verify` on the web-scan path (currently verification runs on `supply-chain` and `git-history` findings only)\n- ML-powered anomaly detection engine\n- Runtime monitoring proxy (Pipelock-style)\n- Plugin architecture for custom detection rules\n- Web dashboard / REST API\n- Live external threat-intelligence enrichment\n- Audio steganography detection (Telnyx-class)\n- Browser-agent misuse patterns\n\n**Shipped in v0.5:** live dependency SCA — lock-file parsing (Python + JS) + OSV.dev CVE/GHSA lookups (`vulnerable_dependency`, default on, `--offline` opt-out), exploitability-first ranking, and a CycloneDX 1.6 AI-BOM (`-o cyclonedx`) with honestly-scoped VEX — see the [CHANGELOG](CHANGELOG.md).\n\n**Shipped in v0.4:** `git-history` command (all-reachable-commit secret scanning with `--verify` composition), AI-supply-chain signature pack (`polyglot_file`, `skill_prompt_injection`, `agent_config_malicious_content`, `langgrinch_lc_key`), and AWS access+secret pairing for reliable liveness verification — see the [CHANGELOG](CHANGELOG.md).\n\n**Shipped in v0.3:** active credential verification (`--verify`), Tier 3 provider detection, GitHub Actions + pre-commit + Code Scanning 
integration docs, and the full MITRE ATLAS coverage map — see the [CHANGELOG](CHANGELOG.md).\n\n---\n\n## Documentation\n\n- [docs/COVERAGE.md](docs/COVERAGE.md) — full provider + supply-chain detection matrix\n- [docs/MITRE_ATLAS_COVERAGE.md](docs/MITRE_ATLAS_COVERAGE.md) — per-detection MITRE ATLAS technique mapping\n- [docs/INTEGRATIONS_CICD.md](docs/INTEGRATIONS_CICD.md) — GitHub Actions + pre-commit setup\n- [docs/INTEGRATIONS_CODE_SCANNING.md](docs/INTEGRATIONS_CODE_SCANNING.md) — GitHub Code Scanning (SARIF) setup + `verified-live` tag filtering\n- [docs/README_ADVANCED.md](docs/README_ADVANCED.md) — advanced module reference\n- [CHANGELOG.md](CHANGELOG.md) — release history\n\n---\n\n## Responsible Use\n\nThis tool is intended for:\n- Authorized penetration testing\n- Bug bounty programs (in-scope targets)\n- Security audits with permission\n- Validating your own infrastructure\n\n**Never** use against targets without explicit authorization.\n\n---\n\n## Research Basis\n\nBuilt on current threat intelligence:\n\n| Threat | Source | Impact |\n|--------|--------|--------|\n| React2Shell | CVE-2025-55182 | CVSS 10.0 RCE |\n| ML Poisoning | nullifAI research | Arbitrary code execution |\n| GlassWorm | VS Code supply chain | Self-propagating worm |\n| RAG Poisoning | OWASP LLM Top 10 | AI manipulation |\n| Slopsquatting | USENIX 2025 | LLM-hallucinated package abuse |\n| TeamPCP | Supply-chain incident | .pth persistence + data exfil |\n\n---\n\n## Contributing\n\nContributions welcome! 
Areas of interest:\n- New detection patterns\n- Framework-specific scanners\n- ML model format analysis\n- Unicode attack patterns\n\n---\n\n## License\n\nMIT License - See [LICENSE](LICENSE) for details.\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n**Built for security researchers defending AI and developer infrastructure**\n\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffevra-dev%2Fgitexpose","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffevra-dev%2Fgitexpose","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffevra-dev%2Fgitexpose/lists"}