https://github.com/cosad3s/sonarleaks
Digging into private data through Sonarcloud public projects
- Host: GitHub
- URL: https://github.com/cosad3s/sonarleaks
- Owner: cosad3s
- License: gpl-3.0
- Created: 2024-09-09T11:09:40.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-09-13T16:36:22.000Z (almost 2 years ago)
- Last Synced: 2025-04-06T17:52:37.470Z (about 1 year ago)
- Topics: bugbounty, hacking, osint, sonarqube
- Language: Python
- Homepage:
- Size: 247 KB
- Stars: 9
- Watchers: 1
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Sonarleaks

## Summary
SonarCloud is a SAST SaaS platform built on SonarQube.
During my DevSecOps journey, I recently discovered that [Sonarcloud](https://sonarcloud.io/) (from SonarSource) offers the possibility to explore public projects.
After working on [Postleaks](https://github.com/cosad3s/postleaks) and seeing the popularity of other similar projects related to public data on SaaS platforms (like [swaggerHole](https://github.com/Liodeus/swaggerHole)), the `Explore` button triggered my curiosity.
I created this small tool to get basic information about SonarCloud projects from the Explore tab.
**The results from SonarCloud are all marked as public projects, but many appear to be linked to private source repositories hosted outside SonarCloud. This could be the result of a misconfiguration on the customer side or something intentionally left public.**
*Reminder: paying SonarCloud customers can [change the visibility](https://docs.sonarsource.com/sonarcloud/administering-sonarcloud/managing-organizations/#allow-only-private-projects) of their projects at any time.*
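The visibility point cuts both ways: an organization admin can use the SonarCloud Web API to audit their own projects for unexpected public visibility. The following is an added example, not code from the Sonarleaks project; it assumes the endpoint `GET /api/projects/search?organization=<org>` with `p`/`ps` paging, a `visibility` field on each returned component, and a token accepted as the HTTP basic-auth username, and the sample response it runs on offline is constructed.

```python
import json
import os
import urllib.request
from base64 import b64encode

# Assumed SonarCloud Web API endpoint (not taken from the Sonarleaks README).
SONARCLOUD_API = "https://sonarcloud.io/api/projects/search"

# Constructed sample of one response page; the field names are assumptions.
SAMPLE_PAGE = json.loads("""{
  "paging": {"pageIndex": 1, "pageSize": 100, "total": 3},
  "components": [
    {"key": "acme_website", "name": "Public website", "visibility": "public"},
    {"key": "acme_billing", "name": "Billing backend", "visibility": "public"},
    {"key": "acme_hr", "name": "HR portal", "visibility": "private"}
  ]
}""")


def unexpected_public(components, allowlist):
    """Keys of projects that are public but not on the intentionally-public allowlist."""
    allowed = set(allowlist)
    return sorted(c["key"] for c in components
                  if c.get("visibility") == "public" and c["key"] not in allowed)


def fetch_all_components(org, token, opener=urllib.request.urlopen):
    """Walk every page of the (assumed) search endpoint for one organization."""
    auth = b64encode(f"{token}:".encode()).decode()  # token as basic-auth user
    components, page = [], 1
    while True:
        req = urllib.request.Request(
            f"{SONARCLOUD_API}?organization={org}&ps=100&p={page}",
            headers={"Authorization": f"Basic {auth}"})
        with opener(req) as resp:
            data = json.load(resp)
        components.extend(data["components"])
        paging = data["paging"]
        if paging["pageIndex"] * paging["pageSize"] >= paging["total"]:
            return components
        page += 1


if __name__ == "__main__":
    # Runs offline on the sample; set SONAR_ORG and SONAR_TOKEN to audit a live org.
    comps = SAMPLE_PAGE["components"]
    if os.environ.get("SONAR_ORG") and os.environ.get("SONAR_TOKEN"):
        comps = fetch_all_components(os.environ["SONAR_ORG"], os.environ["SONAR_TOKEN"])
    for key in unexpected_public(comps, allowlist=["acme_website"]):
        print(f"review visibility of project: {key}")
```

Anything printed is a project to review: either add it to the allowlist because it is meant to be public, or switch it to private in the organization settings.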

## Usage
```bash
❯ sonarleaks -h
usage: sonarleaks [-h] [--top] [--loc LOC] [-k KEYWORD] [-kf KEYWORD_FILE] [--private] [--source]

Sonarleaks 🛰️💧 Search for private code published to Sonarcloud.

options:
  -h, --help        show this help message and exit
  --top             Filter on top public projects
  --loc LOC         Filter on minimum of lines of code
  -k KEYWORD        Keyword (company, project, etc.)
  -kf KEYWORD_FILE  Keywords file
  --private         Only display components linked to potential private repository.
  --source          Only display components with available source code.
```
### Examples
***Top public projects with at least 500000 lines of code, linked to a private repository, with source code available***
`❯ sonarleaks --top --loc 500000 --source --private`

***Projects related to keyword `Salesforce`***
`❯ sonarleaks -k salesforce`
