ghscan · PyPI
Skip to main content<br>Switch to mobile version
Warning
You are using an unsupported browser, upgrade to a newer version.
Warning
Some features may not work without JavaScript. Please try enabling it if you encounter problems.
Search PyPI
Search
ghscan 1.1.3
pip install ghscan
Copy PIP instructions
Latest release
Released:<br>Jul 7, 2026
Map out a GitHub org's public footprint (org + contributor repos) and scan it with TruffleHog
Navigation
Verified details
These details have been verified by PyPI<br>Maintainers
magester
Unverified details
These details have not been verified by PyPI
Meta
License: ghscan License (Personal & Internal Use, No Resale)
Requires: Python >=3.9
Report project as malware
Project description
ghscan
A recon/scanning tool for GitHub organizations. Point it at an org and it<br>will:
enumerate every public repo the org owns
figure out who's contributed to those repos (or, in "org-members"<br>mode, pull the org's actual member list instead)
enumerate every public repo each of those people personally owns
dedupe everything into one scan queue
run TruffleHog's<br>--only-verified mode against every repo in that queue
spit out a report of anything it found
An org's real secret-leak exposure isn't just its own repos, it's also<br>every employee's personal side-projects that happen to include a<br>copy-pasted API key or an old .env file. This tool maps that whole<br>footprint and scans it in one pass. Only point it at orgs/repos/accounts<br>you own or are explicitly authorized to test -- see LICENSE.md.
Everything is cached in a local SQLite file as it goes, so a run can be<br>killed (Ctrl-C, a crash, whatever) and picked back up later without<br>re-querying the API or re-scanning repos it already finished.
Requirements
Python 3.9+
TruffleHog installed<br>and on your PATH (or pass --trufflehog-path to point at it)
A GitHub personal access token with at least public read access<br>(optional -- see below)
Install
pip install ghscan
Or from source:
git clone https://github.com/m4gester-bitt/ghscan.git<br>cd ghscan<br>python3 -m venv .venv && source .venv/bin/activate<br>pip install -r requirements.txt
Either way, make sure you cd into the folder you cloned/unzipped<br>before running anything below if you're on the source install -- the<br>commands assume you're already inside it.
Quick start
export GITHUB_TOKEN=ghp_yourtokenhere<br>ghscan --org some-org
That runs with the defaults: skips archived repos and forks, derives<br>contributors from commit history, no volume caps. For a first look at a<br>big org, it's worth doing a dry run first:
ghscan --org some-org --dry-run
This runs discovery, builds the scan queue, prints roughly how many<br>repos it would scan and how many API calls that took, then stops before<br>touching TruffleHog at all.
Running without a token
Don't need GITHUB_TOKEN set anymore to start it up. If it's missing it just asks:
No GITHUB_TOKEN environment variable detected.<br>Would you like to enter one now? [Y/n]
Say yes, type it in (hidden like a password), it carries on. Say no and it checks once more:
Are you sure you want to continue with no GitHub token? [y/N]
Confirm and it runs unauthenticated (60 req/hr cap from GitHub, fine for small orgs, slow for big ones). Only prompts when you're at an actual terminal -- in CI/scripts it just exits and tells you to set GITHUB_TOKEN.
A few tips
Start with --dry-run on any org you haven't scanned before, just to see the queue size before it touches trufflehog.
--exclude-bot-logins is basically free -- always worth passing on org-members mode.
Big org and rate limits hurting? Bump --api-workers down, not up, counterintuitively -- fewer parallel calls means fewer 403s to back off from.
Findings live in the cache even without --save, so if you forgot the flag you can just re-run with it added -- nothing gets rescanned.
Resuming
Everything lands in ghscan_cache.sqlite3 (or wherever --db-path<br>points). Just re-run the same command and it'll pick up where it left<br>off -- already-discovered repos, contributors, and scan results are<br>never redone. Pass --fresh to wipe the cache and start over.
Repos that were already scanned in an earlier run also get automatically<br>checked for new pushes since their last scan (comparing the repo's<br>pushed_at against when the last scan finished) and get requeued if<br>they've changed. So re-running the same command a week later mostly just<br>scans what's new.
Output
By default the full report (summary + findings + skipped/failed repos)<br>just prints to your terminal at the end of the run -- nothing is written<br>to disk unless you pass --save:
ghscan --org some-org --save<br>ghscan --org some-org --save --report-json-path findings.json
All the flags
Filtering
--org -- target org (required)
--include-archived -- include archived repos (default: skipped)
--include-forks -- include forked repos (default: skipped)
--include-forks-if-ahead -- with --include-forks, only scan forks<br>that actually have commits ahead of...