New Mass GitHub dorking tool

magester3 pts0 comments

ghscan · PyPI

Skip to main content<br>Switch to mobile version

Warning

You are using an unsupported browser, upgrade to a newer version.

Warning

Some features may not work without JavaScript. Please try enabling it if you encounter problems.

Search PyPI

Search

ghscan 1.1.3

pip install ghscan

Copy PIP instructions

Latest release

Released:<br>Jul 7, 2026

Map out a GitHub org's public footprint (org + contributor repos) and scan it with TruffleHog

Navigation

Verified details

These details have been verified by PyPI<br>Maintainers

magester

Unverified details

These details have not been verified by PyPI

Meta

License: ghscan License (Personal & Internal Use, No Resale)

Requires: Python >=3.9

Report project as malware

Project description

ghscan

A recon/scanning tool for GitHub organizations. Point it at an org and it<br>will:

enumerate every public repo the org owns

figure out who's contributed to those repos (or, in "org-members"<br>mode, pull the org's actual member list instead)

enumerate every public repo each of those people personally owns

dedupe everything into one scan queue

run TruffleHog's<br>--only-verified mode against every repo in that queue

spit out a report of anything it found

An org's real secret-leak exposure isn't just its own repos, it's also<br>every employee's personal side-projects that happen to include a<br>copy-pasted API key or an old .env file. This tool maps that whole<br>footprint and scans it in one pass. Only point it at orgs/repos/accounts<br>you own or are explicitly authorized to test -- see LICENSE.md.

Everything is cached in a local SQLite file as it goes, so a run can be<br>killed (Ctrl-C, a crash, whatever) and picked back up later without<br>re-querying the API or re-scanning repos it already finished.

Requirements

Python 3.9+

TruffleHog installed<br>and on your PATH (or pass --trufflehog-path to point at it)

A GitHub personal access token with at least public read access<br>(optional -- see below)

Install

pip install ghscan

Or from source:

git clone https://github.com/m4gester-bitt/ghscan.git<br>cd ghscan<br>python3 -m venv .venv && source .venv/bin/activate<br>pip install -r requirements.txt

Either way, make sure you cd into the folder you cloned/unzipped<br>before running anything below if you're on the source install -- the<br>commands assume you're already inside it.

Quick start

export GITHUB_TOKEN=ghp_yourtokenhere<br>ghscan --org some-org

That runs with the defaults: skips archived repos and forks, derives<br>contributors from commit history, no volume caps. For a first look at a<br>big org, it's worth doing a dry run first:

ghscan --org some-org --dry-run

This runs discovery, builds the scan queue, prints roughly how many<br>repos it would scan and how many API calls that took, then stops before<br>touching TruffleHog at all.

Running without a token

Don't need GITHUB_TOKEN set anymore to start it up. If it's missing it just asks:

No GITHUB_TOKEN environment variable detected.<br>Would you like to enter one now? [Y/n]

Say yes, type it in (hidden like a password), it carries on. Say no and it checks once more:

Are you sure you want to continue with no GitHub token? [y/N]

Confirm and it runs unauthenticated (60 req/hr cap from GitHub, fine for small orgs, slow for big ones). Only prompts when you're at an actual terminal -- in CI/scripts it just exits and tells you to set GITHUB_TOKEN.

A few tips

Start with --dry-run on any org you haven't scanned before, just to see the queue size before it touches trufflehog.

--exclude-bot-logins is basically free -- always worth passing on org-members mode.

Big org and rate limits hurting? Bump --api-workers down, not up, counterintuitively -- fewer parallel calls means fewer 403s to back off from.

Findings live in the cache even without --save, so if you forgot the flag you can just re-run with it added -- nothing gets rescanned.

Resuming

Everything lands in ghscan_cache.sqlite3 (or wherever --db-path<br>points). Just re-run the same command and it'll pick up where it left<br>off -- already-discovered repos, contributors, and scan results are<br>never redone. Pass --fresh to wipe the cache and start over.

Repos that were already scanned in an earlier run also get automatically<br>checked for new pushes since their last scan (comparing the repo's<br>pushed_at against when the last scan finished) and get requeued if<br>they've changed. So re-running the same command a week later mostly just<br>scans what's new.

Output

By default the full report (summary + findings + skipped/failed repos)<br>just prints to your terminal at the end of the run -- nothing is written<br>to disk unless you pass --save:

ghscan --org some-org --save<br>ghscan --org some-org --save --report-json-path findings.json

All the flags

Filtering

--org -- target org (required)

--include-archived -- include archived repos (default: skipped)

--include-forks -- include forked repos (default: skipped)

--include-forks-if-ahead -- with --include-forks, only scan forks<br>that actually have commits ahead of...

ghscan repos scan github include trufflehog

Related Articles