Automated tool for detecting dangling commits and secrets in GitHub repos.
Project description
🔍 shadowGIT
Automated detection of dangling commits in Git repositories
Identifies commits that were force-pushed away but remain accessible, potentially exposing sensitive data.
✨ Features
- 🔎 Repository Scanning - Scan specific repositories for dangling commits
- 👤 User Activity Analysis - Scan all repositories for a GitHub user
- 📊 JSON Output - Machine-readable output format
- 🚀 Fast & Efficient - Quick detection of exposed commits
- 🔒 Security Focused - Helps identify potential secret leaks
📦 Installation
pip install shadowgit
🚀 Quick Start
Scan a specific repository
shadowGIT github -r owner/repo
Scan all repositories for a user
shadowGIT github -u username
JSON output format
shadowGIT github -r owner/repo --json
shadowGIT github -u username --json
📋 Output Examples
Standard Output
[+] Scanning GitHub repo: owner/repo
[!] Found dangling commit: 0ae67fe748e0b6ca52066e76611f4237a0ace744
JSON Output
{
"repository": "owner/repo",
"commit_sha": "0ae67fe748e0b6ca52066e76611f4237a0ace744",
"author": {
"name": "Author Name",
"email": "author@example.com"
},
"message": "Commit message",
"secrets_found": [],
"url": "https://github.com/owner/repo/commit/0ae67fe748e0b6ca52066e76611f4237a0ace744"
}
🔧 How It Works
shadowGIT analyzes GitHub push events and checks if commits are still accessible via branch history. Commits that were force-pushed away but remain in the repository are flagged as dangling commits.
The tool detects commits that show GitHub's spoofed commit warning, indicating they exist in the repository but are not part of any branch's history.
📋 Requirements
- Python 3.11 or higher
- GitHub API access (no authentication required for public repositories)
📝 License
MIT License - see LICENSE file for details
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file shadowgit-0.1.0.tar.gz.
File metadata
- Download URL: shadowgit-0.1.0.tar.gz
- Upload date:
- Size: 6.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2b4009a5099e3bf401f156d4b4f8cbb2ce13538930d26e3fe55399c257e108b0
|
|
| MD5 |
85492c6943d7161a9e4e17384ff5eb99
|
|
| BLAKE2b-256 |
a21c6dcd833e50969953753c7235d3355c69f242851ff5703b1e4d647bc57531
|
File details
Details for the file shadowgit-0.1.0-py3-none-any.whl.
File metadata
- Download URL: shadowgit-0.1.0-py3-none-any.whl
- Upload date:
- Size: 7.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bd25994373f7a6981a9065eff3ec83995e1eac3e4c0e2efea3f23efb00593ea3
|
|
| MD5 |
df64a42f080a0f000bc1401602285c41
|
|
| BLAKE2b-256 |
0dcff2f857d08868f965fb9bbd8dd9fc2ae40ddee30c9bcb70d0e6a4aabffe8f
|