Skip to main content

Automated tool for detecting dangling commits and secrets in GitHub repos.

Project description

🔍 shadowGIT

Automated detection of dangling commits in Git repositories

Python 3.11+ Version License

Identifies commits that were force-pushed away but remain accessible, potentially exposing sensitive data.


✨ Features

  • 🔎 Repository Scanning - Scan specific repositories for dangling commits
  • 👤 User Activity Analysis - Scan all repositories for a GitHub user
  • 📊 JSON Output - Machine-readable output format
  • 🚀 Fast & Efficient - Quick detection of exposed commits
  • 🔒 Security Focused - Helps identify potential secret leaks

📦 Installation

pip install shadowgit

🚀 Quick Start

Scan a specific repository

shadowGIT github -r owner/repo

Scan all repositories for a user

shadowGIT github -u username

JSON output format

shadowGIT github -r owner/repo --json
shadowGIT github -u username --json

📋 Output Examples

Standard Output

[+] Scanning GitHub repo: owner/repo
[!] Found dangling commit: 0ae67fe748e0b6ca52066e76611f4237a0ace744

JSON Output

{
  "repository": "owner/repo",
  "commit_sha": "0ae67fe748e0b6ca52066e76611f4237a0ace744",
  "author": {
    "name": "Author Name",
    "email": "author@example.com"
  },
  "message": "Commit message",
  "secrets_found": [],
  "url": "https://github.com/owner/repo/commit/0ae67fe748e0b6ca52066e76611f4237a0ace744"
}

🔧 How It Works

shadowGIT analyzes GitHub push events and checks if commits are still accessible via branch history. Commits that were force-pushed away but remain in the repository are flagged as dangling commits.

The tool detects commits that show GitHub's spoofed commit warning, indicating they exist in the repository but are not part of any branch's history.

📋 Requirements

  • Python 3.11 or higher
  • GitHub API access (no authentication required for public repositories)

📝 License

MIT License - see LICENSE file for details

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

shadowgit-0.1.0.tar.gz (6.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

shadowgit-0.1.0-py3-none-any.whl (7.3 kB view details)

Uploaded Python 3

File details

Details for the file shadowgit-0.1.0.tar.gz.

File metadata

  • Download URL: shadowgit-0.1.0.tar.gz
  • Upload date:
  • Size: 6.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.3

File hashes

Hashes for shadowgit-0.1.0.tar.gz
Algorithm Hash digest
SHA256 2b4009a5099e3bf401f156d4b4f8cbb2ce13538930d26e3fe55399c257e108b0
MD5 85492c6943d7161a9e4e17384ff5eb99
BLAKE2b-256 a21c6dcd833e50969953753c7235d3355c69f242851ff5703b1e4d647bc57531

See more details on using hashes here.

File details

Details for the file shadowgit-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: shadowgit-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 7.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.3

File hashes

Hashes for shadowgit-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 bd25994373f7a6981a9065eff3ec83995e1eac3e4c0e2efea3f23efb00593ea3
MD5 df64a42f080a0f000bc1401602285c41
BLAKE2b-256 0dcff2f857d08868f965fb9bbd8dd9fc2ae40ddee30c9bcb70d0e6a4aabffe8f

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page