GitHub Repo Security Auditor
Security audit of any public GitHub repository via bookmarklet. Scans the file tree for exposed secrets (API keys, tokens, passwords), extracts package dependencies from manifest files such as package.json and requirements.txt (without a CVE lookup; see the FAQ), detects misconfigured CI/CD pipelines, and identifies sensitive files that should not be in a public repo.
Drag to your bookmarks bar: 🔒 Audit Repo
Runs on github.com; requests come from your browser, not MaxIntel's servers. Install the bookmarklet, then click it while viewing a repository on github.com.
GitHub Repository Security Auditor
Public GitHub repositories frequently contain exposed secrets, misconfigured files, and vulnerable dependencies. This tool uses a bookmarklet that runs on github.com to fetch the repository tree and key files via GitHub's API, then scans them for security issues using pattern matching and heuristic analysis.
Secret Detection
The auditor scans file contents for known secret patterns: AWS access keys, GitHub tokens, Stripe keys, Google API keys, private keys, database connection strings, JWTs, Slack tokens, and generic password/secret assignments. Each match is categorized by severity.
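As an added illustration (example code, not the MaxIntel bookmarklet's own scanner), the JavaScript below implements the kind of pattern set described above and runs it over constructed sample file contents. The generic password/secret rule gets two extra filters a practitioner would want, a placeholder check (env lookups, ${VAR}, changeme) and a Shannon-entropy floor, so that configuration stubs do not drown the real findings. The regexes, severity labels, sample files and function names are this example's assumptions.

```javascript
// Added example (not the MaxIntel bookmarklet's own code): a regex-based secret
// scanner with per-pattern severity. Pattern set, severities and the sample file
// contents below are this example's assumptions.

const SECRET_PATTERNS = [
  { id: 'aws-access-key-id',    severity: 'critical', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { id: 'github-token',         severity: 'critical', re: /\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b/g },
  { id: 'private-key',          severity: 'critical', re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----/g },
  { id: 'stripe-live-secret',   severity: 'high',     re: /\bsk_live_[0-9a-zA-Z]{24,}\b/g },
  { id: 'slack-token',          severity: 'high',     re: /\bxox[baprs]-[0-9A-Za-z-]{10,}/g },
  // user:password@host inside a connection URL
  { id: 'db-connection-string', severity: 'high',     re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s:@\/]+:[^\s@\/]+@[^\s"']+/g },
  { id: 'google-api-key',       severity: 'medium',   re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  // base64url JSON header ("eyJ" == '{"') followed by payload and signature
  { id: 'jwt',                  severity: 'medium',   re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g },
  // Generic assignment: capture group 1 is the value, which gets extra filtering below.
  { id: 'generic-credential',   severity: 'low',
    re: /\b(?:password|passwd|pwd|secret(?:_?key)?|api[_-]?key|auth[_-]?token|access[_-]?token|token)\b\s*[:=]\s*['"]?([^\s'",;]{8,})/gi },
];

// Values that look like a credential assignment but are not a literal secret.
const PLACEHOLDER = /^(?:\$\{|\$[A-Za-z_]|%|<|\{\{|process\.env|os\.environ|changeme|example|your[_-]?|xxx+|\*{3,}|\.{3,}|null|none|true|false)/i;

// Shannon entropy in bits per character; real random keys sit well above 3.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Never echo a full secret back into a report.
function redact(value) {
  return value.length <= 8 ? '****' : value.slice(0, 4) + '****' + value.slice(-4);
}

// Scan one file's text; returns one finding per match with a 1-based line number.
function scanContent(path, text) {
  const findings = [];
  text.split('\n').forEach((line, index) => {
    for (const { id, severity, re } of SECRET_PATTERNS) {
      for (const m of line.matchAll(re)) {
        const value = m[1] !== undefined ? m[1] : m[0];
        if (id === 'generic-credential' &&
            (PLACEHOLDER.test(value) || shannonEntropy(value) < 3.0)) {
          continue; // placeholder, env lookup or low-entropy dummy, not a literal secret
        }
        findings.push({ path, line: index + 1, id, severity, sample: redact(value) });
      }
    }
  });
  return findings;
}

function auditFiles(files) {
  return Object.entries(files).flatMap(([path, text]) => scanContent(path, text));
}

function summarize(findings) {
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Constructed sample contents (the AWS key is AWS's documented example key; nothing here is live).
const SAMPLE_FILES = {
  'config/settings.py': [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'DATABASE_URL = "postgres://app:hunter2hunter2@db.internal:5432/prod"',
    'SECRET_KEY = os.environ["SECRET_KEY"]',
    'PASSWORD = "changeme"',
    'API_KEY = "q7Zx9pL2mN4vB8kR1tY6"',
    'JWT_EXAMPLE = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.s1gn4tur3s1gn4tur3"',
  ].join('\n'),
  'deploy/id_rsa': '-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n-----END OPENSSH PRIVATE KEY-----',
};

function auditSample() {
  return auditFiles(SAMPLE_FILES);
}

if (typeof require !== 'undefined' && require.main === module) {
  const findings = auditSample();
  console.log(JSON.stringify({ summary: summarize(findings), findings }, null, 2));
}
```

On the sample, the env lookup and the "changeme" line are dropped by the filters while the AWS key, the connection string, the high-entropy API key, the JWT and the private-key header are reported, which is the behaviour a reviewer wants: the noise rule stays low severity and the well-known formats drive the critical count.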
Dangerous File Detection
Certain files should never appear in a public repository: .env files, SSH private keys, database credentials, keystores, and service account files. The tool checks the entire file tree for these patterns.
- File Tree Scan: GitHub's Git Trees API, called with recursive=1, returns the entire file structure in one call, enabling comprehensive filename analysis without reading each file individually. GitHub caps that response at 100,000 entries and 7 MB and sets truncated: true when the cap is hit, so on very large repositories the filename scan is incomplete unless subtrees are fetched separately.
- Content Analysis: Key files (package.json, requirements.txt, Dockerfiles, CI configs) are fetched and scanned for secrets and misconfigurations.
🔒 GitHub Repo Security Auditor — FAQ
Does this use my GitHub API quota?
Yes. Requests go from your browser to api.github.com and count against the limit for whatever identity they carry. Unauthenticated requests are limited to 60 per hour per source IP, and an audit uses roughly 5-15 requests depending on repository size. Being logged in to github.com does not authenticate calls to api.github.com: the REST API does not accept the website's session cookie, so the higher authenticated limit (5,000 per hour) applies only to requests that send a token in the Authorization header. You can confirm this by opening https://api.github.com/rate_limit in a logged-in tab; the core limit it reports is 60, and that endpoint itself does not count against the quota.
Can it scan private repos?
Only if the requests are authenticated with a token that can see the repository. A github.com login session is not forwarded: a cross-origin fetch from github.com does not carry cookies by default, and the REST API does not accept the website's session cookie as authentication in any case. Without a token, api.github.com answers 404 for a private repository, so the bookmarklet can read public repositories only.
Does it check for CVEs in dependencies?
It identifies dependencies from package.json, requirements.txt, and similar files and lists them. Full CVE cross-referencing against vulnerability databases would require additional API calls. The tool focuses on exposed secrets and dangerous files.
Will it detect all secrets?
No secret scanner is 100% comprehensive. The tool uses regex patterns for known key formats, so custom, encoded or obfuscated secrets may not be detected, and generic "password =" matches need manual triage to separate placeholders from real values. Always pair automated scanning with manual review. Remember too that a secret remains in git history after the file is deleted, so any secret that was ever pushed to a public repository should be treated as compromised and rotated, not merely removed.
Does it modify anything in the repo?
No. The bookmarklet only performs read operations via the GitHub API. It never pushes, commits, or modifies any repository content.