Gumbler is a tool to dig for sensitive files committed in the history of the project. It uses the .gitignore and a starter file (i.e. files_to_look_for.txt) as a seed list. It then checks every branch and commit to see if that file was committed at some point.
python gumbler.py -r "./projects/[REPO_NAME]" -a -p "[ORG_NAME]/[REPO_NAME]"
python gumbler.py -o server -x "./output"
python gumbler.py -r "./projects/[REPO_NAME]" -a
python gumbler.py -o server -x "./output"
http://localhost:5000/files?file=yml
- Lightweight, portable results (i.e. json, html)
- View and search the results via flask server
- No Github API keys required. It can be used against repo's discovered during OSINT and not tied to Github.
- (Goal) Support svn and mecurial
- Add vulnerability checks through the webserver (e.g. find potential AWS keys)
There are lots of bugs and, quite a few, false negatives. Please create an issue if you find something. The project is being actively maintained.