GitMAD is a full stack application that monitors Github for a given keyword(s) or domain. GitMAD searches code hosted on Github for a matching keyword. On finding a match, GitMAD will clone the repository and search through the files for a series of configurable regular expressions. GitMAD then takes those results and inserts them into a database for later viewing. These results can also be sent as email alerts. GitMAD runs continuously to discover new repositories matching the input keyword.
GitMAD searches Github for a keyword or domain. The user can also configure the maximum amount of results per search, the amount of time between searches, and the maximum size of a repository to clone. There are two modes, Monitor and Discovery. Discovery mode pulls out and searches new results with each run. Monitor mode will download all matches of a given keyword / domain first, search them, and then continue to search for new results.
GitMAD takes the results from above and searches the Git history of the repository. The history is searched for a set of configurable regular expressions. GitMAD can also break up each line of a history file and search this for matches in Shannon entropy.
This is the location to put keywords and regular expressions to search within the content of a repository, just add a dictionary to the list below:
to_match = [
{'match_regex': r'password', 'match_type': 'Password Match'},
{'match_regex': r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', 'match_type': 'IP Match'},
{'match_regex': r'username', 'match_type': 'Username Match'},
{'match_regex': r'\b[\w.]*@[\w]*\.[\w.]*\b', 'match_type': 'Email Match'}
]
This is the location to remove items the Entropy feature is matching that you do not want. Just add a dictionary to the list below:
r_whitelist = [{'regex':r'\b[A-Za-z][a-z]+([A-Z][a-z]*)+\b'}] # Camel Case
GitMAD takes the results above and inserts them into a database which contains information on the file the match was found, as well as information about the repository. It also inserts the string that was matched and the line of the match. These results are available via an email alert, in the database, and via the web application.
Running web_home.py will open a web application on port 5000. There is a 'Monitor' section which allows a user to view and filter on individual matches within a repository. The 'Repo Info' section allows a user to view and filter on the repository matches themselves.
Allows a user to view either the first 100 most recent repositories, or to use various filters to search for a given repo or set of repos.
A GET request with no parameters to /api/repos will return the 100 most recent results.
GET http://localhost:5000/api/repos
Content-Type: application/json
A POST request allows a user to filter for a specific repo or repos.
Send a JSON object (Content-Type: application/json) with at least one of the following keys:
POST data example (at least one of these keys must be used):
POST http://localhost:5000/api/repos
Content-Type: application/json
{
"page": 1,
"repo_user": "<Username of the repository>",
"repo_name": "<Name of the repository>",
"repo_cloned": "<cloned|not_cloned>",
"repo_desc": "<text string to search for in the repository description>"
}
Allows a user to view either the first 100 most recent results, or to use various filters to search for a given match or set of matches.
A GET request with no parameters to /api/repos will return the 100 most recent results.
GET http://localhost:5000/api/results
Content-Type: application/json
A POST request allows a user to filter for a specific match or type of match.
Send a JSON object (Content-Type: application/json) with at least one of the following keys:
POST data example (at least one of these keys must be used):
POST http://localhost:5000/api/repos
Content-Type: application/json
{
"page": 2,
"match_type": "<type of match>",
"match_string": "<item that was matched>",
"match_location": "<file location where item was matched>",
"match_line": "<match something on the line of the initial match>",
"match_update_type": "<['+','-'] addition or deletion to/from repo>",
"match_author": "<commit author>",
"match_message": "<commit message>"
}
This project is in active development
GitMAD was originally written in Python3.6 on Windows. It has also been tested on Ubuntu 18.04.
Python 3.6+ (f-strings are used in this project, which requires Python 3.6)
Pip for Python3
Git
MySQL 8.0
For MySQL 8.0 on Windows, you should be able to download from the Oracle Website.For Ubuntu 18.04, the default version is still 5.7, so you will have to change the version:
wget -c https://dev.mysql.com/get/mysql-apt-config_0.8.12-1_all.deb
sudo dpkg -i mysql-apt-config_0.8.12-1_all.deb
#select version 8.0
sudo apt update
sudo apt install mysql-server
sudo mysql_secure_installation
git clone https://github.com/deepdivesec/GitMAD.git
cd GitMAD
pip3 install -r requirements.txt
$sudo mysql -u username -p
mysql> source /<path-to-gitmad>/GitMAD/github_search_db.sql
python3 /<path-to-gitmad>/GitMAD/main.py -q <keyword-to-search> [see other options below]
python3 /<path-to-gitmad>/GitMAD/web_home.py
https://dev.mysql.com/downloads/workbench/
https://github.com/deepdivesec/GitMAD/tree/master/GitMAD-install
GitMAD是一个用于发现Github上的敏感信息和数据泄漏的工具。通过给定关键字或域,GitMAD便会搜索Github上托管的代码,以查找是否存在匹配项。一旦找到了匹配项,GitMAD将克隆存储库并在文件中搜索一系列可配置的正则表达式。然后,GitMAD会获取这些结果,并将它们插入到数据库中供后续的查看使用。这些结果也可作为邮件警报发送。另外,GitMAD将持续运行以发现与输入关键字匹配的新存储