Better Git Hacking: Extracting “Deleted” Secrets from Git Databases with Grawler

Git is a widely used version control system for software development projects. Because of the way Git stores history, “deleted” secrets don’t disappear from the filesystem. That means when a developer commits encryption keys, production passwords, or other secrets to the repository, removing them in a later commit won’t scrub them from the history. They live on as compressed plaintext on every developer’s machine unless the history is rewritten.

Grawler is a command line utility written in Bash and Python that crawls the object trees of a Git repository, searching for and extracting secrets, passwords, keys, and other sensitive information. It is useful both for verifying, via git-log, that a history rewrite scrubbed every occurrence of sensitive data, and for exposing problems in revision deltas by walking pack files.
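To make the point concrete from the defender's side, here is an added example (not Grawler's code, and not from the talk) that shows why a "deleted" secret survives and how a post-rewrite check can find it without trusting any branch or tag. It builds a toy `.git/objects` store directly in Git's loose-object format (zlib-compressed `type size\0body`), stores a blob containing a hard-coded password, then stores the "fixed" blob and a tree that references only the fix. The original blob is now unreachable from any tree, yet it is still on disk, and a scan that walks every loose object rather than the commit graph still reports it. The secret patterns and sample blobs are constructed for this example; a real check would use a curated rule set. Only loose objects are handled here; packed objects would additionally need to be walked (for instance by enumerating them with `git cat-file --batch-all-objects`), which is the part of the job the abstract attributes to Grawler's pack-file walker.

```python
import hashlib
import os
import re
import tempfile
import zlib

# Constructed rule set for this example. A production check would carry
# many more patterns and tune them against false positives.
SECRET_PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(rb"(?i)password\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
}


def write_loose_object(git_dir, obj_type, payload):
    """Store payload as a loose Git object and return its SHA-1 hex id.

    Git's loose-object format is zlib(b"<type> <size>\\0<body>"), named by the
    SHA-1 of the uncompressed bytes. Reproducing it here keeps the example
    independent of a git binary.
    """
    raw = b"%s %d\x00" % (obj_type.encode(), len(payload)) + payload
    sha = hashlib.sha1(raw).hexdigest()
    obj_dir = os.path.join(git_dir, "objects", sha[:2])
    os.makedirs(obj_dir, exist_ok=True)
    with open(os.path.join(obj_dir, sha[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def iter_loose_objects(git_dir):
    """Yield (sha, type, body) for every loose object, referenced or not.

    Walking the object directories instead of `git log` is the point: an
    object that no commit, tree or ref points at is still returned here.
    """
    objects_root = os.path.join(git_dir, "objects")
    for fan in sorted(os.listdir(objects_root)):
        if not re.fullmatch(r"[0-9a-f]{2}", fan):
            continue  # skips the 'pack' and 'info' directories
        fan_dir = os.path.join(objects_root, fan)
        for name in sorted(os.listdir(fan_dir)):
            with open(os.path.join(fan_dir, name), "rb") as f:
                raw = zlib.decompress(f.read())
            header, _, body = raw.partition(b"\x00")
            obj_type, _ = header.split(b" ", 1)
            yield fan + name, obj_type.decode(), body


def scan_loose_objects(git_dir):
    """Return a sorted list of (sha, rule_name) for every blob matching a rule."""
    hits = []
    for sha, obj_type, body in iter_loose_objects(git_dir):
        if obj_type != "blob":
            continue  # trees and commits carry structure, not file content
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(body):
                hits.append((sha, rule))
    return sorted(hits)


def build_demo_repo():
    """Construct a toy object store with two leaked blobs and one 'fixed' blob.

    Only the fixed blob is referenced by the tree, so the two leaked blobs are
    exactly what a later 'remove the secret' commit leaves behind on disk.
    """
    git_dir = os.path.join(tempfile.mkdtemp(prefix="git-secret-demo-"), ".git")
    ids = {
        # constructed sample values, not real credentials
        "leaked_password": write_loose_object(
            git_dir, "blob", b"DB_PASSWORD = 'hunter2hunter2'\n"),
        "leaked_key": write_loose_object(
            git_dir, "blob", b"-----BEGIN RSA PRIVATE KEY-----\nMIIEexample\n"),
        "fixed": write_loose_object(
            git_dir, "blob", b"DB_PASSWORD = os.environ['DB_PASSWORD']\n"),
    }
    # The tree after the "fix" commit points only at the fixed blob.
    tree = b"100644 config.py\x00" + bytes.fromhex(ids["fixed"])
    write_loose_object(git_dir, "tree", tree)
    return git_dir, ids


if __name__ == "__main__":
    git_dir, ids = build_demo_repo()
    for sha, rule in scan_loose_objects(git_dir):
        print(f"{sha[:12]}  {rule}")
```

Run against a real repository by pointing `scan_loose_objects` at its `.git` directory after a history rewrite; a clean result for loose objects is only half the answer until packed objects have been checked the same way, and until every clone and fork has been rewritten too, since the objects persist on every developer's machine.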

Presented by