Better Git Hacking: Extracting “Deleted” Secrets from Git Databases with Grawler

ShmooCon XIV - 2018

Presented by: Justin Regele
Date: Saturday January 20, 2018
Time: 15:00 - 15:20
Location: Near Room
Track: Build It

Git is a widely used version control system for software development projects. Because of the way Git stores data, “deleted” secrets don’t disappear from the filesystem. That means when a developer commits encryption keys, production passwords, or other secrets to the repository, removing them in a later commit won’t scrub them from the history. They live on, as compressed plaintext, on every developer’s machine unless the history is rewritten.

Grawler is a command line utility written in Bash and Python that crawls the object trees of a Git repository, searching for and extracting secrets, passwords, keys, and other sensitive information. It is useful for verifying, with git-log, that history rewriting scrubbed every occurrence of sensitive data, and for exposing problems in revision deltas by walking pack files.
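To make the behaviour the abstract describes concrete, here is an added example (not Grawler's own code): a Bash script that commits a constructed secret, deletes it in a later commit, and then counts blobs in the object store that still contain it, before and after a history rewrite. The repository, the secret string and all function names are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not Grawler's code: a "deleted" secret survives in the object
# database, and rewriting history alone does not remove it.
set -eu

# Count blobs in the object store of repo $1 that contain string $2.
# --batch-all-objects walks loose and packed objects whether reachable or not,
# so it sees blobs that no longer appear in any tree of the current history.
count_objects_with() {
  local repo="$1" needle="$2"
  git -C "$repo" cat-file --batch-all-objects --batch-check='%(objectname) %(objecttype)' \
    | awk '$2 == "blob" { print $1 }' \
    | while read -r oid; do
        if git -C "$repo" cat-file -p "$oid" | grep -- "$needle" >/dev/null; then
          echo "$oid"
        fi
      done | wc -l | tr -d ' '
}

# Constructed repo: commit a config file holding a secret, then delete it in a
# later commit, the pattern the abstract describes.
make_demo_repo() {
  local repo; repo="$(mktemp -d)"
  git -C "$repo" init -q
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config user.name demo
  printf 'DB_PASSWORD=CONSTRUCTED_SECRET_123\n' > "$repo/config.env"
  git -C "$repo" add config.env && git -C "$repo" commit -q -m 'add config'
  git -C "$repo" rm -q config.env && git -C "$repo" commit -q -m 'remove secret'
  echo "$repo"
}

# Rewrite every ref so config.env never existed. The old commits stay reachable
# through refs/original/* and the reflog, so the blob is still on disk after this.
rewrite_history() {
  FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$1" filter-branch -f \
    --index-filter 'git rm -q --cached --ignore-unmatch config.env' -- --all >/dev/null 2>&1
}

# Drop the backup refs, expire reflogs and prune unreachable objects; only now
# is the secret gone, which is what a scan of the object store should confirm.
scrub_unreachable() {
  local repo="$1" ref
  for ref in $(git -C "$repo" for-each-ref --format='%(refname)' refs/original/); do
    git -C "$repo" update-ref -d "$ref"
  done
  git -C "$repo" reflog expire --expire=now --all
  git -C "$repo" gc -q --prune=now
}
```

Calling make_demo_repo and then count_objects_with before and after rewrite_history and scrub_unreachable gives 1, still 1 after the rewrite, and 0 only after the scrub.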

Justin Regele

Justin Regele works as a Penetration Tester with Tiro Security, as well as a freelance software engineer, doing full stack, mobile and embedded development. His introduction to computer programming came from Herb Schildt’s “Teach Yourself C,” which he found in a dumpster in 2005.
