yar: OSINT tool for reconnaissance of repositories/users/organizations on Github

(Y)et (A)nother (R)obber: Sail ye seas of git for booty is to be found

Yar is a tool for plunderin’ organizations, users and/or repositories…

In all seriousness though, yar is an OSINT tool for reconnaissance of repositories/users/organizations on Github. Yar clones repositories of users/organizations given to it and goes through the whole commit history in order of commit time, in search of secrets/tokens/passwords, essentially anything that shouldn’t be there. Whenever yar finds a secret, it will print it out for you to further assess.

Yar searches either by regex, entropy or both, the choice is yours. You can think of yar as a bigger and better truffleHog, it does everything that truffleHog does and more!

Install

go get github.com/Furduhlutur/yar

Use

Want to search for secrets in an organization?

yar -o orgname

Want to search for secrets in a user’s repository?

yar -u username

Want to search for secrets in a single repository?

yar -r repolink

or if you have already cloned the repository

yar -r repopath

Want to search for secrets in an organization, for a user and a repository?

yar -o orgname -u username -r reponame

Tutorial

Copyright (C) 2019 Furduhlutur