GitHub Dorks: Unearthing Hidden Gems in Code Repositories

Welcome to BitPanic!

Today, we dive into GitHub dorks, a powerful yet often overlooked tool for bug hunters, penetration testers, and developers looking to secure their codebases.

GitHub dorks are specially crafted search queries that help find sensitive information accidentally left in public repositories. By leveraging GitHub’s search functionality with specific operators, you can locate exposed credentials, API keys, configuration files, or even potential vulnerabilities.

Using these queries responsibly is essential, as GitHub dorks can be a double-edged sword—use them to secure your code, but always respect ethical boundaries.

Top 50+ GitHub Dorks for Bug Bounty Hunters and Security Professionals

Below is a curated list of dorks you can use to enhance your bug bounty hunting process or secure your projects:

1. filename:".env" password

2. filename:"config.json" api_key

3. filename:"settings.py" secret_key

4. filename:"database.yml" password

5. extension:sql mysql dump

6. extension:json apiKey

7. extension:yaml aws_access_key_id

8. extension:ini aws_secret_access_key

9. filename:"wp-config.php" database

10. filename:"config.php" dbpassword

11. extension:log password

12. filename:"id_rsa"

13. filename:"authorized_keys"

14. filename:"known_hosts"

15. extension:pem private

16. extension:key private

17. filename:".ftpconfig"

18. filename:".dockercfg"

19. filename:"Dockerfile" password 

20. filename:"bash_history"

21. filename:".bash_profile"

22. filename:".bashrc"

23. filename:".zshrc"

24. filename:".npmrc" //registry.npmjs.org/:_authToken

25. filename:".netrc"

26. extension:php pass 

27. extension:php pwd 

28. extension:php dbhost 

29. filename:"shadow" 

30. filename:"passwd" 

31. filename:"sshd_config" 

32. filename:"config" password

33. filename:"web.config" connectionString
 
34. filename:"app.config" connectionString

35. extension:xml credentials 

36. extension:ini password 

37. extension:properties password 

38. filename:"settings.xml" server 

39. filename:"settings.gradle" password 

40. filename:"key.json" 

41. filename:"client_secret.json" 

42. extension:sql password 

43. filename:"composer.json" password 

44. filename:"secrets.yml" 

45. extension:env DATABASE_URL 

46. filename:"config.ini" password 

47. extension:js apiKey 

48. filename:".aws/credentials" 

49. extension:txt password 

50. filename:".azure" 

51. filename:"pip.conf" password 

52. filename:"config.js" dbPassword 

53. filename:"config.rb" password 

54. filename:"config.groovy" password

55. filename:".git-credentials"

How to Use GitHub Dorks?

1. Visit GitHub’s search page.

2. Use the above dorks in the search bar.

3. Refine results with filters such as org:<organization> or repo:<repository> for targeted searches.
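
To check your own working copy before it is pushed, the same dork strings can be applied locally. The script below is an added example, not part of the original post: it parses the filename:/extension: syntax from the list above and reports which files in a directory tree a dork would match. The function names are hypothetical, and the matching (exact file name or extension, case-insensitive keyword substring) is an assumed simplification, not GitHub's search semantics.

```python
import os, re, tempfile

# Four dorks copied from the list above; paste in the rest as needed.
DORKS = ['filename:".env" password', 'filename:"id_rsa"',
         'extension:pem private', 'filename:".aws/credentials"']
DORK_RE = re.compile(r'^(filename|extension):"?([^"\s]+)"?\s*(.*)$')

def parse_dork(dork):
    """Split a dork into (qualifier, value, [keywords])."""
    m = DORK_RE.match(dork.strip())
    if not m:
        raise ValueError(f"unsupported dork: {dork!r}")
    return m.group(1), m.group(2), m.group(3).split()

def file_matches(root, rel, dork):
    """Local approximation of one dork: name/extension test, then keywords."""
    kind, value, keywords = parse_dork(dork)
    posix = "/" + rel.replace(os.sep, "/")
    if kind == "filename" and not posix.endswith("/" + value):
        return False
    if kind == "extension" and not posix.endswith("." + value):
        return False
    with open(os.path.join(root, rel), errors="ignore") as fh:
        text = fh.read().lower()
    return all(k.lower() in text for k in keywords)

def audit_tree(root, dorks=DORKS):
    """Return sorted (relative_path, dork) pairs for files a dork would match."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            hits += [(rel, d) for d in dorks if file_matches(root, rel, d)]
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample files standing in for a working copy."""
    files = {".env": "DB_PASSWORD=example-not-real\n",
             "deploy/id_rsa": "constructed placeholder, not a key\n",
             "README.md": "no secrets here\n"}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, dork in audit_tree(tmp):
            print(f"{rel}: matches {dork}")
```

Point audit_tree at a repository checkout in a pre-commit hook or CI job and fail the run when it returns any hits.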

Disclaimer

This post is for educational purposes only. Always follow ethical guidelines and only use these dorks on your own projects or with explicit permission.

Stay secure,

The Bitpanic Team