• Stars: 317
• Rank: 131,438 (Top 3 %)
• Language: Go
• License: MIT License
• Created about 5 years ago
• Updated over 2 years ago


Repository Details

secretz, minimizing the large attack surface of Travis CI


secretz is a tool for cutting down the large attack surface of Travis CI: given an organization, it automatically fetches its repositories, their builds and the build logs so that what those logs expose can be reviewed.

Built during and for our research on TravisCI: https://edoverflow.com/2019/ci-knew-there-would-be-bugs-here/

Usage:

secretz -t Organization [options]

Flags:

Flag      Description                                                                                Example
-t        Organization to get repos, builds, and logs for                                            secretz -t ExampleCo
-c        Limit the number of workers that are spawned                                               secretz -t ExampleCo -c 3
-delay    Delay between requests, plus a random jitter of up to delay/2                              secretz -t ExampleCo -delay 900
-members  Takes list or scan: get all GitHub members belonging to Organization and list/scan them    secretz -t ExampleCo -members scan
-timeout  How long to wait for HTTP responses from Travis CI                                         secretz -t ExampleCo -timeout 20
-setkey   Set the API key for api.travis-ci.org                                                      secretz -setkey yourapikey

Installation:

Via go get

go get -u github.com/lc/secretz

Via git clone (fetch the json-iterator dependency first, then build)

go get -u github.com/json-iterator/go
git clone git@github.com:lc/secretz
cd secretz && go build -o secretz main.go

Generate an API key (using the Travis CLI):

travis login
travis token --org

Create the config file:

secretz -setkey <API-KEY>

Note:

Please keep your delay high and your workers low out of respect for Travis CI and their APIs. This will also help you avoid being rate-limited by them.
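The -c, -delay and -timeout flags are what keep the tool from hammering Travis CI, and the note above asks for conservative values. The following Go program is an added illustration of that throttling and is not code from the secretz repository: a worker pool bounded at -c, a pause of delay plus random jitter of up to delay/2 between a worker's requests, a per-request HTTP timeout, and the Travis-API-Version: 3 and Authorization: token ... headers that the api.travis-ci.org v3 API expects. The /repo/{owner%2Frepo}/builds endpoint shape, the JSON fields, the ExampleCo repos and the FakeTravis server are assumptions made so the example runs offline; secretz's own client may be structured differently.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math/rand"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
	"time"
)

type Build struct{ ID int `json:"id"` } // only the id; a log-fetching step would use it next

// Fetcher applies the -c / -delay / -timeout semantics described above: at most Workers
// requests in flight, Delay plus up to Delay/2 of jitter between a worker's requests, and
// every HTTP call bounded by Timeout.
type Fetcher struct {
	BaseURL, Token string
	Workers        int
	Delay, Timeout time.Duration
}

// Builds lists the builds of one "owner/repo" slug. The slug is path-escaped
// (lc/secretz -> lc%2Fsecretz) as the v3 API expects, and the request carries the
// v3 version header and the token that -setkey stores. (Endpoint shape assumed.)
func (f *Fetcher) Builds(slug string) ([]Build, error) {
	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/repo/%s/builds", f.BaseURL, url.PathEscape(slug)), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Travis-API-Version", "3")
	req.Header.Set("Authorization", "token "+f.Token)
	resp, err := (&http.Client{Timeout: f.Timeout}).Do(req) // -timeout
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s: HTTP %d", slug, resp.StatusCode)
	}
	var body struct{ Builds []Build `json:"builds"` }
	return body.Builds, json.NewDecoder(resp.Body).Decode(&body)
}

// FetchAll runs every slug through a bounded worker pool; a failed slug is recorded, not fatal.
func (f *Fetcher) FetchAll(slugs []string) (map[string][]Build, map[string]error) {
	sem := make(chan struct{}, f.Workers) // -c: one slot per allowed in-flight request
	var mu sync.Mutex
	var wg sync.WaitGroup
	builds, errs := map[string][]Build{}, map[string]error{}
	for _, slug := range slugs {
		wg.Add(1)
		sem <- struct{}{} // blocks once Workers requests are in flight
		go func(slug string) {
			defer wg.Done()
			b, err := f.Builds(slug)
			mu.Lock()
			if err != nil {
				errs[slug] = err
			} else {
				builds[slug] = b
			}
			mu.Unlock()
			time.Sleep(f.Delay + time.Duration(rand.Int63n(int64(f.Delay/2)+1))) // -delay plus rand(0, Delay/2)
			<-sem // slot freed only after the pause, so spacing holds even when the server answers instantly
		}(slug)
	}
	wg.Wait()
	return builds, errs
}

// FakeTravis is a constructed stand-in for api.travis-ci.org so the example runs offline.
func FakeTravis(token string) *httptest.Server {
	repos := map[string][]Build{
		"/repo/ExampleCo%2Fweb/builds": {{ID: 101}, {ID: 102}},
		"/repo/ExampleCo%2Fapi/builds": {{ID: 201}},
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Travis-API-Version") != "3" || r.Header.Get("Authorization") != "token "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if b, ok := repos[r.URL.EscapedPath()]; ok {
			json.NewEncoder(w).Encode(map[string][]Build{"builds": b})
			return
		}
		http.NotFound(w, r)
	}))
}

func main() {
	srv := FakeTravis("yourapikey")
	defer srv.Close()
	f := &Fetcher{BaseURL: srv.URL, Token: "yourapikey", Workers: 2, Delay: 900 * time.Millisecond, Timeout: 20 * time.Second}
	builds, errs := f.FetchAll([]string{"ExampleCo/web", "ExampleCo/api", "ExampleCo/missing"})
	fmt.Printf("fetched %d repos, %d failed: %v\n", len(builds), len(errs), errs)
}
```

The pause is taken before the worker releases its slot, so the spacing between requests is enforced by the pool itself rather than by how quickly the API answers; with Workers=2 and Delay=900ms the fake server sees at most two requests per roughly 0.9 to 1.35 seconds, which is the behaviour the -c and -delay flags are meant to give you against the real API.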

More Repositories

1. gau (Go, 3,231 stars): Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
2. subjs (Go, 668 stars): Fetches JavaScript files from a list of URLs or subdomains.
3. theftfuzzer (Python, 297 stars): TheftFuzzer is a tool that fuzzes Cross-Origin Resource Sharing implementations for common misconfigurations.
4. 230-OOB (Python, 166 stars): An out-of-band XXE server for retrieving file contents over FTP.
5. hacks (Go, 100 stars): Repo of useful scripts.
6. cspparse (Go, 70 stars): A tool to evaluate Content Security Policies.
7. jenkinz (Go, 60 stars): jenkinz is a tool to retrieve every build for every job ever created and run on a given Jenkins instance.
8. otxurls (Go, 58 stars): Fetch known URLs from AlienVault's Open Threat Exchange for given hosts.
9. brute53 (Go, 58 stars): A tool to bruteforce nameservers when working with subdomain delegations to AWS.
10. DOD-Recon (HTML, 44 stars): Recon for the Department of Defense HackerOne program.
11. research (Java, 36 stars): Miscellaneous security research stuff.
12. reckdns (Go, 16 stars): A kinda reckless DNS resolver. Still under development.
13. rickrolllogs (Python, 14 stars): Tool to rick roll access.logs.
14. sslc2 (Assembly, 9 stars): Simple C&C example in assembly that retrieves commands from the Organizational Unit (OU) field in an SSL certificate.
15. rlyCTF (HTML, 8 stars): rlyCTF (relay CTF) challenge to emulate real-world SSRF attacks.
16. bugbountylink (HTML, 7 stars): URL shortener using Flask & MySQL.
17. lc.github.io (HTML, 7 stars): Information security blog by Corben Leo @hacker_.
18. newsletter-code (Go, 6 stars): Repository for any code I send out in newsletters.
19. ctf-dev (HTML, 1 star): Various CTFs I've created over time.
20. solidity-by-example (Solidity, 1 star): My code for following along with the https://solidity-by-example.org/ course.