XowiaScan

GitHub Secrets Recon

Recon & Discovery

Hunt leaked API keys, .env files, internal hostnames and credentials in public code, tied to your target org or domain.

What is GitHub Secrets Recon?

GitHub Secrets Recon runs the secret-leak dorks that bounty hunters keep in their notes — but indexed against the target you actually care about. You give it an organisation name, a domain or a keyword; it combines that target with high-signal queries (.env, api_key, BEGIN PRIVATE KEY, aws_access_key_id, Authorization: Bearer, generic credentials) and runs them against GitHub’s code-search API.

Every result is then classified by what it likely contains — AWS access key, Google API key, Slack token, GitHub token, Stripe key, private-key block, JWT, bearer token, hardcoded credential — and ordered so the classified secrets float above the keyword matches. Each hit links straight to the offending line in the repo.

It is fully passive: only GitHub’s API is contacted, never your target. When no GitHub PAT is configured on the server, the tool gracefully degrades to a panel of ready-to-click GitHub, GitLab, SourceGraph and grep.app search links — same dorks, your browser is the client.

What it does

  • 6 secret-leak dorks — env files, generic API keys, generic secrets, passwords, private-key blocks, cloud / bearer tokens — combined with your target term.
  • 9 secret classifiers — AWS (AKIA...), Google API keys (AIza...), Slack (xox[baprs]-), GitHub PATs (gh[pousr]_), Stripe (sk_live_ / sk_test_), private-key blocks, JWTs, bearer tokens, hardcoded credentials.
  • Ranked results — classified secrets first, keyword matches second, capped at 60 hits across all dorks.
  • Snippet preview — the matched fragment(s) shown inline so you can triage without opening every repo.
  • Multi-engine fallback — GitHub, GitLab, SourceGraph and grep.app search links pre-built for the same dorks, always available beneath the inline results.
  • Rate-limit aware — GitHub's code-search endpoint allows 10 requests per minute per authenticated token, so the tool caps at 6 queries per run and, if it still hits the limit, marks the run as partial rather than silently returning fewer hits.
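The list above describes a small pipeline: combine a target term with each dork, classify every returned fragment against a format-specific regex, then order classified secrets ahead of plain keyword matches. The Python below is an added example, not XowiaScan's own code. The exact dork query strings, the length/charset tails on the regexes (the page only gives the prefixes), and the placeholder-demotion heuristic are assumptions of this example; the sample hits are constructed and name no real repository or credential.

```python
import re
from dataclasses import dataclass, field

# Dork terms per category. The page names the categories and keywords; the
# exact query strings below are an assumption of this example.
DORKS = {
    "env files": ".env",
    "generic API keys": "api_key",
    "generic secrets": "secret",
    "passwords": "password",
    "private-key blocks": '"BEGIN PRIVATE KEY"',
    "cloud / bearer tokens": 'aws_access_key_id OR "Authorization: Bearer"',
}
MAX_QUERIES_PER_RUN = 6   # GitHub code search allows 10 requests/min; stay well under
MAX_HITS = 60             # overall cap across all dorks


def build_queries(target: str) -> list[str]:
    """Combine the target term (org, domain or keyword) with each dork."""
    target = target.strip().replace('"', "")
    dorks = list(DORKS.values())[:MAX_QUERIES_PER_RUN]
    return [f'"{target}" {dork}' for dork in dorks]


# One regex per credential format. Prefixes are those listed on the page; the
# tails are the publicly documented shape of each token type (assumed here).
CLASSIFIERS: list[tuple[str, re.Pattern[str]]] = [
    ("private-key block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("AWS access key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("Google API key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("Slack token", re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}")),
    ("GitHub token", re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}")),
    ("Stripe key", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}")),
    ("JWT", re.compile(r"\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+")),
    ("bearer token", re.compile(r"(?i)\bbearer\s+[0-9A-Za-z._~+/-]{16,}=*")),
    ("hardcoded credential", re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api_?key)\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
]

# Triage heuristic (added here, not a page feature): values that look like
# documentation placeholders or test-mode keys are demoted within the
# classified tier so real-looking secrets surface first.
PLACEHOLDER_RX = re.compile(r"(?i)example|xxx+|0{8,}|changeme|your[_-]|<[^>]+>|sk_test_")


def classify(fragment: str) -> list[str]:
    """Return every credential format whose regex matches the fragment."""
    return [name for name, rx in CLASSIFIERS if rx.search(fragment)]


@dataclass
class Hit:
    repo: str
    path: str
    fragment: str
    labels: list[str] = field(default_factory=list)
    placeholder: bool = False


def rank(hits: list[Hit], max_hits: int = MAX_HITS) -> list[Hit]:
    """Deduplicate by file, classify, and order: real-looking classified
    secrets, then placeholder-looking classified secrets, then keyword matches."""
    seen: set[tuple[str, str]] = set()
    out: list[Hit] = []
    for h in hits:
        key = (h.repo, h.path)
        if key in seen:            # same file surfaced by two dorks
            continue
        seen.add(key)
        labels = classify(h.fragment)
        placeholder = bool(labels) and PLACEHOLDER_RX.search(h.fragment) is not None
        out.append(Hit(h.repo, h.path, h.fragment, labels, placeholder))
    out.sort(key=lambda h: (0 if h.labels else 1, 1 if h.placeholder else 0))  # stable
    return out[:max_hits]


# Constructed sample results (not real repositories or credentials).
SAMPLE_HITS = [
    Hit("example-org/docs", "README.md", "See https://api.example.com/v1 for the hosted endpoint"),
    Hit("example-org/backend", ".env", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"),
    Hit("example-org/backend", "config/prod.py", 'STRIPE_KEY = "sk_test_000000000000000000000000"'),
    Hit("example-org/client", "tests/fixtures.js",
        "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.sig"),
    Hit("example-org/infra", "deploy/id_rsa", "-----BEGIN RSA PRIVATE KEY-----"),
    Hit("example-org/backend", ".env", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"),
    Hit("example-org/tools", "scripts/db.py", 'password = "hunter2hunter2"'),
]

if __name__ == "__main__":
    for q in build_queries("example.com"):
        print("query:", q)
    for h in rank(SAMPLE_HITS):
        tag = ", ".join(h.labels) or "keyword match"
        flag = " (looks like a placeholder)" if h.placeholder else ""
        print(f"{h.repo}/{h.path}: {tag}{flag}")
```

Two design points worth noting. A fragment can satisfy more than one classifier (a JWT sent as a bearer token matches both), so `classify` returns every label rather than the first, which is what you want when triaging. And the placeholder demotion is deliberately a hint, not a filter: `AKIA...EXAMPLE` and `sk_test_` keys are usually documentation noise, but they still sit above keyword matches because a real key occasionally hides behind a misleading name.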

Where it fits in your workflow

  • Open every new bug-bounty program here first — leaked secrets in public code are some of the highest-impact, lowest-effort findings.
  • After enumeration, search for any unusual subdomain or internal hostname you discovered: developers often paste them into example code or tests.
  • Confirm a hit by clicking through to the file on GitHub and checking the commit history: sometimes the secret has been rotated, sometimes it is still live. Note that removal is not rotation; a key deleted in a later commit is still in the repository history, so anything that ever reached a public repo should be treated as compromised until the owner revokes it.

At a glance

  • Category: Recon & Discovery
  • Runs: Server-side
  • Token cost: 4 / run (free tier)
  • Access: Pro
  • Status: Live

Frequently asked questions

Does this query my target?

No. Only GitHub’s code-search API is contacted (or the public search engines, in fallback mode). Your target sees zero traffic from this tool.

I see only search links, no inline results — why?

The server does not have a GitHub PAT configured. GitHub's code-search endpoint only answers authenticated requests, so admins must add a token in config.php under tool_secrets.github_token. A classic PAT with no scopes is enough, since public code needs no extra permission; because the token lives on the server, use a dedicated one rather than a personal token that also has write access. The search links work without any token and use the same dorks.

How do I tell a real leak from a keyword match?

Classified results (AWS, Stripe, JWTs, private keys, etc.) match a regex specific to that credential format, so they are high-signal, but a format match is not proof of a live leak: documentation placeholders (AKIA...EXAMPLE), sk_test_ keys and fixture JWTs in test suites match the same regexes. "keyword match" results contain the search term but not a recognised secret pattern; they are still worth a click, often less urgent.

Is it safe / legal to look at these?

Reading public GitHub code is fine. Using a found secret to access systems is not — confirm by checking commit history or asking the program owner; never plug a key into a real service.
