Advanced GitHub search queries (dorks) for identifying potentially exposed API keys, tokens, and secrets across public repositories. This collection helps security researchers, developers, and organizations identify and remediate leaked credentials.
This tool is intended for educational and security research purposes only. Use these queries responsibly to:
- Audit your own repositories for exposed secrets
- Help organizations identify security vulnerabilities in their codebases
- Conduct authorized security research
DO NOT use these queries to access, exploit, or misuse discovered credentials. Always follow responsible disclosure practices and report findings to the appropriate parties.
Comprehensive search patterns for detecting exposed credentials in configuration files, including:
- API keys and tokens for major cloud providers (AWS, Google Cloud, Azure)
- Authentication tokens for development platforms (GitHub, GitLab)
- Payment gateway credentials (Stripe, Square, PayPal)
- Communication service keys (Slack, Twilio, SendGrid)
- Database connection strings
- Private SSH keys
- JWT secrets
Each query follows this pattern:
(path:*.ext1 OR path:*.ext2 OR ...)
AND
(keyname1 OR keyname2 OR ...)
AND
(("signature" OR "pattern") AND (service))
File Extensions: Configuration files where secrets commonly appear (.env, .json, .yaml, .xml, .properties, etc.)
Key Names: Common variable names used for secrets (api_key, secret_key, access_token, etc.)
Signatures: Unique prefixes or regex patterns specific to each service (sk- for OpenAI, AKIA for AWS, etc.)
- Copy any query from the collection below
- Paste directly into GitHub's search bar at https://github.com/search?type=code
- Review results and report findings responsibly
GitHub code search supports these filters to narrow results:
language:JavaScript # Specific programming language
repo:username/reponame # Specific repository
org:orgname # Organization repositories
user:username # Specific user's repositories
path:src/config/ # Specific directory path
extension:env # Specific file extension
(path:*.env OR path:*.json) AND api_key AND "sk-" AND openai language:JavaScript
Important Note: Repository-search qualifiers such as pushed:>2024-01-01, created:>2024-01-01, and stars:>100 do NOT work with code search. These filters only work when searching repositories, not code within files.
AWS Access Keys
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (/AKIA[0-9A-Z]{16}/ AND (aws OR amazon))
Google API Keys
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (/AIza[0-9A-Za-z\-_]{35}/ AND Google)
OpenAI API Keys
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND ("sk-" AND (openai OR gpt))
OpenAI API Keys (Regex)
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (/sk-[a-zA-Z0-9]{48}/ AND (openai OR gpt))
GitHub Tokens
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("ghp_" OR "gho_" OR "ghu_" OR "ghs_" OR "ghr_") AND (Github OR OAuth))
NPM Tokens
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key OR path:*.npmrc) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret OR _auth OR _authToken) AND npm
Docker Hub Tokens
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key OR path:*.dockercfg) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret OR auth) AND docker
Slack Tokens
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("xoxb-" OR "xoxp-" OR "xoxa-" OR "xoxo-" OR "xoxr-") AND Slack)
Slack Tokens (Regex)
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (/xox[pboa]-[0-9]{10,}/ AND Slack)
Twilio API Keys
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("SK" OR "AC") AND Twilio)
SendGrid API Keys
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND ("SG." AND SendGrid)
Stripe Keys
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("sk_live_" OR "pk_live_" OR "sk_test_") AND Stripe)
Square OAuth Tokens
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("sq0atp-" OR "sq0csp-") AND (square OR OAuth))
Shopify Tokens
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("shpss_" OR "shpat_" OR "shpca_" OR "shppa_") AND Shopify)
MailChimp API Keys
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (mailchimp AND api_key)
Heroku API Keys
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (heroku AND api_key)
Firebase/Google Services
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (firebase OR "google-services")
JWT Secrets
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (jwt_secret OR jwtSecret OR jwt_key OR jwtKey OR jwt_token) AND /eyJ[A-Za-z0-9_-]{10,}/
Private SSH Keys
(path:*.pem OR path:*.key OR path:*.ppk OR path:id_rsa OR path:id_dsa OR path:id_ed25519) AND ("BEGIN PRIVATE KEY" OR "BEGIN RSA PRIVATE KEY" OR "BEGIN DSA PRIVATE KEY" OR "BEGIN EC PRIVATE KEY" OR "BEGIN OPENSSH PRIVATE KEY")
Database Connection Strings
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (connection_string OR connectionString OR database_url OR DATABASE_URL) AND (mongodb OR postgresql OR mysql OR redis)
Use this template to build your own search queries:
(path:*.{ext1} OR path:*.{ext2} OR ... OR path:*.{extN})
AND
(keyname1 OR keyname2 OR ... OR keynameN)
AND
(("signature1" OR "signature2") AND (platform1 OR platform2))
File Extensions: Target file types where secrets might be stored
Key Names: Variable names commonly used for credentials
Signatures: Unique patterns or prefixes that identify specific services
Platform Tags: Service names to provide context
- Always obtain proper authorization before testing
- Follow responsible disclosure timelines
- Document findings professionally
- Never exploit discovered vulnerabilities
- Use environment variables for secrets
- Add sensitive files to .gitignore
- Implement pre-commit hooks to detect secrets
- Rotate exposed credentials immediately
- Use secret scanning tools in CI/CD pipelines
- Implement GitHub secret scanning
- Use tools like TruffleHog, GitGuardian, or Gitleaks
- Conduct regular security audits
- Establish incident response procedures
- Educate developers on secure credential management
- git-secrets (AWS Labs)
- TruffleHog
- GitGuardian
- Gitleaks
- detect-secrets (Yelp)
- GitHub Secret Scanning (native)
Add to .gitignore:
.env
.env.local
.env.production
*.key
*.pem
config/secrets.yml
credentials.json
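The pre-commit hook recommended above can reuse the same signatures the queries search for. The following is an added example, not part of the original collection: the function names and redaction format are hypothetical, and the GitHub and Stripe length bounds are assumptions because the page lists only their prefixes.

```python
#!/usr/bin/env python3
import re
import subprocess
import sys

# Patterns and prefixes come from the page's queries. The GitHub and Stripe
# length bounds are assumptions: the page lists only their prefixes.
RULES = {name: re.compile(rx) for name, rx in {
    "AWS access key ID": r"AKIA[0-9A-Z]{16}",
    "Google API key": r"AIza[0-9A-Za-z\-_]{35}",
    "OpenAI API key": r"sk-[a-zA-Z0-9]{48}",
    "Slack token": r"xox[pboa]-[0-9]{10,}",
    "GitHub token": r"gh[pousr]_[A-Za-z0-9]{20,}",
    "Stripe key": r"(?:sk_live_|pk_live_|sk_test_)[A-Za-z0-9]{16,}",
    "Private key": r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----",
}.items()}


def scan_text(text, path="<stdin>"):
    """Return (path, line, rule, redacted match) for every signature hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            for m in rx.finditer(line):
                # Redact so the hook's own output does not leak the value.
                shown = f"{m.group(0)[:6]}...({len(m.group(0))} chars)"
                findings.append((path, lineno, name, shown))
    return findings


def main():
    """Scan every staged file; a non-zero exit makes git abort the commit."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        capture_output=True, check=True).stdout
    findings = []
    for raw in filter(None, names.split(b"\0")):
        path = raw.decode("utf-8", "surrogateescape")
        # Read the staged blob, not the working-tree copy.
        blob = subprocess.run(["git", "show", f":{path}"],
                              capture_output=True).stdout
        findings += scan_text(blob.decode("utf-8", "replace"), path)
    for path, lineno, name, shown in findings:
        print(f"{path}:{lineno}: {name}: {shown}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Saved as .git/hooks/pre-commit and made executable, it stops a commit whose staged content matches any of the signatures.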
Contributions are welcome. Please submit pull requests with:
- New search patterns for additional services
- Improvements to existing queries
- Documentation updates
- Bug fixes
- Inspired by the original github-dorks project
- GitHub advanced search documentation
- Security research community contributions