ZULQURNAIN

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

In the world of security, good reconnaissance is like good coffee — strong, focused, and capable of keeping you awake at night.
With APIs being everywhere these days, keeping tokens and secrets under wraps is a must… unless you enjoy strangers “borrowing” your cloud credits.

Sadly, human error is still a thing. Developers (even the smart ones) sometimes leave their API secrets hardcoded in code and push them to public repos on GitHub — basically gift-wrapping access for attackers.
Since GitHub is the go-to hangout spot for open-source code, it can also accidentally become a goldmine for leaked credentials.

To make hunting for these slip-ups easier (purely for ethical purposes, of course), I’ve put together a powerful search syntax that lets you scan for thousands of leaked keys in one go. Think of it as a Swiss Army knife for security pros… but for GitHub.

Search Syntax:

(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))

Examples:

1. OpenAI API keys

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND ("sk-" AND (openai OR gpt))

Pro tip: Use this regex to filter out the fake keys and save yourself some time:

... AND (/sk-[a-zA-Z0-9]{48}/ AND (openai OR gpt))

Shout-out to @fkulakov for the clever contribution.

2. GitHub OAuth/App/Personal/Refresh Access Token

3. Slack Token

4. Google API key

5. Square OAuth/access token

6. Shopify shared secret, access token, private/custom app access token

Parameters Used

File Extensions

File Extension	Description
.xml	XML file format
.json	JSON format
.properties	Configuration properties
.sql	Database queries
.txt	Plain text
.log	Log files
.tmp	Temporary files
.backup	Backup files
.bak	Backup files
.enc	Encrypted files
.yml	YAML config
.yaml	YAML config
.toml	TOML config
.ini	INI config
.config	Configuration files
.conf	Configuration files
.cfg	Configuration files
.env	Environment variables
.envrc	Direnv-specific environment files
.prod	Production config
.secret	Secrets file
.private	Private key file
.key	Key file

Keynames

Keynames	Description
access_key	Access key for a service
secret_key	Authentication or encryption key
access_token	Token to access API or resource
api_key	API access key
apikey	Short form of api_key
api_secret	Secret key for API authentication
apiSecret	Alternate API secret format
app_secret	App authentication key
application_key	App identifier key
app_key	App identifier key
appkey	Short form of app_key
auth_token	Authentication/authorization token
authsecret	Authentication/authorization secret

Other Handy Tools

Online IDE Search: https://redhuntlabs.com/online-ide-search/
Keyhacks on GitHub: https://github.com/streaak/keyhacks
Google Hacking Database: https://www.exploit-db.com/google-hacking-database

Zulqurnain/Github Leaked API Keys and Secrets.md