I'm excited to introduce Seraphix, a comprehensive, open-source secret scanning toolkit I built to meet the needs of serious security researchers and bug bounty hunters.
Seraphix is designed for speed and scale, moving far beyond basic repository checks. It integrates multiple powerful scanning strategies—from organization-wide audits to finding data thought to be deleted forever—all managed through an efficient, customizable workflow.
Seraphix Core Capabilities: Beyond the Basics
Seraphix is built on four core pillars, giving you flexibility and power for any audit scenario:
1. Massive-Scale Organization Scanning
Seraphix can scan an entire list of GitHub organizations or target a single organization, fetching and processing repositories in parallel. It dynamically calculates the optimal number of workers to use on your system, ensuring scans are completed as quickly as possible.
2. The Force-Push Goldmine
This is our unique advantage. When a developer accidentally commits a secret and then rewrites history with a git push --force to remove it, the commit is no longer reachable from any branch, but GitHub keeps serving it by its SHA, so it is "dangling" rather than gone. Seraphix uses a filtered GHArchive dataset to pick out push events that look like these rewrites, recover the overwritten commits, and uncover secrets that scanners working only from current branch heads miss.
To confirm whether each secret it finds is still valid, Seraphix hands the findings to TruffleHog, which verifies credentials against the issuing service rather than relying on pattern matches alone.
Watch Seraphix in action, hunting for secrets in a force-pushed commit:
💡 The Inspiration: The force-push scanning technique was directly inspired by the groundbreaking work of Sharon Brizinov. You can read the original post detailing how he scanned all of GitHub's "oops" commits and earned bounties here: How I Scanned All of GitHub’s "Oops" Commits for Leaked Secrets.
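To make the force-push workflow concrete, here is an added example (not Seraphix's own code) that walks the pipeline end to end on constructed data: filter GHArchive-style PushEvent records for history rewrites, build the URL of the now-dangling commit's patch, and scan the added lines of that patch for secrets. The force-push heuristic used (a PushEvent carrying zero commits whose `before` and `head` SHAs differ) is an assumption about how such events look, not Seraphix's documented filter; the sample events and patch text are constructed, and the regex scan stands in for the TruffleHog verification step described above.

```python
"""Force-push candidate discovery and secret scan (added example, not Seraphix code).

Assumes GHArchive PushEvent JSON with `payload.before`, `payload.head`,
`payload.size` and `repo.name`. The rewrite heuristic, sample events and
sample patch are constructed for this demo.
"""
import json
import re

# Constructed GHArchive-style events, one JSON object per line.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"type": "PushEvent", "repo": {"name": "acme/payments"},
                "payload": {"before": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",
                            "head": "0fedcba9876543210fedcba9876543210fedcba9",
                            "size": 0, "distinct_size": 0}}),
    json.dumps({"type": "PushEvent", "repo": {"name": "acme/web"},
                "payload": {"before": "1111111111111111111111111111111111111111",
                            "head": "2222222222222222222222222222222222222222",
                            "size": 1, "distinct_size": 1}}),
    json.dumps({"type": "WatchEvent", "repo": {"name": "acme/web"}, "payload": {}}),
])

SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def force_push_candidates(ndjson):
    """Return (repo, dangling_sha) for PushEvents that look like history rewrites.

    Heuristic (an assumption, not Seraphix's documented filter): zero commits
    were pushed, yet the branch tip moved. The pre-push `before` SHA is the
    commit now unreachable from the branch but still fetchable by hash.
    """
    out = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("type") != "PushEvent":
            continue
        p = ev.get("payload", {})
        before, head = p.get("before", ""), p.get("head", "")
        if p.get("size") == 0 and before != head and SHA_RE.match(before):
            out.append((ev["repo"]["name"], before))
    return out


def commit_patch_url(repo, sha):
    """GitHub serves a commit's unified diff at this URL even when the commit
    is on no branch; fetch it with an authenticated client to avoid rate limits."""
    return f"https://github.com/{repo}/commit/{sha}.patch"


# Demo detectors only; TruffleHog ships hundreds and verifies each hit live.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


def scan_patch(patch_text):
    """Return (detector, line_no, match) for secrets on the patch's added lines.

    Only `+` lines are inspected: `+++` file headers, context lines and removed
    `-` lines are skipped, so a secret the rewrite deleted is not reported twice.
    This regex pass does not verify; Seraphix delegates that to TruffleHog.
    """
    findings = []
    for n, line in enumerate(patch_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for name, rx in SECRET_PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((name, n, m.group(0)))
    return findings


# Constructed patch standing in for what the .patch URL would return.
# AKIAIOSFODNN7EXAMPLE is AWS's published example key, not a live credential.
SAMPLE_PATCH = "\n".join([
    "From a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 Mon Sep 17 00:00:00 2001",
    "Subject: [PATCH] add deploy config",
    "",
    "--- a/config.env",
    "+++ b/config.env",
    "@@ -1,2 +1,3 @@",
    " REGION=us-east-1",
    "+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "-OLD_TOKEN=ghp_" + "a" * 36,
])

if __name__ == "__main__":
    for repo, sha in force_push_candidates(SAMPLE_EVENTS):
        print("candidate:", commit_patch_url(repo, sha))
        for finding in scan_patch(SAMPLE_PATCH):
            print("  hit:", finding)
```

In a real run the `.patch` fetch replaces `SAMPLE_PATCH`, and each hit should go through TruffleHog (or the provider's own API) before it is reported, since an unverified pattern match is where most false positives in this kind of hunting come from.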
3. The Bug Bounty Utility
Looking for targets? Seraphix includes a powerful utility to fetch and generate lists of GitHub organizations known to offer bug bounty programs. You can then feed this curated list directly into the mass scanning module, streamlining your hunting workflow.
4. Targeted Repository and Commit Scanning
For focused investigation, you can easily target specific repositories or individual commits for a deep-dive analysis.
Analytics and Real-Time Notifications
Discovering secrets is only the first step. Seraphix ensures you can verify and act on your findings instantly.
Interactive Dashboard
Every scan generates a powerful, interactive web dashboard for visualization and analysis. It provides an at-a-glance view of:
- Secret Statistics: Breakdown of secret types (e.g., AWS keys, tokens).
- Risk Assessment: Severity and calculated risk associated with each finding.
- Verification Status: Track which secrets have been verified as active.
Advanced Alerting System
You can enable real-time notifications to be alerted the moment a secret is found, without having to wait for the scan to finish. Seraphix supports instant alerts via:
- Telegram
- Discord
- Email (Mailgun)
Quick Start: Get Seraphix Running in Minutes
Seraphix is primarily written in Shell and Python, making it highly portable and easy to deploy.
1. Installation
# Clone the repository
git clone https://github.com/AmedeoV/seraphix.git
cd seraphix
# Run the installation script to install dependencies
./install_requirements.sh
2. Choose Your Scanner (Example: Organization Scan)
To scan an organization (e.g., Microsoft) for the top 10 most recent repos, using parallel processing:
cd org-scanner/
./scan_org.sh microsoft --max-repos 10
👉 Check out the full documentation and source code here:
AmedeoV/seraphix on GitHub
I'd love to hear your feedback—let me know what features you'd like to see next in the comments!