Most security breaches do not start with a zero-day.
They often start with something embarrassingly simple:
- a hardcoded AWS key in a public repository
- a GitHub Actions workflow that runs untrusted pull request code with write permissions
- a private key committed years ago and forgotten
- a corporate email address exposed through public commit metadata
- a public login panel nobody remembers deploying
These are not sophisticated attack vectors.
They are things hiding in plain sight.
And in many cases, teams only discover them after someone else finds them first.
That is why I built exposure-check.
What is exposure-check?
exposure-check is a fast, open-source exposure scanner for GitHub organisations, repositories, and domains.
It is designed to answer one simple question:
What can attackers see before you do?
It runs as a single static binary, does not require agents, does not require a SaaS account, and can be used locally, in CI/CD, or through a built-in web dashboard.
What it scans for
exposure-check currently checks for:
Leaked secrets
30+ secret patterns covering AWS, Azure, GCP, GitHub, Stripe, Slack, Twilio, database connection strings, private keys, JWTs, and more.Risky GitHub Actions workflows
Detection forpull_request_targetmisuse, untrusted checkout patterns,permissions: write-all, script injection throughgithub.event.*, and actions pinned to mutable tags instead of commit SHAs.Missing security controls
Checks for missingSECURITY.md, missing licence files, weak repository hygiene, and missing project security signals.Exposed corporate emails
Harvests email addresses from public commit metadata and repository history.Domain exposure
Subdomain enumeration, typosquatting checks, public login panel detection, TLS issues, and basic external exposure indicators.
Every scan produces a posture score from 0 to 100 and a prioritised list of findings that can be acted on immediately.
Quick start
Install with Go:
go install github.com/bariskececi/exposure-check@latest
Scan a GitHub organisation:
exposure-check scan --github-org your-org
Scan a single repository:
exposure-check scan --repo owner/repo
Scan a domain:
exposure-check scan --domain example.com
Generate an HTML report:
exposure-check scan --github-org your-org --format html --output report.html
Use it as a CI gate:
exposure-check scan --repo owner/repo --fail-on high
Built-in web dashboard
exposure-check also includes a local web dashboard:
exposure-check serve
Then open:
http://localhost:3000
From the dashboard, you can scan GitHub organisations, repositories, and domains from the browser without using the CLI.
GitHub Action
You can also run exposure-check directly inside GitHub Actions:
- uses: bariskececi/exposure-check@v0.3
with:
repo: ${{ github.repository }}
fail-on: high
Findings can be exported as SARIF and shown as native GitHub Code Scanning alerts.
No external dashboard is required.
Example output
exposure-check — find what attackers can see before they do
target: acme
scope: org
repos: 14
────────────────────────────────────────────
Posture score: 27/100
CRITICAL 2
HIGH 2
MEDIUM 3
LOW 1
────────────────────────────────────────────
[CRITICAL] Possible AWS Access Key ID in public repository
↳ acme/api/config/prod.env:12
fix: Rotate immediately and purge from git history.
[HIGH] pull_request_target checks out untrusted PR code
↳ acme/api/.github/workflows/ci.yml
fix: Never check out PR head under pull_request_target.
Why I built this
I work in cybersecurity and have spent years analysing credential exposure, external attack surface visibility, and leaked data at scale.
One pattern appears again and again:
Organisations spend significant time and money defending their perimeter, but their public repositories, automation workflows, and forgotten domains often expose risk long before an attacker ever touches the internal network.
The problem is not always that teams ignore security.
The problem is that exposure is fragmented.
Secrets are in one place.
Workflow risks are in another.
Commit metadata is somewhere else.
Domains, subdomains, and public panels are outside the development workflow entirely.
So I built exposure-check as a small, fast tool that brings these signals together and makes them visible early.
Most of these issues are fixable in an afternoon.
But only if you know they are there.
Built with
- Go — single static binary, fast execution, easy deployment
- MIT License — free to use, modify, and extend
- Docker — multi-architecture images available
- SARIF support — integrates with GitHub Code Scanning
- HTML reports — useful for internal reporting and remediation tracking
Who is it for?
exposure-check is useful for:
- security engineers
- DevSecOps teams
- open-source maintainers
- consultants
- red teams
- startups that want a quick external exposure check
- anyone who wants to understand what their public GitHub and domain footprint exposes
Contributions are welcome
The project is intentionally modular.
Each check is small and self-contained, so adding new detections is straightforward.
Ideas, issues, pull requests, and feedback are welcome.
bariskececi
/
exposure-check
Find what attackers can see before they do — open-source exposure scanner for GitHub orgs, repos, and domains
exposure-check
Find what attackers can see before they do.
exposure-check is a fast, open-source exposure scanner for GitHub organisations, repositories and developer security posture. It surfaces the things that quietly leak out of public repos — hard-coded secrets, dangerous GitHub Actions workflows, missing security controls and exposed corporate emails — and turns them into a clear report you can act on.
No agents, no SaaS, no account. One static binary (or a GitHub Action). Scan your own org, get a posture score and a prioritised list of findings, and fix them before someone else finds them first.
Web Dashboard
Run exposure-check serve to launch an interactive web dashboard where you can
scan domains, GitHub orgs and repos from your browser.
exposure-check serve # http://localhost:3000
exposure-check serve --port 8080 # custom port
Install
# Go (any platform)
go install github.com/bariskececi/exposure-check@latest
# Docker (multi-arch: amd64 + arm64)
docker run --rm ghcr.io/bariskececi/exposure-check scan…




Top comments (0)