DEV Community

Cover image for I Built an Open-Source Exposure Scanner That Finds What Attackers See Before They Do
barış keçeci
barış keçeci

Posted on

I Built an Open-Source Exposure Scanner That Finds What Attackers See Before They Do

Most security breaches do not start with a zero-day.

They often start with something embarrassingly simple:

  • a hardcoded AWS key in a public repository
  • a GitHub Actions workflow that runs untrusted pull request code with write permissions
  • a private key committed years ago and forgotten
  • a corporate email address exposed through public commit metadata
  • a public login panel nobody remembers deploying

These are not sophisticated attack vectors.

They are things hiding in plain sight.

And in many cases, teams only discover them after someone else finds them first.

That is why I built exposure-check.

What is exposure-check?

exposure-check is a fast, open-source exposure scanner for GitHub organisations, repositories, and domains.

It is designed to answer one simple question:

What can attackers see before you do?

It runs as a single static binary, does not require agents, does not require a SaaS account, and can be used locally, in CI/CD, or through a built-in web dashboard.

What it scans for

exposure-check currently checks for:

  • Leaked secrets

    30+ secret patterns covering AWS, Azure, GCP, GitHub, Stripe, Slack, Twilio, database connection strings, private keys, JWTs, and more.

  • Risky GitHub Actions workflows

    Detection for pull_request_target misuse, untrusted checkout patterns, permissions: write-all, script injection through github.event.*, and actions pinned to mutable tags instead of commit SHAs.

  • Missing security controls

    Checks for missing SECURITY.md, missing licence files, weak repository hygiene, and missing project security signals.

  • Exposed corporate emails

    Harvests email addresses from public commit metadata and repository history.

  • Domain exposure

    Subdomain enumeration, typosquatting checks, public login panel detection, TLS issues, and basic external exposure indicators.

Every scan produces a posture score from 0 to 100 and a prioritised list of findings that can be acted on immediately.

Quick start

Install with Go:

go install github.com/bariskececi/exposure-check@latest
Enter fullscreen mode Exit fullscreen mode

Scan a GitHub organisation:

exposure-check scan --github-org your-org
Enter fullscreen mode Exit fullscreen mode

Scan a single repository:

exposure-check scan --repo owner/repo
Enter fullscreen mode Exit fullscreen mode

Scan a domain:

exposure-check scan --domain example.com
Enter fullscreen mode Exit fullscreen mode

Generate an HTML report:

exposure-check scan --github-org your-org --format html --output report.html
Enter fullscreen mode Exit fullscreen mode

Use it as a CI gate:

exposure-check scan --repo owner/repo --fail-on high
Enter fullscreen mode Exit fullscreen mode

Built-in web dashboard

exposure-check also includes a local web dashboard:

exposure-check serve
Enter fullscreen mode Exit fullscreen mode

Then open:

http://localhost:3000
Enter fullscreen mode Exit fullscreen mode

From the dashboard, you can scan GitHub organisations, repositories, and domains from the browser without using the CLI.

GitHub Action

You can also run exposure-check directly inside GitHub Actions:

- uses: bariskececi/exposure-check@v0.3
  with:
    repo: ${{ github.repository }}
    fail-on: high
Enter fullscreen mode Exit fullscreen mode

Findings can be exported as SARIF and shown as native GitHub Code Scanning alerts.

No external dashboard is required.

Example output

exposure-check — find what attackers can see before they do

target: acme
scope: org
repos: 14

────────────────────────────────────────────

Posture score: 27/100

CRITICAL  2
HIGH      2
MEDIUM    3
LOW       1

────────────────────────────────────────────

[CRITICAL] Possible AWS Access Key ID in public repository
  ↳ acme/api/config/prod.env:12
  fix: Rotate immediately and purge from git history.

[HIGH] pull_request_target checks out untrusted PR code
  ↳ acme/api/.github/workflows/ci.yml
  fix: Never check out PR head under pull_request_target.
Enter fullscreen mode Exit fullscreen mode

Why I built this

I work in cybersecurity and have spent years analysing credential exposure, external attack surface visibility, and leaked data at scale.

One pattern appears again and again:

Organisations spend significant time and money defending their perimeter, but their public repositories, automation workflows, and forgotten domains often expose risk long before an attacker ever touches the internal network.

The problem is not always that teams ignore security.

The problem is that exposure is fragmented.

Secrets are in one place.

Workflow risks are in another.

Commit metadata is somewhere else.

Domains, subdomains, and public panels are outside the development workflow entirely.

So I built exposure-check as a small, fast tool that brings these signals together and makes them visible early.

Most of these issues are fixable in an afternoon.

But only if you know they are there.

Built with

  • Go — single static binary, fast execution, easy deployment
  • MIT License — free to use, modify, and extend
  • Docker — multi-architecture images available
  • SARIF support — integrates with GitHub Code Scanning
  • HTML reports — useful for internal reporting and remediation tracking

Who is it for?

exposure-check is useful for:

  • security engineers
  • DevSecOps teams
  • open-source maintainers
  • consultants
  • red teams
  • startups that want a quick external exposure check
  • anyone who wants to understand what their public GitHub and domain footprint exposes

Contributions are welcome

The project is intentionally modular.

Each check is small and self-contained, so adding new detections is straightforward.

Ideas, issues, pull requests, and feedback are welcome.

GitHub logo bariskececi / exposure-check

Find what attackers can see before they do — open-source exposure scanner for GitHub orgs, repos, and domains

exposure-check

Find what attackers can see before they do.

exposure-check is a fast, open-source exposure scanner for GitHub organisations, repositories and developer security posture. It surfaces the things that quietly leak out of public repos — hard-coded secrets, dangerous GitHub Actions workflows, missing security controls and exposed corporate emails — and turns them into a clear report you can act on.

exposure-check report

No agents, no SaaS, no account. One static binary (or a GitHub Action). Scan your own org, get a posture score and a prioritised list of findings, and fix them before someone else finds them first.

Web Dashboard

Run exposure-check serve to launch an interactive web dashboard where you can scan domains, GitHub orgs and repos from your browser.

exposure-check serve                    # http://localhost:3000
exposure-check serve --port 8080        # custom port
Enter fullscreen mode Exit fullscreen mode

Dashboard — scan form

Dashboard — scanning in progress

Dashboard — results with findings

Install

# Go (any platform)
go install github.com/bariskececi/exposure-check@latest
# Docker (multi-arch: amd64 + arm64)
docker run --rm ghcr.io/bariskececi/exposure-check scan
Enter fullscreen mode Exit fullscreen mode

Top comments (0)