> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/git/history-analysis/trick-0127.md).

# Find Api Key In Git History

***

Analyze a target's public Git repository history for accidentally committed secrets, such as API keys. Developers sometimes commit sensitive data before realizing and removing it in later commits. Focus your analysis on early commits, particularly ones titled "Initial commit", or commits just before known sensitive files were deleted. The secret will remain visible in the historical diffs. If found, note how it's used; for example, it might be required in a specific HTTP header like `X-THM-API-Key` for authentication.

Command-line tools can be highly effective for pattern matching within repository files or the output of Git commands. For instance, the `grep` utility is powerful for searching text. You can use it to scan files for specific strings or patterns that might indicate secrets, such as 'API\_KEY', 'PASSWORD', or specific key formats. A basic approach involves recursively searching files within a directory:

```bash
grep -r "API_KEY" .
```

More advanced usage can involve piping the output of `git log` or `git diff` commands to `grep` to search specifically within commit messages or diff contents across history. Alternatively, Git provides its own built-in search utility, `git grep`, which is optimized for searching within the repository. It searches for the pattern in the files in the named trees. For example, to look for a line matching `foo()` in all `.c` files in the current tree:

```bash
git grep 'foo()' -- '*.c'
```

To search for the same pattern in all `.c` files in the latest commit on branch `maint` and in all commits that are reachable from `topic` but not from `maint`:

```bash
git grep 'foo()' maint topic ^maint -- '*.c'
```

Another powerful Git command for finding commits that introduced or removed a specific string is `git log -S`. This is often referred to as the "pickaxe" option. To see the object IDs of commits where the string "magnetic" was added or removed:

```bash
git log -p -S magnetic --pretty=format:%H
```

Beyond general-purpose tools like `grep` and `git grep`, specialized secret detection tools are designed specifically for scanning code repositories. Tools such as `ggshield` can scan commits, branches, or entire repositories to identify various types of hardcoded secrets with high accuracy. These tools often recognize patterns for specific services (AWS keys, database credentials, API tokens) and can scan historical commits, which is crucial for finding secrets that were committed and later removed but still exist in the history. To scan a local Git repository's history, you might use a command like:

```bash
ggshield scan repo .
```

This command analyzes the repository for potential secrets, providing a structured output of any findings, including the commit where the secret was introduced. Other tools include `detect-secrets`, which can be installed via pip:

```bash
pip install detect-secrets
```

And used to scan a directory:

```bash
detect-secrets scan .
```

Another option is `git-secrets`, which can be cloned and installed:

```bash
git clone https://github.com/awslabs/git-secrets.git && cd git-secrets && sudo make install
```

Then used to scan:

```bash
git secrets --scan
```

Utilizing such tools automates the process of sifting through extensive Git history, making it more efficient to uncover sensitive information that was inadvertently exposed.
