GitGuardian/litellm_analyzer

What this project is

This project is a small utility that allows a user who has been infected by the litellm malware to discover which secrets have been compromised and remediate them using GitGuardian.

WARNING: This tool harvests credentials and sensitive files from the machine it runs on. Only run it on machines that are already known to be compromised. Running it on a clean machine will needlessly collect and expose your secrets.

How to use it

First, clone the repository on the infected machine. Then create a GitGuardian account and start a business trial. After activating your business trial, create a Personal Access Token in Settings > API with the following permissions: scan:create-incidents and sources:write.

Requirements

  • Python 3 with pip
  • curl
  • A GitGuardian API token with the scan:create-incidents and sources:write scopes (Personal Access Token from your GitGuardian workspace settings)

Usage

GITGUARDIAN_API_KEY=<token> sh scan.sh --source-name <name> --send [--output <file.zip>]

Option              Required  Description
--source-name NAME  Yes       Name of the GitGuardian source to create
--output PATH       No        Output ZIP path (default: harvested_credentials.zip)
--yes / -y          No        Skip the confirmation prompt

Examples

Basic run:

GITGUARDIAN_API_KEY=ggtt-xxxxxxxxxxxx sh scan.sh --source-name prod-server-01 --send

Custom output path:

GITGUARDIAN_API_KEY=ggtt-xxxxxxxxxxxx sh scan.sh --source-name prod-server-01 --output /tmp/scan.zip --send

Dry run (will not send the secrets to GitGuardian):

GITGUARDIAN_API_KEY=ggtt-xxxxxxxxxxxx sh scan.sh --source-name prod-server-01 --output /tmp/scan.zip

Using stored ggshield credentials (interactive auth, no source creation):

sh scan.sh --source-name prod-server-01
# will prompt: ggshield auth login
# note: source creation requires GITGUARDIAN_API_KEY

What it does

  1. Installs ggshield if not already present (pip install ggshield).
  2. Authenticates with GitGuardian, using the GITGUARDIAN_API_KEY environment variable.
  3. Verifies token permissions and sources in the dashboard. Exits with a clear error if any scope is missing.
  4. Creates a source in the GitGuardian dashboard under the name you provide. This associates the scan results with a named, trackable source.
  5. Harvests files by running gather_files.py, which collects credentials, SSH keys, cloud configs, and other sensitive files from the machine into a ZIP archive.
  6. Scans the archive with ggshield secret scan archive --create-incidents, creating incidents in the GitGuardian dashboard for every secret found.

Notes

  • The ZIP archive is not deleted after the scan. Remove it manually if needed.
  • The script is POSIX sh compatible and runs on any Unix-like system.
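
The archive holds every harvested credential in one file and stays on disk after the scan. The helpers below are an added example, not part of this project's code: they create the archive with owner-only permissions and remove it once the scan is done. The function names are hypothetical, and the umask wrapper assumes gather_files.py creates the ZIP with default file modes.

```sh
#!/bin/sh
# Added example: handling the credential archive that scan.sh leaves behind.
# Function names are hypothetical; the default archive name is the README's.

# Run a command with umask 077 so any file it creates is owner-only.
# The subshell body keeps the umask change from leaking into the caller.
with_private_umask() (
    umask 077
    "$@"
)

# Print the ls-style permission string of a path, e.g. "-rw-------".
archive_perms() {
    ls -ld -- "$1" | cut -c1-10
}

# Succeed only for a regular, non-symlink file that starts with the ZIP magic "PK".
is_zip_archive() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(dd if="$1" bs=1 count=2 2>/dev/null)" = "PK" ]
}

# Restrict the archive to its owner, then delete it.
# Anything that is not a regular ZIP file is refused and left in place.
dispose_archive() {
    archive=${1:-harvested_credentials.zip}
    if ! is_zip_archive "$archive"; then
        echo "refusing to remove $archive: not a regular ZIP file" >&2
        return 1
    fi
    chmod 600 -- "$archive" && rm -f -- "$archive"
}

# Typical use, with GITGUARDIAN_API_KEY already exported:
#   with_private_umask sh scan.sh --source-name prod-server-01 --output /tmp/scan.zip --send
#   dispose_archive /tmp/scan.zip
```

Deleting the archive only limits further exposure on the machine; the secrets it contained are still compromised and are remediated through the incidents created in GitGuardian.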
