GitPwn
1 rating
Overview
Advanced detector for exposed .git/.svn/.hg repositories, leaked secrets and sensitive files on websites
Passive scanner for exposed .git repos, .env files, AWS credentials, SSH keys, and 20+ other secrets on the sites you load.

GitPwn is a security-research browser extension that passively scans every website you visit for accidentally exposed source-control directories, configuration files, credentials, and other sensitive artifacts that should never be public. Instead of running a dozen scripts manually, every site you load is automatically checked in the background — and the moment something leaks, you'll know.

WHAT IT DETECTS

Exposed version-control directories
• .git repositories (with pack files, refs, config)
• .svn working copies
• .hg (Mercurial), .bzr (Bazaar), and CVS metadata

Leaked configuration & credentials
• .env files
• AWS credentials (~/.aws/credentials)
• Firebase configuration
• WordPress wp-config.php backups
• .htpasswd and .htaccess
• SSH private keys (id_rsa)
• .npmrc files containing auth tokens

Dev artifacts that shouldn't be public
• IDE folders: .idea, .vscode
• macOS .DS_Store
• Lock files: composer.lock, package-lock.json, yarn.lock
• docker-compose.yml
• Database dumps (dump.sql, db.sql)
• Backup archives (backup.zip, backup.tar.gz)
• phpinfo.php
• Apache server-status, Spring Boot /actuator endpoints
• GraphQL introspection

Secrets inside HTTP responses
• AWS keys, GCP service accounts, Stripe / Slack / GitHub / Google API tokens, JWTs, private keys, and other high-confidence patterns extracted directly from network responses.

KEY FEATURES
• Passive monitoring — every site you visit is scanned automatically, with a smart blacklist and per-domain rate-limit so it stays out of your way.
• One-click manual scan — Ctrl+Shift+G (Cmd+Shift+G on macOS) triggers a deep scan of the current tab on demand.
• Repository download — when an exposed .git is found, you can download the reconstructed repository tree as a ZIP for analysis.
• Webhook integration — push findings (with a severity threshold) to Slack, Discord, your own SIEM, or any HTTP endpoint.
• Native desktop notifications — instant alert the moment a critical finding lands.
• Searchable dashboard — full-text search across every URL, finding type, and detected secret you've collected.
• Side panel — keep your findings visible while you browse (Ctrl+Shift+S).
• Light and dark themes with a polished UI.
• Multi-language: English, Dutch, Turkish.

WHO IT'S FOR
• Security researchers, penetration testers, and red teamers conducting authorized assessments.
• Bug-bounty hunters looking for low-hanging public-facing leaks.
• DevSecOps and platform engineers auditing their own infrastructure.
• Web developers who want a continuous safety net during deployments.
• CTF players and students learning about web-security misconfigurations.

PRIVACY
• 100% local. No telemetry. No analytics. No remote servers.
• All findings and history are stored only in your browser's local storage.

PERMISSIONS & WHY THEY'RE NEEDED
• webRequest, host_permissions (http/https/ws/wss): to passively check each origin you visit for exposed paths.
• storage: to remember scanned domains and findings locally so it doesn't repeatedly hit the same site.
• notifications: to alert you when a critical finding is detected.
• downloads: to save reconstructed repositories or evidence files when you choose to.
• tabs, scripting, sidePanel, contextMenus, alarms: for the popup, side panel, manual-scan command, and the periodic background re-checks.

DISCLAIMER
GitPwn is intended for security research, authorized penetration testing, and self-auditing of systems you own or have explicit written permission to test. Scanning third-party systems without authorization may be illegal in your jurisdiction. Use at your own risk — the authors accept no responsibility for misuse.
5 out of 5 (1 rating)
Details
- Version: 6.1.0
- Updated: May 11, 2026
- Offered by: kgnfth90
- Size: 141KiB
- Languages: 3 languages
- Developer email: gtpwn@pm.me
- Non-trader: This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.
Privacy
GitPwn has disclosed the following information regarding the collection and usage of your data. More detailed information can be found in the developer's privacy policy.
GitPwn handles the following:
This developer declares that your data is
- Not being sold to third parties, outside of the approved use cases
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes