"The weakest link in security is often not technology — it's humans."
As security professionals, reconnaissance is not just a phase — it's a mindset. With the explosive growth of APIs powering everything from SaaS platforms to AI tools, the protection of access tokens, API keys, and secrets has become more critical than ever.
Yet, despite best practices, automated scanners, and secure vaults, human error still wins.
Developers accidentally hardcode secrets into source code.
They commit .env files.
They push backups.
They forget to rotate credentials.
And all of this often ends up on public GitHub repositories.
This article introduces a powerful GitHub search syntax framework that allows you to hunt for exposed secrets at scale — using advanced dorking techniques to filter out noise and zero in on real leaks.
Why GitHub Dorking Still Works
GitHub's search engine is extremely powerful. When used correctly, it allows you to:
- Filter by file type
- Search specific paths
- Combine keyword logic
- Match token patterns
- Reduce false positives
Most people barely scratch the surface.
By chaining multiple conditions together, we can search for:
- Likely configuration files
- Common variable names used for secrets
- Real token formats
- Platform-specific identifiers
All in a single query.
The Core Search Syntax
This is the base template you can use for almost any platform:
(path:*.{File_extension1} OR path:*.{File_extension-N})
AND ({Keyname1} OR {Keyname-N})
AND (({Signature/pattern1} OR {Signature/pattern-N})
AND ({PlatformTag1} OR {PlatformTag-N}))This structure ensures:
- You're searching the right files
- For the right variables
- With the right token patterns
- For the right service
Real-World Examples
1. OpenAI API Keys
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key)
AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret)
AND ("sk-" AND (openai OR gpt))Improved Version (Regex-Based)
This version filters out most dummy keys:
... AND (/sk-[a-zA-Z0-9]{48}/ AND (openai OR gpt))2. GitHub OAuth / Personal Access Tokens
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key)
AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret)
AND (("ghp_" OR "gho_" OR "ghu_" OR "ghs_" OR "ghr_") AND (Github OR OAuth))3. Slack Tokens
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key)
AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret)
AND (xox AND Slack)4. Google API Keys
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key)
AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret)
AND (AIza AND Google)5. Square OAuth Tokens
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key)
AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret)
AND (("sq0atp-" OR "sq0csp-") AND (square OR OAuth))6. Shopify Secrets & Tokens
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key)
AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret)
AND (("shpss_" OR "shpat_" OR "shpca_" OR "shppa_") AND "Shopify")Why File Extensions Matter
Secrets don't just live in .env files. They hide everywhere.
From .backup files to .log files, developers unintentionally leak credentials in places most scanners ignore.
Your extension filters should always include:
- Config formats:
.json,.yaml,.toml,.ini - Backups:
.bak,.backup,.tmp - Environment files:
.env,.envrc - Secrets:
.secret,.private,.key - Logs:
.log
Responsible Usage & Ethics
This technique is meant for:
✅ Bug bounty hunting ✅ Defensive security research ✅ Internal security audits ✅ Threat modeling ✅ Leak detection
❌ Unauthorized exploitation ❌ Account takeover ❌ Abuse ❌ Data theft
If you find exposed credentials:
- Do not use them.
- Report responsibly.
- Contact the repository owner.
- Follow disclosure guidelines.
Extra Tools You Should Know
- 🔍 Online IDE Search: https://redhuntlabs.com/online-ide-search/
- 🧠 Keyhacks Repository: https://github.com/streaak/keyhacks
- 📚 Google Hacking Database: https://www.exploit-db.com/google-hacking-database
Final Thoughts
Credential leaks are not rare. They are not edge cases. They are not hypothetical.
They happen every single day.
By mastering GitHub's advanced search syntax, you gain a massive advantage in:
- Threat detection
- Attack surface mapping
- Security auditing
- Bug bounty hunting