TL;DR: I built an ethical, open-source scanner called FleaMarket that finds exposed API keys in fresh GitHub repos. In a recent scan, it discovered live Google/Gemini keys in public .env files โ€” and I helped owners secure them before any abuse occurred.

๐Ÿ•ต๏ธโ€โ™‚๏ธ Why Hunt for Secrets?

API keys in public code are like leaving your house keys under the doormat. Even if you think no one will look โ€” bots do. Thousands of keys are scraped every hour, leading to:

  • Unexpected cloud bills (Stripe, Google Cloud, AWS)
  • Data exfiltration
  • Account takeovers

While GitHubโ€™s native secret scanning blocks many leaks, new keys still slip through โ€” especially in non-standard files like .env.vercel, .env.backup, or examples.

So I built FleaMarket: a lightweight, ethical secret hunter focused on fresh, high-risk repositories.

๐Ÿ› ๏ธ Introducing FleaMarket

FleaMarket is a Python-based scanner that:

โœ… Searches GitHub Code Search API for potential secrets
โœ… Filters false positives (e.g., "your_key_here", test files)
โœ… Ignores stale repositories โ€” only scans repos created โ‰ค30 days and updated โ‰ค7 days
โœ… Detects 30+ key types: Google, AWS, GitHub, OpenAI, Stripe, Pinecone, Census, and more
โœ… Resumes scans after interruption
โœ… Never exploits or stores keys โ€” ethics-first design

๐Ÿ”— GitHub repo (coming soon โ€” but you can build your own!): github.com/toxy4ny/fleamarket

๐Ÿ” How It Works

FleaMarket combines pattern matching, entropy analysis, and context filtering:

  1. Search: Query GitHub for terms like api_key, sk_live_, AIza, etc.
  2. Fetch: Download file content from search results.
  3. Clean: Strip comments (Python, JS, Bash, C-style).
  4. Validate:
    • Is the value high-entropy? (Random-looking strings only)
    • Is it not a placeholder? (Rejects "test", "xxx", "your_key")
    • Is the file not in /test, /example, README.md?
  5. Filter by freshness: Only analyze repos created recently and recently pushed.
  6. Report: Save clean findings to findings.json.

This avoids noise while catching real, actionable leaks.

๐ŸŽฏ Real Findings (Ethically Disclosed)

In a scan with:

python fleamarket.py --query "filename:.env AIza" --repo-age 30

FleaMarket found two live Google/Gemini API keys:

  • In /.env.vercel โ†’ Exposed Google Maps API key
  • In /backend/.env.backup โ†’ Exposed Gemini API key (AIzaSy...)

Both repos were created within the last 30 days โ€” meaning keys were likely still active.

What I Did:

  1. Did not use or test the keys.
  2. Opened polite, constructive GitHub Issues explaining the risk.
  3. Provided step-by-step remediation:
    • Revoke/restrict keys in Google Cloud Console
    • Delete sensitive files
    • Use .gitignore and environment management best practices

Both maintainers responded positively โ€” and the keys were secured.

๐ŸŒŸ This is the goal: not to shame, but to enable better security through collaboration.

๐Ÿงช Try It Yourself (Ethically!)

You can build your own version:

  1. Get a GitHub Personal Access Token (only public_repo scope needed)
  2. Use regex patterns for common secrets (e.g., AIza[0-9A-Za-z\\_\\-]{35})
  3. Add entropy + context filters
  4. Focus on fresh repos โ€” theyโ€™re more likely to contain active leaks
  5. Always disclose responsibly

โš ๏ธ Never scan private repos, self-hosted instances, or non-public data.
โš ๏ธ Never exploit or log actual secrets.
โœ… Treat every finding as a chance to help, not harm.

๐Ÿ”ฎ Whatโ€™s Next?

FleaMarket is just the beginning. Future ideas:

  • Support GitLab, Gist, and public code archives
  • Auto-create GitHub Issues via API
  • Integrate with GitHub Security Lab workflows
  • Publish anonymized trends (e.g., โ€œMost leaked key types this monthโ€)

But the core mission stays the same: make open-source safer, one responsible disclosure at a time.

๐Ÿ’ฌ Final Thought

Finding zero leaks would be ideal.
But until then โ€” tools like FleaMarket, built with ethics and care, can turn researchers into allies.

If you maintain a project: audit your .env files, use secrets managers, and enable GitHub secret scanning.

If youโ€™re a researcher: hunt responsibly.

Together, we keep the ecosystem cleaner โ€” one key at a time.

Have questions? Want the full source code? Let me know in the comments!
Follow me for more on ethical security, red teaming, and offensive tooling.