import requests # Note: Requires GitHub API token headers = 'Authorization': 'token YOUR_GITHUB_TOKEN' query = "filename:password.txt extension:txt" url = f"https://api.github.com/search/code?q=query" response = requests.get(url, headers=headers) print(response.json())
While GitHub actively scans and blocks certain explicit secrets (like AWS keys), plain text files named password.txt often slip through because they are not automatically malicious. A file named password.txt containing the line MyEmailPassword=ilovecats is not automatically flagged by GitHub’s secret scanning—it is just a text file. passwordtxt github top
In the world of GitHub security, convenience is the enemy of safety. Plain text passwords belong nowhere near a Git repository—public or private. import requests # Note: Requires GitHub API token
# Remove the file from all commits git filter-branch --force --index-filter \ "git rm --cached --ignore-unmatch password.txt" \ --prune-empty --tag-name-filter cat -- --all Plain text passwords belong nowhere near a Git
or similar collections. These are used by security professionals for authorized penetration testing.