loading
loading
Discovery
Find exposed API keys based on regex and get exploitation methods for the ones found.
overview
dora scans a file or a git repository folder for exposed API keys by matching regular expressions against the content. When it recognizes a key type, it reports how that key could be abused, turning a raw match into something you can triage.
Load your own JSON of regex patterns for credentials specific to your stack, and pass extra arguments straight through to ripgrep for fine-grained control over the search. Debug and verbose modes show what matched so you can tune rules before a wide run.
On Trickest, dora is a Discovery node that takes a folder or a file and writes a folder and a file of results. Run it over cloned repositories or dumped data to flag leaked keys, then route the hits into triage or alerting.
source github.com/sdushantha/dora
use cases
Scan a cloned git folder for credential patterns so cloud and service keys committed by mistake surface before an attacker finds them.
Let dora map recognized key types to exploitation methods, so a finding comes with how the key could be abused rather than only a string match.
Load a JSON regex file with patterns for internal token formats so the scan catches credentials specific to your services.
Pass --rg-arguments to constrain path globs, file types, or case handling when a default sweep is too noisy.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| git | FOLDER | · | Folder to test |
| file | FILE | · | File to test |
| json-regex | FILE | --json | Load regex data from a valid JSON file |
| rg-arguments | STRING | --rg-arguments | Arguments you want to provide to ripgrep |
| verbose | BOOLEAN | --verbose | Verbose mode |
| debug | BOOLEAN | -d | Debug mode |
| no-color | BOOLEAN | --no-color | No color |
Showing key inputs. dora exposes 7 inputs in total.
example
# scan a cloned repo for exposed keys with verbose match detaildora ./repo --verbose --no-color[+] Scanning ./repo[!] AWS Access Key ID File: ./repo/config/deploy.env:12 Match: AKIAIOSFODNN7EXAMPLE Hint: enumerate IAM with sts:GetCallerIdentity[!] Slack Bot Token File: ./repo/services/notify.py:88 Match: xoxb-000000000000-exampletoken Hint: list channels / post messages via Web API[*] 2 key types matched across 1 pathguidance
Use dora when you have files or repositories to search for leaked API keys and want exploitation context on the hits. For broad secret detection across mixed data types, dumpsterdiver casts a wider net. For ripping a remote .git folder first, run dvcsripper-git, then point dora at the result.
Entropy and rule-based secret hunting across large data volumes. dora focuses on regex key matches with exploitation hints.
Rips a remote .git folder. Pair it before dora to recover the repo, then scan it for keys.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A git repository feeds dora, which matches its regex set against the content and writes the exposed keys, with exploitation context, as a queryable output.
Facts on this page come from the live Trickest tool library.