loading
loading
Recon
A tool to automate dorking of GitHub and GitLab.
overview
dorky automates code-hosting reconnaissance: it takes a list of targets and searches GitHub and GitLab for matching usernames, repository names, and organizations. Feed it a list once instead of running platform search queries by hand.
Switches narrow the search. Restrict to usernames, repositories, or organizations, scope to GitHub only or GitLab only with -gh or -gl, and cap results per category with -max so a wide target list stays manageable. -s strips formatting so matches pipe cleanly into the next tool.
In a Trickest workflow dorky reads a target list plus access tokens and writes a folder and a file of matches. Use it to map an organization's public code footprint, then hand discovered repositories to a secret scanner downstream.
source github.com/codingo/dorky
use cases
Search GitHub and GitLab for repositories and organizations tied to a target list, surfacing code that belongs to the org but lives outside its main account.
Enable username search with -u to discover developer accounts associated with an organization, a useful pivot for further OSINT.
Use -s for simple output so matched repositories pipe straight into a credential scanner and leaked keys in public code get caught.
Pass -gh or -gl when you only care about GitHub or GitLab, cutting noise and API spend on the platform you skip.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| input | FILE | · | List of targets to search for. |
| max | STRING | -max | Maximum search results per category (default 10). |
| username | BOOLEAN | -u | Search for username matches. |
| repository | BOOLEAN | -r | Search for repository names. |
| organization | BOOLEAN | -o | Search for organization names. |
| github-only | BOOLEAN | -gh | Search only GitHub. |
| gitlab-only | BOOLEAN | -gl | Search only GitLab. |
| simple | BOOLEAN | -s | Simple output style for piping to another tool. |
Showing key inputs. dorky exposes 12 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| max | STRING | -max | maximum search results per category (default 10) |
| input | FILE | · | list of targets |
| simple | BOOLEAN | -s | simple output style for piping to another tool |
| verbose | BOOLEAN | -v | enable verbose mode |
| username | BOOLEAN | -u | search for username matches |
| repository | BOOLEAN | -r | search for repository names |
| github-only | BOOLEAN | -gh | search only GitHub |
| gitlab-only | BOOLEAN | -gl | search only GitLab |
| organization | BOOLEAN | -o | search for organization names |
| clean-input-urls | BOOLEAN | -c | clean input URLs |
| github-access-token | FILE | · | GitHub access token |
| gitlab-access-token | FILE | · | GitLab access token |
example
# dorky: GitHub usernames, repos, and orgs from a target listdorky -u -r -o -gh -max 20 -s targets.txthttps://github.com/example-orghttps://github.com/example-org/web-frontendhttps://github.com/example-org/payments-apihttps://github.com/example-org/infra-terraformhttps://github.com/example-devhttps://github.com/example-dev/ci-runnershttps://github.com/example-test/docs-sitehttps://github.com/example-app/mobile-clientguidance
Use dorky to automate GitHub and GitLab discovery from a target list when you want usernames, repos, or orgs in bulk. To then scan the repositories it finds for leaked credentials, follow it with dora or dumpsterdiver. To enumerate every public repo for known usernames, use enumerepo.
Lists all public repositories for valid GitHub usernames. dorky searches across both GitHub and GitLab for usernames, repos, and orgs.
Scans the repositories you find for exposed keys. A natural next step after dorky.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A target list feeds dorky, which finds matching repositories on GitHub and GitLab and passes them to dora so leaked keys land as a queryable output.
Facts on this page come from the live Trickest tool library.