loading
loading
Recon
Find subdomains belonging to a domain across public GitHub code.
overview
github-subdomains searches public GitHub code for hostnames that reference your target domains. Config files, CI pipelines, Terraform, and committed scripts routinely name staging environments, internal APIs, and retired services that never show up in DNS aggregators or certificate transparency logs. Pointing the tool at a domain pulls those names straight out of indexed source.
Every search hits the GitHub code-search API, so you pass one or more personal access tokens. The tool rotates through them to stretch GitHub's strict rate limit, quick mode (-q) skips the extra per-language and noise queries for a faster sweep, and extended mode (-e) also looks for dummy-prefixed variants of the domain to widen the net.
Reach for it as a second passive source next to subfinder or amass: the hosts it recovers from code join the same subdomain set, and you resolve and probe the merged list downstream. In a Trickest workflow the github-subdomains node reads a file of domains plus your tokens and writes both a file and a folder of discovered subdomains.
use cases
Search public GitHub for a target domain and recover staging hosts, internal APIs, and forgotten services that passive DNS sources and certificate logs never list.
Run github-subdomains beside subfinder and amass, then merge the results so the workflow resolves and probes every name from all three sources, not one.
Feed a comma-separated token list or a token file so the tool spreads requests across keys, keeps searching past a single token's rate limit, and exits cleanly with -k once they are all spent.
Pass the file of found subdomains to a resolver and httpx so only live hosts continue to your scanners downstream.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domains | FILE | · | Domains you are looking for, one per line (required). |
| tokens | STRING | -t | GitHub API tokens separated by commas. |
| tokens-file | FILE | -t | A file containing one GitHub token per line. |
| quick | BOOLEAN | -q | Quick mode; skip the extra per-language and noise searches. |
| extended-mode | BOOLEAN | -e | Extended mode; also search for dummy-prefixed variants of the domain. |
| exit-when-tokens-get-limited | BOOLEAN | -k | Exit the program once all tokens have been disabled. |
| raw | BOOLEAN | -raw | Raw output. |
Showing key inputs. github-subdomains exposes 7 inputs in total.
example
# mine public GitHub for a domain's subdomains, two tokens, extended modegithub-subdomains -d example.com -t ghp_TOKEN1,ghp_TOKEN2 -e -o subdomains.txtapi.example.comdev.example.comstaging.example.cominternal-api.example.comjenkins.example.comgrafana.staging.example.comvpn.example.comgitlab-runner.dev.example.coms3-assets.example.comguidance
Use github-subdomains to add a source-code source to subdomain discovery. It needs GitHub API tokens. Run it alongside subfinder and amass for passive coverage, then hand the merged names to a resolver and httpx before scanning.
Passive subdomain discovery from certificate logs and DNS aggregators; a different source for the same goal.
Same author and token model, but harvests endpoints instead of subdomains from public GitHub.
Broad multi-source enumeration; heavier to run, wider coverage than a single source.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A domain list feeds github-subdomains, which mines public GitHub for hostnames and passes them to httpx so only live subdomains land as output.
Facts on this page come from the live Trickest tool library.