OSINT
Passive and semi-passive intelligence gathering focused on code repositories, developer footprints, and exposed secrets across public platforms.
Phases
1. Organization Discovery
- Enumerate GitHub/GitLab/Bitbucket orgs for target company name variants
- Find employee personal accounts linked to the target org
- Identify archived, forked, and deleted repositories
2. Repository Analysis
- Map all repos: tech stack, languages, CI/CD, dependencies
- Identify internal hostnames, IPs, endpoints, environment names
- Check for .env files, config files, and secrets in current code
3. Secret & Credential Scanning
- Scan current code with gitleaks/trufflehog
- Scan full git history (a secret removed in a later commit is still present in the commit that introduced it)
- Search with targeted dorks (see reference/repository-recon.md)
4. Code Intelligence
- Extract API endpoints, auth patterns, internal service names
- Review Dockerfiles, CI configs, IaC for infra details
- Check dependency files for version-specific CVE candidates
Output
data/reconnaissance/repositories.json # Repo inventory + findings
reports/reconnaissance_report.md # OSINT section appended
raw/osint/ # Raw tool outputs
Tools
trufflehog, gitleaks, gitrob, GitHub/GitLab search, gh CLI, git log
Rules
- Passive discovery first (search APIs, public pages) before any cloning
- Scan git history — deleted secrets are still in commit objects
- Check employee personal accounts, not just org accounts
- Document every discovered credential/secret immediately as a finding
- All output saved to {OUTPUT_DIR}/ per the CLAUDE.md directory structure
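The history check called for in phase 3 and in the rule above, as an added worked example (this is not code from the transilienceai/communitytools page or from gitleaks/trufflehog, whose rule sets are far larger). The detection rules, the entropy threshold and the sample .env contents are assumptions constructed for the demo: two fixed-format token shapes plus an entropy-gated "key = value" rule, applied first to a text blob and then to every added line of every commit reachable from any ref.

```python
"""Secret scanning over text and full git history (added example)."""
import math
import os
import re
import shutil
import subprocess
import tempfile
from collections import Counter

# Illustrative detection rules (assumed set, not the page's own pattern list).
# Fixed-format tokens are high confidence on their own; the generic assignment
# rule needs an entropy check so placeholders like "aaaa..." are dropped.
FIXED_FORMAT_RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per char (assumed); random 32-char tokens score ~4.5+

# Constructed sample, not real credentials (AKIAIOSFODNN7EXAMPLE is AWS's doc example).
SAMPLE_ENV = """\
# constructed sample, not real credentials
DB_PASSWORD=changeme
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
API_KEY="Zk8f3Qp9Lm2Xv7Rt4Hs6Wn1Yb5Cd0Eg"
SESSION_SECRET=aaaaaaaaaaaaaaaaaaaaaaaa
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def find_secrets(text: str, source: str = "<input>") -> list[dict]:
    """Return one finding per matched rule per line; generic rule only if no fixed rule hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hit = False
        for rule, rx in FIXED_FORMAT_RULES.items():
            for m in rx.finditer(line):
                findings.append({"rule": rule, "source": source, "line": line_no, "match": m.group(0)})
                hit = True
        if hit:
            continue
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"rule": "high_entropy_assignment", "source": source,
                                 "line": line_no, "match": value})
    return findings


def scan_git_history(repo: str) -> list[dict]:
    """Scan every '+' line of every commit reachable from any ref.

    A secret deleted in a later commit is still in the diff of the commit that
    added it, so it is reported here even though the working tree is clean.
    """
    out = subprocess.run(
        ["git", "-C", repo, "log", "--all", "-p", "--no-color", "--format=commit %H"],
        capture_output=True, text=True, check=True,
    ).stdout
    findings, commit = [], "?"
    for line in out.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
        elif line.startswith("+") and not line.startswith("+++"):
            findings.extend(find_secrets(line[1:], source=f"commit {commit}"))
    return findings


def demo_history_leak() -> list[dict]:
    """Build a throwaway repo where .env is committed and then removed, and scan it."""
    repo = tempfile.mkdtemp(prefix="osint-demo-")
    git = ["git", "-C", repo, "-c", "user.name=demo", "-c", "user.email=demo@example.invalid"]
    try:
        subprocess.run(["git", "init", "-q", repo], check=True)
        with open(os.path.join(repo, ".env"), "w") as fh:
            fh.write(SAMPLE_ENV)
        subprocess.run(git + ["add", ".env"], check=True)
        subprocess.run(git + ["commit", "-q", "-m", "add config"], check=True)
        subprocess.run(git + ["rm", "-q", ".env"], check=True)
        subprocess.run(git + ["commit", "-q", "-m", "remove .env"], check=True)
        return scan_git_history(repo)  # still finds the three secrets
    finally:
        shutil.rmtree(repo, ignore_errors=True)


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_ENV, "sample.env"):
        print(f)
    if shutil.which("git"):
        for f in demo_history_leak():
            print(f)
```

`git log --all` only walks commits reachable from some ref; a secret that was force-pushed away is unreachable and needs `git fsck --unreachable` (or `--lost-found`) on a local clone, and hosted platforms may still serve such a commit by its hash for some time. Treat the entropy gate as a noise filter, not a proof of a real secret: confirm each hit before recording it as a finding, as the rules require.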
Reference
reference/repository-recon.md - Dorks, tool commands, secret patterns, workflow