Tracking via GitHub Keys  

Time to read: 1 min | 22 April, 2023 | Saksham Anand

Have you ever been in a situation where you are managing a large number of users and one of them has committed sensitive information to a repository on GitHub? The issue is exaggerated even more when the username is ambiguous, the .patch file does not have any helpful information and generally, no solid details are present to find out who made the commit.

Depending on how your organisation works, you may be able to use .key files! If a user has uploaded an SSH keypair to GitHub, you can find out their public SSH keys by appending .keys to the end of their username. For example, if we take Linus Torvalds, their GitHub profile is, and after appending .keys, we can see they have a key pair located at

With the public key we just obtained, we can now enumerate sources to see if the same key exists in internal records. For example, key pairs on bastion servers, internal git instances and any other tool which allows you to easily enumerate through public key pairs. If you get a match, this should hopefully allow you to close in on the culprit.

I do want to note that this technique is a last-case resort and other easier methods should be tried first. The use case detailed here is super specific and only works if you have a record of public keys for your users, and if the user in question has re-used the same SSH key pair.