Skip to content

x41sec/force-push-scanner

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
.gitignore
.gitignore
 
 
.python-version
.python-version
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
force_push_scanner.py
force_push_scanner.py
 
 
pyproject.toml
pyproject.toml
 
 
uv.lock
uv.lock
 
 

Repository files navigation

Force Push Scanner

Scan GitHub repositories for force pushes and extract the erased commit history. When developers force push to rewrite history, the "deleted" commits remain accessible on GitHub - this tool finds them and generates diffs showing what was removed.

Installation

Requires Python 3.9+ and uv. No other setup needed.

# Install uv if you don't have it
curl -LsSf https://astral.sh/uv/install.sh | sh

Usage

uv run force_push_scanner.py owner/repo [output_dir]

Examples

# Scan a repo, output to ./output/octocat_hello-world/
uv run force_push_scanner.py octocat/hello-world

# Specify custom output directory
uv run force_push_scanner.py octocat/hello-world ./output

# Increase parallelism
uv run force_push_scanner.py octocat/hello-world -p 8

Authentication

For public repos, no authentication is needed. For private repos or higher rate limits, set a GitHub token:

export GITHUB_TOKEN=ghp_xxxxx
uv run force_push_scanner.py owner/repo

Output

For each force push, generates a diff file named {erased_sha}_to_{new_sha}.diff:

output/
├── 026dc1ff..._to_20d2d3b6....diff
└── 0823b47c..._to_2d3969dd....diff

Each diff shows the difference between the erased commit history and the new history, including:

  • Commit metadata (SHA, author, date, message)
  • Full patches for each commit

How It Works

  1. Queries GitHub's Activity API for force push events
  2. Clones the repository (partial clone for speed)
  3. Fetches the orphaned "before" commits by SHA (GitHub retains these)
  4. Generates git log --patch for both old and new history
  5. Diffs the two histories

Limitations

  • GitHub's Activity API returns ~90 days of history
  • Very old orphaned commits may be garbage collected
  • Requires git to be installed

Use Cases

  • Security audits: Find secrets that were "deleted" via force push
  • Forensics: Investigate what was removed from a repository
  • Compliance: Audit history rewrites in regulated environments

Secret Scanning

Pipe output to TruffleHog for automated secret detection:

uv run force_push_scanner.py owner/repo ./diffs
trufflehog filesystem ./diffs/

Comparison with TruffleHog Force Push Scanner

This Tool TruffleHog Scanner
Data source GitHub Activity API (real-time) GHArchive/BigQuery (historical)
Scope All force pushes Only zero-commit force pushes
Scale Per-repo Org/user-wide
Output Full history diffs Secret detection results
Setup Just uv + git BigQuery or gated SQLite DB
History ~90 days Back to 2015

The tools are complementary - this one for quick investigation, TruffleHog's for bulk scanning.

Author

Markus Vervier

License

GPL-3.0

About

No description, website, or topics provided.

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages