NullSec RepoRaider

February 27, 2026

Git Repository Secret Scanner written in Clojure


Part of the NullSec offensive security toolkit
Twitter: x.com/AnonAntics
Portal: bad-antics.github.io

Overview

RepoRaider is a high-performance secret scanner that detects hardcoded credentials, API keys, and sensitive data in git repositories. Built with Clojure's functional paradigm, it leverages persistent data structures and lazy evaluation for efficient large-scale scanning.

Clojure Features Showcased

  • Persistent Data Structures: Immutable, efficient collections
  • Lazy Sequences: Memory-efficient file traversal
  • Multimethods: Polymorphic dispatch on severity
  • Records: Typed data structures
  • Transducers: Composable, efficient transformations
  • Destructuring: Elegant pattern binding
  • Regular Expressions: First-class regex support

Detected Secrets

Pattern              Severity   CWE
AWS Access Key       CRITICAL   CWE-798
AWS Secret Key       CRITICAL   CWE-798
GitHub Token         CRITICAL   CWE-798
GitLab Token         CRITICAL   CWE-798
Private Keys         CRITICAL   CWE-321
Stripe Live Key      CRITICAL   CWE-798
Slack Token          HIGH       CWE-798
Google API Key       HIGH       CWE-798
Database URLs        HIGH       CWE-798
JWT Tokens           HIGH       CWE-798
Generic API Keys     MEDIUM     CWE-798
Generic Secrets      MEDIUM     CWE-798
Test Keys            LOW        CWE-798

Installation

# Clone
git clone https://github.com/bad-antics/nullsec-reporaider.git
cd nullsec-reporaider

# Run with Clojure CLI
clj -M reporaider.clj <path>

# Or with Leiningen
lein run <path>

Dependencies

;; deps.edn
{:deps {org.clojure/clojure {:mvn/version "1.11.1"}}}

Usage

# Scan a repository
clj -M reporaider.clj /path/to/repo

# Run demo mode
clj -M reporaider.clj --demo

# Specify output format
clj -M reporaider.clj -o json /path/to/repo

# Filter by severity
clj -M reporaider.clj -s high /path/to/repo

Options

USAGE:
    reporaider [OPTIONS] <PATH>

OPTIONS:
    -h, --help       Show help
    -o, --output     Output format (text/json/sarif)
    -s, --severity   Minimum severity to report
    -e, --exclude    Patterns to exclude

Sample Output

╔══════════════════════════════════════════════════════════════════╗
║            NullSec RepoRaider - Secret Scanner                   ║
╚══════════════════════════════════════════════════════════════════╝

[Demo Mode]

Scanning repository for secrets...

  [CRITICAL] AWS Access Key
    File:     config/aws.yml:12
    Secret:   AKIA************MPLE
    CWE:      CWE-798

  [CRITICAL] GitHub Token
    File:     scripts/deploy.sh:45
    Secret:   ghp_************xxxx
    CWE:      CWE-798

  [CRITICAL] Private Key
    File:     certs/server.key:1
    Secret:   ----************----
    CWE:      CWE-321

  [HIGH] Slack Token
    File:     .env:8
    Secret:   xoxb************xxxx
    CWE:      CWE-798

═══════════════════════════════════════════

  Summary:
    Secrets Found:  9
    Critical:       4
    High:           3
    Medium:         1
    Low:            1

Code Highlights

Pattern Definition with Metadata

(def secret-patterns
  [{:name "AWS Access Key"
    :pattern #"AKIA[0-9A-Z]{16}"
    :severity :critical
    :cwe "CWE-798"}
   {:name "GitHub Token"
    :pattern #"ghp_[0-9a-zA-Z]{36}"
    :severity :critical
    :cwe "CWE-798"}])

Multimethod Dispatch

(defmulti severity-color :severity)
(defmethod severity-color :critical [_] :red)
(defmethod severity-color :high [_] :red)
(defmethod severity-color :medium [_] :yellow)
(defmethod severity-color :low [_] :cyan)

Lazy File Scanning

(defn scan-repo [path]
  (->> (walk-files path)          ;; Lazy file traversal
       (mapcat #(scan-file %))    ;; Lazy mapping
       (sort-by severity-score))) ;; Sorted results

Finding Records

(defrecord Finding
  [pattern-name file-path line-number match severity cwe])
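The four highlights above are fragments of one pipeline: a pattern table with metadata, a multimethod keyed on severity, a lazy walk over the file tree, and a Finding record per match. The block below is an added, self-contained example that stitches them together into a runnable scanner; it is not RepoRaider's own code. The project does not show its walk-files, scan-file or severity-score, so the versions here are assumptions, as are the regexes for the private-key, Slack and generic-secret patterns, the masking rule (keep four characters at each end, which reproduces the AKIA************MPLE form from the sample output), the decision to skip the .git directory, and the temporary demo repository written by demo-repo with constructed, non-functional values.

```clojure
(ns reporaider-example
  (:require [clojure.java.io :as io]
            [clojure.string :as str]))

;; Pattern table in the README's shape. The AWS and GitHub regexes come from the
;; README; the remaining three are assumptions for illustration only.
(def secret-patterns
  [{:name "AWS Access Key" :pattern #"AKIA[0-9A-Z]{16}"                  :severity :critical :cwe "CWE-798"}
   {:name "GitHub Token"   :pattern #"ghp_[0-9a-zA-Z]{36}"               :severity :critical :cwe "CWE-798"}
   {:name "Private Key"    :pattern #"-----BEGIN [A-Z ]*PRIVATE KEY-----" :severity :critical :cwe "CWE-321"}
   {:name "Slack Token"    :pattern #"xox[abp]-[0-9A-Za-z-]{10,}"        :severity :high     :cwe "CWE-798"}
   {:name "Generic Secret" :pattern #"(?i)(secret|password)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    :severity :medium :cwe "CWE-798"}])

(defrecord Finding [pattern-name file-path line-number match severity cwe])

;; Numeric rank used for sorting and for the minimum-severity filter (-s).
(def severity-score {:critical 4 :high 3 :medium 2 :low 1})

;; Multimethod dispatching on the :severity key, as in the README.
(defmulti severity-label :severity)
(defmethod severity-label :critical [_] "[CRITICAL]")
(defmethod severity-label :high     [_] "[HIGH]")
(defmethod severity-label :medium   [_] "[MEDIUM]")
(defmethod severity-label :low      [_] "[LOW]")

;; Never print a matched value in full: keep four characters at each end.
(defn mask [s]
  (let [n (count s)]
    (if (<= n 8)
      (apply str (repeat n \*))
      (str (subs s 0 4) (apply str (repeat (- n 8) \*)) (subs s (- n 4))))))

;; One line may hit several patterns; re-seq yields strings (no groups) or
;; vectors (with groups), so normalise to the full match.
(defn scan-line [file-path line-number line]
  (for [{:keys [name pattern severity cwe]} secret-patterns
        m (re-seq pattern line)]
    (->Finding name file-path line-number (if (string? m) m (first m)) severity cwe)))

;; line-seq is lazy, but the reader closes at the end of with-open, so the
;; findings for one file are realised (doall) before the reader goes away.
(defn scan-file [^java.io.File f]
  (with-open [rdr (io/reader f)]
    (doall
     (mapcat (fn [[idx line]] (scan-line (.getPath f) (inc idx) line))
             (map-indexed vector (line-seq rdr))))))

;; file-seq is a lazy tree walk; skipping .git is an assumption of this example.
(defn walk-files [path]
  (let [git-dir (str java.io.File/separator ".git" java.io.File/separator)]
    (->> (file-seq (io/file path))
         (filter #(.isFile ^java.io.File %))
         (remove #(str/includes? (.getPath ^java.io.File %) git-dir)))))

(defn scan-repo [path & {:keys [min-severity] :or {min-severity :low}}]
  (->> (walk-files path)                       ;; lazy file traversal
       (mapcat scan-file)                      ;; lazy per-file scanning
       (filter #(>= (severity-score (:severity %)) (severity-score min-severity)))
       (sort-by (comp - severity-score :severity))))  ;; most severe first

;; Constructed demo repository in a temp directory. The key below is the
;; documented AWS example value and the token is a run of x's; neither is real.
(defn demo-repo []
  (let [dir (.toFile (java.nio.file.Files/createTempDirectory
                      "reporaider-demo"
                      (make-array java.nio.file.attribute.FileAttribute 0)))]
    (doseq [[rel content] {"config/aws.yml"    "access_key: AKIAIOSFODNN7EXAMPLE\n"
                           "scripts/deploy.sh" (str "export TOKEN=ghp_" (apply str (repeat 36 \x)) "\n")
                           "README.md"         "nothing to see here\n"}]
      (let [f (io/file dir rel)]
        (io/make-parents f)
        (spit f content)))
    dir))

(defn render-text [findings]
  (doseq [{:keys [pattern-name file-path line-number match cwe] :as f} findings]
    (println (str "  " (severity-label f) " " pattern-name))
    (println (str "    File:     " file-path ":" line-number))
    (println (str "    Secret:   " (mask match)))
    (println (str "    CWE:      " cwe))))

(defn -main [& args]
  (let [path     (or (first args) (.getPath (demo-repo)))
        findings (scan-repo path :min-severity :low)]
    (render-text findings)
    (println (str "  Secrets Found: " (count findings)))
    (println (str "  By severity:   " (frequencies (map :severity findings))))))

;; Script-style entry point: clj -M reporaider-example.clj [path]
(apply -main *command-line-args*)
```

Run with no argument to scan the constructed demo repository, or pass a path to scan a checkout. Two design points matter for a scanner that walks large trees: realise each file's findings inside with-open so the lazy line-seq never outlives its reader, and keep the outer pipeline lazy so only one file's lines are in memory at a time. The mask function is what makes the tool safe to run in CI logs; the full match only exists inside the Finding record, never in the rendered output.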

Architecture

┌────────────────────────────────────────────────────────────┐
│                  RepoRaider Pipeline                       │
├────────────────────────────────────────────────────────────┤
│                                                            │
│    ┌─────────────┐    ┌─────────────┐    ┌────────────┐   │
│    │  File Tree  │───▶│   Filter    │───▶│  Lazy Seq  │   │
│    │  (Lazy)     │    │ (Predicate) │    │  of Files  │   │
│    └─────────────┘    └─────────────┘    └─────┬──────┘   │
│                                                 │          │
│                                                 ▼          │
│    ┌─────────────┐    ┌─────────────┐    ┌────────────┐   │
│    │   Output    │◀───│  Classify   │◀───│   Scan     │   │
│    │  Formatter  │    │ (Severity)  │    │ (Patterns) │   │
│    └─────────────┘    └─────────────┘    └────────────┘   │
│                                                            │
└────────────────────────────────────────────────────────────┘

Why Clojure?

Requirement          Clojure Advantage
Pattern Matching     First-class regex with metadata
Large Repos          Lazy sequences minimize memory
Data Processing      Immutable, thread-safe collections
Extensibility        Multimethods for custom dispatch
REPL Development     Interactive debugging
JVM Ecosystem        Access to Java libraries

License

MIT License - See LICENSE for details.