Plundering treasures with Gitrob

Get Secure

Env != Sane

Gitrob needs at least Go v1.8; my Linux Mint laptop (based on Ubuntu 18.04) carries version 1.6 in its package manager. To remedy this, I installed version 1.8 manually [6], which required the commands in Listing 3, executed as superuser. The tarball is about 85MB compressed.

Listing 3: Go v1.8 Install

$ curl -O https://storage.googleapis.com/golang/go1.8.linux-amd64.tar.gz # Or your platform's tarball
$ tar -xvf go1.8.linux-amd64.tar.gz # Or your platform's tarball filename
$ mv go /usr/local
$ export PATH=$PATH:/usr/local/go/bin # Add a line to your .bash_profile or .bashrc to add Go permanently to your PATH
$ go version # This should say "go1.8"

Now that Go is working, your next task is to install Gitrob. You can choose the relevant file for your platform from the GitHub releases page [7]. I went with gitrob_linux_amd64_2.0.0-beta.zip, which is a little more than 6MB in size and 21MB uncompressed. After downloading the file (e.g., with wget), I checked that the binary suited my system by running the ./gitrob binary without any options (Figure 1).

Figure 1: Make sure Gitrob is compatible with your system. Execution success is denoted by a sane response.

You can also build a binary from source with:

$ go get github.com/michenriksen/gitrob

According to the Gitrob README, this command will "download Gitrob, install its dependencies, compile it and move the Gitrob executable to $GOPATH/bin."

On Your Bike, Fella

As you can see by the response in Figure 1, the last thing you need to do is give Gitrob the credentials to sift through your repos [8]. The note at the top of that page explains that you need tokens when you're using two-factor authentication and when you access protected content in an organization that uses SAML single sign-on (SSO). In summary, creating a token requires logging in to GitHub and clicking Settings | Developer Settings | Personal Access Tokens | Generate new token. Figure 2 shows the minimum access I allowed in my case, which is to access only public repos.

Figure 2: I'm only allowing public repo access; everything is locked down.

Next, take a copy of the token and keep it somewhere safe. It is displayed only once, much like an AWS secret key. Also pay close attention to the warning on the GitHub help page: "Warning: Treat your tokens like passwords and keep them secret. When working with the API, use tokens as environment variables instead of hardcoding them into your programs."

If you aren't using the token for Gitrob, you would simply use it like a password on the command line (noting the multifactor authentication comment above). The example on the GitHub instructions page is:

$ git clone https://github.com/username/repo.git
Username: <your_username>
Password: <your_token>

Finally, note that tokens work only with repos accessed over HTTPS. If a repo uses an SSH remote, follow the instructions from GitHub on how to change a remote URL from SSH to HTTPS [9].

Expelliarmus

Now it's time to get to the juicy stuff and target some accessible repositories. To use your token with Gitrob, set it as an environment variable, as GitHub advised (insert your own token, of course):

$ export GITROB_ACCESS_TOKEN=8XXXXe15a9decXXXXXXXXXX358bf3XXX

Now, if you run ./gitrob again on the command line without options, you should see a very welcome piece of ASCII art (Figure 3).

Figure 3: You're all fired up and ready to run Gitrob, as this abbreviated output shows.
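
Typing the token into an export line usually leaves it in your shell history file. The following shell function is an added example, not part of the original article or of Gitrob: it loads GITROB_ACCESS_TOKEN from a file and refuses to do so if anyone other than the owner can access that file. The function name and the default path ~/.config/gitrob/token are assumptions made for illustration.

```shell
# Added example: load the Gitrob token from an owner-only file instead of
# typing it on the command line. The function name and default path are
# hypothetical; adjust them to your own setup.
# Usage: load_gitrob_token && ./gitrob

load_gitrob_token() {
    token_file="${1:-$HOME/.config/gitrob/token}"   # hypothetical default path

    if [ ! -f "$token_file" ]; then
        echo "token file not found: $token_file" >&2
        return 1
    fi

    # Characters 5-10 of `ls -l` output are the group and other permission
    # bits. Anything but "------" means someone besides the owner has access.
    perms=$(ls -lLd "$token_file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $token_file: group/other access ($perms); chmod 600 it" >&2
        return 1
    fi

    # Use the first line only and strip whitespace or CRs an editor may add.
    token=$(head -n 1 "$token_file" | tr -d '[:space:]')
    if [ -z "$token" ]; then
        echo "token file is empty: $token_file" >&2
        return 1
    fi

    GITROB_ACCESS_TOKEN="$token"
    export GITROB_ACCESS_TOKEN
    unset token
    return 0
}
```

Create the file once with an editor, run chmod 600 on it, and source the function from your .bashrc so the token never appears in a typed command.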
