░██████╗░██╗████████╗░█████╗░░█████╗░██╗░░░░░░█████╗░███╗░░░███╗██████╗░░█████╗░
██╔════╝░██║╚══██╔══╝██╔══██╗██╔══██╗██║░░░░░██╔══██╗████╗░████║██╔══██╗██╔══██╗
██║░░██╗░██║░░░██║░░░██║░░╚═╝██║░░██║██║░░░░░██║░░██║██╔████╔██║██████╦╝██║░░██║
██║░░╚██╗██║░░░██║░░░██║░░██╗██║░░██║██║░░░░░██║░░██║██║╚██╔╝██║██╔══██╗██║░░██║
╚██████╔╝██║░░░██║░░░╚█████╔╝╚█████╔╝███████╗╚█████╔╝██║░╚═╝░██║██████╦╝╚█████╔╝
░╚═════╝░╚═╝░░░╚═╝░░░░╚════╝░░╚════╝░╚══════╝░╚════╝░╚═╝░░░░░╚═╝╚═════╝░░╚════╝░
:: github commit osint ::
Combines several sources, strongest signal first.
GET /users/{u} — fetch profile (display name used for ranking)GET /users/{u}/gpg_keys — user-uploaded PGP keys.
Each UID exposes {email, verified}. This is the strongest
signal: the user uploaded the key themselves, and verified: true
means GitHub confirmed the mailbox. Marked with the gpg verified badge.GET /users/{u}/events/public?per_page=100PushEvent.payload.commits[].author.{email, name}GET /search/commits?q=author:{u}&per_page=100 (paginated, cap ~1000)GET /users/{u}/repos?sort=updated — list non-fork reposGET /repos/{owner}/{repo}/commits?author={u} — commits attributed to this accountWalks every commit reachable from a target (a user or a single repo) and collects author + committer identities.
owner/repoGET /users/{u}/repos?per_page=100&page={n} (paginated, forks optionally skipped)GET /repos/{owner}/{repo}/commits?per_page=100&page={n}commit.author.{email, name} + top-level author.logincommit.committer.{email, name} + top-level committer.loginFor every commit body we also parse well-known git trailers and treat each match as a separate identity:
Signed-off-by: — DCO sign-off (Linux kernel, Docker, k8s, many enterprise projects)Co-authored-by: — GitHub's co-authorship trailer (squash-merged PRs)Reviewed-by:, Tested-by:, Acked-by:, Reported-by:, Suggested-by:, Cc: — patch-review chainsTrailer emails are highly intentional — they are added by tooling
(git commit -s, the GitHub UI, kernel-style patch review) and
typically point to real mailboxes of the people who reviewed, co-authored,
or signed off on the commit. They are merged into the results table by
email, so a single row may have come from author, committer and several
trailer lines at once.
When the checkbox is on, addresses that are obviously machine-generated vendor noreplies are dropped before being recorded:
noreply@* / no-reply@* / donotreply@* from any domain
(e.g. [email protected], [email protected] from
Claude-Code co-author lines, vendor CI bots, etc.){id}+{login}@users.noreply.github.com — generated when a user
enables "Keep my email address private"Git records whatever user.email / user.name is set
locally; GitHub does not verify these for unsigned commits. Anyone can push a
commit claiming to be authored by [email protected] with the
name "Linus Torvalds".
match badge in mode A only means the commit author name
equals the public profile name — still circumstantial.verified status (GPG/SSH/S/MIME signature) is the
proper trust check; this tool does not currently filter on it.TL;DR: anything in a commit field is user-controllable. Treat results as leads, always cross-reference before claiming attribution.