Skip to main content

Search syntax

Explore uses a powerful query language to search through public GitHub commits and patches. This guide covers the essential syntax for building effective searches to find secrets related to your organization.

Basic search concepts

Enter a term in the search bar to search across all indexed fields:

yourcompany

Boolean operators

Combine terms using boolean operators:

  • AND - Both terms must be present
  • OR - At least one term must be present
  • NOT - Exclude a term

⚠️ Boolean operators MUST be in CAPITAL LETTERS.

yourcompany AND database
yourcompany OR yourdomain
yourcompany AND NOT test

For complex queries mixing operators, use parentheses:

(yourcompany OR yourdomain.com) AND database AND NOT test

Field-specific searches

Target specific types of information by specifying which field to search:

Common search fields

FieldQuery termDescription
Patch contentfile.patchSearch within the actual code changes
Author emailcommit.author.emailEmail of the code author
Author namecommit.author.nameName of the code author
Author GitHub usernameauthor.loginGitHub username of author
Committer emailcommit.committer.emailEmail of the person who committed
Committer namecommit.committer.nameName of the person who committed
Committer GitHub usernamecommitter.loginGitHub username of committer
Filenamefile.filenameName of the changed file
File extensionfile.file_extensionExtension of the changed file

Basic field search examples

# Search for patches from a specific email
commit.author.email: john@yourcompany.com

# Search patch content
file.patch: database

# Search across multiple fields
commit.author.email: @yourcompany.com OR file.patch: yourcompany

Searching for phrases

Use quotes to search for terms that appear together:

file.patch: "production database

Exact keyword matching

For exact matches (case-sensitive), add .keyword suffix:

source_metadata.repo_name.keyword: "YourCompany/api-service"

Practical search examples

What you're looking forQuery to use
Patches containing a termfile.patch: yourcompany
Patches with multiple terms (OR)file.patch: yourcompany OR file.patch: yourdomain
Patches with multiple terms (AND)file.patch: yourcompany AND file.patch: database
Patches from a GitHub usernameauthor.login: username OR committer.login: username
Patches from an email domaincommit.author.email: @yourcompany.com OR commit.committer.email: @yourcompany.com
Patches from a specific person(commit.author.name: "John Doe") OR (commit.committer.name: "John Doe")
Patches from a user after a date(author.login: username OR committer.login: username) AND commit.committer.date:{2024-01-01 TO *}
Patches from a user in date range(author.login: username OR committer.login: username) AND (commit.committer.date:{2024-01-01 TO 2024-03-31})
Patches from multiple users(author.login: (user1 OR user2) OR committer.login: (user1 OR user2))
Patches in specific repositorysource_metadata.repo_name: yourrepo
Advanced search capabilities

Field types and advanced searching

Different field types support different search methods:

Date fields

Use range operators with ISO 8601 format dates. All dates are stored in UTC.

# After a date (inclusive)
source_metadata.created_at:[2024-01-01 TO *]

# Between dates (exclusive start, inclusive end)
commit.author.date:{2024-01-01 TO 2024-03-31]

# Before a date (exclusive)
commit.committer.date:[* TO 2024-01-01}
  • Square brackets [] = inclusive
  • Curly brackets {} = exclusive
  • Asterisk * = wildcard for open-ended ranges

Integer fields

Search numeric fields with exact values or ranges:

# Exactly 10 additions
file.additions: 10

# At least 100 additions
file.additions: [100 TO *]

# Between 50 and 200 additions
file.additions: [50 TO 200]

Text fields vs Keyword fields

  • Text fields (e.g., file.patch): Tokenized and analyzed for flexible searching
  • Keyword fields (e.g., source_metadata.repo_name.keyword): Exact match, case-sensitive

Text field processing

Text fields like file.patch undergo complex processing:

  • Split on special characters (/, :, =, etc.)
  • Extract camelCase terms: GitGuardiangit, guardian, gitguardian
  • Extract email parts: user@company.comuser, company.com, user@company.com
  • Extract domain components and IP address parts
  • Convert to lowercase
  • Remove terms shorter than 3 characters

Complete field reference

FieldTypeDescription
shakeywordCommit SHA
html_urlpathGitHub commit URL
author.idkeywordGitHub author ID
author.loginkeywordGitHub author username
committer.idkeywordGitHub committer ID
committer.loginkeywordGitHub committer username
commit.messagetextGit commit message
commit.author.emailtextGit author email
commit.author.nametextGit author name
commit.author.datedateGit author date
commit.committer.emailtextGit committer email
commit.committer.nametextGit committer name
commit.committer.datedateGit committer date
file.filenamepathPatch filename
file.patchtextPatch content
file.file_extensionkeywordFile extension
file.shakeywordFile SHA
file.additionsintLines added
file.deletionsintLines deleted
file.changesintLines changed
source_metadata.created_atdateGitHub processing date
source_metadata.repo_idkeywordRepository ID
source_metadata.repo_nametextRepository name

Note: Many fields have both text and keyword versions (e.g., commit.author.name vs commit.author.name.keyword).

Search limitations

Text field limitations

  • Cannot search terms shorter than 3 characters
  • Cannot search numbers smaller than 10,000
  • Cannot search special characters directly: ; , " ' = : / \ $ # & ~ | ^ < > [ ] ( ) ? ! § * °`
  • Cannot perform exact substring matching

Subdomain searching

Domain searching has specific behavior:

  • Domains with 3 or fewer levels: file.patch: company.com matches api.company.com
  • Domains with more than 3 levels: requires exact match or middle subdomain search

Building effective searches

Focus your searches on terms most likely to appear near secrets:

  • Company domains: yourcompany.com, api.yourcompany.com
  • Email patterns: @yourcompany.com, specific employee emails
  • Internal services: database names, API endpoints, service identifiers
  • Repository names: company-owned repositories
  • User activity: current or former employee usernames

Remember: More specific searches yield more actionable results and help stay within the 10,000 result limit required for scanning.

Search scope options

  • Entire Public GitHub: Search across all public GitHub repositories (default)
  • Company perimeter: Restrict searches to within your company's public perimeter