Are your Secrets Safe In Python?

On scrolling through Hackernews, I stumbled upon this article where Jesse points out how you or your organization can have secrets hidden in the form of pyc files.

While Jesse's code has scrolled through Github repos and intimated the code owners, there is a good chance that our private repo could have some hanging around.

I modified the code to scroll through Saama's private repositories. Gladly I didn't find any pyc files checked in.

You can use the same code to scroll through your private repositories.


pip install PyGithub pip install uncompyle6


If you want to jump ahead to the whole code checkout the Github repo

  1. Import necessary packages
import base64 import io import os import tempfile import uncompyle6 from github import Github
  1. Authenticate with Github

Create a private access token and use it to authenticate yourself

  1. Get all repos given an organization
repos = g.get_organization(<ORGANIZATION>).get_repos(type="private")
  1. Find files with *.pyc extension
for repo in repos: print (repo) try: contents = repo.get_contents("") except: continue for file_ in contents: try: extension =".")[1] except IndexError: extension = None if in secrets or ( extension and extension == "pyc"): items.append(file_)
  1. If there are no pyc files, you are good to go
if not items: print ("No files found, you are good!")
  1. If any pyc files might contain secrets decompile and print them out
for item in items: print(f"DECOMPILING REPO{item.repository.full_name}") print(f"OWNER TYPE: {item.repository.owner.type}") try: contents = base64.b64decode(item.content) with tempfile.NamedTemporaryFile(suffix=".pyc") as f: f.write(contents) out = io.StringIO() uncompyle6.decompile_file(, out) print( except Exception as e: print(e) print(f"COULD NOT DECOMPILE REPO{item.repository.full_name}") continue print("\n\n\n")

I recently moved my blogs from medium. Find more of my writing here.