repopsy

Repopsy stands for Repository autopsy.

Repopsy is an OSINT tool to gather information on a git repository, it takes a git repo and "explodes it": creating a snapshot folder for every commit, enabling easy comparison, analysis, and archival of code evolution.

How It Works:

1. Validates the git repo
2. Lists commits
3. Creates worker goroutines
4. Each worker uses git archive | tar -x for efficient extraction
5. Writes metadata to each folder in COMMIT_INFO.txt

Installation

With Homebrew

brew install andpalmier/tap/repopsy

With Go

go install github.com/andpalmier/repopsy@latest

Pre-built Binaries

Download pre-built binaries from the Releases page:

Linux:

curl -LO https://github.com/andpalmier/repopsy/releases/latest/download/repopsy_linux_amd64.tar.gz
tar -xzf repopsy_linux_amd64.tar.gz
sudo mv repopsy /usr/local/bin/

macOS:

curl -LO https://github.com/andpalmier/repopsy/releases/latest/download/repopsy_darwin_arm64.tar.gz
tar -xzf repopsy_darwin_arm64.tar.gz
sudo mv repopsy /usr/local/bin/

Docker

docker pull ghcr.io/andpalmier/repopsy:latest
docker run --rm -v "$(pwd):/repo" ghcr.io/andpalmier/repopsy:latest /repo

From Source

git clone https://github.com/andpalmier/repopsy.git
cd repopsy
go build -o repopsy .

Usage

repopsy [flags] <repository-path>

Basic execution

repopsy .

Options

Flag	Description	Default
-o, --output	Output directory	./<repo-name>-exploded
-w, --workers	Number of parallel workers	Number of CPUs
-n, --limit	Maximum number of commits to extract	0 (all)
-b, --branch	Branch to extract from	all branches
-v, --verbose	Show detailed output per commit	false
--version	Show version information	false

Examples

Extract last 5 commits:

repopsy -n 5 /path/to/repo

Extract from a specific branch:

repopsy -b main /path/to/repo

Verbose output:

repopsy -v .

Output Structure

When extracting all branches:

<repo>-exploded/
├── main/
│   ├── 20231205_143022_abc1234/
│   │   ├── COMMIT_INFO.txt
│   │   └── ... (source files)
│   └── 20231205_150000_def5678/
├── feature_branch/
│   └── ...
└── develop/
    └── ...

When extracting a single branch:

<repo>-exploded/
├── 20231205_143022_abc1234/
│   ├── COMMIT_INFO.txt
│   └── ... (source files)
└── 20231205_150000_def5678/

Commit Metadata

Each exploded folder includes a COMMIT_INFO.txt file containing metadata about the commi: this includes verification status (GPG), timestamps, and authorship details.

Example COMMIT_INFO.txt content:

COMMIT INFORMATION
===========================

Hash:           8f6a2b1c4d5e...
Short Hash:     8f6a2b1

AUTHOR (who wrote the code)
---------------------------
Name:           Alice Dev
Email:          alice@example.com
Date:           2023-12-05T14:30:22Z
Timestamp:      1701786622

COMMITTER (who applied the commit)
----------------------------------
Name:           Bob Ops
Email:          bob@example.com
Date:           2023-12-05T15:00:00Z
Timestamp:      1701788400

VERIFICATION
------------
GPG Signature:  Valid signature (good)

LINEAGE
-------
Parents:        7e5d1c2b... 

CHANGE STATISTICS
-----------------
Files Changed:  5
Insertions:     +120
Deletions:      -34

COMMIT MESSAGE
--------------
Subject:
Fix critical security vulnerability in extraction logic

Full Message:
Fix critical security vulnerability in extraction logic

This patch addresses CVE-2023-XXXX by sanitizing input paths...