In the README, this description is given of the process:
"When the list of repositories has been compiled, it proceeds to gather all the filenames in each repository and runs them through a series of observers that will flag the files, if they match any patterns of known sensitive files. This step might take a while if the organization is big or if the members have a lot of public repositories."
Digging into the source code under `/lib/gitrob/observers/`, you'll find `sensitive_files.rb` [1]. It looks like this class loads patterns from `patterns.json` [2]. This file contains patterns that match common sensitive files like private key files, common configuration files, command history files, and config files. It has the ability to match by path, filename, or extension.
No tool can look at a file and say for sure if it contains sensitive information, but this list looks like a good start for flagging common mistakes. I'm sure the author would appreciate pull requests to `patterns.json` as well.
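To make the "observer" idea concrete, here is an added example (my own code, not Gitrob's) of a minimal filename observer that matches by path, filename, or extension the way the answer describes. The pattern list is constructed for this example and its key names (`part`, `type`, `pattern`, `caption`) are an assumption modelled on the shape of `patterns.json`, not copied from it; the sample repository paths are constructed too.

```ruby
# Added example, not Gitrob's own code: a small sensitive-file observer.
# The pattern format below is an ASSUMPTION modelled on patterns.json
# (part = path | filename | extension, type = match | regex); the
# entries themselves are constructed for this example.
require 'json'

# Single-quoted heredoc so the regex backslashes reach JSON.parse intact.
PATTERNS_JSON = <<~'JSON'
  [
    {"part": "extension", "type": "match",
     "pattern": "pem", "caption": "Potential cryptographic private key"},
    {"part": "filename",  "type": "regex",
     "pattern": "\\A\\.?(bash|zsh|sh)_history\\z", "caption": "Shell command history file"},
    {"part": "filename",  "type": "match",
     "pattern": ".env", "caption": "Dotenv configuration file"},
    {"part": "path",      "type": "regex",
     "pattern": "\\.ssh/id_(rsa|dsa|ecdsa|ed25519)\\z", "caption": "SSH private key"}
  ]
JSON

# Constructed file listing standing in for a repository's tree.
SAMPLE_PATHS = %w[
  README.md
  deploy/server.pem
  .bash_history
  config/.env
  backup/.ssh/id_rsa
  src/main.rb
].freeze

class SensitiveFilesObserver
  def initialize(patterns)
    @patterns = patterns
  end

  def self.from_json(json)
    new(JSON.parse(json))
  end

  # Returns the captions of every pattern that the given path triggers.
  def observe(path)
    filename  = File.basename(path)
    extension = File.extname(path).sub(/\A\./, '') # "server.pem" -> "pem"
    @patterns.map do |p|
      subject = case p['part']
                when 'path'      then path
                when 'filename'  then filename
                when 'extension' then extension
                end
      next if subject.nil?

      matched = case p['type']
                when 'match' then subject == p['pattern']
                when 'regex' then Regexp.new(p['pattern']).match?(subject)
                else false
                end
      p['caption'] if matched
    end.compact
  end

  # Maps each flagged path to its captions; clean paths are omitted.
  def flag_all(paths)
    paths.each_with_object({}) do |path, flagged|
      hits = observe(path)
      flagged[path] = hits unless hits.empty?
    end
  end
end

# Convenience entry point used by the demo (and by any caller wanting a quick run).
def flagged_samples
  SensitiveFilesObserver.from_json(PATTERNS_JSON).flag_all(SAMPLE_PATHS)
end

if __FILE__ == $PROGRAM_NAME
  flagged_samples.each { |path, captions| puts "#{path}: #{captions.join(', ')}" }
end
```

Note that the observer only looks at names, never contents, which is exactly the limitation the answer points out: a `.pem` file may be a public certificate, and a secret may hide in a file with an innocuous name.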