diff --git a/gitkeyfinder b/gitkeyfinder
new file mode 100755
index 0000000..1fbea25
--- /dev/null
+++ b/gitkeyfinder
@@ -0,0 +1,63 @@
+#!/usr/bin/python3
+
+import argparse
+import shutil
+import tempfile
+
+import pygit2
+
+import keyfinder
+
+ap = argparse.ArgumentParser()
+ap.add_argument("repo", help="URL or local path of git repository")
+ap.add_argument("--keep", action="store_true", help="Don't delete tmpdir")
+args = ap.parse_args()
+
+tmpdir = tempfile.mkdtemp(prefix="gitkf")
+
+
+if "://" in args.repo:
+    rep = pygit2.clone_repository(args.repo, tmpdir)
+else:
+    rep = pygit2.Repository(args.repo)
+
+dd = rep.odb
+
+count = 0
+results = {}
+for oid in dd:
+    o = rep.get(oid)
+    if isinstance(o, pygit2.Blob):
+        keys = keyfinder.findkeys(o.read_raw(), usebk=True)
+        if keys:
+            results[str(oid)] = keys
+            count += 1
+            if count % 1000 == 0:
+                print(f"pass1: {count} objects...")
+            print(f"found key(s) in {oid}")
+
+fcount = 0
+fnames = {}
+for oid in dd:
+    o = rep.get(oid)
+    if isinstance(o, pygit2.Tree):
+        for x in o:
+            gid = str(x.id)
+            if gid in results and id not in fnames:
+                fnames[gid] = x.name
+                fcount += 1
+                if fcount >= count:
+                    break
+        else:
+            continue
+        break
+
+for k, v in results.items():
+    for spki, key in v.items():
+        fn = fnames.get(k, k)
+        keyfinder.writekey(key, fn, "out/", spki)
+
+if args.keep:
+    print(f"Git clone / tmpdir not removed: {tmpdir}")
+else:
+    shutil.rmtree(tmpdir)
diff --git a/runci.sh b/runci.sh
index 1492305..efadcea 100755
--- a/runci.sh
+++ b/runci.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
 set -euo pipefail
 
-ruff check --select=ALL --ignore=PTH,ANN,D,ERA,S310,T201,C,PLR,S501,FIX,TD,FBT,I001 keyfinder.py
+ruff check --select=ALL --ignore=PTH,ANN,D,ERA,S310,T201,C,PLR,S501,FIX,TD,FBT,I001 keyfinder.py gitkeyfind
 python -m unittest -v