GitGoat
git-alerts
| GitGoat | git-alerts |
|---|---|
| 9 | 11 |
| 162 | 190 |
| -0.6% | 5.8% |
| 0.0 | 5.4 |
| 4 months ago | 2 days ago |
| Python | Go |
| MIT License | Apache License 2.0 |
Stars: the number of stars a project has on GitHub. Growth: month-over-month growth in stars.
Activity is a relative number indicating how actively a project is being developed; recent commits carry more weight than older ones.
For example, an activity of 9.0 indicates that a project is among the top 10% of the most actively developed projects being tracked.
GitGoat
- How We Converted a GitHub Tool Into a General Purpose Webhook Proxy to Supercharge Our Integration Development
  Doron Guttman and Roei Ben-Harush @ [arnica], April 2023
- GitGoat v2 is released – fake commits with real vulnerable code
- GitGoat v2 is released: multiple vulnerable projects with amended commit history
- Show HN: GitGoat v2 is released – fake commits with real vulnerable code
- Personal + Work accounts or one account for both?
  The downside is that developers can choose to avoid using one of the controls above, such as enabling MFA. In that case, the developers will likely prefer to create a new account and then use git config user.email [personal_email] to add the stats to their accounts. It will require the company to work harder on mapping the author (from the git config) to the pusher of the code (arnica.io correlates this data in the GitHub user inventory, so it is possible to solve with some engineering work).
- Try to take permissions from devs…
  This meme was created by arnica.io, which solves it. The nice thing about it is that the continuous analysis of excessive permissions is free forever for unlimited users.
- Tell HN: GitHub Apps bug created tokens with elevated privileges
  You can assess all GitHub app permissions on https://arnica.io. The excessive permissions are presented at the end of the data ingestion process. This is part of the freemium.
- GitGoat - deliberately misconfigured GitHub org
- GitGoat - deliberately misconfigured GitHub organization
  Pretty cool way to generate dummy data on GitHub, such as inviting members, adding them to Teams, committing code and secrets, raising and reviewing PRs, and configuring different branch protection policies (such as CODEOWNERS). Link: https://github.com/arnica-ext/GitGoat
git-alerts
- GitHub - boringtools/git-alerts: Tool to detect and monitor GitHub org users' public repositories for secrets and sensitive files
- GitHub - boringtools/git-alerts: A Public Git repository
- GitHub - boringtools/git-alerts: A Public Git repository & misconfiguration detection tool
- A Public Git repository and misconfiguration detection tool
- boringtools/git-alerts: A Public Git repository & misconfiguration detection tool
- Monitor your users' Public GitHub Repositories
- A Public Git repository & misconfiguration detection tool
What are some alternatives?
WebGoat - WebGoat is a deliberately insecure application
deadshot - Deadshot is a Github pull request scanner to identify sensitive data being committed to a repository
ggshield - Find and fix 360+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
secrets-patterns-db - Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.
smee.io - ☁️📦 Webhook payload delivery service
leaky-repo - Benchmarking repo for secrets scanning
sish - HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.
github-leak-audit - A GitHub workflow to identify employees that have leaked your organization's code
smee-client - 🔴 Receives payloads then sends them to your local server
gh-action-pypi-publish - The blessed :octocat: GitHub Action, for publishing your :package: distribution files to PyPI: https://github.com/marketplace/actions/pypi-publish
node-config - Node.js Application Configuration
whispers - Identify hardcoded secrets in static structured text