ggshield
Vault
ggshield | Vault | |
---|---|---|
22 | 160 | |
1,529 | 29,693 | |
1.8% | 0.6% | |
9.6 | 10.0 | |
7 days ago | 4 days ago | |
Python | Go | |
MIT License | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
ggshield
-
Tools for checking your code?
For secrets scanning you can implement ggshield precommit hook. : https://github.com/GitGuardian/ggshield
-
What do i tell him?
I believe you'll get all the information you need on their website
-
Infrastructure as Code Security [Security Zines]
The GitGuardian's CLI, ggshield, was recently updated to support IaC misconfigurations scanning: it's as easy as ggshield iac scan path_to_iac_main_folder.
- GitHub Access Token Exposure
-
How To Use ggshield To Avoid Hardcoded Secrets [cheat sheet included]
If you want to build a configuration from an example, you can find a sample config file at https://github.com/GitGuardian/ggshield/blob/main/.gitguardian.example.yml.
-
Security scanning
I agree that code scanning is really important, the best way to convince others is to identify high-risk threats in source code and present them to the decision-makers. For example, scanning Secrets is great for showing how repositories can be a massive vulnerability and identifying some low-hanging fruit, especially in the git history. Attackers are really after git repository access for this reason and there are plenty of open-source or free tools that you can use to illustrate the problem. Git-Secrets, Truffle Hog. These aren't great for a long-term commercial solution, something like GitGuardian is a better commercial tool but if the goal is just to illustrate the problem then finding some high-value secrets with free tools is a good way to convince the security personnel to invest in some solutions. Then the door is open to having more conversations as you have already proven the risk.
- Toyota Accidently Exposed a Secret Key Publicly on GitHub for Five Years
-
Thinking Like a Hacker: Abusing Stolen Private Keys
First up is the leaked TLS private key. Poor Corp added their wildcard certificate to their GitLab image, but they didn’t consider that anyone could steal the private key from the Docker image once published on Docker Hub. Rather than adding sensitive files and hardcoded environment variables to their containers while they were being built, Poor Corp should have used runtime environment variables and mounted volumes to pass secrets into the container—by the way, ggshield, the secrets detection CLI from GitGuardian, has a command for scanning Docker images. If you find that you’ve also made this mistake, you need to immediately revoke any certificates or credentials that were exposed.
-
How to make security policies a team effort
GitGuardian’s CLI, ggshield, can be installed as a pre-commit hook on a developer’s workstation to act like a security seatbelt preventing any secret from being committed locally in the first place. If a developer chooses to bypass the guardrail and push a secret anyway, the event is reported in the GitGuardian dashboard. This allows security teams to have eyes on any possible policy issues as developers build—all without holding up their progress. These tools can detect risks, watch for vulnerabilities, and notify the right people in a non-intrusive way.
-
Life is Too Short to Review Spaces
ggshield is one of the tools we develop at GitGuardian to help secure the codebase. Integrated as a hook it will scan the content of the git patch to make sure it does not contains any secret like an API token.
Vault
- Terraform & HashiCorp Vault Integration: Seamless Secrets Management
-
Top Secrets Management Tools for 2024
HashiCorp Vault
-
Keep it cool and secure: do's and don'ts for managing Web App secrets
For a more comprehensive and robust secret management solution, get your hands on tools like GCP Secret Manager, or HashiCorp Vault. They're like the security guards of your secrets, providing a safe house, access control, and keeping logs of who’s been snooping around.
-
Kubernetes Secret Management
HashiCorp Vault is a popular tool for managing secrets in Kubernetes clusters. It offers advanced features such as secure storage, encryption, dynamic secrets generation, and integration with Kubernetes through its Kubernetes authentication method.
-
Champion Building - How to successfully adopt a developer tool
So you've just bought a new platform tool? Maybe it's Hashicorp Vault? Snyk? Backstage? You’re excited about all of the developer experience, security and other benefits you're about to unleash on your company—right? But wait…
-
AWS Secrets Manager for on-premise and other cloud accounts scaled architecture
You seem to be looking for a cross-platform solution, and https://www.vaultproject.io/ provides just that. If everything was in AWS, AWS Secret Manager might be great, but imo Vault provides much better platform-agnostic capabilities.
-
Show HN: Anchor – developer-friendly private CAs for internal TLS
https://github.com/openwrt/luci/blob/master/applications/luc...
https://developer.hashicorp.com/vault/tutorials/secrets-mana... https://github.com/hashicorp/vault :
> Refer to Build Certificate Authority (CA) in Vault with an offline Root for an example of using a root CA external to Vault.
-
The Complete Microservices Guide
Secret Management: Securely stores sensitive configuration data and secrets using tools like AWS Secrets Manager or HashiCorp Vault. Avoid hardcoding secrets in code or configuration files.
-
Horcrux: Split your file into encrypted fragments
The author of this tool basically took the Shamir code from Hashicorp Vault, which is pretty mainstream. If you're looking for a solid implementation, I would start there[0]. I wouldn't use the Shamir code from this repo, as it's an old version of the vault code using field arithmetic that doesn't run in constant time.
[0]: https://github.com/hashicorp/vault/blob/main/shamir/shamir.g...
-
OpenTF Announces Fork of Terraform
Out of curiosity, what do you mean by this? cross-cluster? they already have HA: https://github.com/hashicorp/vault/blob/v1.14.1/website/cont...
while digging up that link, I also saw one named replication: https://github.com/hashicorp/vault/blob/v1.14.1/website/cont...
What are some alternatives?
Mobile-Security-Framework-MobSF - Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
Keycloak - Open Source Identity and Access Management For Modern Applications and Services
whispers - Identify hardcoded secrets in static structured text
sealed-secrets - A Kubernetes controller and tool for one-way encrypted Secrets
gitleaks - Protect and discover secrets using Gitleaks 🔑
sops - Simple and flexible tool for managing secrets
buildnotify - A system tray based build status notification app for cctray.xml feeds.
etcd - Distributed reliable key-value store for the most critical data of a distributed system
ochrona-cli - A command line tool for detecting vulnerabilities in Python dependencies and doing safe package installs
OPA (Open Policy Agent) - Open Policy Agent (OPA) is an open source, general-purpose policy engine.
faraday_plugins - Security tools report parsers for Faradaysec.com
bitwarden_rs - Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs [Moved to: https://github.com/dani-garcia/vaultwarden]