gitleaks vs berglas
| | gitleaks | berglas |
|---|---|---|
| Mentions | 35 | 37 |
| Stars | 15,197 | 1,222 |
| Growth | 2.3% | 0.1% |
| Activity | 8.2 | 6.9 |
| Latest commit | 2 days ago | 9 days ago |
| Language | Go | Go |
| License | MIT License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
gitleaks
- How to use Lefthooks in your node project?
  install gitleaks on your machine
- Go Security Scanner
  Cool. What features/capabilities are different compared to gitleaks?
- My boss keeps committing his creds into git
  To add my anecdote: testing out Trufflehog versus Gitleaks and detect-secrets, the other tools seemed superior in detection rate and easier to work with.
- any open source that checks security vulnerabilities in code?
  Maybe https://github.com/gitleaks/gitleaks is what you are looking for
- Securing the software supply chain in the cloud
  Gitleaks
    - How to deal with unintended information leakage when using GitHub as your GIT?
    - GitHub Access Token Exposure
- Thinking Like a Hacker: AWS Keys in Private Repos
  It's easy to think that it's only important to scan for secrets in your public-facing repositories, but this real-world data breach proves that you need to treat all code the same from a security perspective. Malicious hackers can use open-source tools like Gitleaks and TruffleHog to quickly detect secrets in massive amounts of code, without leaving a trace. As a defender, **it's extremely important to have secret scans tightly integrated into your SDLC** (software development lifecycle) to reduce the risks of exposing them. GitGuardian offers secret scanning for private repositories in their Free, Business, and Enterprise plans.
- Toyota Accidentally Exposed a Secret Key Publicly on GitHub for Five Years
  Good reminder to run Gitleaks[1] or Gitleaks-Action[2] on your repos
berglas
- How to deploy a Django app to Google Cloud Run using Terraform
  Secret Manager: secure storage for sensitive data, e.g. passwords.
- Increasing Your Cloud Function Development Velocity Using Dynamically Loading Python Classes
  Google Secret Manager
- Getting started using Google APIs: API Keys (Part 2)
  API keys are easy to "leak" or compromise, so best to not only use the restrictions presented to you when you create them but physically protect them as well. Don't code them in plain-text, don't check them into GitHub, etc. Store them in a secure database or use a service like GCP Secret Manager.
- Need some advice on API key storage
  I've been looking at Google Secret Manager which sounds promising but I've not been able to find any examples or tutorials that help with the actual practical details of best practice or getting this working. I'm currently reading about Cloud Functions which also sound promising but again, I'm just going deeper and deeper into GCP without feeling like I'm gaining any useful insights.
- Secure GitHub Actions by pull_request_target
  In this post, I described how to build secure GitHub Actions workflows with the pull_request_target event instead of the pull_request event. Using pull_request_target, you can prevent malicious code from being executed in CI. And by managing secrets in secrets management services such as AWS Secrets Manager and Google Secret Manager and accessing them via OIDC, you can restrict access to secrets securely. To migrate from pull_request to pull_request_target, several modifications are needed. And pull_request_target has a drawback: it's difficult to test changes to workflows, so it's good to introduce pull_request_target to repositories that require strong permissions in CI. For example, a Terraform monorepo tends to require strong permissions for CI, so it's good to introduce pull_request_target to it.
- How to Deploy and Scale Strapi on a Kubernetes Cluster 1/2
  Store the Secrets in a vault like Hashicorp Vault, AWS Secrets Manager, GCP Secret Manager, etc., and then use an operator like External Secrets Operator to add them to your K8s cluster.
- Vault Secrets in K8S, use CRD Injector ?
  Is the secret store CSI driver used to fetch secrets from services like:
    - https://aws.amazon.com/fr/secrets-manager
    - https://cloud.google.com/secret-manager
    - https://azure.microsoft.com/en-us/products/key-vault/
- Show HN: Infisical – open-source secrets manager
  This looks great! But after looking through the docs and GitHub, I don't know what the architecture is beyond there is a CLI and a browser UI that interact with some sort of central service.
  The main thing stopping me from using Vault is that it can become a central point of failure. If the cloud provider secret managers are down then it's likely that something else in the cloud is having major issues as well, so from an uptime perspective and ease of operations that has always seemed a safe approach, although the pricing is kind of outrageous. But just storing (e2e encrypted, etc.) in cloud object storage is also an option. Berglas for example gives the option of storing in the secret manager or in cloud storage directly: https://github.com/GoogleCloudPlatform/berglas
- Shhhh... Kubernetes Secrets Are Not Really Secret!
  Sealed Secrets are a great starting point for securing secrets, but there is an even better way: using the External Secrets Operator (ESO) with an external secret management system like HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, or Azure Key Vault. While this is a bit more involved to set up, it is a better approach if you use a cloud provider to host your Kubernetes cluster. ESO supports many such secret managers, watches for changes to external secret stores, and keeps Kubernetes secrets in sync.
- Web Security 101 - Part 1: Secrets
  Products like Google Cloud have the authentication, authorization, secret storage, and secret retrieval built into the system you use to deploy your code.
What are some alternatives?
trufflehog - Find and verify credentials
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
git-secrets - Prevents you from committing secrets and credentials into git repositories
pre-commit - A framework for managing and maintaining multi-language pre-commit hooks.
husky - git hooks made easy
kubernetes-external-secrets - Integrate external secret management systems with Kubernetes
semgrep - Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
sops - Simple and flexible tool for managing secrets
git-all-secrets - A tool to capture all the git secrets by leveraging multiple open source git searching tools
shhgit - Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories.
bandit - Bandit is a tool designed to find common security issues in Python code.
dockle - Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start