gitleaks VS detect-secrets

install gitleaks in your machine gitleaks

> gitleaks : fatal error: runtime: out of memory

Should be fixed now: https://github.com/gitleaks/gitleaks/pull/1292. Thanks for highlighting this simple change I've been putting off :)

I work in IT and we're enhancing our 'Shift Left Security' approach to prevent sensitive data leaks in our GitHub repositories. We've customized Gitleaks to send git-related information (like remote repository, author details, commit hash etc.) to our backend after each commit. This setup helps us monitor Gitleaks usage among our developers. (gitleaks)

Cool. What features/capabilities are different compared to gitleaks?

To add my anecdote, testing out Trufflehog versus Gitleaks and detect-secrets the other tools seemed superior on detection rate and easier to work with.

Some tools to consider: Gitleaks - open-source secret scanner for git repositories, files, and directories. Retire.js - dependency check tool for client JS code. Censys - It’s a search engine that you can use, for example, to scan any IP address and check open ports, software versions, location of the servers, etc. If you want to check more tools, you can download this free ebook with a list of recommended security tools: https://brightinventions.pl/blog/app-security-free-ebook/ The listed tools are free or offer free trials.

bonuses: - https://github.com/trufflesecurity/trufflehog - https://github.com/gitleaks/gitleaks

I GET IT I need to follow best practice and not upload any sensitive information, even if its a private repo. But through my 10 yeras of coding it happened twice. However these keys only lived in 2 areas: my laptop and GITHUB. My laptop is pretty secured, and the timing of the above events just make me really think someone internally at Github is running https://github.com/gitleaks/gitleaks on private repos he / she has access to.

Maybe https://github.com/gitleaks/gitleaks is what you are looking for

Gitleaks

I searched a bit and found: https://github.com/Yelp/detect-secrets

To add my anecdote, testing out Trufflehog versus Gitleaks and detect-secrets the other tools seemed superior on detection rate and easier to work with.

Respecting your privacy: To protect your sensitive data, um uses the excellent detect-secrets python library to remove passwords and tokens before indexing commands. Also our OpenAI account is opted out of collecting and using data for training the next versions of GPT.

exclude: "^/migrations/" default_stages: [ commit, push ] default_language_version: python: python3 repos: - repo: https://github.com/Yelp/detect-secrets rev: v1.4.0 hooks: - id: detect-secrets name: Detect secrets language: python entry: detect-secrets-hook args: ['--baseline', '.secrets.baseline']

repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v2.3.0 hooks: - id: check-yaml - id: end-of-file-fixer - id: trailing-whitespace - repo: https://github.com/Yelp/detect-secrets rev: v1.4.0 hooks: - id: detect-secrets - repo: https://github.com/igorshubovych/markdownlint-cli rev: v0.33.0 hooks: - id: markdownlint args: ["--disable=MD013"] # this removes line length warnings

Yelp has a "detect-secrets" project that can detect potential secrets and can be used as a pre-commit hook: https://github.com/Yelp/detect-secrets

detect-secret is an enterprise-friendly tool for detecting and preventing secrets in the code base. We can also scan the non-git tracked files. There are other tools as well like Gitleaks which also provide similar functionality.

As presented in the report, a lot of secrets are hardcoded in the Git repository. This can be detected by secret detection tools. There are OSS like https://github.com/Yelp/detect-secrets or SaaS alternatives. The detection process can be executed by every team member locally using Git Hooks and on Github using Github Checks on the Pull Request level.