gitleaks
dockle
| | gitleaks | dockle |
|---|---|---|
| Mentions | 34 | 2 |
| Stars | 15,075 | 2,630 |
| Growth | 2.5% | 1.6% |
| Activity | 8.2 | 5.8 |
| Latest commit | 2 days ago | 8 days ago |
| Language | Go | Go |
| License | MIT License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
gitleaks
-
Go Security Scanner
Cool. What features/capabilities are different compared to gitleaks?
-
My boss keeps committing his creds into git
To add my anecdote, testing out Trufflehog versus Gitleaks and detect-secrets, the other tools seemed superior on detection rate and easier to work with.
-
any open source that checks security vulnerabilities in code?
Maybe https://github.com/gitleaks/gitleaks is what you are looking for
-
Securing the software supply chain in the cloud
Gitleaks
- How to deal with unintended information leakage when using GitHub as your GIT?
- GitHub Access Token Exposure
-
Thinking Like a Hacker: AWS Keys in Private Repos
It’s easy to think that it’s only important to scan for secrets in your public-facing repositories, but this real-world data breach proves that you need to treat all code the same from a security perspective. Malicious hackers can use open-source tools like Gitleaks and TruffleHog to quickly detect secrets in massive amounts of code, without leaving a trace. As a defender, *it’s extremely important to have secret scans tightly integrated into your SDLC* (software development lifecycle) to reduce the risks of exposing them. GitGuardian offers secret scanning for private repositories in their Free, Business, and Enterprise plans.
-
Toyota Accidentally Exposed a Secret Key Publicly on GitHub for Five Years
Good reminder to run Gitleaks[1] or Gitleaks-Action[2] on your repos
-
Implement DevSecOps to Secure your CI/CD pipeline
detect-secrets is an enterprise-friendly tool for detecting and preventing secrets in the code base. We can also scan the non-git tracked files. There are other tools as well like Gitleaks which also provide similar functionality.
dockle
What are some alternatives?
trufflehog - Find and verify credentials
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
hadolint - Dockerfile linter, validate inline bash, written in Haskell
git-secrets - Prevents you from committing secrets and credentials into git repositories
pre-commit - A framework for managing and maintaining multi-language pre-commit hooks.
husky - git hooks made easy
semgrep - Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
sops - Simple and flexible tool for managing secrets
git-all-secrets - A tool to capture all the git secrets by leveraging multiple open source git searching tools
shhgit - Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories.
bandit - Bandit is a tool designed to find common security issues in Python code.