gitleaks
ggshield
| | gitleaks | ggshield |
|---|---|---|
| Mentions | 34 | 22 |
| Stars | 15,075 | 1,502 |
| Growth | 3.3% | 1.9% |
| Activity | 8.2 | 9.7 |
| Latest commit | 3 days ago | about 20 hours ago |
| Language | Go | Python |
| License | MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
gitleaks
-
Go Security Scanner
Cool. What features/capabilities are different compared to gitleaks?
-
My boss keeps committing his creds into git
To add my anecdote: testing out Trufflehog versus Gitleaks and detect-secrets, the other tools seemed superior in detection rate and easier to work with.
-
any open source that checks security vulnerabilities in code?
Maybe https://github.com/gitleaks/gitleaks is what you are looking for
-
Securing the software supply chain in the cloud
Gitleaks
- How to deal with unintended information leakage when using GitHub as your GIT?
- GitHub Access Token Exposure
-
Thinking Like a Hacker: AWS Keys in Private Repos
It’s easy to think that it’s only important to scan for secrets in your public-facing repositories, but this real-world data breach proves that you need to treat all code the same from a security perspective. Malicious hackers can use open-source tools like Gitleaks and TruffleHog to quickly detect secrets in massive amounts of code, without leaving a trace. As a defender, **it’s extremely important to have secret scans tightly integrated into your SDLC** (software development lifecycle) to reduce the risks of exposing them. GitGuardian offers secret scanning for private repositories in their Free, Business, and Enterprise plans.
-
Toyota Accidentally Exposed a Secret Key Publicly on GitHub for Five Years
Good reminder to run Gitleaks[1] or Gitleaks-Action[2] on your repos
-
Implement DevSecOps to Secure your CI/CD pipeline
detect-secrets is an enterprise-friendly tool for detecting and preventing secrets in the code base. We can also scan non-git-tracked files. There are other tools as well, like Gitleaks, which provide similar functionality.
ggshield
-
What do I tell him?
I believe you'll get all the information you need on their website
- GitHub Access Token Exposure
-
How To Use ggshield To Avoid Hardcoded Secrets [cheat sheet included]
If you want to build a configuration from an example, you can find a sample config file at https://github.com/GitGuardian/ggshield/blob/main/.gitguardian.example.yml.
-
Security scanning
I agree that code scanning is really important, the best way to convince others is to identify high-risk threats in source code and present them to the decision-makers. For example, scanning Secrets is great for showing how repositories can be a massive vulnerability and identifying some low-hanging fruit, especially in the git history. Attackers are really after git repository access for this reason and there are plenty of open-source or free tools that you can use to illustrate the problem. Git-Secrets, Truffle Hog. These aren't great for a long-term commercial solution, something like GitGuardian is a better commercial tool but if the goal is just to illustrate the problem then finding some high-value secrets with free tools is a good way to convince the security personnel to invest in some solutions. Then the door is open to having more conversations as you have already proven the risk.
-
Toyota Accidentally Exposed a Secret Key Publicly on GitHub for Five Years
You can definitely use pre-commit hooks for this, like the one from ggshield https://github.com/GitGuardian/ggshield - remediation is far quicker when the secret doesn't make it into the codebase!
-
Life is Too Short to Review Spaces
ggshield is one of the tools we develop at GitGuardian to help secure the codebase. Integrated as a hook, it will scan the content of the git patch to make sure it does not contain any secret, like an API token.
-
[DevOpsSec] How do you manage container image scanning in your CI/CD pipelines?
And for secrets you can use ggshield - https://github.com/GitGuardian/ggshield
-
Secrets: A command-line tool to prevent committing secret keys into your source
You may also want to look at ggshield: https://github.com/GitGuardian/ggshield
-
git repo secret scanning?
Did you try GitGuardian? It has a free version for individual developers, but you can also try ggshield if you prefer to install a pre-commit hook.
What are some alternatives?
trufflehog - Find and verify credentials
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
git-secrets - Prevents you from committing secrets and credentials into git repositories
pre-commit - A framework for managing and maintaining multi-language pre-commit hooks.
husky - git hooks made easy
semgrep - Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
sops - Simple and flexible tool for managing secrets
git-all-secrets - A tool to capture all the git secrets by leveraging multiple open source git searching tools
shhgit - Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories.
bandit - Bandit is a tool designed to find common security issues in Python code.
Mobile-Security-Framework-MobSF - Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
dockle - Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start