gitz
noseyparker
gitz | noseyparker | |
---|---|---|
8 | 13 | |
30 | 1,515 | |
- | 2.1% | |
6.8 | 9.4 | |
about 2 months ago | 6 days ago | |
Python | Rust | |
MIT License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
gitz
-
Managing secrets like API keys in Python - Why are so many devs still hardcoding secrets?
When I develop a big feature, I do it on a private branch, and then I commit and push an "anonymous" commit (using this) whenever I have made any progress.
-
An alias that has saved me hours since I created it yesterday
where git st is here (a lot like git status.)
-
GitHub's Missing Merge Option
No, there's no reason to preserve commit messages you used during development.
When I am developing, I make many tiny commits with an automatically generated title ('Modify util/files.py') each time my tests pass, or really, when I do anything of value. (I use `git-infer`: https://github.com/rec/gitz/blob/master/git-infer)
This makes it impossible for me to lose work, and acts like a coarse-grained undo for me, where I can quickly move back and forth between spots that the tests worked if I decide I'm going the wrong way, or create a new branch, move back a bit, and make some changes and compare.
_Before anyone sees this code_ I rebase it down to a logical sequence extremely-carefully named and organized commits. (The word "manicured" has been used more than once.)
As I go through code review, I make tiny commits and at the end, rebase them into my carefully-named commits.
I create at least five commit IDs for each final commit I created. No one wants to see these.
I spend considerable time organizing everything so just the information you need to see is in the final commits. All the information should be there.
-
What one thing would you improve about Git?
I have a truly evil command in my gitz package https://github.com/rec/gitz called git adjust.
-
Eli5: Why do so many people like to use the terminal instead of a good client?
I have a bunch of git utilities to do common chores, but more, I tend to stack up a lot of commands at once in the command line separated by &&.
-
Why is git pull broken?
This isn't just academic - it affects every git tool. I have a collection of git utilities, fairly high quality, but a lot of my favorite ones don't work over merge commits, not because I was lazy but because I simply couldn't figure out a way to do it that made sense in every case.
- Does format() method returns a list?
noseyparker
-
Magika: AI powered fast and efficient file type identification
Yes!
Sometimes a file has no extension. Other times the extension is a lie. Still other times, you may be dealing with an unnamed bytestring and wish to know what kind of content it is.
This last case happens quite a lot in Nosey Parker [1], a detector of secrets in textual data. There, it is possible to come across unnamed files in Git history, and it would be useful to the user to still indicate what type of file it seems to be.
I added file type detection based on libmagic to Nosey Parker a while back, but it's not compiled in by default because libmagic is slow and complicates the build process. Also, libmagic is implemented as a large C library whose primary job is parsing, which makes the security side of me jittery.
I will likely add enabled-by-default filetype detection to Nosey Parker using Magika's ONNX model.
[1] https://github.com/praetorian-inc/noseyparker
- GitHub: Can no longer search code without being logged in
- Managing secrets like API keys in Python - Why are so many devs still hardcoding secrets?
-
Show HN: Nosey Parker, a fast and low-noise secrets detector for textual data
Yes and no.
On the one hand, Nosey Parker is effectively a special-purpose `grep` with a bunch of security-relevant patterns built-in, including one for PEM-encoded keys: <https://github.com/praetorian-inc/noseyparker/blob/main/data...>
On the other hand, to naively run the check you describe, you would need access to a copy of all of GitHub, which isn't feasible.
What you can do with Nosey Parker is use its GitHub enumeration features to specify your GitHub organization and a list of GitHub usernames you are interested in, and scan against just those. This will implicitly list all the relevant public repositories, clone them, and scan their entire history.
For your use case, another thing you could do is use the new GitHub code search (<https://cs.github.com>) to regex search for particular keys or tokens. That new search seems to cover lots of the public content available on GitHub.
Also, to put some color on this use case: in offensive security engagements (aka "red team" engagements) at Praetorian, we frequently find leaked credentials or tokens on GitHub or elsewhere, which allow us deeper access into the client's systems. It's a significant problem.
- Nosey Parker, a fast and low-noise secrets detector, now supports enumerating GitHub repositories and writing results in SARIF format
- Nosey Parker, a newer secrets detector, can scan 100GB of Linux kernel commit history in 2 minutes on a laptop, and now can write SARIF output
- Nosey Parker, a fast secrets detector, now enumerates GitHub repos, writes SARIF output, and has 90 default rules
-
Tools for scanning commits?
A tool just got open-sourced called Nosey Parker that scans commits and git history for secrets. You could look at Nosey Parker's source code to see how they scan commits and design your tool based on that.
- Nosey Parker, a new scanner for hardcoded secrets in textual data
What are some alternatives?
Git - Git Source Code Mirror - This is a publish-only repository but pull requests can be turned into patches to the mailing list via GitGitGadget (https://gitgitgadget.github.io/). Please follow Documentation/SubmittingPatches procedure for any of your improvements.
betterscan-ce - Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners + OpenAI GPT with One Report (Code, IaC) - Betterscan Community Edition (CE)
safer - ๐งท A safer writer ๐งท
trufflehog - Find and verify secrets
xmod - ๐ฑ Turn any object into a module ๐ฑ
leaky-repo - Benchmarking repo for secrets scanning
wavemap - ๐ mmap massive audio files as numpy ๐
MyBB - MyBB is a free and open source forum software.
vl8 - ๐ Perturbed audio ๐
mfaws - A cross-platform CLI tool to manage AWS credentials for MFA-enabled accounts
git-push-update - Push with "server-side" merge or rebase
parse-server - Parse Server for Node.js / Express