leaky-repo
betterscan
leaky-repo | betterscan | |
---|---|---|
2 | 34 | |
230 | 839 | |
0.9% | 0.8% | |
0.0 | 9.9 | |
6 months ago | 2 days ago | |
Python | Python | |
MIT License | GNU Affero General Public License v3.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
leaky-repo
-
Nosey Parker: a new scanner to find misplaced secrets in textual data and Git history
Also, I've built a repo of credentials and benchmarked several tools including trufflehog against it if you want to see how your tool and default ruleset stack up: https://github.com/Plazmaz/leaky-repo
-
Discover Hidden Secrets in Git Repos with Rust
At this point, we've succeeded at what we set out to create. I went ahead and scanned common testing repositories for this sort of thing like Plazmaz/leaky-repo and dijininja/leakyrepo. In general the program found all or most of the secrets. In the case of dijininja/leakyrepo it found a lot of RSA private keys which is acceptable but technically a misidentification. For Plazmaz/leaky-repo we find the majority of the keys although once again misidentify some. The decision to use rust makes performance really solid although still a little slow even for small repos. A couple good extensions to this to help with that could be adding a thread pool in order to scan objects in parallel. In more professional code, it seems more idiomatic for the scan_objects() function to return some objects of objects including their results rather than just printing the one containing secrets. For example, it could be formatted something like this:
betterscan
-
Cloud and Code Security - betterscan.io
More on the website: www.betterscan.io
-
Do you SLSA or SBOM in your SDLC?
Maybe you will find https://github.com/marcinguy/betterscan-ce useful (scans SBOMs and Dependencies, apart from Code and IaC).
-
SBOM and dependencies check tool and vulnerabilities database from Google
P.S I also added it to my Security Automation/Orchestration project, it was missing there: https://github.com/marcinguy/betterscan-ce Hope it helps somebody.
-
Nosey Parker: a new scanner to find misplaced secrets in textual data and Git history
Congrats on release. Feel free to check out https://github.com/marcinguy/betterscan-ce It is not that fast, but detects 166+ secret types (modified trufflehog3) and also bugs and vulnerabilities in Code and Cloud setups.
-
OpenSSL 3.0.7 Published
If you want to scan binary to see if this uses vulnerable version, use this YARA rule: https://github.com/marcinguy/betterscan-ce/blob/master/analy...
Courtesy of Akamai.
If you don't know YARA tool, you can run this command in the folder where your binary is (it will install everything needed):
sh <(curl https://dl.betterscan.io/cli.sh)
Hope that helps somebody
-
Text4shell CVE-2022-42889 scan
More: https://github.com/marcinguy/betterscan-ce
- Asking for feedback about my business website
- PMD Apex Code Scanner with integration with CLI output (HTML, JSON, Terminal) or Platform
- Open Source (with Professional paid version) Apex Scanning Tool for Salesforce for Security, Quality and Best practices using PMD with many other checks (incl. secrets)
- Checkov + Kubescape + Code checks unified in one interface/UI or output
What are some alternatives?
tartufo - Searches through git repositories for high entropy strings and secrets, digging deep into commit history
osv-scanner - Vulnerability scanner written in Go which uses the data provided by https://osv.dev
deadshot - Deadshot is a Github pull request scanner to identify sensitive data being committed to a repository
ThreatPlaybook - A unified DevSecOps Framework that allows you to go from iterative, collaborative Threat Modeling to Application Security Test Orchestration
whispers - Identify hardcoded secrets in static structured text
awesome-guidelines - A curated list of high quality coding style conventions and standards.
JAZ - Find secrets hidden in commits
osv.dev - Open source vulnerability DB and triage service.
noseyparker - Nosey Parker is a command-line tool that finds secrets and sensitive information in textual data and Git history.
git-alerts - Tool to detect and monitor GitHub org users' public repositories for secrets and sensitive files
eth-phishing-detect - Utility for detecting phishing domains targeting Web3 users