tartufo
leaky-repo
tartufo | leaky-repo | |
---|---|---|
6 | 2 | |
484 | 228 | |
4.4% | - | |
6.0 | 0.0 | |
16 days ago | 3 months ago | |
Python | Python | |
GNU General Public License v3.0 only | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
tartufo
- Tartufo searches through Git repositories for high entropy strings and secrets
- Show HN: Tartufo, the godaddy Git secrets linter
- GitHub Access Token Exposure
-
Toyota Accidently Exposed a Secret Key Publicly on GitHub for Five Years
You could set up something like https://github.com/godaddy/tartufo in a pre-commit hook. Not sure if github has a way to hook into the push hooks on server side, they might though.
- Tartufo – effective finds secrets accidentally committed
leaky-repo
-
Nosey Parker: a new scanner to find misplaced secrets in textual data and Git history
Also, I've built a repo of credentials and benchmarked several tools including trufflehog against it if you want to see how your tool and default ruleset stack up: https://github.com/Plazmaz/leaky-repo
-
Discover Hidden Secrets in Git Repos with Rust
At this point, we've succeeded at what we set out to create. I went ahead and scanned common testing repositories for this sort of thing like Plazmaz/leaky-repo and dijininja/leakyrepo. In general the program found all or most of the secrets. In the case of dijininja/leakyrepo it found a lot of RSA private keys which is acceptable but technically a misidentification. For Plazmaz/leaky-repo we find the majority of the keys although once again misidentify some. The decision to use rust makes performance really solid although still a little slow even for small repos. A couple good extensions to this to help with that could be adding a thread pool in order to scan objects in parallel. In more professional code, it seems more idiomatic for the scan_objects() function to return some objects of objects including their results rather than just printing the one containing secrets. For example, it could be formatted something like this:
What are some alternatives?
deadshot - Deadshot is a Github pull request scanner to identify sensitive data being committed to a repository
betterscan - Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report (Code, IaC) - Betterscan
whispers - Identify hardcoded secrets in static structured text
secrets - A command-line tool to prevent committing secret keys into your source code [Moved to: https://github.com/sirwart/ripsecrets]
leakyrepo - A repo which contains lots of things which it shouldn't
Pathfinder - Search Strategy analysis and more for spatial navigation data in rodents
kscp - Kubernetes Secrets Control Plane
JAZ - Find secrets hidden in commits
gitleaks - Protect and discover secrets using Gitleaks 🔑
noseyparker - Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.