git-secret-scanner

Find secrets in git repositories with TruffleHog & Gitleaks


Keywords
git, scan, secret, security, auditing, credentials, secrets
License
Apache-2.0
Install
pip install git-secret-scanner==0.2.2

Documentation

git-secret-scanner

This tool aims to find secrets and credentials in git repositories owned by Organizations or Groups using the libraries TruffleHog & Gitleaks.

Warning

This tool is only designed for Linux and macOS. The current version only supports GitLab and GitHub.

Why this tool?

TruffleHog and Gitleaks are already designed to find secrets in git repositories, so you may wonder "what is the purpose of a tool combining both scanners?"

These two tools each have their own strengths and weaknesses:

  • TruffleHog is very effective at classifying different secrets, but cannot find them all. It relies on detectors that can easily detect specific types of secrets, but not general secrets or general API keys.
  • Gitleaks is able to find many more secrets, but is not as good as TruffleHog at classification. It contains fewer detectors and relies on string entropy to detect potential secrets that are not found by its detectors.

We designed this tool to combine the strengths of both tools in order to find as many secrets as possible while still classifying the secrets found efficiently.
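The combination described above, as an added example that is not part of the git-secret-scanner project: both scanners' JSON findings (constructed here, field names assumed from each tool's output format) are merged per (commit, file, line, secret), TruffleHog's classification wins where both tools hit, and the CSV masks the secret value so the report itself does not become a leak.

```python
"""Merge TruffleHog and Gitleaks findings for one repository (offline demo)."""
import csv
import io

# Constructed TruffleHog-style findings (shape assumed from `trufflehog ... --json`)
TRUFFLEHOG = [
    {"DetectorName": "AWS", "Raw": "AKIAEXAMPLEKEY000001",
     "SourceMetadata": {"Data": {"Git": {"file": "deploy/env.sh", "line": 12,
                                          "commit": "abc123"}}}},
]
# Constructed Gitleaks-style findings (shape assumed from `gitleaks detect` JSON report)
GITLEAKS = [
    {"RuleID": "aws-access-token", "Secret": "AKIAEXAMPLEKEY000001",
     "File": "deploy/env.sh", "StartLine": 12, "Commit": "abc123", "Entropy": 3.6},
    {"RuleID": "generic-api-key", "Secret": "sk_live_example_0000",
     "File": "config/app.yaml", "StartLine": 3, "Commit": "def456", "Entropy": 4.1},
]

def normalize_trufflehog(f):
    git = f["SourceMetadata"]["Data"]["Git"]
    return {"file": git["file"], "line": git["line"], "commit": git["commit"],
            "secret": f["Raw"], "kind": f["DetectorName"], "source": "trufflehog"}

def normalize_gitleaks(f):
    return {"file": f["File"], "line": f["StartLine"], "commit": f["Commit"],
            "secret": f["Secret"], "kind": f["RuleID"], "source": "gitleaks"}

def merge_findings(th, gl):
    """Union of both scanners' findings; on overlap keep TruffleHog's detector name
    (it classifies better) but record that both tools flagged the location."""
    merged = {}
    for f in map(normalize_gitleaks, gl):
        merged[(f["commit"], f["file"], f["line"], f["secret"])] = f
    for f in map(normalize_trufflehog, th):
        key = (f["commit"], f["file"], f["line"], f["secret"])
        if key in merged:
            f["source"] = "both"
        merged[key] = f
    return sorted(merged.values(), key=lambda r: (r["file"], r["line"]))

def mask(secret):
    # Keep a short prefix for triage; never write the full value to the report.
    return secret[:4] + "*" * (len(secret) - 4)

def to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["file", "line", "commit", "kind", "source", "secret"])
    w.writeheader()
    w.writerows({**r, "secret": mask(r["secret"])} for r in rows)
    return buf.getvalue()
```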

Requirements

git-secret-scanner requires the following tools to work:

  • Python and pip
  • git
  • TruffleHog
  • Gitleaks

You can easily check that all requirements are met with the commands below:

$ python --version
$ pip --version
$ git --version
$ trufflehog --version
$ gitleaks version

Installation

Using pip

The simplest way to install git-secret-scanner is with pip.

$ pip install git-secret-scanner

Then export your personal access token for GitHub or GitLab:

# GitHub
$ export GITHUB_TOKEN="<token>"
# GitLab
$ export GITLAB_TOKEN="<token>"

From source

  1. Clone the repository:
$ git clone https://github.com/padok-team/git-secret-scanner.git # using https
# or
$ git clone git@github.com:padok-team/git-secret-scanner.git # using ssh
$ cd git-secret-scanner
  2. Install the Python requirements to run the tool:
$ pip install -r requirements.txt
  3. Add your personal access token (GitHub / GitLab) for your git SaaS to your environment variables:
# GitHub
$ export GITHUB_TOKEN="<token>"
# GitLab
$ export GITLAB_TOKEN="<token>"

GitHub tokens require the repo scope; GitLab tokens require both the read_api and read_repository scopes.

Usage

To get detailed usage information about this tool, run:

$ git-secret-scanner --help

Examples

GitHub

Scan the repositories of the organization my-org and write the output to the file output.csv:

$ git-secret-scanner github -o <my-org>

GitLab

Scan the repositories of the group my-group and write the output to the file output.csv:

$ git-secret-scanner gitlab -o <my-group>

Questions?

Open an issue to contact us or to give us suggestions. We are open to collaboration!

License

Apache-2.0