Project description

dangling-finder

Find dangling commits inside your GitHub repositories.

Introduction

This is an attempt to find ways to recover dangling commits inside a GitHub repository, to help you improve your use of repository secret scanning tools like trufflehog or gitleaks. For now, only one way is used:

recover all force-pushed events in a pull request and list all former HEADs of the PR (most probably dangling-commits)
TODO: get all available Push events from GitHub API (but only the X last events can be retrieved)
TODO: add closed and not merged PR, in addition to their lost force-pushed commits
TODO: try with user specific events to get more dangling commits

Limitations

This tool only focuses on potential dangling-commits sources. It doesn't list:

current HEADS of pull requests (whether opened, merged or closed - TODO: check if closed PRs are already covered by popular tools)
parent dangling-commits of the dangling HEADs found in a "force-pushed" event (git fetch can be used to avoid thinking about this, see below in Usage)
the content of the dangling-commits found: it would require to browse all commits from the dangling HEADs found (unecessary if you use git fetch) and to have a way to get the content of each commit (the GitHub GraphQL API does not seem to provide a way to do so, and it would cost too much using the REST API - git fetch avoid us this trouble)

Installation

git clone git@github.com:MickaelFontes/dangling-finder.git && cd dangling-finder
poetry install

Usage

To show the help, run:

poetry run dangling-finder -h

To use the commands, you will need to provide a GitHub API token. Read the documentation here to generate a token.

Use the script to find the dangling heads and use the generated script with the dangling heads to add the dangling commits in the clone repo.

poetry run dangling-finder owner repo --github-token $GITHUB_TOKEN --git-script > owner-repo-dangling-scirpt.sh
git clone git@github.com:owner/repo.git && cd owner/repo
chmod +x ../owner-repo-dangling-scirpt.sh && bash ../owner-repo-dangling-scirpt.sh

Then scan the repo local for secrets with your favorite tool.

Project details

These details have not been verified by PyPI

Release history Release notifications | RSS feed

0.3.3

Jun 17, 2024

0.3.2

Jun 17, 2024

0.3.1

Mar 21, 2024

This version

0.2.0

Feb 28, 2024

0.1.3

Feb 25, 2024

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

dangling_finder-0.2.0.tar.gz (14.8 kB view hashes)

Uploaded Feb 28, 2024 Source

Built Distribution

dangling_finder-0.2.0-py3-none-any.whl (7.7 kB view hashes)

Uploaded Feb 28, 2024 Python 3

Hashes for dangling_finder-0.2.0.tar.gz

Hashes for dangling_finder-0.2.0.tar.gz
Algorithm	Hash digest
SHA256	`9c565e4b9323ffd9bf19c11a97c1d83a82e8b08b1958c71eb20b9f25d8bbae4b`
MD5	`51648b3ce0af939004bc9bedd83b73f4`
BLAKE2b-256	`09ac92f35325b3effcb862bb08215891206ed1f43af5de0c5ac4438cd184dc9a`

Hashes for dangling_finder-0.2.0-py3-none-any.whl

Hashes for dangling_finder-0.2.0-py3-none-any.whl
Algorithm	Hash digest
SHA256	`043508feecf111d38d74ca98fe2a9f574ea20176332835040351c27ea07e4ad9`
MD5	`9203cb5632c09953d03e9195e6ccc7ee`
BLAKE2b-256	`9e196a74ef069b0d8a5dfae0dcd7620a1722ced613347b402a00f85c3365bc87`