Find secrets in git repositories with TruffleHog & Gitleaks
git-secret-scanner
This tool aims to find secrets and credentials in git repositories owned by Organizations or Groups using the libraries TruffleHog & Gitleaks.
Warning
This tool is only designed for Linux and MacOS. The current version only supports GitLab and GitHub.
Why this tool?
TruffleHog and Gitleaks are both already designed to find secrets in git repositories, so you may wonder "what is the purpose of a tool combining both scanners?"
Each of these two tools has its own strengths and weaknesses:
- TruffleHog is very effective at classifying different secrets, but cannot find them all. It relies on detectors that reliably identify specific types of secrets, but not general secrets or generic API keys.
- Gitleaks is able to find many more secrets, but is not as good as TruffleHog at classification. It contains fewer detectors and relies on string entropy to detect potential secrets that its detectors do not match.
We designed this tool to combine the strengths of both tools in order to find as many secrets as possible while still classifying those secrets accurately.
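The merge the paragraphs above describe, as an added example written for this page (not git-secret-scanner's own code): TruffleHog's detector name wins the classification when both scanners hit the same secret, while Gitleaks-only entropy hits are kept so nothing is lost. The JSON field names assumed for both scanners' outputs and the two sample findings are assumptions/constructed data.

```python
import json

# Constructed sample output. Field names follow what I assume `trufflehog --json`
# (one object per line) and `gitleaks --report-format json` (an array) emit;
# check them against the versions you run. The AWS key is a fake placeholder.
TRUFFLEHOG_JSONL = """\
{"DetectorName": "AWS", "Verified": true, "Raw": "AKIAEXAMPLEKEY000001", "SourceMetadata": {"Data": {"Git": {"file": "config/prod.env", "line": 12, "commit": "abc1234"}}}}
"""
GITLEAKS_JSON = """\
[{"RuleID": "aws-access-token", "File": "config/prod.env", "StartLine": 12, "Commit": "abc1234", "Secret": "AKIAEXAMPLEKEY000001", "Entropy": 3.9},
 {"RuleID": "generic-api-key", "File": "src/client.py", "StartLine": 44, "Commit": "def5678", "Secret": "zz9Q7xKpL2mN8vR4tY6w", "Entropy": 4.1}]
"""

def parse_trufflehog(text):
    """Normalise TruffleHog JSON lines; the detector name is its classification."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        obj = json.loads(line)
        git = obj["SourceMetadata"]["Data"]["Git"]
        findings.append({"file": git["file"], "line": git["line"], "commit": git["commit"],
                         "secret": obj["Raw"], "kind": obj["DetectorName"],
                         "verified": obj.get("Verified", False), "source": "trufflehog"})
    return findings

def parse_gitleaks(text):
    """Normalise the Gitleaks array; the rule id (often a generic one) is its classification."""
    return [{"file": f["File"], "line": f["StartLine"], "commit": f["Commit"],
             "secret": f["Secret"], "kind": f["RuleID"], "verified": False,
             "source": "gitleaks"} for f in json.loads(text)]

def _key(f):
    return (f["commit"], f["file"], f["line"], f["secret"])

def merge_findings(trufflehog, gitleaks):
    """Union both result sets. A secret both tools hit keeps TruffleHog's detector
    name and verification flag; Gitleaks-only (e.g. entropy) hits are kept as-is."""
    merged = {_key(f): dict(f) for f in gitleaks}
    for f in trufflehog:
        k = _key(f)
        if k in merged:
            merged[k].update(kind=f["kind"], verified=f["verified"], source="both")
        else:
            merged[k] = dict(f)
    return sorted(merged.values(), key=lambda f: (f["file"], f["line"]))

def to_csv_rows(findings):
    """Rows in the shape a report file such as output.csv could hold."""
    header = ["file", "line", "commit", "kind", "verified", "source"]
    return [header] + [[str(f[c]) for c in header] for f in findings]
```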
Requirements
git-secret-scanner requires the following tools to work:
- Python 3 (>= 3.11)
- pip
- git
- TruffleHog (>= 3.0)
- Gitleaks (>= 8.0)
You can easily check that all requirements are met with the commands below:
$ python --version
$ pip --version
$ git --version
$ trufflehog --version
$ gitleaks version
Installation
Using pip
The simplest way to install git-secret-scanner is with pip.
$ pip install git-secret-scanner
Then export your personal access token (GitHub or GitLab):
# GitHub
$ export GITHUB_TOKEN="<token>"
# GitLab
$ export GITLAB_TOKEN="<token>"
From source
- Clone the repository
$ git clone https://github.com/padok-team/git-secret-scanner.git # using https
# or
$ git clone git@github.com:padok-team/git-secret-scanner.git # using ssh
$ cd git-secret-scanner
- Install the Python requirements to run the tool
$ pip install -r requirements.txt
# GitHub
$ export GITHUB_TOKEN="<token>"
# GitLab
$ export GITLAB_TOKEN="<token>"
GitHub tokens require the repo scope; GitLab tokens require both the read_api and read_repository scopes.
Usage
To get detailed usage information about how to use this tool, run
$ git-secret-scanner --help
Examples
GitHub
Scan the repositories of the organization my-org and write the output in the file output.csv:
$ git-secret-scanner github -o <my-org>
GitLab
Scan the repositories of the group my-group and write the output in the file output.csv:
$ git-secret-scanner gitlab -o <my-org>
Questions?
Open an issue to contact us or to give us suggestions. We are open to collaboration!
Hashes for git_secret_scanner-0.3.3-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | d455851f234611c7e691a26715e776b8e6b9b3f2774a2f5dc079326971986a4f
MD5 | b37e40b17f28e578ae287a0ee97d2adb
BLAKE2b-256 | 4b7be2ff14916874c168d9dd663878013fbcea80612c3225bbdd8cc93665fd3a