Open-Source Code

Theory

Online code repositories offer a window into an organization's technology stack, revealing the programming languages and frameworks it employs. In some rare instances, developers have unintentionally exposed sensitive information, including critical data and credentials, within public repositories. These inadvertent revelations may present a unique opportunity for us.

Practice

To automate the process of searching for sensitive files and hardcoded credentials in Git repositories, we may use the following tools.

Noseyparker is a command-line program that finds secrets and sensitive information in textual data and Git history.

# Scan a single repository by URL
noseyparker scan --datastore np.myDataStore --git-url <repo-url>

# Scan all repositories of a GitHub user
noseyparker scan --datastore np.myDataStore --github-user <username>

# Scan all repositories of a GitHub organization
noseyparker scan --datastore np.myDataStore --github-org <NAME>

# Show the results of a scan stored in the datastore
noseyparker report -d np.myDataStore
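To make the mechanics of such a scanner concrete, here is a small added example (not part of the original page and not Nosey Parker's own code) that does the two things a secret scanner must do: match known credential shapes (an AWS access key ID, a PEM private-key header, a generic `password = "..."`-style assignment) and filter out low-entropy placeholders such as `changeme` so the report is not drowned in false positives. The file contents, the rule set and the entropy threshold are constructed for this example; the AWS key ID is the placeholder value from the AWS documentation and is not a live credential.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed rule set: real scanners ship hundreds of rules, this is a minimal
# illustration of the three most common shapes.
PATTERNS = {
    # AWS access key IDs are 20 characters starting with "AKIA".
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Literal PEM header of a private key committed as a file.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic "password = '...'" / "api_key: \"...\"" assignment; group 2 is the value.
    "generic_secret_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


@dataclass
class Finding:
    rule: str
    path: str
    line_no: int
    evidence: str  # masked so the report itself does not leak the secret


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; placeholders like 'changeme' score low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str, keep: int = 4) -> str:
    """Keep a short prefix for triage, replace the rest with '*'."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Run every rule over every line of one file and return masked findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # For the generic rule only the assigned value is the secret.
            value = match.group(2) if match.lastindex and match.lastindex >= 2 else match.group(0)
            # Drop obvious placeholders: low entropy means "changeme", "password1", etc.
            if rule == "generic_secret_assignment" and shannon_entropy(value) < min_entropy:
                continue
            findings.append(Finding(rule, path, line_no, mask(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} mapping (stands in for a checked-out tree)."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample repository contents; none of these values are real secrets.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DB_PASSWORD = 'changeme'\n"
        'API_TOKEN = "Xk9#mQ2vL7pR4wZ8nB"\n'
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow(constructed)\n",
    "README.md": "Set the password via the PASSWORD environment variable.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.rule} -> {f.evidence}")
```

Run as-is, the example reports the AWS key ID, the high-entropy API token and the private-key file, and stays silent on the `changeme` placeholder and on the README sentence that merely mentions a password. Unlike Nosey Parker, this toy looks only at the current file contents; a real scan must also walk Git history, because a secret that was committed and later removed is still retrievable from old commits.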
