Online code repositories offer a window into an organization's technology stack, revealing the programming languages and frameworks it employs. In some rare instances, developers have unintentionally exposed sensitive information, including critical data and credentials, within public repositories. These inadvertent revelations may present a unique opportunity for us.
Practice
To automate the process of searching for sensitive files and hardcoded credentials in Git repositories, we may use the following tools.
Noseyparker is a command-line program that finds secrets and sensitive information in textual data and Git history.
```bash
# Scan a repo
noseyparker scan --datastore np.myDataStore --git-url <repo-url>

# Scan all repos of a user
noseyparker scan --datastore np.myDataStore --github-user <username>

# Scan all repos of an organization
noseyparker scan --datastore np.myDataStore --github-organization <NAME>

# Show the results of a scan
noseyparker report -d np.myDataStore
```
Gitleaks (Go) is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in Git repos.
```bash
./gitleaks detect -v -r=<GIT_REPO_URL>
```
Gitrob (Go) is a tool to help find potentially sensitive files pushed to public repositories on GitHub. It clones the repositories belonging to a user or organization down to a configurable depth, iterates through the commit history, and flags files that match signatures for potentially sensitive content.
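To show what the signature matching behind these scanners amounts to, here is a minimal Python scanner (an added example, not code from Nosey Parker, Gitleaks or Gitrob) that combines Gitrob-style file-name signatures with Gitleaks/Nosey Parker-style content regexes over a constructed in-memory snapshot of a repository. All file contents and credential-looking values are made up; the placeholder filter illustrates the kind of noise reduction a real rule set needs.

```python
import re

# Constructed sample repository snapshot: path -> file text. All values are
# made up for this demonstration; none are real credentials.
SAMPLE_FILES = {
    "config/settings.py": 'DEBUG = True\nDB_PASSWORD = "Sup3rS3cret!"\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEexample\n-----END RSA PRIVATE KEY-----\n",
    "tests/fixtures.py": 'API_KEY = "changeme"\n',
    "README.md": "Run `make test` before pushing.\n",
}

# Path-based signatures, in the spirit of Gitrob's file-name checks.
SENSITIVE_PATH_PATTERNS = [
    (re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$"), "SSH private key file"),
    (re.compile(r"\.(pem|p12|pfx|key)$"), "Key or certificate file"),
    (re.compile(r"(^|/)\.env$"), "Dotenv file"),
]

# Content-based signatures, in the spirit of Gitleaks/Nosey Parker regex rules.
# Group 1, where present, captures the secret-looking value itself.
SECRET_CONTENT_PATTERNS = [
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "Private key block"),
    (re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), "AWS access key ID"),
    (re.compile(r"""(?i)(?:password|passwd|secret|api[_-]?key)\s*[=:]\s*['"]([^'"\s]{6,})['"]"""),
     "Hardcoded credential assignment"),
]

# Obvious dummy values that would otherwise be reported as credentials.
PLACEHOLDER_VALUES = {"changeme", "password", "example", "xxxxxx", "<redacted>"}

def scan_files(files):
    """Return (path, line_no, rule) findings; line_no is 0 for path-only hits."""
    findings = []
    for path, text in files.items():
        for pattern, rule in SENSITIVE_PATH_PATTERNS:
            if pattern.search(path):
                findings.append((path, 0, rule))
        for line_no, line in enumerate(text.splitlines(), start=1):
            for pattern, rule in SECRET_CONTENT_PATTERNS:
                m = pattern.search(line)
                if not m:
                    continue
                # Skip well-known placeholders to cut noise from fixtures and docs.
                if m.groups() and m.group(1).lower() in PLACEHOLDER_VALUES:
                    continue
                findings.append((path, line_no, rule))
    return findings
```

Running `scan_files(SAMPLE_FILES)` reports the hardcoded database password and the committed SSH key (once for its path, once for the key header) while the `changeme` fixture is suppressed; the real tools apply the same idea across every commit in the history, not just the current tree.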