What does HackerNews think of shhgit?

Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories: www.shhgit.com

Language: JavaScript

#29 in Go
#30 in Security
Tencent WeChat is now a GitHub secret scanning partner | Dec 2022
Expand Context ↕
https://github.com/eth0izzle/shhgit
TruffleHog v3 – Detect and automatically verify over 600 credential types | Apr 2022
Expand Context ↕
There are a lot of secret detection tools out there. It probably is going to depend a lot on the specific features you care about. I personally really like shhgit[0] which is MIT licensed and is the tool I've found to most match my workflows.

[0]: https://github.com/eth0izzle/shhgit
My MetaMask Private Keys Stolen from GitHub Private Repo in 1 Hour | Jan 2022
Assuming that the person you were working with didn't drain your wallet, there are many tools which can be used to actively monitor for commits being done on GitHub with secrets of sort.

The first one that comes to my mind is shhgit (https://github.com/eth0izzle/shhgit)

Anyone can self host it and then add multiple GitHub Dev keys to it. Then this can be used to monitor GitHub commits being done, majority of which can be categorized as "secrets".

Ask HN: What are the best automated tools for keeping credentials out of GitHub? | Aug 2021 

    - https://github.com/auth0/repo-supervisor
    - https://github.com/awslabs/git-secrets
    - https://github.com/trufflesecurity/truffleHog
    - https://www.gitguardian.com/
    - https://github.com/eth0izzle/shhgit
All these tools can be configured to scan the repositories and generate alert when credentials or API keys are encountered
The Python Package Index is now a GitHub secret scanning integrator | Mar 2021
Expand Context ↕
There are tools available to help look for this sort of thing (for both you and any potential attackers). TruffleHog[1] is the first one that comes to mind for me.

I also like shhgit[2] for looking for secrets in repositories. (I don't think shhgit will look back in the git history for you though).

[1]: https://github.com/dxa4481/truffleHog

[2]: https://github.com/eth0izzle/shhgit
SolarWinds leaked FTP credentials through a public GitHub repo since 2018 | Dec 2020
Here is one interesting project that lets you see in almost real time leaked secrets (or suscpected secrets there might be fasle positives) across Github, Gists, Gitlab, and Bitbucket: https://www.shhgit.com/

You can also run your own instance: https://github.com/eth0izzle/shhgit/

What will happen when you commit secrets to a public Git repo? | Nov 2020
Expand Context ↕
There are bots (some even run by security and threat intel companies) feeding off of the firehose. For a public display of one type of scanning functionality, take a look at shhgit[0,1].

0: https://www.shhgit.com/

1: https://github.com/eth0izzle/shhgit
View leaked secrets in Git live | Oct 2019
Author here. I released the tool a few weeks back and since downsized the EC2 instance. So this post pretty much killed the box. I've just up-sized it again but it's still running fairly slowly due to high load. It typically finds around 5 secrets/a second. Corresponding blog post here: https://darkport.co.uk/blog/ahh-shhgit!/ and you can run your own instance here: https://github.com/eth0izzle/shhgit