What does HackerNews think of shhgit?
Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories: www.shhgit.com
Language:
JavaScript
There are a lot of secret detection tools out there. It probably is going to depend a lot on the specific features you care about. I personally really like shhgit[0] which is MIT licensed and is the tool I've found to most match my workflows.
Assuming that the person you were working with didn't drain your wallet, there are many tools which can be used to actively monitor for commits being done on GitHub with secrets of some sort.
The first one that comes to my mind is shhgit (https://github.com/eth0izzle/shhgit)
Anyone can self host it and then add multiple GitHub Dev keys to it. Then this can be used to monitor GitHub commits being done, the majority of which can be categorized as "secrets".
- https://github.com/auth0/repo-supervisor
- https://github.com/awslabs/git-secrets
- https://github.com/trufflesecurity/truffleHog
- https://www.gitguardian.com/
- https://github.com/eth0izzle/shhgit
All these tools can be configured to scan the repositories and generate an alert when credentials or API keys are encountered.
There are tools available to help look for this sort of thing (for both you and any potential attackers). TruffleHog[1] is the first one that comes to mind for me.
I also like shhgit[2] for looking for secrets in repositories. (I don't think shhgit will look back in the git history for you though).
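As an added illustration of the signature-plus-entropy style of secrets scanning these comments describe (example code written for this page, not shhgit's own code; the regex patterns, entropy threshold and sample file are constructed assumptions, not the tool's real signature set):

```python
import math
import re

# Constructed signatures for a few well-known key formats (assumption: shhgit's
# real signature file is not reproduced here; these are illustrative only).
SIGNATURES = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "Slack token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Assignments like db_password = "..." have no fixed format, so their values are
# judged by entropy: random-looking strings are reported, placeholders are not.
ASSIGNMENT = re.compile(
    r"(?i)([a-z0-9_.-]*(?:secret|password|passwd|token|api[_-]?key))"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{8,})['\"]?"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and placeholders score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(text: str, entropy_threshold: float = 3.5):
    """Return (line_number, finding_type, matched_value) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SIGNATURES.items():
            for m in pattern.finditer(line):
                findings.append((lineno, name, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            key_name, value = m.group(1).lower(), m.group(2)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high-entropy " + key_name, value))
    return findings

# Constructed sample file; the AWS id is AWS's own documentation example value,
# the other values are made up, and nothing here is a real leaked credential.
SAMPLE = """\
# config.env (constructed sample)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
password = "changeme"
db_password = "q7Zp3kL9mX2vR8tB4nW6"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE):
        print(f"line {lineno}: {kind}: {value}")
```

Lines 2, 4 and 5 of the sample are reported; the low-entropy placeholder "changeme" on line 3 is not, which is the false-positive trade-off the entropy threshold controls.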
Here is one interesting project that lets you see in almost real time leaked secrets (or suspected secrets; there might be false positives) across Github, Gists, Gitlab, and Bitbucket: https://www.shhgit.com/
You can also run your own instance: https://github.com/eth0izzle/shhgit/
There are bots (some even run by security and threat intel companies) feeding off of the firehose. For a public display of one type of scanning functionality, take a look at shhgit[0,1].
Author here. I released the tool a few weeks back and since downsized the EC2 instance. So this post pretty much killed the box. I've just up-sized it again but it's still running fairly slowly due to high load. It typically finds around 5 secrets/a second. Corresponding blog post here: https://darkport.co.uk/blog/ahh-shhgit!/ and you can run your own instance here: https://github.com/eth0izzle/shhgit