What does HackerNews think of gitleaks?

Protect and discover secrets using Gitleaks 🔑

Language: Go

#58 in Go
#41 in Go
#125 in Hacktoberfest
#38 in Security
#5 in Security
monodraw - https://monodraw.helftone.com/ - like Paint but for ASCII art

I used it to come up with the new gitleaks logo: https://github.com/zricethezav/gitleaks

Speaking of credentials, you can use https://github.com/zricethezav/gitleaks to check if your repos contain any secrets
Greetings fellow Hackers! OP here. I see that my experiment got some traction which means more awareness should be spread about this class of bugs.

For starters I recommend reading the papers "How Bad Can It Git" [1] and "Detecting and Mitigating Secret-Key Leaks in Source Code Repositories" [2].

After that you can read "How I made $10K in bug bounties from GitHub secret leaks" [3] and some notable reports on HackerOne Hacktivity [4] [5] and [6]. This last one is interesting - leaking secrets is not only about code repositories! Actually it's about the entire toolset used for software development, hence secret scanning could (should?) be performed for other places such as CI/CD logs or even Slack messages [7].

Anyhow, back to code repositories. GitHub and GitLab both recognized secrets as a problem, so they came up with solutions. If you use GitHub you can easily integrate GitGuardian [8] into your workflow ($$$), but even if you don't, GitHub provides you with the Secret Scanning feature [9] (both are mentioned within the Twitter and HN threads). If you use GitLab you have a Secret Detection feature [10] at your disposal, BUT in order to use it you need to set up Auto DevOps (that's why in my experiment GitLab didn't alert me - I just pushed commits to my public repo but didn't set up anything).

Apart from the built-in solutions provided by GitHub and GitLab, one can use tooling of their own choice. For this I'd recommend two types of solutions: proactive and reactive. For proactive security, as mentioned in the Twitter thread, you can use Talisman [11] as a pre-commit hook. For reactive security you can use GitLeaks [12] (used by GitLab) or similar tools - there are many of them but one stands out, namely truffleHog [13], which can sniff each and every commit across all branches (also used by GitLab).

What if you already committed a secret into a public repository? Start with revoking it and continue with this tutorial [14].

gl, hf.

[1] https://www.ndss-symposium.org/ndss-paper/how-bad-can-it-git...
[2] https://people.eecs.berkeley.edu/~rohanpadhye/files/key_leak...
[3] https://tillsongalloway.com/finding-sensitive-information-on...
[4] https://hackerone.com/reports/716292
[5] https://hackerone.com/reports/396467
[6] https://hackerone.com/reports/496937
[7] https://github.com/PaperMtn/slack-watchman
[8] https://www.gitguardian.com/
[9] https://developer.github.com/partnerships/secret-scanning/
[10] https://docs.gitlab.com/ee/user/application_security/sast/#s...
[11] https://github.com/thoughtworks/talisman
[12] https://github.com/zricethezav/gitleaks
[13] https://github.com/dxa4481/truffleHog
[14] https://docs.github.com/en/free-pro-team@latest/github/authe...

https://github.com/zricethezav/gitleaks - plugging my own tool. You can enforce custom rules like entropy ranges + custom regexes to get fewer false positives, similar to what is described under "Validity Filters" in this article.
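The two comments above describe the core of a reactive secret scanner: a set of regexes that pick out candidate secrets, plus a per-rule entropy window that drops low-entropy matches such as placeholders. The following Go program is an added illustration of that combination written for this page; it is not gitleaks' own code, and the rule names, thresholds and the embedded sample file are constructed for the example. A fixed-prefix identifier (the AWS access key ID format) needs no entropy check, while a generic "key = value" rule is too noisy without one.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one candidate secret that matched a rule and survived the entropy filter.
type Finding struct {
	Rule   string
	Line   int
	Secret string
}

// Rule pairs a regex (with one capture group for the secret itself) with an
// optional entropy window, in the spirit of gitleaks' per-rule regex + entropy
// options. A zero bound disables that side of the check.
type Rule struct {
	Name       string
	Pattern    *regexp.Regexp
	MinEntropy float64
	MaxEntropy float64
}

// shannonEntropy returns the Shannon entropy of s in bits per byte
// (0 for the empty string, at most 8).
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	var counts [256]int
	for i := 0; i < len(s); i++ {
		counts[s[i]]++
	}
	n := float64(len(s))
	var h float64
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// rules are illustrative assumptions, not gitleaks' shipped config.
// A 32-character hex token tops out at 4.0 bits/byte and a random base62
// token sits above 4.5, so 3.5 keeps both while rejecting English-like filler.
var rules = []Rule{
	{
		Name:    "aws-access-key-id",
		Pattern: regexp.MustCompile(`\b(AKIA[0-9A-Z]{16})\b`),
	},
	{
		Name:       "generic-api-key",
		Pattern:    regexp.MustCompile(`(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*["']?([A-Za-z0-9_\-]{16,})["']?`),
		MinEntropy: 3.5,
		MaxEntropy: 8,
	},
}

// Scan applies every rule to every line of content and keeps the matches
// whose captured secret falls inside the rule's entropy window.
func Scan(content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, r := range rules {
			for _, m := range r.Pattern.FindAllStringSubmatch(line, -1) {
				secret := m[1]
				h := shannonEntropy(secret)
				if r.MinEntropy > 0 && h < r.MinEntropy {
					continue // looks like a placeholder, not a real credential
				}
				if r.MaxEntropy > 0 && h > r.MaxEntropy {
					continue
				}
				out = append(out, Finding{Rule: r.Name, Line: i + 1, Secret: secret})
			}
		}
	}
	return out
}

// sample is a constructed stand-in for a config file in a repository.
// Line 1 and 2 are real-looking leaks, line 3 is a placeholder that the
// entropy filter should drop, line 4 is a hex token, line 5 matches nothing.
const sample = `AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
api_key = "sk_live_9fXz2Qm7Lr4Vb8Nt1Wp6Yc3Hd0Ke5Ja"
secret = "changeme_changeme_changeme"
token: 3f9a1c7e2b8d4f60a5e1c9b7d3f2a6e8
name = "service"`

func main() {
	for _, f := range Scan(sample) {
		fmt.Printf("%s line %d: %s (entropy %.2f)\n", f.Rule, f.Line, f.Secret, shannonEntropy(f.Secret))
	}
}
```

Running it reports three findings (lines 1, 2 and 4) and is silent about the `changeme` placeholder on line 3, which is exactly the false positive a regex alone would raise. Tuning the window is a trade-off: raise `MinEntropy` above 4.0 and hex-encoded tokens start slipping through.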
Ah, sorry about that. I got hung up on the second half of your post. Can't say I can think of a good automated solution for bad security hygiene among employees. :/

Though if you guys primarily use Git, this does wonders: https://github.com/zricethezav/gitleaks

The only thing I can think of that would help prevent credential compromises is to either implement a company password manager (akin to your butt-in-seat solution) with an ACL, and only accessible on the local network. That shouldn't be too much friction for employees to actually utilize it.

Next is having a secure channel to transmit secrets. That + Password manager has personally helped stop my coworkers in the past from sending passwords in emails, slack messages, post-it notes, text files on their computer, a committed file in a repo, etc.

Hyperscan is also used for scanning repos at GitHub: https://github.blog/2018-10-17-behind-the-scenes-of-github-t.... I have a similar project for scanning repos, https://github.com/zricethezav/gitleaks, and plan on adding Hyperscan functionality in a future release. It really speeds up scans when trying to match many regexes.
I made a similar tool: https://github.com/zricethezav/gitleaks. Reasons why you might want to use gitleaks over this:

* performance (powered by go-git)

* scan github orgs/users

* ref targeting

made a little tool to catch these things https://github.com/zricethezav/gitleaks. working on a CI version of it right now as well. gotta protect those credentials.

edit: ci version here - https://github.com/zricethezav/gitleaks-ci. work in progress, trying to add readme and instructions tonight. Also if anyone is interested in making gitleaks-ci into a paid github app... hmu