top | item 28113267

Ask HN: What are the best automated tools for keeping credentials out of GitHub?

4 points| lkrubner | 4 years ago | reply

I've a new client, a fast growing startup. Their security situation is a mess and I'm trying to get it under control. I'd love to hear anyone's strategies for imposing security on what has been an insecure system. Especially automated tools for basic stuff, like keeping API credentials out of Github.

3 comments

[+] mzfr|4 years ago|reply

    - https://github.com/auth0/repo-supervisor
    - https://github.com/awslabs/git-secrets
    - https://github.com/trufflesecurity/truffleHog
    - https://www.gitguardian.com/
    - https://github.com/eth0izzle/shhgit

All these tools can be configured to scan repositories and generate alerts when credentials or API keys are encountered.
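As an added illustration of what the tools above do under the hood (this is example code written for this thread, not code from git-secrets, truffleHog, shhgit or GitGuardian): a small scanner that reads a unified diff, checks only the lines being added against a few well-known credential formats plus a generic "secret = value" rule, and uses Shannon entropy to drop placeholder values. The pattern set, the 4.0 bits/char threshold, the `--staged` flag and the sample diff are all assumptions made for the example; the AWS key ID in the sample is the placeholder value AWS uses in its own documentation, the other values are made up.

```python
"""Added example: a minimal diff-based secret scanner in the spirit of the tools
listed above. Illustrative code, not any of those projects' code; the patterns,
threshold and sample data are assumptions.

Usage: `python3 scan_secrets.py` scans the constructed SAMPLE_DIFF below;
`python3 scan_secrets.py --staged` scans `git diff --cached` (pre-commit hook use).
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Well-known credential formats. AWS access key IDs are "AKIA" + 16 uppercase
# alphanumerics; GitHub classic PATs are "ghp_" + 36 chars; PEM headers are
# unmistakable. The generic rule catches "secret/password/api_key/token = <value>"
# and relies on the entropy check to drop placeholders. Assumed, not exhaustive.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:secret|password|api[_-]?key|token)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
    ),
}

# Shannon entropy in bits per character: random base64/hex tokens score well
# above 4, English-like placeholders well below. The threshold is an assumption.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line):
    """Return (rule, token) pairs found in one line of file content."""
    findings = []
    for rule, pat in PATTERNS.items():
        for m in pat.finditer(line):
            token = m.group(1) if m.groups() else m.group(0)
            if rule == "generic_assignment" and shannon_entropy(token) < ENTROPY_THRESHOLD:
                continue  # low entropy: a placeholder such as "placeholder_placeholder"
            findings.append((rule, token))
    return findings


def scan_diff(diff_text):
    """Scan only lines being added ('+...'), skipping the '+++' file headers,
    so a commit that *removes* a secret is not blocked by its own cleanup."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for rule, token in scan_line(line[1:]):
            findings.append({"line": lineno, "rule": rule, "token": token})
    return findings


# Constructed sample diff. The AWS key ID is the placeholder AWS uses in its own
# documentation; every other value is made up for this example.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -2,3 +2,5 @@
 DEBUG = True
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "placeholder_placeholder"
+API_KEY = "q7Zx9mK2pL4vN8wR3tY6uB1cD5fG0hJk"
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAconstructedkeybody
+-----END RSA PRIVATE KEY-----
"""


def main():
    if sys.argv[1:] == ["--staged"]:
        diff = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                              capture_output=True, text=True, check=True).stdout
    else:
        diff = SAMPLE_DIFF
    findings = scan_diff(diff)
    for f in findings:
        # Never echo the full secret into terminal history or CI logs.
        print(f"diff line {f['line']}: {f['rule']} ({f['token'][:6]}...)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

On the sample diff this reports the AWS key ID, the high-entropy `API_KEY` value and the PEM header, and stays quiet on the low-entropy `DB_PASSWORD` placeholder. Two caveats a practitioner should keep in mind when wiring something like this into `.git/hooks/pre-commit`: a client-side hook is skipped by `git commit --no-verify`, so it complements rather than replaces server-side scanning; and it only sees the diff in front of it, whereas tools like truffleHog also walk history, which matters because a secret that was committed and later deleted still lives in every clone and fork and has to be rotated, not just removed.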
[+] lumberjack24|4 years ago|reply
Try GitGuardian to monitor internal repos on GitHub; 100k+ developers use it to scan their commits for all sorts of credentials and secrets.

https://bit.ly/3AHfI9d

[+] paktek123|4 years ago|reply
Cloud providers have AWS Secrets Manager and Azure Key Vault. Then there is always HashiCorp Vault.