top | item 45777476


connectsnk | 4 months ago

Are there any open source tools that scan the code and detect such gaffes?


UltraMagnus | 4 months ago

Not open source, but I have used this before, and they have a very generous free tier: https://www.gitguardian.com/monitor-internal-repositories-fo...

You install their GitHub app and give them access to your GitHub repo (private repos are ok too), and they run a GitHub workflow when each PR is submitted, scanning for secrets that should not be in the code. Really happy with how their product works.

heretoread9000 | 4 months ago

TruffleHog is a good starting point, then bake your own simple regex into your GitHub Actions or equivalent and make it part of your test suite.

vivzkestrel | 4 months ago

Stupid question: can we not make a regex for searching API keys for particular APIs and do a brute-force scan across the internet?

richbell | 4 months ago

There are a number of products and open source tools that do this. Look up "secret scanning".
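The two ideas in this thread, a home-grown regex check baked into the test suite and the observation that provider keys have recognisable formats you can grep for, are the same mechanism. Below is an added example of that mechanism, written for this page and not taken from TruffleHog, GitGuardian or any other tool: provider-specific regexes for a few well-known key formats, plus a Shannon-entropy fallback for secrets with no known prefix, wrapped in a script that exits non-zero so a CI job fails when a finding appears. The regex for AWS access key IDs, the `ghp_` GitHub token prefix and the PEM private-key header are real formats; the entropy threshold and the sample config are assumptions chosen for the example, and every key in the sample is constructed (the AWS one is the placeholder AWS uses in its own documentation).

```python
"""Minimal regex + entropy secret scanner, usable as a pre-push or CI gate.

Added example for the thread above, not code from TruffleHog or GitGuardian.
Every credential-looking value in SAMPLE is constructed and not a real secret.
"""
from __future__ import annotations

import math
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Provider-specific formats keyed on their fixed prefixes. These same regexes
# are what anyone crawling public code for leaked keys uses, which is exactly
# why running them on your own diffs before they leave the machine pays off.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Fallback for secrets with no known prefix: long, high-entropy tokens.
CANDIDATE = re.compile(r"[A-Za-z0-9+/_]{20,}")
ENTROPY_THRESHOLD = 3.8  # assumption: catches hex/base64 secrets, tolerates most identifiers


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never log the full secret, even in CI output


def shannon_entropy(s: str) -> float:
    """Bits per character; 32 hex chars with each digit used twice gives exactly 4.0."""
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def redact(tok: str) -> str:
    return tok[:4] + "..." + tok[-4:]


def scan_text(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for idx, line in enumerate(text.splitlines(), start=1):
        covered: list[tuple[int, int]] = []  # spans already claimed by a named pattern
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                covered.append(m.span())
                findings.append(Finding(idx, kind, redact(m.group())))
        for m in CANDIDATE.finditer(line):
            # Skip tokens a named pattern already explained, so a GitHub token
            # is reported once, not once as github_pat and once as high entropy.
            if any(a <= m.start() and m.end() <= b for a, b in covered):
                continue
            tok = m.group()
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append(Finding(idx, "high_entropy_string", redact(tok)))
    return findings


def scan_paths(paths) -> list[tuple[str, Finding]]:
    hits = []
    for p in paths:
        for f in scan_text(Path(p).read_text(errors="replace")):
            hits.append((str(p), f))
    return hits


# Constructed sample config: two known-format keys, one prefix-less hex secret,
# and two benign lines that must not be flagged.
SAMPLE = """\
# constructed config; none of these values are real
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
api_secret = "9f8e7d6c5b4a39281706f5e4d3c2b1a0"
url = "https://api.example.com/v1/users"
timeout_seconds = 30
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_paths(sys.argv[1:])
    else:
        hits = [("<sample>", f) for f in scan_text(SAMPLE)]
    for path, f in hits:
        print(f"{path}:{f.line_no}: {f.kind}: {f.redacted}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI step
```

In a GitHub Actions job the step would be something like `python scan_secrets.py $(git diff --name-only origin/main...HEAD)` (file name assumed), so only the files a PR touches are scanned and the job fails on the first hit. The entropy fallback is the noisy part: lower the threshold and you start flagging long identifiers and base64 test fixtures, which is the trade-off dedicated tools spend most of their effort on.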