{"id":13467578,"url":"https://github.com/Checkmarx/2ms","last_synced_at":"2025-03-26T03:30:40.995Z","repository":{"id":152936744,"uuid":"608641388","full_name":"Checkmarx/2ms","owner":"Checkmarx","description":"Too many secrets (2MS) helps people protect their secrets on any file or on systems like CMS, chats and git","archived":false,"fork":false,"pushed_at":"2025-03-20T10:34:40.000Z","size":443,"stargazers_count":89,"open_issues_count":34,"forks_count":19,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-21T09:31:58.176Z","etag":null,"topics":["api-keys","appsec","secret-keys","secret-management","secrets","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Checkmarx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-02T12:49:54.000Z","updated_at":"2025-03-17T17:04:48.000Z","dependencies_parsed_at":"2024-11-11T13:42:35.172Z","dependency_job_id":null,"html_url":"https://github.com/Checkmarx/2ms","commit_stats":null,"previous_names":[],"tags_count":40,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Checkmarx%2F2ms","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Checkmarx%2F2ms/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Checkmarx%2F2ms/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Checkmarx%2F2ms/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Checkmarx","download_url":"https://codeload.github.com/Checkmarx/2ms/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245584441,"owners_count":20639549,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api-keys","appsec","secret-keys","secret-management","secrets","security"],"created_at":"2024-07-31T15:00:58.091Z","updated_at":"2025-03-26T03:30:40.972Z","avatar_url":"https://github.com/Checkmarx.png","language":"Go","readme":"[![Latest Release](https://img.shields.io/github/v/release/checkmarx/2ms)](https://github.com/checkmarx/2ms/releases)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n[![GitHub Discussions](https://img.shields.io/badge/chat-discussions-blue.svg?style=flat-square\u0026logo=github)](https://github.com/Checkmarx/2ms/discussions)\n[![Discord Server](https://img.shields.io/discord/1116626376674521169?logo=discord)](https://discord.gg/uYVhfSGG)\n\n![2ms Mascot](https://github.com/Checkmarx/2ms/assets/1287098/3a543045-9c6a-4a35-9bf8-f41919e7b03e)\n\n**Too many secrets (`2ms`)** is an open source CLI tool, powered by Checkmarx, that enables you to identify sensitive data such as secrets, authentication keys and passwords that are stored in your system in unencrypted text. This tool supports scanning of internal communication platforms (Slack, Discord), content management (Confluence, Paligo) and source code storage locations (Git repo, local directory). \nThis application is written in Go language and is based on the framework provided by [gitleaks](https://github.com/gitleaks/gitleaks).\n\nThe tool checks the content using a series of rules that are designed to identify a wide range of sensitive items such as AWS access token, Bitbucket Client ID, GitHub PAT etc. For a complete list of rules, see [docs/list-of-rules.md](docs/list-of-rules.md).\n\nAdditionally, the tool incorporates a scoring system based on the Common Vulnerability Scoring System (CVSS) to help prioritize remediation efforts.\n\n# Installation\n\nThe following sections explain how to install 2ms using the following methods:\n\n- [Download and Install Precompiled Binaries](#download-and-install-precompiled-binaries)\n- [Compile from Source](#compile-from-source)\n- [Run From Docker Container](#run-from-docker-container)\n- [CI/CD Integrations](#cicd-integrations)\n\n## Download and Install Precompiled Binaries\n\nYou can download 2ms precompiled binaries for amd64 architecture from our [releases page](https://github.com/Checkmarx/2ms/releases). \nThe following links can be used to download the \"latest\" version, for each supported OS.\n\n- [Download for Windows](https://github.com/checkmarx/2ms/releases/latest/download/windows-amd64.zip)\n- [Download for MacOS](https://github.com/checkmarx/2ms/releases/latest/download/macos-amd64.zip)\n- [Download for Linux](https://github.com/checkmarx/2ms/releases/latest/download/linux-amd64.zip)\n\n### Install Globally\n\nInstall 2ms globally on your local machine by placing the compiled binary on your path. For example, on Linux you can place `2ms` binary in `/usr/local/bin/` or create a symbolic link.\n\n**Example:**\n\n```\ncd /opt\nmkdir 2ms\ncd 2ms\nwget https://github.com/checkmarx/2ms/releases/latest/download/linux-amd64.zip\nunzip linux-amd64.zip\nsudo ln -s /opt/2ms/2ms /usr/local/bin/2ms\n```\n\n[![asciicast](https://asciinema.org/a/zkgwRn5fF7JG8uUG3MGJy6UGT.svg)](https://asciinema.org/a/zkgwRn5fF7JG8uUG3MGJy6UGT)\n\n## Compile from source\n\nYou can compile the project from its source using the following commands:\n\n```bash\ngit clone https://github.com/checkmarx/2ms.git\ncd 2ms\ngo build -o dist/2ms main.go\n./dist/2ms\n```\n\n## Run From Docker Container\n\nWe publish container image releases of `2ms` to [checkmarx/2ms](https://hub.docker.com/r/checkmarx/2ms) .\nTo run `2ms` from a docker container use the following command:\n\n```\ndocker run checkmarx/2ms\n```\n\n### Mounting a Local Directory\n\nYou can also mount a local directory by using the`-v` flag with the following syntax `-v \u003clocal-dir-path\u003e:\u003ccontainer-dir-path\u003e`\n\n**Example:**\n\n```bash\ndocker run -v /home/user/workspace/git-repo:/repo checkmarx/2ms git /repo\n```\n\n- For `git` command, you need to mount your git repository to `/repo` inside the container\n\n## CI/CD Integrations\n\n### GitHub Actions\n\nThe following is a template for creating a GitHub Action that runs 2ms from a Docker image to scan your GitHub repo. \n**Note:** Make sure that in the `actions/checkout` step you access the full history by setting the depth as follows `fetch-depth: 0`\n\n```yaml\nname: Pipeline Example With 2MS\n\non:\n pull_request:\n workflow_dispatch:\n push:\n branches: [main]\njobs:\n test:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout code\n uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1\n with:\n # Required for 2ms to have visibility to all commit history\n fetch-depth: 0\n\n # ...\n\n - name: Run 2ms Scan\n run: docker run -v $(pwd):/repo checkmarx/2ms:2.8.1 git /repo\n```\n\n- This example uses version to `2.8.1` of 2ms. Make sure to check for the latest version.\n- 💡 Take a look at [2ms GitHub Actions pipeline](https://github.com/Checkmarx/2ms/blob/master/.github/workflows/release.yml) as 2ms scans itself using 2ms.\n\n### Azure DevOps Pipeline\n\nTo use 2ms in Azure DevOps Pipeline, create a new pipeline ([see this tutorial](https://learn.microsoft.com/en-us/azure/devops/pipelines/create-first-pipeline) for getting started with Azure DevOps Pipelines). Then, use the following template to create a `yml` file `azure-pipelines.yml` to run `2ms`:\n\n```yaml\ntrigger:\n - master\n\npool:\n vmImage: ubuntu-latest\n\nsteps:\n - script: docker run -v $(pwd):/repo checkmarx/2ms:2.8.1 git /repo\n displayName: Run 2ms\n```\n\n- This example uses version to `2.8.1` of 2ms. Make sure to check for the latest version.\n\n# Running 2ms Scans\n\n## Overview\n\n2ms has dedicated commands for scanning each of the supported platforms. To run a scan, you need to enter the command for the platform that you are scanning, along with all of the arguments that are relevant for that platform. The scan command arguments are used for authentication as well as to provide details about the locations that will be scanned. These arguments differ for each platform. In addition, you can add global flags to customize the scan configuration. \nThe fundamental structure of a scan command is:\n\n```text\n2ms \u003cscan command\u003e [scan command arguments] [global flags]\n```\n\nScan command arguments and global flags can be passed either as flags in the scan command or via a config file.\n\n### Command Line Help\n\nWe've built the `2ms` command line interface to be as self-descriptive as possible. This is the help message that is shown when you execute `2ms` without args:\n\n\u003c!-- command-line:start --\u003e\n\n```text\n2ms Secrets Detection: A tool to detect secrets in public websites and communication services.\n\nUsage:\n 2ms [command]\n\nScan Commands\n confluence Scan Confluence server\n discord Scan Discord server\n filesystem Scan local folder\n git Scan local Git repository\n paligo Scan Paligo instance\n slack Scan Slack team\n\nAdditional Commands:\n completion Generate the autocompletion script for the specified shell\n help Help about any command\n rules List all rules\n\nFlags:\n --add-special-rule strings special (non-default) rules to apply.\n This list is not affected by the --rule and --ignore-rule flags.\n --allowed-values strings allowed secrets values to ignore\n --config string config file path\n -h, --help help for 2ms\n --ignore-on-exit ignoreOnExit defines which kind of non-zero exits code should be ignored\n accepts: all, results, errors, none\n example: if 'results' is set, only engine errors will make 2ms exit code different from 0 (default none)\n --ignore-result strings ignore specific result by id\n --ignore-rule strings ignore rules by name or tag\n --log-level string log level (trace, debug, info, warn, error, fatal) (default \"info\")\n --max-target-megabytes int files larger than this will be skipped.\n Omit or set to 0 to disable this check.\n --regex stringArray custom regexes to apply to the scan, must be valid Go regex\n --report-path strings path to generate report files. The output format will be determined by the file extension (.json, .yaml, .sarif)\n --rule strings select rules by name or tag to apply to this scan\n --stdout-format string stdout output format, available formats are: json, yaml, sarif (default \"yaml\")\n --validate trigger additional validation to check if discovered secrets are valid or invalid\n -v, --version version for 2ms\n\nUse \"2ms [command] --help\" for more information about a command.\n```\n\n\u003c!-- command-line:end --\u003e\n\n### Configuration File\n\nYou can pass `--config [path to config file]` argument to specify a configuration file. The configuration file format can be YAML or JSON.\n\n**Example:**\n\n```yaml\nlog-level: info\n\nregex:\n - password\\=\n\nreport-path:\n - ./report.yaml\n - ./report.json\n - ./report.sarif\n\npaligo:\n instance: your-instance\n username: your-username\n```\n\n#### Hybrid Configuration Mode\n\nYou can pass a combination of command line arguments **and** a configuration file. In this case, the 2ms merges the values from the file and the explicit arguments.\n\n`.2ms.yml` config file:\n\n```yaml\nignore-result:\n - b0a735b7b0a2bc6fb1cd69824a9afd26f0f7ebc8\n - 51c76691792d9f6efe8af1c89c678386349f48a9\n - 81318f7350a4c42987d78c99eacba2c5028636cc\n - 8ea22c1e010836b9b0ee84e14609b574c9965c3c\n```\n\nCommand: The `--spaces` flag is provided in the CLI command (outside of config file):\n\n**Example:**\n\n```yaml\ndocker run -v $(pwd)/.2ms.yml:/app/.2ms.yml checkmarx/2ms \\\n confluence --url https://checkmarx.atlassian.net/wiki \\\n --spaces secrets --config /app/.2ms.yml\n```\n\n[![asciicast](https://asciinema.org/a/n8RHL4v6vI87uiUPZ9I7CgfYy.svg)](https://asciinema.org/a/n8RHL4v6vI87uiUPZ9I7CgfYy)\n\n## Scan Commands\n\nThe following sections describe the arguments used for scanning each of the supported platforms.\n\n### Confluence\n\nThis command is used to scan a [Confluence](https://www.atlassian.com/software/confluence) instance.\n\n```text\n2ms confluence \u003cURL\u003e [flags]\n```\n\n| Flag | Type | Default | Description |\n| ------------ | ----- | ------------------------------ | -------------------------------------------------------------------------------- |\n| `\u003curl\u003e` | string | - | Confluence instance URL, in the following format: `https://\u003ccompany id\u003e.atlassian.net/wiki` |\n| `--history` | - | Doesn't scan history revisions | Scans pages history revisions |\n| `--spaces` | string | all spaces | The names or IDs of the Confluence spaces to scan |\n| `--token` | string | - | The Confluence API token for authentication |\n| `--username` | string | - | Confluence user name or email for authentication |\n\nFor example:\n\n- To scan public spaces:\n\n ```bash\n 2ms confluence https://checkmarx.atlassian.net/wiki --spaces secrets\n ```\n 💡 [The `secrets` Confluence site](https://checkmarx.atlassian.net/wiki/spaces/secrets) purposely created with plain example secrets as a test subject for this demo\n\n- To scan private spaces, authentication is required\n ```bash\n 2ms confluence \u003cURL\u003e --username \u003cUSERNAME\u003e --token \u003cAPI_TOKEN\u003e --spaces \u003cSPACES\u003e\n ```\n [How to get a Confluence API token](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/).\n\n[![asciicast](https://asciinema.org/a/607179.svg)](https://asciinema.org/a/607179)\n\n### Paligo\n\nScans [Paligo](https://paligo.net/) content management system instance.\n\n| Flag | Value | Default | Description |\n| ------------ | ------ | ------------------------------- | ------------------------------------------------ |\n| `--instance` | string | - | Instance name |\n| `--token` | string | - | API token for authentication |\n| `--username` | string | - | Paligo username |\n| `--folder` | string | scanning all instance's folders | Folder ID |\n| `--auth` | string | - | Base64 auth header encoded username:password |\n\n### Discord\n\nScans [Discord](https://discord.com/) chat application history.\n\n| Flag | Value | Default | Description |\n| ------------------ | -------- | -------------------------------- | ------------------------------------------------------------------------------------------------------ |\n| `--token` | string | - | Discord token |\n| `--channel` | strings | all channels will be scanned | Discord channel IDs to scan |\n| `--messages-count` | int | 0 = all messages will be scanned | The number of messages to scan |\n| `--duration` | duration | 14 days | The time interval to scan from the current time. For example, 24h for 24 hours or 336h0m0s for 14 days |\n| `--server` | strings | - | Discord servers IDs to scan |\n\n[How to get a Discord token](https://www.geeksforgeeks.org/how-to-get-discord-token/).\n\nExample:\n\n```bash\n2ms discord --token \u003cYOUR_TOKEN\u003e --server 1097814317077897307 --duration 9999h\n```\n\n### Slack\n\nScans [Slack](https://slack.com/) chat application history.\n\n| Flag | Value | Default | Description |\n| ------------------ | -------- | -------------------------------- | ------------------------------------------------------------------------------------------------------ |\n| `--token` | string | - | Slack token |\n| `--channel` | strings | all channels will be scanned | Slack channel IDs to scan |\n| `--messages-count` | int | 0 = all messages will be scanned | The number of messages to scan |\n| `--duration` | duration | 14 days | The time interval to scan from the current time. For example, 24h for 24 hours or 336h0m0s for 14 days |\n| `--team` | string | - | Slack team name or ID |\n\n### Git Repository\n\nScans a local git repository\n\n```text\n2ms git \u003cGit Repo Local Path\u003e [flags]\n```\n\n| Flag | Value | Default | Description |\n| ---------------- | ----- | -------------------------------------- | -------------------------------------------------------- |\n| `--all-branches` | - | false - only current checked in branch | scan all branches |\n| `--depth` | int | no limit | limit the number of historical commits to scan from HEAD |\n\nFor example\n\n```bash\ngit clone https://github.com/my-account/my-repo.git\ncd my-repo\n2ms git .\n```\n\n### Local Directory\n\nScans a local repository\n\n```bash\n2ms filesystem --path PATH [flags]\n```\n\n| Flag | Value | Default | Description |\n| ------------------ | ------- | ------- | ------------------------------------------------------ |\n| `--path` | string | - | Local directory path |\n| `--project-name` | string | - | Project name to differentiate between filesystem scans |\n| `--ignore-pattern` | strings | - | Patterns to ignore |\n\nExample:\n\n```bash\n2ms filesystem --path .\n```\n\n## Global Flags\n\nThe following table describes the global flags that can be used together with any of the scan commands.\n| Flag | Type | Default | Description |\n|------|------|---------|-------------|\n|--add-special-rule | string | | Add special (non-default) rules to apply. This list is not affected by the --rule and --ignore-rule flags. SEE BELOW |\n|--config | string | | Path to the config file |\n|-h, --help | string | | Help for 2ms commands |\n|--ignore-on-exit | | None | Defines which kind of non-zero exits code should be ignored. Options are: all, results, errors, none. For example, if 'results' is set, only engine errors will make 2ms exit code different from 0. |\n|--ignore-result | strings | | Ignore specific result by ID |\n|--ignore-rule | strings | | Ignore rules by name or tag. |\n|--log-level | string | info | Type of log to return. Options are: trace, debug, info, warn, error, fatal |\n|--max-target-megabytes | int | | Files larger than than the specified threshold will be skipped. Omit or set to 0 to disable this check. |\n|--regex | stringArray | | Custom regexes to apply to the scan. Must be valid Go regex. |\n|--report-path | strings | | Path to generate report files. The output format will be determined by the file extension (.json, .yaml, .sarif) |\n|--rule | strings | | Select rules by name or tag to apply to this scan. |\n|--stdout-format | string | yaml | Stdout output format, available formats are: json, yaml, sarif |\n|--validate | | | Trigger additional validation to check if discovered secrets are valid or invalid. SEE BELOW |\n|-v, --version | | | Version of 2ms that is running. |\n\n### Validity Check\n\nAdding the `--validate` flag checks the validity of the secrets found. For example, if a Github token is found, it will check if the token is valid by making a request to the Github API. We will use the least intrusive method possible to check the validity of the secret.\n\nThe list of services that support the Validity Check feature can be found in the [List of Rules](docs/list-of-rules.md) document.\n\nThe result of the validation can be:\n\n- `valid` - The secret is valid\n- `invalid` - The secret is invalid\n- `unknown` - We failed to check, or we are not checking the validity of the secret at all\n\nIf the `--validate` flag is not provided, the validation field will be omitted from the output, or its value will be an empty string.\n\n\u003e **Note:** The validity check also impacts the score field. If the flag is not provided, the validity is assumed to be \"unknown\" in the score formula.\n\n### Special Rules\n\nSpecial rules are rules that are configured in 2ms but are not run as part of the default ruleset, usually because they are too noisy or too specific. You can use the `--add-special-rule` flag to add special rules by rule ID.\n\nFor example:\n\n```bash\n2ms git . --add-special-rule hardcoded-password\n```\n\n#### List of Special Rules\n\n| Rule ID | Description |\n| -------------------- | -------------------------------------------------------------------------------------------------- |\n| `hardcoded-password` | Detects strings that are assigned to variables that contain the word `password`, `access`, `key`, etc. |\n\n## Custom Regex Rules\n\nYou may specify one or more custom regex rules with the optional argument `--regex`. The value provided will be parsed as a regular expression and will be matched against the target items.\n\nmy-file.txt\n\n```bash\npassword=1234567\nusername=admin\n```\n\n```bash\n2ms filesystem --path . --regex username= --regex password=\n```\n\n[![asciicast](https://asciinema.org/a/607198.svg)](https://asciinema.org/a/607198)\n\n## Contributing\n\n`2ms` is extendable with the concept of plugins. We designed it like this so anyone can easily contribute, improve and extend `2ms`. Read more about contributing in our [CONTRIBUTING.md](CONTRIBUTING.md) file.\n\n## Contact\n\nWant to report a problem or suggest an idea for improvement? Create an [Issue](https://github.com/Checkmarx/2ms/issues/new), create a [Discussion thread](https://github.com/Checkmarx/2ms/discussions), or Join our [Discord Server](https://discord.gg/9uFqFDWPyz) (seek for `#2ms` channel)\n\nThis project was made and maintained by Checkmarx with :heart:\n","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCheckmarx%2F2ms","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCheckmarx%2F2ms","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCheckmarx%2F2ms/lists"}