{"id":13612807,"url":"https://github.com/padok-team/git-secret-scanner","last_synced_at":"2025-04-07T13:05:55.815Z","repository":{"id":173348107,"uuid":"647761894","full_name":"padok-team/git-secret-scanner","owner":"padok-team","description":"Find secrets in git repositories with TruffleHog \u0026 Gitleaks","archived":false,"fork":false,"pushed_at":"2025-02-26T09:05:53.000Z","size":226,"stargazers_count":45,"open_issues_count":13,"forks_count":3,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-02-26T09:12:27.569Z","etag":null,"topics":["auditing","credentials","git","scan","secrets","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/padok-team.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-31T13:18:46.000Z","updated_at":"2025-02-25T00:44:13.000Z","dependencies_parsed_at":null,"dependency_job_id":"a4e55203-e394-4263-8a63-dcd1ef66278f","html_url":"https://github.com/padok-team/git-secret-scanner","commit_stats":null,"previous_names":["padok-team/git-secret-scanner"],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/padok-team%2Fgit-secret-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/padok-team%2Fgit-secret-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/padok-team%2Fgit-secret-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/rep
ositories/padok-team%2Fgit-secret-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/padok-team","download_url":"https://codeload.github.com/padok-team/git-secret-scanner/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247657276,"owners_count":20974344,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auditing","credentials","git","scan","secrets","security"],"created_at":"2024-08-01T20:00:34.739Z","updated_at":"2025-04-07T13:05:55.795Z","avatar_url":"https://github.com/padok-team.png","language":"Go","funding_links":[],"categories":["Awesome secret leak tools"],"sub_categories":[],"readme":"# git-secret-scanner\n\nThis tool aims to find secrets and credentials in git repositories owned by Organizations or Groups using the libraries [TruffleHog](https://trufflesecurity.com/) \u0026amp; [Gitleaks](https://gitleaks.io/).\n\n\u003e **Warning**\n\u003e \n\u003e This tool is only designed for Linux and MacOS.\n\u003e The current version only supports Gitlab and GitHub.\n\n## Why this tool?\n\nTrufflehog and Gitleaks are already designed to find secrets in git repositories. So you may wonder *\"what is the purpose of a tool combining both scanners?\"* \n\nThese two tools have both their own strengths and weaknesses:\n- TruffleHog is very effective at classifying different secrets, but cannot find them all. 
It relies on detectors that can easily detect specific types of secrets, but not general secrets or general API keys.\n- Gitleaks is able to find many more secrets, but is not as good as Trufflehog at classification. It contains fewer detectors and relies on string entropy to detect potential secrets that are not found by its detectors.\n\nWe designed this tool to combine the strengths of both previous tools in order to find as many secrets as possible and to have an efficient classification of these secrets.\n\n## Requirements\n\n`git-secret-scanner` requires the following tools to work:\n- [git](https://git-scm.com/book/fr/v2/D%C3%A9marrage-rapide-Installation-de-Git)\n- [TruffleHog](https://github.com/trufflesecurity/trufflehog) (\u003e= 3.82.13)\n- [Gitleaks](https://github.com/gitleaks/gitleaks) (\u003e= 8.21.1)\n\nYou can easily check that all requirements are met with the commands below:\n\n```shell\ngit --version\ntrufflehog --version\ngitleaks version\n```\n\n## Installation\n\n### Using `homebrew`\n\nThe simplest way to install `git-secret-scanner` is with `homebrew`.\n\n```shell\nbrew tap padok-team/tap\nbrew install git-secret-scanner\n```\n\n### With Docker\n\n`git-secret-scanner` is prepackaged in a Docker image with all required dependencies.\n\n```shell\n# Run GitHub scan\ndocker run --rm -it \\\n    -e GITHUB_TOKEN=$GITHUB_TOKEN \\\n    -v \"$(pwd):/home/git-secret-scanner\" \\\n    ghcr.io/padok-team/git-secret-scanner github -o \"\u003corg\u003e\"\n\n# Run Gitlab scan\ndocker run --rm -it \\\n    -e GITLAB_TOKEN=$GITLAB_TOKEN \\\n    -v \"$(pwd):/home/git-secret-scanner\" \\\n    ghcr.io/padok-team/git-secret-scanner gitlab -g \"\u003cgroup\u003e\"\n```\n\n### With binary\n\nDownload the binary for your platform and OS on the [releases page](https://github.com/zricethezav/gitleaks/releases).\n\n### From source\n\n1. Clone the repository\n\n```shell\ngit clone https://github.com/padok-team/git-secret-scanner.git\ncd git-secret-scanner\n```\n\n2. 
Build the binary\n\n```shell\nmake build\n```\n\n## Usage\n\nTo get detailed usage information about how to use this tool, run \n\n```shell\ngit-secret-scanner --help\n```\n\n### Basics\n\nAdd a personal access token ([GitHub](https://docs.github.com/en/enterprise-server@3.4/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) / [Gitlab](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html)) for your git SaaS in your environment variables.\n\n```shell\n# GitHub\nexport GITHUB_TOKEN=\"\u003ctoken\u003e\"\n# Gitlab\nexport GITLAB_TOKEN=\"\u003ctoken\u003e\"\n```\n\n\u003e GitHub tokens require the `repo` scope, Gitlab tokens require both `read_api` and `read_repository` scopes.\n\n```shell\n# With GITHUB_TOKEN set\ngit-secret-scanner github -o \"\u003corg\u003e\"\n# With GITLAB_TOKEN set\ngit-secret-scanner gitlab -g \"\u003cgroup\u003e\"\n```\n\n### Ignore secrets\n\nYou can instruct `git-secret-scanner` to ignore some specific secrets in its results. This is useful to ignore false positives or to ignore secrets that have already been dealt with.\n\n#### Ignore secrets with comments\n\n`git-secret-scanner` understands Gitleaks and Trufflehog annotations to ignore secrets (`gitleaks:allow` and `trufflehog:ignore`). You can add a comment with one of these annotations on the line that has the secret to have `git-secret-scanner` ignore it.\n\n#### Ignore secrets with fingerprints\n\nTo ignore specific fingerprints, create a file with a list of all secret fingerprints to ignore during the scan. 
A fingerprint is computed in the following way:\n\n```\n\u003crepo_name\u003e:\u003ccommit_sha\u003e:\u003cfile\u003e:\u003cline\u003e\n```\n\nThen run `git-secret-scanner` with the `-i` flag:\n\n```shell\ngit-secret-scanner github -o \"\u003corg\u003e\" -i \"\u003cpath_to_fingerprints_ignore_file\u003e\"\ngit-secret-scanner gitlab -g \"\u003cgroup\u003e\" -i \"\u003cpath_to_fingerprints_ignore_file\u003e\"\n```\n\n### Baseline\n\n`git-secret-scanner` supports using a previous report as a baseline for a scan. All previous secrets found in the baseline are ignored in the final report. This is useful to detect added secrets between two scans.\n\n```shell\ngit-secret-scanner github -o \"\u003corg\u003e\" -b \"\u003cpath_to_previous_report_csv\u003e\"\ngit-secret-scanner gitlab -g \"\u003cgroup\u003e\" -b \"\u003cpath_to_previous_report_csv\u003e\"\n```\n\n## Questions?\n\nOpen an issue to contact us or to give us suggestions. We are open to collaboration.\n\n## License\n\n[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpadok-team%2Fgit-secret-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpadok-team%2Fgit-secret-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpadok-team%2Fgit-secret-scanner/lists"}