
Ask HN: How are you monitoring source code for secrets? - dvdhnt
I've been researching Static Code Analysis and available implementations. One feature that'd be nice is flagging of secrets, API keys, and passwords. Amazon Macie mentions this as a use case but appears only to work with data in an S3 bucket [1].

After browsing available AWS products, nothing sticks out to me as an obvious solution. I saw Sonar but their TypeScript support appears to be less effective - which is expected to some degree since it's originally a Java tool [2].

Is there an AWS solution to this? Or do you have a recommendation?

Thanks.

PS - this would of course be in addition to our existing code review process.

1. https://aws.amazon.com/macie/?nc2=h_m1

2. https://www.sonarsource.com/products/sonarqube/
======
t3h2mas
I wrote something* that checks the entropy of strings found in incoming
webhook commit payloads. It catches a good amount of secrets, but even more
false flags. I have to work on honing it in.

I'm not sure about hosted solutions but there are some great open source tools
that scan entire repos as well as their history. I have used, and like, Gitrob
and Trufflehog.

* [https://github.com/michenriksen/gitrob](https://github.com/michenriksen/gitrob)

* [https://github.com/dxa4481/truffleHog](https://github.com/dxa4481/truffleHog)

* * not currently OSS unfortunately

------
ezekg
In the past I've used a little command line utility I wrote that matches
against a set of known regexp patterns: [https://github.com/ezekg/git-hound](https://github.com/ezekg/git-hound). But I agree, it would be cool to
see something like that directly from AWS that is 100% automated a la their
secret key "alerting."
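
The two approaches described in this thread, entropy scoring of long tokens (t3h2mas's webhook scanner, truffleHog) and matching against known key formats (ezekg's git-hound, Gitrob), are complementary, and a small diff scanner that runs both shows why. The following is an added example written for this page; it is not code from truffleHog, Gitrob, git-hound or any of the commenters. The regex set, the entropy thresholds (4.5 bits/char for base64-alphabet tokens, 3.0 for hex), the allowlist and the sample diff are all assumptions made for the example; the AWS values in the sample are the placeholder credentials AWS uses in its own documentation, not live keys.

```python
"""Scan a unified diff for leaked secrets two ways: known-format regexes and
Shannon entropy of long tokens. Illustrative, not truffleHog/gitrob/git-hound."""
import math
import re
from dataclasses import dataclass

# 1. Known formats (the regex approach). The AWS access key ID shape, AKIA plus
# 16 upper-case alphanumerics, is AWS-documented; the other is a loose heuristic.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "secret_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# 2. Entropy heuristic (the approach of truffleHog and the webhook scanner above).
# Random base64 approaches log2(64) = 6 bits/char and random hex log2(16) = 4;
# identifiers and prose sit well below. Thresholds are this example's choice.
BASE64_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_RE = re.compile(r"[0-9a-fA-F]{20,}")
BASE64_MIN_ENTROPY = 4.5
HEX_MIN_ENTROPY = 3.0

# Long, random-looking and not secrets. Deliberately small: this allowlist is
# where the false-positive tuning effort goes in practice.
IGNORE_PATH_SUFFIXES = (".lock", "package-lock.json", ".min.js")
IGNORE_LINE_MARKERS = ("integrity=", "sha256-", "sha384-", "sha512-")


def shannon_entropy(s: str) -> float:
    """Bits per character, estimated from the string's own symbol frequencies."""
    if not s:
        return 0.0
    n, counts = len(s), {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int  # line number in the new version of the file
    kind: str
    match: str


def scan_diff(diff_text: str) -> list:
    """Findings for added lines only; removed lines are already in history and
    need a full-history scan (Gitrob, truffleHog) rather than a commit hook."""
    findings, path, line_no = [], "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("@@"):  # "@@ -a,b +c,d @@": new-file numbering starts at c
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith(("diff ", "index ", "-")):  # also skips "--- a/file"
            continue
        line_no += 1  # context and added lines both exist in the new file
        if not raw.startswith("+"):
            continue
        line = raw[1:]
        if path.endswith(IGNORE_PATH_SUFFIXES) or any(mk in line for mk in IGNORE_LINE_MARKERS):
            continue
        for kind, pat in KNOWN_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(path, line_no, kind, m.group(0)))
        for token in BASE64_RE.findall(line):
            if shannon_entropy(token) > BASE64_MIN_ENTROPY:
                findings.append(Finding(path, line_no, "high_entropy_base64", token))
        for token in HEX_RE.findall(line):
            if shannon_entropy(token) > HEX_MIN_ENTROPY:
                findings.append(Finding(path, line_no, "high_entropy_hex", token))
    return findings


# Constructed sample diff. The AWS values are the placeholder credentials from
# AWS's own documentation, not live keys; the commit id is made up.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,4 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.internal"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 STATIC_URL = "/static/"
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # service
+Pinned to upstream commit 3f7a9c2e1b4d6f8a0c2e4b6d8f0a2c4e6b8d0f2a
 Run make.
"""

if __name__ == "__main__":
    # Key ID: regex only (too word-like for entropy). Secret key: both. Hash: false positive.
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line_no} {f.kind}: {f.match}")
```

Running it on the sample shows the trade-off both commenters describe: the access key ID scores about 3.7 bits/char, so the entropy rule alone misses it and only the `AKIA` pattern catches it; the 40-character secret key scores about 4.7 and trips both rules; and the commit hash in the README scores about 3.8 as hex, so it is reported as a secret even though it is not, which is the class of "false flags" that an allowlist of paths and line markers only partly removes.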

