
CLI tool that finds secrets accidentally committed to a Git repo (2017) - kiyanwang
https://github.com/UKHomeOffice/repo-security-scanner
======
jsd1982
I read that as "CLI tool ... accidentally committed to a Git repo," as in the
CLI tool itself committed to a Git repo by accident, and that the CLI tool
finds secrets.

Title as of my reading was "CLI tool that finds secrets accidentally committed
to a Git repo (2017)".

~~~
lthemick
I read it the same way

------
zricethezav
I made a similar tool
[https://github.com/zricethezav/gitleaks](https://github.com/zricethezav/gitleaks)
Reasons why you might want to use gitleaks over this:

* performance (powered by go-git)

* scan github orgs/users

* ref targeting

------
amelius
I'd like to have some way to prevent certain code from being committed in the
first place.

E.g. when I have a line saying

    printf("debug: now at: %d\n", i); /* DONTCOMMIT */

then when I type "git commit ...", a script will be invoked that will
recognize the "DONTCOMMIT" string, and it will abort the commit.

~~~
wink
Should be possible if you create a pre-commit hook, like this one
[https://gist.github.com/guilherme/9604324](https://gist.github.com/guilherme/9604324)

~~~
amelius
Hmm, it uses "git diff" but in my case, this shows a few lines of context. So
if the context contains "console.log" (and not the change itself), the script
would still complain.

~~~
cyphar
You could use 'git diff -U0' which shows no lines of context. Or you could
just search for "DONTCOMMIT" (which is what your example used).
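
The marker-based pre-commit check discussed in this subthread, written out as an added example (not part of the original thread, nor the linked gist): a POSIX sh hook that inspects only the staged, added lines (`git diff --cached -U0`, so context lines never trigger it) for the DONTCOMMIT marker and aborts the commit when one is found. The `scan_diff` function name and the `MARKER` variable are my own choices.

```shell
#!/bin/sh
# Git pre-commit hook (install as .git/hooks/pre-commit and chmod +x).
# Aborts the commit when any *added* staged line carries the marker.
# Only the staged diff is inspected, with zero context lines (-U0), so a
# marker that merely sits near an edit is never reported.

MARKER='DONTCOMMIT'   # assumed marker string, taken from the comment above

# scan_diff: read a unified diff on stdin and print "file:line" for every
# added line that contains $MARKER. Exit status 1 if there was any hit,
# 0 otherwise. Context lines are tolerated (counted, never matched), so the
# function is also correct on diffs produced without -U0.
scan_diff() {
    awk -v marker="$MARKER" '
        /^\+\+\+ /  { file = substr($0, 5); sub(/^b\//, "", file); next }
        /^@@ /      { split($0, h, " "); split(h[3], r, ",")
                      line = substr(r[1], 2) + 0; next }   # "+13,2" -> 13
        /^\+/       { if (index($0, marker)) { printf "%s:%d\n", file, line; hits++ }
                      line++; next }
        /^-/        { next }          # removed lines do not advance the new-file line
        /^ /        { line++ }        # context line (only present without -U0)
        END         { exit (hits > 0) }
    '
}

# Run the check only when git invokes this file as the pre-commit hook;
# sourcing it elsewhere just defines scan_diff.
case "$0" in
    */pre-commit)
        if ! git diff --cached -U0 --no-color | scan_diff; then
            echo "commit aborted: remove the $MARKER lines listed above" >&2
            exit 1
        fi
        ;;
esac
```

Because only `+` lines are matched, a "console.log" or marker that merely appears in surrounding context (the false positive amelius describes) is ignored even when the hook is run without -U0.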

------
mulrian
TIL the UK Home Office has over 700 projects on GitHub.

------
Cthulhu_
Is there a similar tool that can run as a pre-commit hook and prevent it from
happening in the first place / after this scan?

~~~
burdzwastaken
I wrote one using the same difference library a few months ago:
[https://github.com/burdzwastaken/git-rid-of-keys](https://github.com/burdzwastaken/git-rid-of-keys).

------
packetized
Looks nifty, but I'd ask: why use this over Trufflehog?

[https://github.com/dxa4481/truffleHog](https://github.com/dxa4481/truffleHog)

~~~
techjacker
As well as the CLI tool the repository contains code for a server to listen
for pushes to repositories in github via webhooks and write any violations
found into elasticsearch.

------
woodruffw
Maybe I'm missing something, but doesn't a whitelist (the `.secignore`
mentioned in the README) defeat much of the point of a secret-scanning tool?
If I whitelist a file now for containing the (benign) string "password," I'm
likely to miss a future problem in that file.

------
marataziat
There are backdoors for SMTP credentials in django projects:
[https://searchcode.com/?q=EMAIL_HOST_PASSWORD%3D&p=1&loc=0&l...](https://searchcode.com/?q=EMAIL_HOST_PASSWORD%3D&p=1&loc=0&loc2=10000&lan=19)

------
quiq
Now if only there was a CLI tool to convince my coworkers that storing secrets
in git is a bad idea.

~~~
0xdeadbeefbabe
I'm guessing such people have little interest in new CLI tools, since CLI is
for old tools, etc.

------
scarface74
And how to really remove a file from your git history....

[https://help.github.com/articles/removing-sensitive-data-fro...](https://help.github.com/articles/removing-sensitive-data-from-a-repository/)

~~~
craftyguy
> And how to really remove a file from your git history....

That's misleading. Once you commit and push it to a remote, you should
consider it compromised. You could remove it from the repo and force-push to
re-write history, but anyone could have pulled from the same remote since your
original push and have the file locally on their system.

A better option is to push a new commit to remove the file from the repo (add
to .gitignore), then set a new, strong passphrase/whatever and don't ever use
the one you pushed again.

~~~
scarface74
How is the article misleading? It said the same thing you did in bold....

_Warning: Once you have pushed a commit to GitHub, you should consider any
data it contains to be compromised. If you committed a password, change it! If
you committed a key, generate a new one._

~~~
craftyguy
Your comment was misleading, not the article, which is why I quoted your
comment and not the article...

~~~
scarface74
Fair Enough....

------
zapita
This reminds me of gitguardian.

