Ask HN: How are you monitoring source code for secrets?
14 points by dvdhnt 10 months ago | 2 comments
I've been researching Static Code Analysis and available implementations. One feature that'd be nice is flagging of secrets, API keys, and passwords. Amazon Macie mentions this as a use case but appears only to work with data in an S3 bucket [1].

After browsing available AWS products, nothing sticks out to me as an obvious solution. I saw Sonar but their TypeScript support appears to be less effective - which is expected to some degree since it's originally a Java tool [2].

Is there an AWS solution to this? Or do you have a recommendation?


PS - this would of course be in addition to our existing code review process.

1. https://aws.amazon.com/macie/?nc2=h_m1

2. https://www.sonarsource.com/products/sonarqube/

I wrote something* that checks the entropy of strings found in incoming webhook commit payloads. It catches a good amount of secrets, but even more false flags. I have to work on honing it in.

I'm not sure about hosted solutions but there are some great open source tools that scan entire repos as well as their history. I have used, and like, Gitrob and Trufflehog.

* https://github.com/michenriksen/gitrob

* https://github.com/dxa4481/truffleHog

* * not currently OSS unfortunately

In the past I've used a little command line utility I wrote that matches against a set of known regexp patterns: https://github.com/ezekg/git-hound. But I agree, it would be cool to see something like that directly from AWS that is 100% automated a la their secret key "alerting."
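Both replies describe the same two detection strategies: scoring the entropy of long tokens in newly committed lines (first reply) and matching a list of known secret formats with regular expressions (second reply). The script below is an added example, not code from Gitrob, truffleHog or git-hound, that combines the two over a unified diff; the thresholds, the two patterns and the sample diff are illustrative choices, and every value in the sample is constructed.

```python
import math
import re

# Entropy scoring: bits per character over a token's own character frequencies.
# Random base64 sits near 6 bits/char; English identifiers usually sit below 4.
ENTROPY_THRESHOLD = 4.5   # illustrative cut-off, tune against your own false-positive rate
MIN_TOKEN_LEN = 20        # short tokens are too noisy to score
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{%d,}" % MIN_TOKEN_LEN)

# Regex matching of known formats (example patterns only): the AWS access key
# ID shape and a quoted password assignment.
PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "password_assignment": re.compile(
        r'(?i)(password|passwd|pwd)\s*[:=]\s*["\'][^"\']{4,}["\']'),
}


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text):
    """Return (line_number, reason, match) for each suspicious *added* diff line."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue              # removed lines and file headers are not new secrets
        body = line[1:]
        for name, pat in PATTERNS.items():
            m = pat.search(body)
            if m:
                findings.append((lineno, "pattern:" + name, m.group(0)))
        for tok in TOKEN_RE.findall(body):
            ent = shannon_entropy(tok)
            if ent > ENTROPY_THRESHOLD:
                findings.append((lineno, "entropy:%.2f" % ent, tok))
    return findings


# Constructed sample diff; every value below is made up for illustration.
# Line 1 has a key-shaped value with low entropy (only the regex catches it),
# line 3 a high-entropy token with no known shape (only entropy catches it),
# line 4 a long ordinary identifier that entropy correctly leaves alone.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID = "AKIAFAKEFAKEFAKEFAKE"
+db_password = "hunter2"
+token = "aB3dE5fG7hJ9kL2mN4pQ6rS8tU0vW1xY"
+SOME_VERY_LONG_CONFIG_SETTING_NAME = 1
-old_secret = "removed"
"""
```

Running `scan_diff(SAMPLE_DIFF)` flags lines 1 and 2 by pattern and line 3 by entropy, and nothing on line 4; fed with the `git diff` of each pushed commit it gives the same kind of signal the first reply computes from webhook payloads.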
