Secrets Scanning

Ensuring you don't leak secrets and bad actors use them

About

Source control is not a secure place to store secrets such as credentials, API keys or tokens, even if the repo is private. Secrets scanning tools can scan and monitor git repositories and pull-requests for secrets, and can be used to prevent secrets from being committed, or to find and remove secrets that have already been committed to source control. [1]

Tools / Solutions / Products

TruffleSecurity Trufflehog (web): find and verify credentials.
- Chrome extension
gitleaks (web): a fast, light-weight, portable, and open-source secret scanner for git repositories, files, and directories.
Deepfence SecretScanner: find secrets and passwords in container images and file systems.
TruffleSecurity Driftwood: a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.
stacs: a YARA powered static credential scanner which suports binary file formats, analysis of nested archives, composable rulesets and ignore lists, and SARIF reporting.
git-hound: Reconnaissance tool for GitHub code search. Scans for exposed API keys across all of GitHub, not just known repos.
AWS Labs git-secrets: Prevents you from committing secrets and credentials into git repositories
GoDaddy Tartufo (web): searches through git repositories for high entropy strings and secrets, digging deep into commit history
Yelp detect-secrets: An enterprise friendly way of detecting and preventing secrets in code.
Auth0 Repo-supervisor: a tool that helps you to detect secrets and passwords in your code.
GitGuardian: secure your software development lifecycle with enterprise-grade secrets detection. Eliminate blind spots with our automated, battle-tested detection engine.
Nightfall: discover, classify, and remove secrets and keys to protect your organization and maintain compliance.
Spectral: monitor, classify, and protect your code, assets, and infrastructure for exposed API keys, tokens, credentials, and high-risk security misconfigurations in a simple way, without noise.

Sources

[1]: https://github.com/TaptuIT/awesome-devsecops#secrets-scanning

PreviousSecrets Management NextInfrastructure as Code (IaC)

Last updated 1 year ago

Was this helpful?

About

Tools / Solutions / Products

TruffleSecurity Trufflehog (web): find and verify credentials.

Chrome extension

gitleaks (web): a fast, light-weight, portable, and open-source secret scanner for git repositories, files, and directories.

Deepfence SecretScanner: find secrets and passwords in container images and file systems.

TruffleSecurity Driftwood: a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.

stacs: a YARA powered static credential scanner which suports binary file formats, analysis of nested archives, composable rulesets and ignore lists, and SARIF reporting.

git-hound: Reconnaissance tool for GitHub code search. Scans for exposed API keys across all of GitHub, not just known repos.

AWS Labs git-secrets: Prevents you from committing secrets and credentials into git repositories

GoDaddy Tartufo (web): searches through git repositories for high entropy strings and secrets, digging deep into commit history

Yelp detect-secrets: An enterprise friendly way of detecting and preventing secrets in code.

Auth0 Repo-supervisor: a tool that helps you to detect secrets and passwords in your code.

GitGuardian: secure your software development lifecycle with enterprise-grade secrets detection. Eliminate blind spots with our automated, battle-tested detection engine.

Nightfall: discover, classify, and remove secrets and keys to protect your organization and maintain compliance.

Spectral: monitor, classify, and protect your code, assets, and infrastructure for exposed API keys, tokens, credentials, and high-risk security misconfigurations in a simple way, without noise.