Protect and discover secrets using Gitleaks 🔑
MIT License
Published by zricethezav about 6 years ago
--repo, -r and --repo-path from being audited
go test -run=Benchmark -bench=. -benchtime=5s
goos: darwin
goarch: amd64
pkg: github.com/zricethezav/gitleaks
BenchmarkAuditRepo1Proc-8                 1   17250146938 ns/op
BenchmarkAuditRepo2Proc-8                 1    8195122742 ns/op
BenchmarkAuditRepo4Proc-8                 2    5076421992 ns/op
BenchmarkAuditRepo8Proc-8                 2    4598899766 ns/op
BenchmarkAuditRepo10Proc-8                2    4674707999 ns/op
BenchmarkAuditRepo100Proc-8               2    4597661354 ns/op
BenchmarkAuditRepo1000Proc-8              2    4706597867 ns/op
BenchmarkAuditRepo10000Proc-8             2    4828204609 ns/op
BenchmarkAuditRepo100000Proc-8            2    5163678699 ns/op
BenchmarkAuditLeakRepo1Proc-8           300      23209156 ns/op
BenchmarkAuditLeakRepo2Proc-8           500      14325588 ns/op
BenchmarkAuditLeakRepo4Proc-8          1000       9686543 ns/op
BenchmarkAuditLeakRepo8Proc-8          1000       8920760 ns/op
BenchmarkAuditLeakRepo10Proc-8         1000       8755894 ns/op
BenchmarkAuditLeakRepo100Proc-8        1000       9072689 ns/op
BenchmarkAuditLeakRepo1000Proc-8       1000       8569304 ns/op
BenchmarkAuditLeakRepo10000Proc-8      1000       8502946 ns/op
BenchmarkAuditLeakRepo100000Proc-8     1000       8685711 ns/op
PASS
ok      github.com/zricethezav/gitleaks 211.480s
--disk option. Before v1.6.0, gitleaks would wait until the entire org audit had completed, so you were at risk of running out of disk space. This eliminates that fear.
--csv option to output your report as a csv.
Example:
$ gitleaks --github-user=gitleakstest --report="report.csv" --csv
contents of report.csv:
repo | line | commit | offender | reason | commitMsg | author | file | branch |
gronit | const AWS_KEY = "AKIALALEMEL33243OLIAE" | eaeffdc65b4c73ccb67e75d96bd8743be2c85973 | AKIALALEMEL33243OLIA | AWS | remove fake key | Zachary Rice [email protected] | main.go | refs/heads/master |
gronit | const AWS_KEY = "AKIALALEMEL33243OLIAE" | cb5599aeed261b2c038aa4729e2d53ca050a4988 | AKIALALEMEL33243OLIA | AWS | fake key | Zachary Rice [email protected] | main.go | refs/heads/master |
in-memory
--disk
Gitleaks v1.0.0 introduces major performance gains, cleaner ui, and some new features.
go get -u github.com/zricethezav/gitleaks
Or download from release binaries here
Prior to v1.0.0 Gitleaks relied on shelling out git commands. This meant that every diff was read from disk. Thanks to src-d's go-git package you can now process your repos in memory with the --in-memory option. Additionally, Gitleaks v1.0.0 audits only the additions and deletions in your commit patches; before, gitleaks looked at the entire commit patch. Another gain v1.0.0 introduces is support for whitelisting commits, files, regexes, and branches, specified in the config pointed to by GITLEAKS_CONFIG or by the --config= option.
Gitleaks v1.0.0 uses jessevdk's go-flags which offers much cleaner option handling. Let's go through some examples:
# audit a single public repo
$ gitleaks --repo=https://github.com/gitleakstest/gronit
# audit a single private repo
# NOTE: SSH auth only -- this requires your private key (default: ~/.ssh/id_rsa) or set by --ssh-key
$ gitleaks --repo=git@github.com:gitleakstest/privaterepo.git
# audit github user's public repos
$ gitleaks --github-user=gitleakstest
# audit github user's private repos
# NOTE: SSH auth only -- this requires your private key (default: ~/.ssh/id_rsa) or set by --ssh-key
# NOTE: `GITHUB_TOKEN` must be set in your env otherwise it will pull public repos
$ gitleaks --github-user=gitleakstest --private
# save report to file
# NOTE: report format is json -- support for more coming in later versions
$ gitleaks --repo=https://github.com/gitleakstest/gronit --report=report.json
A common request I heard was the ability to externalize regexes so you could search for whatever you wanted in your git history. This has been added in v1.0.0. Of course there are default checks that I have in place that include AWS, Facebook, Twitter, PGP, BGP, RSA, and Heroku, but if you want to remove or add regexes all you need to do is supply gitleaks with a config, either through the GITLEAKS_CONFIG environment variable or by passing the path to the config with the --config= option. The config is a simple toml file that looks like:
[[regexes]]
description = "AWS"
regex = '''AKIA[0-9A-Z]{16}'''

[[regexes]]
description = "Github"
regex = '''(?i)github.*['\"][0-9a-zA-Z]{35,40}['\"]'''

[whitelists]
files = [
  "(.*?)(jpg|gif|doc|pdf|bin)$"
]
This sample config will look for GitHub and AWS keys and ignore any jpg, gif, doc, pdf, or bin files it encounters during the audit.
You can whitelist more than just files! In addition to files you can whitelist regexes, branches, and commits. Say for example you want to ignore the leak that occurs in commit cb5599aeed261b2c038aa4729e2d53ca050a4988 in https://github.com/gitleakstest/gronit/commits/master. You can do this by adding a commits array to the [whitelist] table in your config. So for the example above our config would now look like this:
[[regexes]]
description = "AWS"
regex = '''AKIA[0-9A-Z]{16}'''

[[regexes]]
description = "Github"
regex = '''(?i)github.*['\"][0-9a-zA-Z]{35,40}['\"]'''

[whitelists]
files = [
  "(.*?)(jpg|gif|doc|pdf|bin)$"
]
commits = [
  "cb5599aeed261b2c038aa4729e2d53ca050a4988"
]
Similarly you can include a branch and regex array in your whitelist table. See these tests for more examples.
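The two mechanisms described above, auditing only the added (+) and removed (-) lines of each commit patch and applying the [[regexes]] rules together with the files, regexes, commits and branches whitelists, are shown in the following added Go example. It is not Gitleaks code: the Rule, Whitelist, Commit and Leak types, the auditCommit function and the patch helper are this example's own, and the commits, their patches, the extra whitelisted regex (the AWS documentation example key AKIAIOSFODNN7EXAMPLE) and the github token value are constructed here, modelled on the two gronit rows of the CSV report: cb5599 adds the fake AWS key and eaeffdc removes it again, so with cb5599 whitelisted the only findings come from the removal commit. Branch whitelisting uses the same lookup as commit whitelisting (the Branches map) and is left empty in the sample config.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule mirrors one [[regexes]] entry of the v1.0.0 TOML config.
type Rule struct {
	Description string
	Regex       *regexp.Regexp
}

// Whitelist mirrors the [whitelists] table: files, regexes, commits, branches.
type Whitelist struct {
	Files, Regexes    []*regexp.Regexp
	Commits, Branches map[string]bool
}
type Commit struct{ Hash, Branch, Patch string }                         // hash, ref, unified diff
type Leak struct{ Line, Commit, Offender, Reason, File, Branch string } // one CSV report row

func matchesAny(res []*regexp.Regexp, s string) bool {
	for _, re := range res {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

// auditCommit runs every rule over the added (+) and removed (-) lines of one
// commit's patch, skipping context lines, and honours all four whitelist kinds.
func auditCommit(c Commit, rules []Rule, wl Whitelist) []Leak {
	if wl.Commits[c.Hash] || wl.Branches[c.Branch] {
		return nil // the whole commit or the whole ref is whitelisted
	}
	var leaks []Leak
	file, skipFile := "", false
	for _, line := range strings.Split(c.Patch, "\n") {
		if strings.HasPrefix(line, "+++ b/") { // file header: record the path, apply the file whitelist
			file = strings.TrimPrefix(line, "+++ b/")
			skipFile = matchesAny(wl.Files, file)
			continue
		}
		// Keep only +/- lines; "--- a/" headers, @@ markers and context lines are dropped here.
		if skipFile || len(line) < 2 || (line[0] != '+' && line[0] != '-') || strings.HasPrefix(line, "--- ") {
			continue
		}
		for _, r := range rules {
			for _, m := range r.Regex.FindAllString(line[1:], -1) {
				if !matchesAny(wl.Regexes, m) { // whitelisted regexes drop e.g. documented example keys
					leaks = append(leaks, Leak{line[1:], c.Hash, m, r.Description, file, c.Branch})
				}
			}
		}
	}
	return leaks
}

// sampleConfig is the release-notes TOML config as Go values, plus one whitelisted regex (constructed).
func sampleConfig() ([]Rule, Whitelist) {
	rules := []Rule{
		{"AWS", regexp.MustCompile(`AKIA[0-9A-Z]{16}`)},
		{"Github", regexp.MustCompile(`(?i)github.*['\"][0-9a-zA-Z]{35,40}['\"]`)},
	}
	return rules, Whitelist{
		Files:   []*regexp.Regexp{regexp.MustCompile(`(.*?)(jpg|gif|doc|pdf|bin)$`)},
		Regexes: []*regexp.Regexp{regexp.MustCompile(`AKIAIOSFODNN7EXAMPLE`)}, // AWS docs example key
		Commits: map[string]bool{"cb5599aeed261b2c038aa4729e2d53ca050a4988": true},
	}
}

// patch builds a minimal unified diff for one file from constructed hunk lines.
func patch(file string, lines ...string) string {
	return "diff --git a/" + file + " b/" + file + "\n--- a/" + file + "\n+++ b/" + file +
		"\n@@ -1 +1 @@\n" + strings.Join(lines, "\n") + "\n"
}

// sampleCommits are constructed patches modelled on the two gronit rows of the CSV report.
func sampleCommits() []Commit {
	return []Commit{
		{"cb5599aeed261b2c038aa4729e2d53ca050a4988", "refs/heads/master",
			patch("main.go", " package main", `+const AWS_KEY = "AKIALALEMEL33243OLIAE"`)},
		{"eaeffdc65b4c73ccb67e75d96bd8743be2c85973", "refs/heads/master",
			patch("main.go", `-const AWS_KEY = "AKIALALEMEL33243OLIAE"`,
				"+// docs example, whitelisted by regex: AKIAIOSFODNN7EXAMPLE",
				`+githubToken := "0123456789abcdef0123456789abcdef01234567"`) +
				patch("notes.pdf", "+AKIAZZZZZZZZZZZZZZZZ")}, // skipped: .pdf matches the file whitelist
	}
}

func main() {
	rules, wl := sampleConfig()
	for _, c := range sampleCommits() {
		for _, l := range auditCommit(c, rules, wl) {
			fmt.Printf("%.7s %s %s %s %s\n", l.Commit, l.Branch, l.File, l.Reason, l.Offender)
		}
	}
}
```

Running it reports two findings, both from eaeffdc: the AWS key on the deleted line (deletions are audited, which is why the CSV report above lists the "remove fake key" commit) and the github token on an added line; the key in notes.pdf is dropped by the file whitelist, the documentation example key by the regex whitelist, and cb5599 by the commit whitelist. The header handling is deliberately minimal: a removed line that itself begins with "-- " would be mistaken for a "--- a/" header, which a real parser avoids by tracking hunk state.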
More robust code (please add to tests if you want to help the project)
You can set the maximum concurrent go routines spun up per repo with --max-go. Note: I've been running unbounded and haven't run into any problems... let me know if you do.
Prior to v1.0.0 Gitleaks was only auditing origin/HEAD. You can now scrub through all refs with --all-refs. NOTE: support for auditing an array of refs will be coming in the next version.
Added support for external regexes
Version 0.3.0 of Gitleaks introduces
Version 0.2.0 of Gitleaks is the first version update since this got relatively popular. Based on the issues raised it seems that folks want better support for integration into their pipelines.
Version 0.1.0 of Gitleaks demonstrates: