Secret scanner is a command-line tool to scan Git repositories for any sensitive information such as private keys, API secrets and tokens, etc.
It does so by looking at file names, extensions, and content, attempting to match them against a list of signatures.
The tool is based on Gitrob, with added support for Gitlab and Bitbucket on top of Github.
The use of this tool requires you to set various Git provider (Github / Gitlab / Bitbucket) authentication token in your environment.
You can do so by:
export GITHUB_TOKEN=my-token; secret-scanner -repos jquery/jquery
To persist the various Git provider tokens, you can add them into your .bash_profile or create a .env file. See .env.example.
You can define paths to be excluded from scanning by defining them in a comma separated format in .env file.
SKIP_EXT defines the file extensions to be excluded
SKIP_PATHS defines the paths/files to be excluded if the path matches one of the patterns defined in the list
SKIP_TEST_PATHS defines any test directories/files that you would like to skip. It is being kept separately from SKIP_PATHS because sometimes it may be useful to scan the test files as well. You can toggle to scan test files by giving -skip-tests=false in the CLI.
For bool CLI flags, use = between key-val pair. Eg -ui=false
The most basic usage requires a list of Github repository identifiers in the form of org/repo.
./secret-scanner -repos jquery/jquery
To scan repositories in other Git providers, simply specify the Git provider name.
For Gitlab, provide the project ID instead of org/repo.
./secret-scanner -git bitbucket -repos litmis/mama
./secret-scanner -git gitlab -repos 3836952
You can scan multiple repositories from the same Git provider by providing multiple identifiers separated by commas.
./secret-scanner -repos jquery/jquery,lodash/lodash
By default, the tool will attempt to make a clone before scanning the files.
If you already have a copy of the repository on local disk, you can do a local scan by specifying the dir parameter.
./secret-scanner -dir /dir/path/to/local/repository
In instances where a repository contains multiple projects (i.e monorepo), or you simply want to scan specific sub-directory, you can do so by providing sub-dir.
Example: https://github.com/user/awesome-projects contains
- build/
- dist/
- src/
- test/
- ...
Caveat: Only works with single repos
To scan src only:
./secret-scanner -repos jquery/jquery -sub-dir src
By default, findings found during the scan will be printed as console output. You can save it as JSON to path by specifying the output param
./secret-scanner -repos jquery/jquery -output ~/report.json
The output file will contain the lines containing the potential secrets. In circumstances where you do not want to expose them, you can specify -log-secret=false
By default, no scan state is being kept, meaning every scan on the same repository will start afresh.
If scan state is enabled, the scanner will save the latest scan session and commit hash in JSON format. From the next scan onwards for the same repository,the scanner will only scan changes since the last saved commit hash.
The default location of scan state JSON file is in ~/.secret-scanner/.
./secret-scanner -repos jquery/jquery -use-state=true
-baseurl string
Specify Git provider base URL
-commit-depth int
Number of repository commits to process (default 500)
-debug
Print debugging information
-env string
.env file path containing Git provider base URLs and tokens
-git string
Name of git provider (Eg. github, gitlab, bitbucket) (default "github")
-load string
Load session file
-dir string
Specify the local git repo path to scan
-log-secret
If true, the matched secret will be included in output file (default true)
-output string
Save session to file
-repos string
Comma-separated list of repos to scan
-sub-dir string
Sub-directory within the repository to scan
-quiet
Suppress all output except for errors
-skip-tests
Skips possible test contexts (default true)
-use-state
If use-state is off, every scan will be treated as a brand new scan.
-threads int
Number of concurrent threads (default number of logical CPUs)
-token string
Specify Git provider token
Project is built upon the ground work laid in Gitrob by Michael Henriksen.
And many secret signatures was taken from shhgit.