
If you are a programmer, there is a very good chance that you use GitHub to host your code. But do you have a habit (perhaps an unintentional one) of committing sensitive and confidential information like keys and passwords to your public repositories? In some cases, it can be a complete disaster.
It is more common than you may think: over 100,000 GitHub repos have leaked API or cryptographic keys.
So how do you prevent something like this from happening? Of course, the straightforward answer is, “Don’t store sensitive data in your repo.” Sure, you can make this your own habit, but you cannot control which coding habits your team members follow.
I recently looked into a few tools that tackle this issue and would like to share them with you.
1. Truffle Hog
This tool searches through git repositories for high-entropy strings and secrets. The search goes deep into your commit history and branches.
TruffleHog can be installed using pip.
pip install trufflehog
2. GittyLeaks
GittyLeaks searches for words like 'username', 'password', and 'email' (and their common shortenings) in quoted strings, config-style files, or JSON in your code.
This can also be installed using pip.
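To show how the two approaches above actually work, here is a small scanner written for this post (it is not TruffleHog's or GittyLeaks' own code). The entropy half mirrors TruffleHog's method: carve base64- and hex-shaped runs out of each line and flag those whose Shannon entropy exceeds its original default thresholds; the keyword half is a GittyLeaks-style regex over a constructed, not real, keyword list. The sample config lines and the secret-looking values in them are made up for this example.

```python
import math
import re

# Token shapes TruffleHog-style scanners carve out of a line before measuring entropy
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_RUN = re.compile(r"[0-9a-fA-F]{20,}")
# Keyword/value patterns in the spirit of GittyLeaks (a constructed list, not its real one)
KEYWORD_RE = re.compile(
    r"""(?i)(password|passwd|username|email|api[_-]?key|secret[_-]?key|secret)\s*[:=]\s*['"]?([^'"\s,]+)"""
)

def shannon_entropy(data: str) -> float:
    """Shannon entropy of `data` in bits per character."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in set(data):
        p = data.count(ch) / len(data)
        entropy -= p * math.log2(p)
    return entropy

def scan_line(line: str, b64_threshold: float = 4.5, hex_threshold: float = 3.0):
    """Findings for one line as (reason, token); thresholds are the original TruffleHog defaults."""
    findings = []
    for token in BASE64_RUN.findall(line):
        if shannon_entropy(token) > b64_threshold:
            findings.append(("high-entropy-base64", token))
    for token in HEX_RUN.findall(line):
        if shannon_entropy(token) > hex_threshold:
            findings.append(("high-entropy-hex", token))
    for m in KEYWORD_RE.finditer(line):
        findings.append(("keyword:" + m.group(1).lower(), m.group(2)))
    return findings

def scan_lines(lines):
    """Scan a file or diff line by line; returns (line_no, reason, token) triples."""
    return [(n, r, t) for n, line in enumerate(lines, 1) for r, t in scan_line(line)]

# Constructed sample config; the secret-looking values are made up for this example
SAMPLE = [
    "DB_HOST = 'db.internal.example'",
    "password = 'hunter2'",
    "AWS_SECRET_KEY = 'kR7mQ2xP9vL4nT8wB3yH6jF5sD1gZ0cV'",
    "checksum = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'",
]

if __name__ == "__main__":
    for line_no, reason, token in scan_lines(SAMPLE):
        print(f"line {line_no}: {reason}: {token}")
```

The last sample line shows the classic false positive of entropy scanning: a hex checksum or commit hash is flagged just like a key, so expect to tune thresholds or add an allow-list when you run such a tool over a real history.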
3. GitSecrets
This is a tool from AWSLabs. It prevents you from committing AWS keys and secrets in your code.
Git Secrets scans commits, commit messages, and --no-ff merges to prevent secrets from being added to your git repositories. If a commit, commit message, or any commit in a --no-ff merge history matches one of your configured prohibited regular expression patterns, the commit is rejected.
I hope these three tools help you identify sensitive information in your repositories and prevent it from being made public.