How to scan your code (Github) for Passwords and Keys

If you are a programmer, there is a very good chance that you use GitHub to host your code. But do you have a habit (perhaps an unintentional one) of committing sensitive and confidential information like keys and passwords to your public repositories? In some cases, it can be a complete disaster.

It is more common than you may think: Over 100,000 GitHub repos have leaked API or cryptographic keys

So how do you prevent something like this from happening? Of course, the straightforward answer is, “Don’t store sensitive data in your repo”. Sure, you can make this your own habit, but you cannot control which coding habits your team members follow.

I recently looked into a few tools that tackle this issue and would like to share them with you.

1. Truffle Hog

This tool searches through git repositories for high-entropy strings and secrets. The search goes deep into your commit history and branches, so a key that was committed and later removed is still found.

TruffleHog can be installed using pip.

pip install trufflehog

2. GittyLeaks

GittyLeaks searches for words like 'username', 'password' and 'email' (and their common abbreviations) in quoted strings, config-style assignments or JSON in your code.

This can also be installed using pip.
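The two tools above use two different detection strategies: TruffleHog flags strings whose Shannon entropy is too high to be ordinary text (random-looking base64 or hex runs), while GittyLeaks keys on credential-like names next to a quoted value. The following added example, which is not code from either project, implements both strategies over the added lines of a constructed unified diff, the same kind of input you get from `git show` or `git diff` when walking history. The alphabets, minimum length and entropy thresholds are this example's own choices, and the credential-looking values in the sample diff are constructed (the AWS secret is the one AWS uses in its documentation). Note that the entropy scanner also flags the commit SHA, which is the classic false positive of this approach.

```python
import math
import re
from collections import Counter

# Constructed sample diff: only the "+" lines are new content and can leak a secret.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,6 @@
 import os
-OLD_TOKEN = "removedvalue"
+DB_HOST = "db.internal"
+DB_PASSWORD = "hunter2"
+# constructed sample value (AWS's documented example secret), not a live credential
+AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"
+COMMIT_SHA = "0123456789abcdef0123456789abcdef01234567"
diff --git a/settings.json b/settings.json
--- a/settings.json
+++ b/settings.json
@@ -1,2 +1,3 @@
 {
+  "email": "alice@example.com",
   "timeout": 30
"""

# Runs of at least 20 base64 or hex characters are entropy candidates (lengths are an assumption).
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_RUN = re.compile(r"[0-9a-fA-F]{20,}")
B64_THRESHOLD = 4.5  # bits per character; random base64 approaches 6.0, English text is ~4.0
HEX_THRESHOLD = 3.0  # random hex approaches 4.0

# GittyLeaks-style keyword check: name, optional quotes, ':' or '=', then a quoted value.
KEYWORDS = ("username", "user", "password", "passwd", "pwd", "email",
            "secret", "token", "api_key", "apikey")
KEYWORD_RE = re.compile(
    r"""(?i)["']?(%s)["']?\s*[:=]\s*["']([^"']+)["']""" % "|".join(KEYWORDS)
)


def shannon_entropy(data: str) -> float:
    """Bits of entropy per character of `data` (0.0 for the empty string)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_strings(line: str) -> list:
    """Return the substrings of `line` that look like random keys or hashes."""
    found = []
    for pattern, threshold in ((BASE64_RUN, B64_THRESHOLD), (HEX_RUN, HEX_THRESHOLD)):
        for m in pattern.finditer(line):
            if shannon_entropy(m.group(0)) > threshold:
                found.append(m.group(0))
    return found


def scan_diff(diff_text: str) -> list:
    """Scan the added lines of a unified diff.

    Returns (path, kind, match) tuples, where kind is "entropy" or "keyword".
    Removed lines and context lines are ignored: only new content can introduce a leak.
    """
    findings = []
    path = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("/", 1)[-1]  # "+++ b/config.py" -> "config.py"
            continue
        if not raw.startswith("+") or raw.startswith("++"):
            continue
        line = raw[1:]
        for word in high_entropy_strings(line):
            findings.append((path, "entropy", word))
        for m in KEYWORD_RE.finditer(line):
            findings.append((path, "keyword", m.group(1).lower()))
    return findings


if __name__ == "__main__":
    for path, kind, match in scan_diff(SAMPLE_DIFF):
        print(f"{path}: {kind} hit: {match}")
```

In practice you would feed the scanner the output of `git log -p` for every branch rather than a single diff; the entropy check catches keys with no telling variable name, and the keyword check catches short secrets like `hunter2` that entropy alone never could.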

3. git-secrets

This is a tool from awslabs. It prevents you from committing AWS keys and secrets in your code.

git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. If a commit, commit message, or any commit in a --no-ff merge history matches one of your configured prohibited regular expression patterns, then the commit is rejected.
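The difference from the previous two tools is that git-secrets runs as a git hook and blocks the commit before the secret ever enters history. The added example below, which is not git-secrets' own code, shows the mechanism: collect the added lines of the staged diff plus the commit message, test each against a list of prohibited regular expressions, and skip lines that match an allowed pattern. The prohibited patterns are simplified versions of the kind git-secrets registers for AWS (an assumption, not the tool's exact expressions), the allowed patterns are the example credentials AWS publishes in its documentation, and the key id under `LIVE_ID` is a constructed value that merely has the right shape. When run under git it reads `git diff --cached`; the `SAMPLE_DIFF` is constructed so the functions can be exercised offline.

```python
import re
import subprocess
import sys

# Simplified prohibited patterns (assumption: modelled on, not copied from, git-secrets' AWS set).
PROHIBITED = [
    # AWS access key id: a known prefix followed by 16 uppercase alphanumerics
    re.compile(r"(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
    # AWS secret access key assigned to a credential-looking name: 40 base64 characters
    re.compile(r"""(?i)(aws)?_?secret_?(access)?_?key["']?\s*[:=]\s*["']?[A-Za-z0-9/+=]{40}"""),
    # PEM private key header of any flavour
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]

# Allowed patterns: lines matching these are never flagged. These are AWS's documented
# example credentials, which appear in tutorials and tests and are not live secrets.
ALLOWED = [
    re.compile(r"AKIAIOSFODNN7EXAMPLE"),
    re.compile(r"wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"),
]

# Constructed sample of a staged diff.
SAMPLE_DIFF = """\
diff --git a/deploy.py b/deploy.py
--- a/deploy.py
+++ b/deploy.py
@@ -1,2 +1,6 @@
 import boto3
+# constructed sample: AWS's documented example credentials, which are allow-listed
+EXAMPLE_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"
+# constructed sample: a key id with the right shape that is not allow-listed
+LIVE_ID = "AKIAJ4ZQ7P2X3YT9W5LQ"
diff --git a/id_rsa b/id_rsa
--- /dev/null
+++ b/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+(constructed placeholder line, no key material)
"""


def added_lines(diff_text: str):
    """Yield (path, line) for every line a unified diff adds."""
    path = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("/", 1)[-1]  # "+++ b/deploy.py" -> "deploy.py"
        elif raw.startswith("+") and not raw.startswith("++"):
            yield path, raw[1:]


def find_violations(labelled_lines) -> list:
    """Return (label, line, pattern) for each line that hits a prohibited pattern
    and is not covered by an allowed pattern. One hit per line is enough to reject."""
    violations = []
    for label, line in labelled_lines:
        if any(allowed.search(line) for allowed in ALLOWED):
            continue
        for prohibited in PROHIBITED:
            if prohibited.search(line):
                violations.append((label, line.strip(), prohibited.pattern))
                break
    return violations


def commit_violations(diff_text: str, commit_message: str) -> list:
    """Check both the staged changes and the commit message, as git-secrets does."""
    lines = list(added_lines(diff_text))
    lines += [("commit message", text) for text in commit_message.splitlines()]
    return find_violations(lines)


def main(argv) -> int:
    """As a pre-commit hook: no arguments. As a commit-msg hook: argv[1] is the message file."""
    diff = subprocess.run(["git", "diff", "--cached"], capture_output=True, text=True).stdout
    message = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else ""
    violations = commit_violations(diff, message)
    for label, line, pattern in violations:
        print(f"{label}: {line}\n    matched prohibited pattern: {pattern}", file=sys.stderr)
    return 1 if violations else 0  # non-zero exit makes git abort the commit


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed as `.git/hooks/pre-commit` and `.git/hooks/commit-msg`, the non-zero exit is what makes git refuse the commit. Because git-secrets itself adds the allowed list, a team can keep documentation examples and test fixtures without weakening the prohibited patterns.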

I hope these three tools help you identify sensitive information that is already in your repositories and prevent new secrets from being made public.

Abhishek Balani

A full stack developer, sometimes designer, passionate coder, tireless knowledge seeker, curious learner. I have a strong passion for new technologies, am very autodidactic and love to build new things from the ground up. Having 5+ years of dynamic experience accumulated from working in early stage startups to mid-sized organizations in Agile environments. Skilled in Python and related frameworks, React.js, databases, Hadoop, Elasticsearch and various AWS services like Boto3, API Gateway, Lambda, EC2, EMR, CloudWatch.
