CLI tool that finds secrets accidentally committed to a git repo, eg passwords, private keys
Latest commit a13a016 (Dec 14, 2017): chrisns merged pull request #16 from Nhoya/master, "fixing case insensitive import collision"

repo-security-scanner

  • CLI tool that finds secrets accidentally committed to a git repo, e.g. passwords, private keys
  • Run it against your repo's entire history by piping the output of git log -p into it

Installation

  1. Download the latest stable release of the CLI tool for your architecture
  2. Extract the tarball and move the scanrepo binary to somewhere in your $PATH, e.g. /usr/bin

Usage

Check the entire history of the current branch for secrets. Note that git log -p only walks the current branch; to cover every branch and tag, pipe git log -p --all instead.

$ git log -p | scanrepo

------------------
Violation 1
Commit: 4cc087a1b4731d1017844cc86323df43068b0409
File: web/src/db/seed.sql
Reason: "SQL dump file"

------------------
Violation 2
Commit: 142e6019248c0d53a5240242ed1a75c0cc110a0b
File: config/passwords.ini
Reason: "Contains word: password"

...

Add false positives to .secignore (one glob pattern per line; a matching file is skipped for every rule):

$ cat .secignore
file/that/is/not/really/a/secret/but/looks/like/one/to/diffence
these/pems/are/ok/*.pem

See the .secignore in this repo for an example.
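To make the Usage and .secignore sections concrete, the following is an added example in Go and not the project's own code: it reads git log -p output from a constructed sample, tracks the commit hash and file of each diff, applies a few illustrative filename rules plus one content rule, and drops any file matching a .secignore-style glob before reporting. The rule patterns, the reason strings and the private-key header check are assumptions made for this example; the project's real rules live in its rules/ directory and may differ.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Violation carries the three fields scanrepo prints for each hit.
type Violation struct {
	Commit, File, Reason string
}

// fileRules match the path of a file touched in a diff. Illustrative only, not the project's rules/.
var fileRules = []struct {
	re     *regexp.Regexp
	reason string
}{
	{regexp.MustCompile(`\.sql$`), "SQL dump file"},
	{regexp.MustCompile(`(?i)password`), "Contains word: password"},
	{regexp.MustCompile(`\.pem$`), "Potential private key"},
}

// contentRule is checked against added ("+") lines only; the PEM header check is an assumed rule shape.
var contentRule = regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)

var commitRe = regexp.MustCompile(`^commit ([0-9a-f]{40})`)
var diffRe = regexp.MustCompile(`^diff --git a/(.+) b/(.+)$`)

// ignored reports whether file matches any .secignore pattern, treated as a path glob ("*" stops at "/").
func ignored(file string, ignores []string) bool {
	for _, g := range ignores {
		if ok, _ := path.Match(g, file); ok {
			return true
		}
	}
	return false
}

// Scan walks `git log -p` output and returns one Violation per (commit, file, reason) that fires.
func Scan(gitLog string, ignores []string) []Violation {
	var out []Violation
	var commit, file string
	seen := map[Violation]bool{}
	report := func(reason string) {
		v := Violation{commit, file, reason}
		if file == "" || ignored(file, ignores) || seen[v] {
			return
		}
		seen[v] = true
		out = append(out, v)
	}
	sc := bufio.NewScanner(strings.NewReader(gitLog))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case commitRe.MatchString(line):
			commit = commitRe.FindStringSubmatch(line)[1]
			file = "" // header lines before the first diff belong to no file
		case diffRe.MatchString(line):
			file = diffRe.FindStringSubmatch(line)[2]
			for _, r := range fileRules {
				if r.re.MatchString(file) {
					report(r.reason)
				}
			}
		case strings.HasPrefix(line, "+") && !strings.HasPrefix(line, "+++"):
			if contentRule.MatchString(line) {
				report("Contains private key header")
			}
		}
	}
	return out
}

// sampleLog is a constructed, trimmed `git log -p` excerpt, not output from a real repo.
const sampleLog = `commit 4cc087a1b4731d1017844cc86323df43068b0409
diff --git a/web/src/db/seed.sql b/web/src/db/seed.sql
+++ b/web/src/db/seed.sql
+INSERT INTO users VALUES ('admin', 'secret');
commit 142e6019248c0d53a5240242ed1a75c0cc110a0b
diff --git a/config/passwords.ini b/config/passwords.ini
+++ b/config/passwords.ini
+db=hunter2
diff --git a/these/pems/are/ok/server.pem b/these/pems/are/ok/server.pem
+++ b/these/pems/are/ok/server.pem
+-----BEGIN RSA PRIVATE KEY-----
diff --git a/deploy/id_rsa b/deploy/id_rsa
+++ b/deploy/id_rsa
+-----BEGIN OPENSSH PRIVATE KEY-----
`

func main() {
	for i, v := range Scan(sampleLog, []string{"these/pems/are/ok/*.pem"}) {
		fmt.Printf("------------------\nViolation %d\nCommit: %s\nFile: %s\nReason: %q\n\n", i+1, v.Commit, v.File, v.Reason)
	}
}
```

With the .secignore glob applied, server.pem is suppressed even though both a filename rule and the content rule would fire on it, while deploy/id_rsa is still reported because the key header appears in an added line regardless of its name. Without the ignore list the same input yields five violations.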


Notifications

Work in progress.

Local Testing

Set environment variables needed

Create the env file from the example, fill in its values, then load it into your shell.

$ cp .env{.example,}
# update .env values
$ vi .env
$ source .env

Launch containers

$ docker-compose up -d

Run test offenses

$ make test-run-offenses

Debugging Elastalert

$ docker exec -it <elastalert_container_hash> sh
# run elastalert test rule utility within elastalert container
$ elastalert-test-rule --config $ELASTALERT_CONFIG --count-only "$RULES_DIRECTORY/new_violation.yaml"
$ elastalert-test-rule --alert --config $ELASTALERT_CONFIG "$RULES_DIRECTORY/new_violation.yaml"
# run elastalert in debug mode
$ elastalert --config "$ELASTALERT_CONFIG" --rule "$RULES_DIRECTORY/new_violation.yaml" --debug

Logs

$ tail -f /log/elastalert_new_violation_rule.log