Many tools exist to search a Git repository for potentially sensitive information. Each of these may have different capabilities and use different detection methods.
Here is a curated list of the secret detection tools we've come across:
|Name||URL||Installs Pre-Commit Hook?||Supported by
|detect-secrets||https://github.com/Yelp/detect-secrets||An enterprise friendly way of detecting and preventing secrets in code.|
|git-secrets||https://github.com/awslabs/git-secrets||Prevents you from committing secrets and credentials into git repositories|
|Talisman||https://github.com/thoughtworks/talisman||Talisman validates the outgoing changeset for things that look suspicious using pre-push Git hooks|
|truffleHog||https://github.com/dxa4481/truffleHog||Searches through git repositories for high entropy strings and secrets, digging deep into commit history|
|yar||https://github.com/Furduhlutur/yar||Yar is a tool for plunderin' organizations, users and/or repositories.|
|repo-supervisor||https://github.com/auth0/repo-supervisor||Scan your code for security misconfiguration, search for passwords and secrets.
|gitleaks||https://github.com/zricethezav/gitleaks||Audit git repos for secrets
|gitrob||https://github.com/michenriksen/gitrob||Reconnaissance tool for GitHub organizations|
|repo-security-scanner||https://github.com/UKHomeOffice/repo-security-scanner||CLI tool that finds secrets accidentally committed to a git repo, eg passwords, private keys|
|GitGot||https://github.com/BishopFox/GitGot||Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets.|
|shhgit||https://github.com/eth0izzle/shhgit/||Shhgit finds secrets and sensitive files across GitHub code and Gists committed in near real time by listening to the GitHub Events API.|
|gitGraber||https://github.com/hisxo/gitGraber||Monitor GitHub to search and find sensitive data in real time for different online services.|