Secrets Hunter is a simple engine developed to detect hardcoded secrets within a code base.
This tool is designed to be a simple, fast and efficient scanner:
- No project dependencies
- Simple INI rules file format
- Uses the project's .gitignore to exclude files and directories from the scan
- JSON output format

Scanning Docker image layers or Git commits is not supported and not planned.
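To make the three features above concrete, here is an added example of how such a scanner fits together: rules read from an INI file, a .gitignore-style exclusion list applied before any file is read, and findings emitted as JSON. This is example code written for this page, not Secrets Hunter's own code, and the INI layout (one section per rule with `regex` and `severity` keys), the regexes, the sample files and the .gitignore contents are all assumptions constructed for the illustration; the real tool's rule schema may differ.

```python
"""Toy hardcoded-secret scanner: INI rules, .gitignore-style exclusions, JSON report.
Added example, not Secrets Hunter's code. Rule layout, sample tree and .gitignore
below are constructed for illustration."""
import configparser
import fnmatch
import json
import re

# Hypothetical rules file: one section per rule with a regex and a severity.
# This layout is an assumption for the example, not the tool's real schema.
RULES_INI = r"""
[aws-access-key-id]
regex = \bAKIA[0-9A-Z]{16}\b
severity = high

[generic-password-assignment]
regex = (?i)password\s*[:=]\s*["'][^"']{8,}["']
severity = medium

[private-key-block]
regex = -----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----
severity = high
"""

# Constructed .gitignore for the sample project.
GITIGNORE = """
# build output and test fixtures
build/
*.log
tests/fixtures/
"""

# Constructed in-memory repository: relative POSIX path -> contents.
# The entries under build/ and tests/fixtures/ must be skipped by the scan.
SAMPLE_TREE = {
    "src/config.py": 'DB_PASSWORD = "hunter2hunter2"\nREGION = "eu-west-1"\n',
    "src/aws.py": 'KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
    "build/app.log": 'password = "leaked-into-a-log-file"\n',
    "tests/fixtures/creds.txt": 'password = "fixture-secret-value"\n',
}

def load_rules(ini_text):
    """Parse the INI text into (name, compiled regex, severity) tuples."""
    parser = configparser.ConfigParser(interpolation=None)  # keep '%' literal in regexes
    parser.read_string(ini_text)
    return [(name, re.compile(parser[name]["regex"]), parser[name].get("severity", "medium"))
            for name in parser.sections()]

def load_gitignore(text):
    """Return the non-empty, non-comment patterns of a .gitignore file."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def is_ignored(path, patterns):
    """Simplified .gitignore matching; negation ('!') and '**' are not handled."""
    parts = path.split("/")
    for pat in patterns:
        if pat.endswith("/"):  # 'dir/' ignores everything below that directory
            directory = pat.rstrip("/")
            if "/" in directory:
                if path.startswith(directory + "/"):
                    return True
            elif directory in parts[:-1]:
                return True
        elif "/" in pat:  # a pattern containing a slash matches the whole relative path
            if fnmatch.fnmatch(path, pat):
                return True
        elif any(fnmatch.fnmatch(part, pat) for part in parts):  # basename-style glob
            return True
    return False

def redact(text, keep=4):
    """Keep a short prefix so a finding is recognisable without copying the secret into the report."""
    return text[:keep] + "*" * max(len(text) - keep, 0)

def scan_tree(tree, rules, ignore_patterns):
    """Run every rule over every non-ignored file, line by line; return JSON-ready findings."""
    findings = []
    for path in sorted(tree):
        if is_ignored(path, ignore_patterns):
            continue
        for lineno, line in enumerate(tree[path].splitlines(), start=1):
            for name, pattern, severity in rules:
                for match in pattern.finditer(line):
                    findings.append({"rule": name, "severity": severity, "path": path,
                                     "line": lineno, "match": redact(match.group(0))})
    return findings

def run_sample():
    """Scan the constructed tree with the constructed rules and .gitignore."""
    return scan_tree(SAMPLE_TREE, load_rules(RULES_INI), load_gitignore(GITIGNORE))

if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Two points a practitioner should take from this. First, exclusions are evaluated before a file is opened, so the leaked password in build/app.log and the fixture under tests/fixtures/ never reach the regexes; the same .gitignore that keeps generated files out of the repository keeps them out of the report. Second, the report redacts what it matched: a findings file that contains every secret verbatim is itself a secret, so only a short prefix is kept to let the reader locate the line.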
- Python >= 3.7
```
$ python3 -m secrets_hunter -h
usage: __main__.py [-h] [--version] [--no-ansi] [--verbose]
                   [--threads THREADS] [--output OUTPUT] [--format {json}]
                   --rules RULES SCAN_TARGET

A simple code base secrets scanner

positional arguments:
  SCAN_TARGET           Project source directory

options:
  -h, --help            show this help message and exit
  --version             show program version number and exit
  --no-ansi             disable ANSI output (default: False)
  --verbose, -v         increase output verbosity (default: Error)
  --threads THREADS, -t THREADS
                        threads number (default: 5)
  --output OUTPUT, -o OUTPUT
                        output path (default: STDOUT)
  --format {json}, -f {json}
                        output format (default: json)
  --rules RULES, -r RULES
                        rules file path
```
```
$ git clone https://github.com/j0k2r/secrets-hunter.git && cd secrets-hunter
$ python3 -m secrets_hunter -vvv --rules ./etc/secrets-hunter.ini TARGET
```
```python
from secrets_hunter import core

# Replace the placeholder paths with the directory to scan and the rules file to use.
target: str = "/TARGET"
rules_path: str = "/RULES.ini"
threads_nb: int = 5
output_format: str = "json"
output_path: str = "/tmp/secrets.json"

# core.run returns the process exit code; the findings are written to output_path.
ret_code = core.run(
    target, rules_path, threads_nb, output_format, output_path
)
```
This project uses Poetry as its dependency management system. Poetry can be installed with its installer script:

```
$ export POETRY_PREVIEW=1
$ curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python -
$ poetry plugin add poetry-version-plugin
```
Multiple tools are used to lint, test and validate the type annotations:
- flake8: Python linter
- flake8-fixme: Check for FIXME and TODO keywords
- flake8-ensure-ascii: Ensure that Python code contains only ASCII chars
- flake8-isort: Ensure that the imports are sorted the way you expect
- flake8-sfs: Check the Python string formatting style
- flake8-print: Check for print statements in Python files
- pydocstyle: Python doc checker
- black: Python source formatter
- pytest: Python unit tester
- isort: Sort Python imports
- bandit: Check for common security issues in Python code
- pre-commit: Pre-commit hooks
- coverage: Measure code coverage of Python programs
To install the development dependencies use:

```
$ poetry install --no-root
```
unittest is used for unit testing. The test suite can be executed with:

```
$ poetry run python3 -m unittest -b
```
To measure the program's code coverage, run the test suite under the coverage module:

```
$ poetry run coverage run -m unittest -b
```
The Git hooks must be initialized on the developer workstation before committing changes:

```
$ poetry run pre-commit install
```

The Git hooks can be triggered manually using:

```
$ poetry run pre-commit run --all-files
```