git-all-secrets: capture all the git secrets
git-all-secrets
git-all-secrets is a tool that can:
- Clone multiple public/private github repositories of an organization and scan them,
- Clone multiple public/private github repositories of a user that belongs to an organization and scan them,
- Clone a single public/private repository of an organization and scan it,
- Clone a single public/private repository of a user and scan it,
- Clone a single public/secret gist of a user and scan it
- Clone a team’s repositories in an organization and scan them,
- All of the above together!! Oh yeah!! Simply provide an organization name and get all their secrets. If you also want to get secrets of a team within an organization, just mention the team name along with the Org.
- Clone and scan Github Enterprise repositories and gists as well.
Scanning is done by multiple open source tools such as:
- truffleHog – scans commits for high entropy strings and user provided regular expressions,
- repo-supervisor – scans for high entropy strings in .js and .json files
NOTE – More such tools can be added in future if desired!
NOTE – Scanning can be done by all the tools or any one of them by specifying the toolName flag.
If all the tools are used to scan, the final output from the tool combines the output from all files from all the tools into one consolidated output file.
Features
- You can add your own regular expressions in the rules.json file and include it when executing docker run using the argument -v $(pwd)/rules.json:/root/truffleHog/rules.json.
- The tool looks for some default regular expressions. If needed, it can also be made to look for high entropy strings. All this happens via the truffleHog tool.
- It can look for high entropy strings in .js and .json files via the repo-supervisor tool.
- It scans users' gists, which most tools don't.
- If there is a new tool that is good, it can be integrated into git-all-secrets pretty effortlessly.
- It is built for integration with other tools and frameworks. It takes in a few input parameters and produces an output file of the results. Pretty straightforward!
- It supports scanning Github Enterprise orgs/users/repos/gists as well.
- Most of the tools out there are made to scan individual repositories. If you want to loop one over multiple repositories, you'd have to write your own for loop in a shell script or something like that. git-all-secrets can help you scan multiple repositories in one go.
- You can now merge outputs from both the tools into a json file which can then be used in other automation type tools/frameworks.
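As an added example (not the project's own code), a compact Python sketch of what the two scanners each contribute, user-supplied regex rules on one side and a Shannon-entropy check on base64-looking strings on the other, and how their findings merge into one line-sorted, JSON-ready list. The name-to-regex shape of rules.json is an assumption about truffleHog's file format, and the scanned sample file is constructed.

```python
import json
import math
import re

# Constructed rules, name -> regex as in truffleHog's rules.json (format is an assumption).
RULES_JSON = json.dumps({
    "AWS access key": r"AKIA[0-9A-Z]{16}",
    "password assignment": r"(?i)password\s*[=:]\s*\S+",
})

# Constructed sample of a committed config file; the AWS key is AWS's own
# documentation placeholder, not a live credential.
SAMPLE_FILE = """\
db_host = example.internal
password = hunter2
aws_key = AKIAIOSFODNN7EXAMPLE
token = qA7zB8yC9xD0wE1vF2uG3tH4sI5rJ6kL
"""

def shannon_entropy(s: str) -> float:
    # Bits per character; 32 distinct characters once each gives exactly 5.0.
    if not s:
        return 0.0
    return -sum(s.count(ch) / len(s) * math.log2(s.count(ch) / len(s)) for ch in set(s))

def regex_findings(text: str, rules: dict) -> list:
    # Apply user-supplied patterns line by line, as truffleHog does with rules.json.
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in rules.items():
            for m in re.finditer(pattern, line):
                out.append({"tool": "regex", "rule": name, "line": lineno, "match": m.group(0)})
    return out

def entropy_findings(text: str, threshold: float = 4.5, min_len: int = 20) -> list:
    # Flag base64-alphabet runs whose entropy exceeds the threshold; the AWS
    # placeholder key above scores only ~3.7 bits and is left to the regex rule.
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for word in re.findall(r"[A-Za-z0-9+/=]{%d,}" % min_len, line):
            if shannon_entropy(word) > threshold:
                out.append({"tool": "entropy", "rule": "high-entropy string",
                            "line": lineno, "match": word})
    return out

def merged_scan(text: str, rules_json: str) -> list:
    # Combine both detectors' results into one line-sorted list, the role the
    # -mergeOutput flag plays for truffleHog and repo-supervisor output.
    findings = regex_findings(text, json.loads(rules_json)) + entropy_findings(text)
    return sorted(findings, key=lambda f: (f["line"], f["tool"]))
```

Running `merged_scan(SAMPLE_FILE, RULES_JSON)` yields three findings: the password line and the AWS key from the regex rules, and the 32-character token from the entropy check, which the regex rules alone would miss.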
Changelog
- 7/31/18 – Made truffleHog's installation simpler by using pip. @mhmdiaa fixed a bug wrt truffleHog's output function where it wasn't merging and sorting properly. Updated the regex file to include things like password. Built and pushed a new Docker image. GLHF!
- 7/15/18 – Updated repo-supervisor's fork because the upstream had some changes. Rebuilt a new Docker image using the latest truffleHog. Provided the rules.json file that contains all the regexes that truffleHog uses to find secrets. Added the ability to also merge outputs (in json) for both the tools using the -mergeOutput flag. Drastically reduced the Docker image size by using multi-stage builds and dep for managing dependencies. Huge shout out to @mhmdiaa for all of this!
Download && Use
Demo
Copyright (c) 2017 Anshuman Bhartiya
Source: https://github.com/anshumanbh/