gitleaks: Gitleaks 是一款 SAST 工具，用于检测 git repos 中的密码、api key 和 tok ...

OGeek|极客世界-中国程序员成长平台 › 门户 › 开源› 开发工具›版本管理系统

原作者: [db:作者] 来自: Gitee 收藏邀请

○│╲│ ○○ ░░    gitleaks

Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.

Getting Started

Gitleaks can be installed using Homebrew, Docker, or Go. Gitleaks is also available in binary form for many popular platforms and OS types on the releases page. In addition, Gitleaks can be implemented as a pre-commit hook directly in your repo.

MacOS

brew install gitleaks

Docker

DockerHub

docker pull zricethezav/gitleaks:latestdocker run -v ${path_to_host_folder_to_scan}:/path zricethezav/gitleaks:latest [COMMAND] --source="/path" [OPTIONS]

ghrc.io

docker pull ghcr.io/zricethezav/gitleaks:latestdocker run -v ${path_to_host_folder_to_scan}:/path zricethezav/gitleaks:latest [COMMAND] --source="/path" [OPTIONS]

From Source

Download and install Go from https://golang.org/dl/
Clone the repo

git clone https://github.com/zricethezav/gitleaks.git

Build the binary

cd gitleaksmake build

Pre-Commit

Install pre-commit from https://pre-commit.com/#install
Create a .pre-commit-config.yaml file at the root of your repository with the following content:

repos:  - repo: https://github.com/zricethezav/gitleaks    rev: v8.2.0    hooks:      - id: gitleaks

Install with pre-commit install
Now you're all set!

➜ git commit -m "this commit contains a secret"Detect hardcoded secrets.................................................Failed

Note: to disable the gitleaks pre-commit hook you can prepend SKIP=gitleaks to the commit commandand it will skip running gitleaks

➜ SKIP=gitleaks git commit -m "skip gitleaks check"Detect hardcoded secrets................................................Skipped

Usage

Usage:  gitleaks [command]Available Commands:  completion  generate the autocompletion script for the specified shell  detect      Detect secrets in code  help        Help about any command  protect     Protect secrets in code  version     Display gitleaks versionFlags:  -c, --config string          config file path                               order of precedence:                               1. --config/-c                               2. env var GITLEAKS_CONFIG                               3. (--source/-s)/.gitleaks.toml                               If none of the three options are used, then gitleaks will use the default config      --exit-code string       exit code when leaks have been encountered (default: 1)  -h, --help                   help for gitleaks  -l, --log-level string       log level (debug, info, warn, error, fatal) (default "info")      --redact                 redact secrets from logs and stdout  -f, --report-format string   output format (json, csv, sarif)  -r, --report-path string     report file  -s, --source string          path to source (git repo, directory, file)  -v, --verbose                show verbose output from scanUse "gitleaks [command] --help" for more information about a command.

Commands

There are two commands you will use to detect secrets; detect and protect.

Detect

The detect command is used to scan repos, directories, and files. This command can be used on developer machines and in CI environments.

When running detect on a git repository, gitleaks will parse the output of a git log -p command (you can see how this executedhere).git log -p generates patches which gitleaks will use to detect secrets.You can configure what commits git log will range over by using the --log-opts flag. --log-opts accepts any option for git log -p.For example, if you wanted to run gitleaks on a range of commits you could use the following command: gitleaks --source . --log-opts="--all commitA..commitB".See the git log documentation for more information.

You can scan files and directories by using the --no-git option.

Protect

The protect command is used to uncommitted changes in a git repo. This command should be used on developer machines in accordance withshifting left on security.When running protect on a git repository, gitleaks will parse the output of a git diff command (you can see how this executedhere). You can set the--staged flag to check for changes in commits that have been git added. The --staged flag should be used when running Gitleaksas a pre-commit.

NOTE: the protect command can only be used on git repos, running protect on files or directories will result in an error message.

Verify Findings

You can verify a finding found by gitleaks using a git log command.Example output:

{        "Description": "AWS",        "StartLine": 37,        "EndLine": 37,        "StartColumn": 19,        "EndColumn": 38,        "Match": "\t\t\"aws_secret= \\\"AKIAIMNOJVGFDXXXE4OA\\\"\":          true,",        "Secret": "AKIAIMNOJVGFDXXXE4OA",        "File": "checks_test.go",        "Commit": "ec2fc9d6cb0954fb3b57201cf6133c48d8ca0d29",        "Entropy": 0,        "Author": "zricethezav",        "Email": "[email protected]",        "Date": "2018-01-28 17:39:00 -0500 -0500",        "Message": "[update] entropy check",        "Tags": [],        "RuleID": "aws-access-token"}

We can use the following format to verify the leak:

git log -L {StartLine,EndLine}:{File} {Commit}

So in this example it would look like:

git log -L 37,37:checks_test.go ec2fc9d6cb0954fb3b57201cf6133c48d8ca0d29

Which gives us:

commit ec2fc9d6cb0954fb3b57201cf6133c48d8ca0d29Author: zricethezav <[email protected]>Date:   Sun Jan 28 17:39:00 2018 -0500    [update] entropy checkdiff --git a/checks_test.go b/checks_test.go--- a/checks_test.go+++ b/checks_test.go@@ -28,0 +37,1 @@+               "aws_secret= \"AKIAIMNOJVGFDXXXE4OA\"":          true,

Pre-Commit hook

You can run Gitleaks as a pre-commit hook by copying the example pre-commit.py script intoyour .git/hooks/ directory.

Configuration

Gitleaks offers a configuration format you can follow to write your own secret detection rules:

# Title for the gitleaks configuration file.title = "Gitleaks title"# An array of tables that contain information that define instructions# on how to detect secrets[[rules]]# Unique identifier for this ruleid = "awesome-rule-1"# Short human readable description of the rule.description = "awesome rule 1"# Golang regular expression used to detect secrets. Note Golang's regex engine# does not support lookaheads.regex = '''one-go-style-regex-for-this-rule'''# Golang regular expression used to match paths. This can be used as a standalone rule or it can be used# in conjunction with a valid `regex` entry.path = '''a-file-path-regex'''# Array of strings used for metadata and reporting purposes.tags = ["tag","another tag"]# Int used to extract secret from regex match and used as the group that will have# its entropy checked if `entropy` is set.secretGroup = 3# Float representing the minimum shannon entropy a regex group must have to be considered a secret.entropy = 3.5# You can include an allowlist table for a single rule to reduce false positives or ignore commits# with known/rotated secrets[rules.allowlist]description = "ignore commit A"commits = [ "commit-A", "commit-B"]paths = ['''one-file-path-regex''']regexes = ['''one-regex-within-the-already-matched-regex''']# This is a global allowlist which has a higher order of precedence than rule-specific allowlists.# If a commit listed in the `commits` field below is encountered then that commit will be skipped and no# secrets will be detected for said commit. The same logic applies for regexes and paths.[allowlist]description = "ignore commit A"commits = [ "commit-A", "commit-B"]paths = ['''one-file-path-regex''']regexes = ['''one-regex-within-the-already-matched-regex''']

Refer to the default gitleaks config for examples and advice on writing regular expressions for secret detection.

Tips on Writing Regular Expressions

Gitleaks rules are defined by regular expressions and entropy ranges.Some secrets have unique signatures which make detecting those secrets easy.Examples of those secrets would be Gitlab Personal Access Tokens, AWS keys, and Github Access Tokens.All these examples have defined prefixes like glpat, AKIA, ghp_, etc.

Other secrets might just be a hash which means we need to write more complex rules to verifythat what we are matching is a secret.

Here is an example of a semi-generic secret

discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"

We can write a regular expression to capture the variable name (identifier),the assignment symbol (like '=' or ':='), and finally the actual secret.The structure of a rule to match this example secret is below:

                                                       Beginning string                                                           quotation                                                               │            End string quotation                                                               │                      │                                                               ▼                      ▼(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]               ▲                              ▲                                ▲               │                              │                                │               │                              │                                │          identifier                  assignment symbol                                                                            Secret

A Note on Generic Secrets

Let's continue with the example discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ".This secret would match both the discord-client-secret rule and the generic-api-key rule in the default config.

[[rules]]id = "discord-client-secret"description = "Discord client secret"regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''secretGroup = 3[[rules]]id = "generic-api-key"description = "Generic API Key"regex = '''(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]'''entropy = 3.7secretGroup = 4

If gitleaks encountered discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ", only the discord rule would report a finding becausethe generic rule has the string generic somewhere in the rule's id. If a secret is encountered and both a generic and non-generic rule have discovered the same secret, the non-genericwill be given precedence.

Sponsorships

Exit Codes

You can always set the exit code when leaks are encountered with the --exit-code flag. Default exit codes below:

0 - no leaks present1 - leaks or error encountered126 - unknown flag

鲜花

握手

雷人

路过

鸡蛋

该文章已有0人参与评论

请发表评论

全部评论

专题导读

More+

sserver: Gitee: Subversion access bridge发布时间：2022-02-13

commitlint: Lint commit messages发布时间：2022-02-13

客服电话

电子邮件