# gitleaks
Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.

## Getting Started

Gitleaks can be installed using Homebrew, Docker, or Go. Gitleaks is also available in binary form for many popular platforms and OS types on the releases page. In addition, Gitleaks can be implemented as a pre-commit hook directly in your repo.

### MacOS

```
brew install gitleaks
```

### Docker

DockerHub:

```
docker pull zricethezav/gitleaks:latest
docker run -v ${path_to_host_folder_to_scan}:/path zricethezav/gitleaks:latest [COMMAND] --source="/path" [OPTIONS]
```

ghcr.io:

```
docker pull ghcr.io/zricethezav/gitleaks:latest
docker run -v ${path_to_host_folder_to_scan}:/path ghcr.io/zricethezav/gitleaks:latest [COMMAND] --source="/path" [OPTIONS]
```

### From Source

```
git clone https://github.com/zricethezav/gitleaks.git
cd gitleaks
make build
```

### Pre-Commit

```yaml
repos:
  - repo: https://github.com/zricethezav/gitleaks
    rev: v8.2.0
    hooks:
      - id: gitleaks
```

```
➜ git commit -m "this commit contains a secret"
Detect hardcoded secrets.................................................Failed
```

Note: to disable the gitleaks pre-commit hook you can prepend `SKIP=gitleaks` to the commit command:

```
➜ SKIP=gitleaks git commit -m "skip gitleaks check"
Detect hardcoded secrets................................................Skipped
```

## Usage

```
Usage:
  gitleaks [command]

Available Commands:
  completion  generate the autocompletion script for the specified shell
  detect      Detect secrets in code
  help        Help about any command
  protect     Protect secrets in code
  version     Display gitleaks version

Flags:
  -c, --config string          config file path
                               order of precedence:
                               1. --config/-c
                               2. env var GITLEAKS_CONFIG
                               3. (--source/-s)/.gitleaks.toml
                               If none of the three options are used, then gitleaks will use the default config
      --exit-code string       exit code when leaks have been encountered (default: 1)
  -h, --help                   help for gitleaks
  -l, --log-level string       log level (debug, info, warn, error, fatal) (default "info")
      --redact                 redact secrets from logs and stdout
  -f, --report-format string   output format (json, csv, sarif)
  -r, --report-path string     report file
  -s, --source string          path to source (git repo, directory, file)
  -v, --verbose                show verbose output from scan

Use "gitleaks [command] --help" for more information about a command.
```
## Commands

There are two commands you will use to detect secrets: detect and protect.

### Detect

The When running You can scan files and directories by using the

### Protect

The NOTE: the

### Verify Findings

You can verify a finding found by gitleaks using `git log`. Take this finding from a JSON report:

```json
{
  "Description": "AWS",
  "StartLine": 37,
  "EndLine": 37,
  "StartColumn": 19,
  "EndColumn": 38,
  "Match": "\t\t\"aws_secret= \\\"AKIAIMNOJVGFDXXXE4OA\\\"\": true,",
  "Secret": "AKIAIMNOJVGFDXXXE4OA",
  "File": "checks_test.go",
  "Commit": "ec2fc9d6cb0954fb3b57201cf6133c48d8ca0d29",
  "Entropy": 0,
  "Author": "zricethezav",
  "Email": "[email protected]",
  "Date": "2018-01-28 17:39:00 -0500 -0500",
  "Message": "[update] entropy check",
  "Tags": [],
  "RuleID": "aws-access-token"
}
```

We can use the following format to verify the leak:

```
git log -L {StartLine,EndLine}:{File} {Commit}
```

So in this example it would look like:

```
git log -L 37,37:checks_test.go ec2fc9d6cb0954fb3b57201cf6133c48d8ca0d29
```

Which gives us:

```
commit ec2fc9d6cb0954fb3b57201cf6133c48d8ca0d29
Author: zricethezav <[email protected]>
Date:   Sun Jan 28 17:39:00 2018 -0500

    [update] entropy check

diff --git a/checks_test.go b/checks_test.go
--- a/checks_test.go
+++ b/checks_test.go
@@ -28,0 +37,1 @@
+       "aws_secret= \"AKIAIMNOJVGFDXXXE4OA\"": true,
```

### Pre-Commit hook

You can run Gitleaks as a pre-commit hook by copying the example

## Configuration

Gitleaks offers a configuration format you can follow to write your own secret detection rules:

```toml
# Title for the gitleaks configuration file.
title = "Gitleaks title"

# An array of tables that contain information that define instructions
# on how to detect secrets
[[rules]]

# Unique identifier for this rule
id = "awesome-rule-1"

# Short human readable description of the rule.
description = "awesome rule 1"

# Golang regular expression used to detect secrets. Note Golang's regex engine
# does not support lookaheads.
regex = '''one-go-style-regex-for-this-rule'''

# Golang regular expression used to match paths. This can be used as a standalone rule or it can be used
# in conjunction with a valid `regex` entry.
path = '''a-file-path-regex'''

# Array of strings used for metadata and reporting purposes.
tags = ["tag","another tag"]

# Int used to extract secret from regex match and used as the group that will have
# its entropy checked if `entropy` is set.
secretGroup = 3

# Float representing the minimum shannon entropy a regex group must have to be considered a secret.
entropy = 3.5

# You can include an allowlist table for a single rule to reduce false positives or ignore commits
# with known/rotated secrets
[rules.allowlist]
description = "ignore commit A"
commits = [ "commit-A", "commit-B"]
paths = ['''one-file-path-regex''']
regexes = ['''one-regex-within-the-already-matched-regex''']

# This is a global allowlist which has a higher order of precedence than rule-specific allowlists.
# If a commit listed in the `commits` field below is encountered then that commit will be skipped and no
# secrets will be detected for said commit. The same logic applies for regexes and paths.
[allowlist]
description = "ignore commit A"
commits = [ "commit-A", "commit-B"]
paths = ['''one-file-path-regex''']
regexes = ['''one-regex-within-the-already-matched-regex''']
```

Refer to the default gitleaks config for examples and advice on writing regular expressions for secret detection.

### Tips on Writing Regular Expressions

Gitleaks rules are defined by regular expressions and entropy ranges. Some secrets have unique signatures which make detecting those secrets easy. Examples of those secrets would be Gitlab Personal Access Tokens, AWS keys, and Github Access Tokens. All these examples have defined prefixes like

Other secrets might just be a hash, which means we need to write more complex rules to verify that what we are matching is a secret.

Here is an example of a semi-generic secret:

```
discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"
```

We can write a regular expression to capture the variable name (identifier), the assignment symbol (like '=' or ':='), and finally the actual secret. The structure of a rule to match this example secret is below:

```
                                                Beginning string quotation  End string quotation
                                                             │                      │
                                                             ▼                      ▼
(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]
    ▲                            ▲                                ▲
    │                            │                                │
identifier               assignment symbol                      Secret
```

### A Note on Generic Secrets

Let's continue with the example

```toml
[[rules]]
id = "discord-client-secret"
description = "Discord client secret"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''
secretGroup = 3

[[rules]]
id = "generic-api-key"
description = "Generic API Key"
regex = '''(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]'''
entropy = 3.7
secretGroup = 4
```

If gitleaks encountered

## Exit Codes

You can always set the exit code when leaks are encountered with the --exit-code flag. Default exit codes below:

```
0 - no leaks present
1 - leaks or error encountered
126 - unknown flag
```
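The two rules from the regex section above, applied the way the configuration describes (Go regex match first, then the Shannon entropy gate on the `secretGroup` capture), as an added Go example that is not code from gitleaks or its README; `Rule`, `Finding`, `ShannonEntropy` and `Scan` are assumed names, and the sample lines are constructed. The Discord secret trips both rules, while a low-entropy placeholder matches the generic regex but is dropped by the 3.7 entropy threshold.

```go
package main

import (
	"math"
	"regexp"
)

// Rule mirrors the subset of a gitleaks [[rules]] table used by the README examples;
// the regex is Go RE2 syntax, as in gitleaks, so no lookaheads are available.
type Rule struct {
	ID          string
	Regex       *regexp.Regexp
	SecretGroup int     // capture group that holds the secret
	Entropy     float64 // minimum Shannon entropy of that group; 0 disables the check
}
// Finding is one (rule, secret) hit on a scanned line (assumed name).
type Finding struct{ RuleID, Secret string }

// ShannonEntropy returns the entropy of s in bits per character.
func ShannonEntropy(s string) float64 {
	counts, n, h := map[rune]int{}, float64(len([]rune(s))), 0.0
	for _, r := range s {
		counts[r]++
	}
	for _, c := range counts {
		h -= float64(c) / n * math.Log2(float64(c)/n)
	}
	return h
}

// Rules holds the two README rules with their secretGroup and entropy values as given there.
var Rules = []Rule{
	{ID: "discord-client-secret", SecretGroup: 3,
		Regex: regexp.MustCompile(`(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9=_\-]{32})['"]`)},
	{ID: "generic-api-key", SecretGroup: 4, Entropy: 3.7,
		Regex: regexp.MustCompile(`(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([0-9a-zA-Z\-_=]{8,64})['"]`)},
}

// Scan applies every rule to every line: regex match first, then the entropy gate on the secret
// group, so a string with the right shape but too uniform (e.g. "aaaaaaaabbbbbbbb") is not reported.
func Scan(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		for _, r := range Rules {
			if m := r.Regex.FindStringSubmatch(line); m != nil && (r.Entropy == 0 || ShannonEntropy(m[r.SecretGroup]) >= r.Entropy) {
				out = append(out, Finding{r.ID, m[r.SecretGroup]})
			}
		}
	}
	return out
}
```

Running `Scan` over the README's Discord line reports it twice (once per rule), which is exactly the overlap a rule-level allowlist or a more specific rule ordering is meant to tame.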