While GitHub is a great place for sharing code, it is also a common place for people to accidentally leak company secrets. When developers post code to GitHub they can unintentionally publish company information that is buried in that code, including but not limited to internal IP addresses, domain names, passwords, usernames, email addresses and access keys. This is a common issue for companies that build a lot of custom software, and it is impractical for the security team to manually check every developer's personal GitHub profile for company secrets. That is where it becomes worth investing time or money in a software solution for automated secrets detection: you run a scan of GitHub as a whole, or of your employees' personal GitHub repos, and find out within seconds whether any company secrets have leaked. Keep in mind that detection is only half the job: a leaked credential that has been public even briefly should be treated as compromised and rotated, not just deleted from the repository, because git history and third-party mirrors keep a copy. Here I go over some of the best software solutions for GitHub secrets detection:
*Please do your own research before downloading any of these tools (or what is advertised as being any of these tools!)
TruffleHog is a security tool that can detect company secrets across multiple sources, including git repositories and their full commit history, GitHub, GitLab, AWS S3, JIRA, Confluence, Slack and more. The open-source command line tool does point-in-time scans; the commercial TruffleHog Enterprise offering runs constantly in the background, scanning those sources for company secrets and sending you an alert whenever a match is found. A useful feature of both is that a candidate secret is verified against the issuing provider's API where possible, so a finding tells you whether the credential is actually live rather than just pattern-shaped. Its detectors are updated regularly, so it stays current with the best detection patterns for new credential formats.
Git-secrets is an open source command line tool from AWS Labs that you use to proactively prevent company secrets from being committed in the first place. It installs itself as git hooks (pre-commit, commit-msg and prepare-commit-msg) and scans the content of each commit and merge; if anything matches one of its regular expression patterns, the commit is rejected before it can reach GitHub. It ships with patterns for AWS credentials (`git secrets --register-aws`) and you add your own with `git secrets --add`. The caveat is that it is client-side: it only protects repositories where each developer has actually installed the hooks, so it complements rather than replaces server-side scanning.
GitHub has its own secret scanning solution that finds API keys and tokens from GitHub's partner providers in any public GitHub repository, and reports leaked partner tokens to the provider for revocation. Scanning private repositories is possible but requires a GitHub Advanced Security license, as does defining your own custom regular expression patterns to catch other types of secrets such as internal passwords or hostnames. Advanced Security also adds push protection, which blocks a push containing a known secret format instead of alerting after the fact. Note that without custom patterns it only knows the token formats of supported providers; an arbitrary password string will not be flagged.
Gitleaks is an open source command line static analysis tool. It finds hard-coded secrets in both private and public repositories using two mechanisms: regular expression rules for credentials with a known shape, and the Shannon entropy of candidate strings to catch random-looking values that no rule matches. It can export its findings as JSON, SARIF or CSV. Gitleaks scans the full commit history of a repository (`gitleaks detect`), can act as a pre-commit check on staged changes (`gitleaks protect --staged`), and hooks into your CI/CD pipeline so a build fails when a secret appears in a change. Expect some tuning of the entropy threshold and allowlist, since test fixtures, hashes and base64 blobs also look random.
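To make the two detection mechanisms concrete, here is a small scanner that combines them the way git-secrets (fixed patterns, run as a commit hook) and gitleaks (patterns plus entropy) do. This is an added example written for this post, not code from either project. It assumes a hypothetical file name `scan_secrets.py`, an entropy threshold of 4.0 bits per character, and an inline `secret-scan:allow` comment marker of our own for suppressing known false positives; the sample diff is constructed, and the AWS values in it are the placeholder credentials from AWS's own documentation.

```python
"""Minimal secret scanner: fixed patterns plus a Shannon-entropy heuristic.

Added example, not code from any tool on this page. It mimics the two
detection mechanisms described above and the pre-commit use case: scan only
the lines a commit adds, and exit non-zero if anything matches.
"""
import math
import re
import sys
from typing import Dict, List, NamedTuple

# Pattern rules for secrets with a fixed shape. AWS access key IDs are "AKIA"
# plus 16 uppercase alphanumerics; the PEM private-key header is a literal.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Entropy heuristic: any run of 20+ base64/identifier-ish characters whose
# Shannon entropy is high. 4.0 bits/char is an assumed threshold; tune it.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0

# Inline marker to suppress a known false positive (assumption: our own
# convention for this example, analogous to a gitleaks allow comment).
ALLOW_MARKER = "secret-scan:allow"


class Finding(NamedTuple):
    rule: str
    secret: str
    line: str


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str) -> List[Finding]:
    """Apply the fixed rules first, then the entropy check on remaining tokens."""
    if ALLOW_MARKER in line:
        return []
    found: List[Finding] = []
    for name, rx in RULES.items():
        for m in rx.finditer(line):
            found.append(Finding(name, m.group(0), line))
    already = {f.secret for f in found}
    for m in TOKEN_RE.finditer(line):
        tok = m.group(0)
        if tok not in already and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            found.append(Finding("high-entropy-string", tok, line))
    return found


def scan_text(text: str) -> List[Finding]:
    """Scan every line of a file's contents (whole-file / history mode)."""
    return [f for line in text.splitlines() for f in scan_line(line)]


def scan_diff(diff: str) -> List[Finding]:
    """Scan only the added lines of a unified diff, as a pre-commit hook would."""
    added = [ln[1:] for ln in diff.splitlines()
             if ln.startswith("+") and not ln.startswith("+++")]
    return [f for line in added for f in scan_line(line)]


# Constructed sample diff. The AWS values are AWS's documented placeholder
# credentials, not real keys. The removed line is deliberately not scanned.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,1 +1,5 @@
-OLD_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_HOST = "db.internal.example.com"
+GREETING = "hello world hello world"
+FIXTURE = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # secret-scan:allow
"""


def main() -> int:
    # Hook usage: git diff --cached | python scan_secrets.py
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    findings = scan_diff(diff)
    for f in findings:
        print(f"[{f.rule}] {f.secret!r} in: {f.line.strip()}")
    return 1 if findings else 0  # non-zero exit makes the hook reject the commit


if __name__ == "__main__":
    sys.exit(main())
```

Run against the constructed diff it reports two findings: the access key ID is caught by the fixed rule (its entropy, about 3.7 bits per character, is actually below the threshold, which is why shape-based rules exist), and the 40-character secret key is caught by entropy alone (about 4.7 bits per character) because no rule knows its shape. The `DB_HOST` and `GREETING` lines produce nothing, the allow-marked fixture line is skipped, and the removed `OLD_KEY` line is ignored in diff mode but would be reported by `scan_text` over the whole file, which is the difference between a hook and a history scan.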
Spectral is a comprehensive commercial solution for secret scanning and detection through the entire build process. Unlike many other tools on this list it comes with an intuitive user interface, and its AI and machine learning detection models are continually updated by the Spectral team to improve secrets detection.
GitGuardian is another commercial solution that does secret detection and remediation on both public and internal repositories. It is a full-fledged application rather than just a command line tool, which makes it much easier to use, and they have published a side-by-side comparison with popular tools like TruffleHog so you can see how GitGuardian compares to other big-name tools. They also offer a demo of the product so you can see how you like it before you commit to them.