I Built a Secret Scanner That Checks Your Git History, Not Just Your Code
A developer has created a tool called leakscan that scans Git history for leaked secrets, addressing a gap in existing secret scanners. Unlike traditional scanners that only check current code, leakscan examines every commit to identify secrets that may have been deleted but are still recoverable. The tool integrates with CI/CD pipelines and offers features like live verification of secrets and baseline management for known findings.
- Leakscan scans for secrets across local file trees, full git history, and public GitHub repositories.
- It uses regex patterns and Shannon entropy scoring to detect leaked secrets.
- The tool can verify if a found secret is still active by making live API calls.
Opening excerpt (first ~120 words):
Vasishta Nandipati, posted on May 29

#security #python #devops #opensource

Most developers know they shouldn't commit API keys. Most secret scanners will catch an AWS key sitting in your current codebase. What they won't catch is the key you deleted three commits ago -- which is still fully recoverable by anyone who clones your repo and runs git log -p. That gap is what I built leakscan to address.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to.
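To make the gap described above concrete, here is an added example (not leakscan's own code) of the history-aware approach the summary describes: parse `git log -p` output, run regex rules over every added line in every commit, and keep only hits whose Shannon entropy clears a threshold. The log text, rule names and threshold are constructed for illustration; a tree-only scan of the final file finds nothing, while the history scan still reports the key added in the first commit.

```python
import math
import re
from collections import Counter
# Constructed `git log -p` output (sample data, not a real repository), newest commit first:
# commit 1111... adds a key, commit 2222... deletes it. Trimmed to the lines the scanner reads.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
+++ b/config.py
@@ -1 +1 @@
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_KEY = os.environ["AWS_KEY"]
commit 1111111111111111111111111111111111111111
+++ b/config.py
@@ -0,0 +1,2 @@
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DEBUG = True
"""
# Hypothetical rules (not leakscan's own): a structural AWS key-id pattern and a generic
# assignment pattern whose last group captures the value.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret": re.compile(r"(?i)(secret|token|password)\s*=\s*['\"]([^'\"]{8,})['\"]"),
}

def shannon_entropy(s):
    """Bits per character; random-looking strings score higher than words or placeholders."""
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in Counter(s).values())

def find_secrets(text, entropy_threshold=3.0):
    """Regex hits filtered by entropy, so low-entropy placeholders such as 'changeme' drop out."""
    hits = []
    for rule, pat in PATTERNS.items():
        for m in pat.finditer(text):
            candidate = m.group(m.lastindex or 0)
            ent = shannon_entropy(candidate)
            if ent >= entropy_threshold:
                hits.append((rule, candidate, round(ent, 2)))
    return hits

def scan_git_log(log_text):
    """Walk the added lines of every commit, so a secret deleted later is still reported."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("+"):
            for rule, secret, ent in find_secrets(line[1:]):
                findings.append({"commit": commit, "path": path, "rule": rule, "secret": secret, "entropy": ent})
    return findings
```

Feeding it real output from `git log -p --all` covers unreachable-but-present commits on other branches as well, which is where deleted keys usually survive.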