Is there a respected tool for scanning source code for passwords, private keys, API tokens, or such?
@liw there's also git-secrets as a commit hook
@werdahias Can you provide a link to more information about that?
@liw Gitleaks is working well for us
@liw I see that other replies have already mentioned my top three recommendations (git-secrets, gitleaks, and trufflehog). I would only add https://github.com/advanced-security/secret-scanning-custom-patterns/ , which GitHub insists is _not_ exactly equivalent to the list of patterns they use for their GitHub Advanced Security Secret Scanning service offering². (This is not a tool per se, it's a list of categorized regex patterns that you could feed into e.g. `git cat-file --batch-all-objects ... | fgrep ...`)
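The pipeline sketched in the last reply (every Git object fed through a pattern list), as an added example that is not part of any post in this thread or of the tools named in it. The two regexes are illustrative assumptions, not entries from the GitHub pattern repository, and `scan_batch_stream` and `scan_repo` are hypothetical names.

```python
import re
import subprocess
import sys

# Illustrative patterns (assumptions for this example, not the GitHub list).
PATTERNS = {
    "aws-access-key-id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-header": re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

def scan_batch_stream(stream, patterns=PATTERNS):
    """Parse `git cat-file --batch` output; return (oid, line_no, rule) hits.

    Each record is '<oid> <type> <size>\\n', then <size> raw bytes, then '\\n'.
    Only blobs are searched; commits, trees and tags are skipped.
    """
    hits = []
    while True:
        header = stream.readline()
        if not header:                 # end of stream
            return hits
        fields = header.split()
        if len(fields) != 3:           # e.g. '<oid> missing'
            continue
        oid, otype, size = fields[0].decode(), fields[1], int(fields[2])
        body = stream.read(size)
        stream.read(1)                 # newline that follows every object body
        if otype != b"blob":
            continue
        for line_no, line in enumerate(body.split(b"\n"), start=1):
            for rule, rx in patterns.items():
                if rx.search(line):
                    hits.append((oid, line_no, rule))  # report location, not the secret

def scan_repo(path="."):
    """Scan every object stored in the repository at `path`, reachable or not."""
    proc = subprocess.Popen(
        ["git", "-C", path, "cat-file", "--batch-all-objects", "--batch"],
        stdout=subprocess.PIPE)
    try:
        return scan_batch_stream(proc.stdout)
    finally:
        proc.stdout.close()
        proc.wait()

if __name__ == "__main__":
    for oid, line_no, rule in scan_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{oid}:{line_no}: {rule}")
```

Because `--batch-all-objects` walks the object store rather than the commit graph, this also reports blobs that were committed and later removed from history but not yet pruned.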