GitGuardian

Detect secrets in source code, public and private!

#5 Product of the DayOctober 28, 2018

GitGuardian is the first platform scanning all GitHub public activity in real time for API secret tokens, database credentials or vault keys.

Be alerted in seconds. Integrate in minutes.

Discussion
Would you recommend this product?
7 Reviews4.3/5
This is actually pretty good idea.
@julienvallini, thanks for hunting us! We have been scanning GitHub for leaked credentials and alerting Open Source developers every time we found a leak for one year and a half now. During one year and a half we have processed more than 1 billion commits and raised more than 150.000 alerts (growing exponentially!). Check the stats on our website, they are real-time stats directly from our backend ;-) More info: - More than 100 supported API providers Detecting keys in source code can be hard. There are a lot of APIs out there and many keys and authentication patterns. We support more than 100 API providers for now and we are committed to constantly improving our algorithms to support the thousands of APIs developers use everyday. Cloud providers, payment systems, messaging systems, databases, crypto wallets, even SSH keys, SSL certificates, ... We got you covered! - Be alerted the way you prefer Setup your email at subscription to make it easy for us to reach you! More communication channels to be widely available soon. - Detect secrets in private repositories as well Making sure your secrets are not pushed into your version control in the first place is your first line of defense against leaked or compromised credentials. We have been working on a non-intrusive way to detect secrets in your private code while respecting your privacy. Contact us to join our private beta or stay tuned for general availability! You won't pay a dime! Public monitoring is free for individual developers and will always be, as giving something back to the Open Source community is our mantra since day #0. Subscribe to our app to be alerted before the git process returns control back to your terminal. :-) Stay safe!
Do they not already do this? Maybe not as well but I saw this tweet this week :). If you can do it quicker and or auto remove or better not allow it in the first place :) https://twitter.com/paulr_rohan/...
Hi @mrsimonbennett, - Some providers provide an endpoint to automatically revoke credentials, like our friends at Slack. For AWS there is this tleyden's fantastic open source project "keynuker" that is automatically revoking AWS credentials when they leak! 😮 https://github.com/tleyden/keynuker We also detect secrets in private repos to prevent them from being committed into the version control in the first place, see there is no silver-bullet solution! - Regarding the tweet that you cite and after discussing with @paulr_rohan, it turns out that we are the only ones that did the alerting ;-) A few providers warn the developer and / or the account owner and / or revoke the key. According to our tests, AWS warns the account owner and not always the developer. We're happy that the issue is taken more and more seriously although we think it could be handled in a more transparent way! Always alerting developers is a must!
Have a look at -> https://github.com/awslabs/git-s... Made at AWS and open-sourced. May be you can utilize this as well.
@itsshashank Client-side monitoring (with git hooks installed locally) is good but not sufficient. - You have to trust the fact that the hook was properly installed (and updated). As an enterprise it's impossible to make sure all your developers installed and updated the hook in all their environments (including personal computers as a lot of company leaks we find are pushed from personal computers). - The hook must be very light which calls for very simple algorithms (regular expressions that only work well for prefixed keys). A lot of keys are just random strings. And a lot of random strings are not keys 😉

Look at the wall of *fame* : https://www.gitguardian.com/tweet

Pros:

Real-time GitHub public activity monitoring and real-time alerting

Cons:

To Be Determined