blog post: https://blog.jonaylor.xyz/discover-hidden-secrets-in-git-repos-with-rust
With the growing importance of open source software and the increasing use of public code repositories like GitHub, it has become increasingly important to protect against accidentally committing secrets. While it may seem that this is as easy as deleting a key file or removing an OAuth token from a configuration file, the bittersweet fact about git is that it keeps a history of that secret. By searching through the git commit history, an attacker could find and exploit application secrets. This project set out to create an automated way to find secrets hidden in the git commit history.
As of now we scan for the following secret types, each identified by a common regex pattern. More can easily be added once a regex pattern that identifies them has been developed.
- Slack Token
- RSA private key
- (OPENSSH) private key
- SSH (DSA) private key
- SSH (EC) private key
- PGP private key block
- Facebook Oauth
- Twitter Oauth
- GitHub
- Google Oauth
- AWS API Key
- Heroku API Key
- Generic Secret
- Generic API Key
- Slack Webhook
- Google (GCP) Service-account
- Twilio API Key
- Password in URL
For each object in the object database, we scan its contents against an array of regex patterns for common keys. If any secrets are found, the script simply prints the secret type to the console along with the object id.
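The scan described above, as an added illustration that is not JAZ's own code: it walks the loose objects under .git/objects the way git stores them (zlib-compressed "blob <size>\0" + content), runs a few regexes over every blob, and reports the secret type with the object id. The three regexes are assumptions for illustration rather than JAZ's exact patterns, and the repository it scans is constructed inline.

```python
import hashlib
import os
import re
import tempfile
import zlib

# Subset of the secret types listed above; the regexes are illustrative assumptions, not JAZ's.
PATTERNS = {
    "AWS API Key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "RSA private key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
    "Slack Token": re.compile(r"xox[baprs]-[0-9A-Za-z-]{10,}"),
}

def write_loose_object(git_dir, content):
    """Store content as git stores a blob: zlib('blob <len>\\0' + content) under objects/xx/yyyy."""
    raw = b"blob %d\0" % len(content) + content
    oid = hashlib.sha1(raw).hexdigest()
    path = os.path.join(git_dir, "objects", oid[:2], oid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return oid

def iter_loose_objects(git_dir):
    """Yield (object id, object type, body) for every loose object in .git/objects."""
    root = os.path.join(git_dir, "objects")
    for fan in os.listdir(root):
        if len(fan) != 2:  # skip info/ and pack/; packfiles need a separate parser
            continue
        for rest in os.listdir(os.path.join(root, fan)):
            with open(os.path.join(root, fan, rest), "rb") as f:
                raw = zlib.decompress(f.read())
            header, body = raw.split(b"\0", 1)
            yield fan + rest, header.split(b" ")[0].decode(), body

def scan_git_dir(git_dir):
    """Return sorted (secret type, object id) pairs found in blob objects, deleted files included."""
    hits = set()
    for oid, kind, body in iter_loose_objects(git_dir):
        if kind != "blob":
            continue
        text = body.decode("utf-8", errors="replace")
        hits.update((name, oid) for name, rx in PATTERNS.items() if rx.search(text))
    return sorted(hits)

def demo():
    """Build a constructed object database with one leaked key (AWS's documented example id) and scan it."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    leaked = write_loose_object(git_dir, b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
    write_loose_object(git_dir, b"print('no secrets here')\n")
    return scan_git_dir(git_dir), leaked
```

Because the blob is read straight from the object database, a key remains reportable after the file holding it has been deleted from the working tree, which is the history problem the introduction describes.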
The following is a list of improvements that would be good to add for the future. In general they make JAZ better or easier to use.
- Threadpool
- Config file based scanning
- remote scanning
- better CI/CD
- automated GitHub repo scanning
From Source:
~$ cargo build
This builds into the target directory: under target/debug by default, or under target/release if the project is built with cargo build --release.
Arch:
~$ yay -S jaz
MacOS:
~$ brew install jaz
Cargo:
~$ cargo install jaz
Execution:
~$ ./jaz /path/to/repo
We scanned repositories commonly used for testing this sort of tool, such as Plazmaz/leaky-repo and digininja/leakyrepo. In general JAZ found all or most of the secrets. In the case of digininja/leakyrepo we found a lot of RSA private keys, which is acceptable but technically a misidentification. For Plazmaz/leaky-repo we find the majority of the keys, although once again we misidentify some.