A handy tool for detecting leaked secrets in code repositories: gitleaks

Every year GitHub sees many incidents in which secrets such as keys or passwords are leaked, for example AWS keys or OSS bucket keys; in some cases the leaked credentials were even used to create cloud hosts for cryptomining.

Here I recommend a code repository scanning tool, gitleaks, which has 15k stars on GitHub.

  • Environment setup:

As usual, start it from a Docker image and mount the code directory that needs to be scanned.

$ cat docker-compose.yml
version: '3'
services:
  gitleaks-test:
    container_name: gitleaks-test
    hostname: gitleaks-test
    restart: always
    image: zricethezav/gitleaks:v8.18.2
    tty: true
    stdin_open: true
    volumes:
      - ./leakcheck:/code
    entrypoint: bash
  • gitleaks command-line options
# gitleaks --help
Gitleaks scans code, past or present, for secrets
Usage:
  gitleaks [command]

Available Commands:
  completion  generate the autocompletion script for the specified shell
  detect      detect secrets in code
  help        Help about any command
  protect     protect secrets in code
  version     display gitleaks version

Flags:
  -b, --baseline-path string           path to baseline with issues that can be ignored
  -c, --config string                  config file path
                                       order of precedence:
                                       1. --config/-c
                                       2. env var GITLEAKS_CONFIG
                                       3. (--source/-s)/.gitleaks.toml
                                       If none of the three options are used, then gitleaks will use the default config
      --enable-rule gitleaks detect    only enable specific rules by id
      --exit-code int                  exit code when leaks have been encountered (default 1)
      --follow-symlinks                scan files that are symlinks to other files
  -i, --gitleaks-ignore-path string    path to .gitleaksignore file or folder containing one (default ".")
  -h, --help                           help for gitleaks
      --ignore-gitleaks-allow          ignore gitleaks:allow comments
  -l, --log-level string               log level (trace, debug, info, warn, error, fatal) (default "info")
      --log-opts string                git log options
      --max-target-megabytes int       files larger than this will be skipped
      --no-banner                      suppress banner
      --no-color                       turn off color for verbose output
      --redact uint[=100]              redact secrets from logs and stdout. 
  -f, --report-format string           output format (json, csv, junit, sarif) (default "json")
  -r, --report-path string             report file
  -s, --source string                  path to source (default ".")
  -v, --verbose                        show verbose output from scan

Use "gitleaks [command] --help" for more information about a command.
  • Run the scan
$ gitleaks detect --source /code/myproject -v

### Found a hard-coded PRIVATE_KEY in the code
Finding:     ...ing REQUEST_PRIVATE_KEY = "MIICdgIBAxxxxWxxQ" + "OxxxxH...
Secret:      MIICdgIBAxxxxWxxQ...OxxxxH
RuleID:      generic-api-key
Entropy:     4.680964
File:        src/main/java/com/myproject/common/utils/RSAEncrypt.java
Line:        40
Commit:      3a9f15961143287a0f417a37665415643232438a
Author:      fisher
Email:       fisher@mymail.com
Date:        2024-03-08T08:40:34Z
Fingerprint: 3axxa:src/main/java/com/myproject/common/utils/RSAEncrypt.java:generic-api-key:40


### Found a configuration file for the dev environment that contains the database password
Finding:     jdbc.password=sxxxs
Secret:      sxxxxs
RuleID:      generic-api-key
Entropy:     3.700440
File:        src/main/resources/dev/db.properties
Line:        3
Commit:      25ea03dbaf47307ec86a2a625a0fa5b6bd409a97
Author:      fisher
Email:       fisher@mymail.com
Date:        2024-03-16T03:12:30Z
Fingerprint: 25exx97:src/main/resources/dev/db.properties:generic-api-key:3

8:56AM INF 849 commits scanned.
8:56AM INF scan completed in 4.65s
8:56AM WRN leaks found: 24
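As an added example (not part of the original post or of gitleaks itself), here is a small Python triage script for the workflow the help text above describes: write the report with `-f json -r report.json`, keep an accepted earlier report as the `--baseline-path`, and fail the pipeline only on fingerprints that are new. The two sample reports are constructed to match the findings shown above, the fingerprint format `commit:file:rule:line` mirrors the Fingerprint lines in the output, and the entropy helper computes the same Shannon entropy that the Entropy field reports.

```python
import json
import math
from collections import Counter

# Constructed sample reports in the shape written by `gitleaks detect -f json -r report.json`
# (field names follow the gitleaks JSON report; values reuse the commits and paths shown above).
BASELINE_JSON = """[
  {"RuleID": "generic-api-key", "File": "src/main/resources/dev/db.properties", "StartLine": 3,
   "Commit": "25ea03dbaf47307ec86a2a625a0fa5b6bd409a97", "Secret": "sxxxxs"}
]"""
NEW_REPORT_JSON = """[
  {"RuleID": "generic-api-key", "File": "src/main/resources/dev/db.properties", "StartLine": 3,
   "Commit": "25ea03dbaf47307ec86a2a625a0fa5b6bd409a97", "Secret": "sxxxxs"},
  {"RuleID": "generic-api-key", "File": "src/main/java/com/myproject/common/utils/RSAEncrypt.java",
   "StartLine": 40, "Commit": "3a9f15961143287a0f417a37665415643232438a", "Secret": "MIICdgIBAxxxxWxxQ"}
]"""

def shannon_entropy(s):
    """Bits per character, the quantity gitleaks prints as Entropy for each finding."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def fingerprint(f):
    """commit:file:rule:line, the same key gitleaks prints as Fingerprint (used if present)."""
    return f.get("Fingerprint") or f'{f["Commit"]}:{f["File"]}:{f["RuleID"]}:{f["StartLine"]}'

def redact(secret, keep=4):
    """Keep only a short prefix so the triage output itself does not leak the value."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)

def new_findings(baseline, report):
    """Findings whose fingerprint is not already accepted in the baseline report."""
    known = {fingerprint(f) for f in baseline}
    return [f for f in report if fingerprint(f) not in known]

def summarize(findings):
    """One redacted line per finding, sorted so the output is stable across runs."""
    return [f'{f["RuleID"]} {f["File"]}:{f["StartLine"]} commit={f["Commit"][:8]} '
            f'entropy={shannon_entropy(f["Secret"]):.2f} secret={redact(f["Secret"])}'
            for f in sorted(findings, key=fingerprint)]

def gate(baseline_json, report_json):
    """CI gate: 0 when nothing is new, 1 otherwise (matching gitleaks' default --exit-code)."""
    fresh = new_findings(json.loads(baseline_json), json.loads(report_json))
    for line in summarize(fresh):
        print(line)
    return 1 if fresh else 0

if __name__ == "__main__":
    raise SystemExit(gate(BASELINE_JSON, NEW_REPORT_JSON))
```

Running it against the constructed data reports only the RSAEncrypt.java finding, since the db.properties fingerprint is already in the baseline.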