Every year GitHub sees many incidents where secrets such as keys and passwords leak out of repositories, for example AWS access keys or OSS bucket keys; some of them have even been abused to create cloud instances for cryptomining.
Here I recommend a repository scanning tool for this, gitleaks, which has around 15k stars on GitHub.
- Environment setup:
As before, start from the Docker image and mount the code directory that needs to be scanned.
$ cat docker-compose.yml
version: '3'
services:
  gitleaks-test:
    container_name: gitleaks-test
    hostname: gitleaks-test
    restart: always
    image: zricethezav/gitleaks:v8.18.2
    tty: true
    stdin_open: true
    volumes:
      - ./leakcheck:/code
    entrypoint: bash
- gitleaks command-line options
# gitleaks --help
Gitleaks scans code, past or present, for secrets
Usage:
gitleaks [command]
Available Commands:
completion generate the autocompletion script for the specified shell
detect detect secrets in code
help Help about any command
protect protect secrets in code
version display gitleaks version
Flags:
-b, --baseline-path string path to baseline with issues that can be ignored
-c, --config string config file path
order of precedence:
1. --config/-c
2. env var GITLEAKS_CONFIG
3. (--source/-s)/.gitleaks.toml
If none of the three options are used, then gitleaks will use the default config
--enable-rule gitleaks detect only enable specific rules by id
--exit-code int exit code when leaks have been encountered (default 1)
--follow-symlinks scan files that are symlinks to other files
-i, --gitleaks-ignore-path string path to .gitleaksignore file or folder containing one (default ".")
-h, --help help for gitleaks
--ignore-gitleaks-allow ignore gitleaks:allow comments
-l, --log-level string log level (trace, debug, info, warn, error, fatal) (default "info")
--log-opts string git log options
--max-target-megabytes int files larger than this will be skipped
--no-banner suppress banner
--no-color turn off color for verbose output
--redact uint[=100] redact secrets from logs and stdout.
-f, --report-format string output format (json, csv, junit, sarif) (default "json")
-r, --report-path string report file
-s, --source string path to source (default ".")
-v, --verbose show verbose output from scan
Use "gitleaks [command] --help" for more information about a command.
- Run the scan
$ gitleaks detect --source /code/myproject -v
### Found a PRIVATE_KEY hard-coded in the source
Finding: ...ing REQUEST_PRIVATE_KEY = "MIICdgIBAxxxxWxxQ" + "OxxxxH...
Secret: MIICdgIBAxxxxWxxQ...OxxxxH
RuleID: generic-api-key
Entropy: 4.680964
File: src/main/java/com/myproject/common/utils/RSAEncrypt.java
Line: 40
Commit: 3a9f15961143287a0f417a37665415643232438a
Author: fisher
Email: fisher@mymail.com
Date: 2024-03-08T08:40:34Z
Fingerprint: 3axxa:src/main/java/com/myproject/common/utils/RSAEncrypt.java:generic-api-key:40
### Found a dev-environment configuration file in the repository that contains the database password
Finding: jdbc.password=sxxxs
Secret: sxxxxs
RuleID: generic-api-key
Entropy: 3.700440
File: src/main/resources/dev/db.properties
Line: 3
Commit: 25ea03dbaf47307ec86a2a625a0fa5b6bd409a97
Author: fisher
Email: fisher@mymail.com
Date: 2024-03-16T03:12:30Z
Fingerprint: 25exx97:src/main/resources/dev/db.properties:generic-api-key:3
8:56AM INF 849 commits scanned.
8:56AM INF scan completed in 4.65s
8:56AM WRN leaks found: 24
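With 24 leaks across 849 commits, the next step is to work through the findings systematically rather than reading the terminal output. As an added example (not part of the original post and not code from the gitleaks project), the Python script below consumes a JSON report of the kind written by `gitleaks detect -f json -r report.json` using the flags listed above, summarizes the findings by rule, file and commit, splits them into ones that must be remediated and ones whose path sits under a reviewed allowlist, emits the fingerprints of the allowlisted ones in the one-per-line form `.gitleaksignore` expects (the file passed with `-i`), and returns the exit status a CI step would use, mirroring the default `--exit-code 1`. The embedded report is constructed: its field names follow the gitleaks v8 JSON report format, the first two entries echo the two findings shown above, and the allowlist prefix, the third finding and its all-zero commit id are assumptions for illustration. The `shannon_entropy` helper reproduces the `Entropy` figure in the output (Shannon entropy in bits per character).

```python
import json
import math
from collections import Counter

# Constructed sample in the shape of a gitleaks v8 JSON report
# (what `gitleaks detect -f json -r report.json` writes). Field names follow
# the report format; every value is made up for this example.
SAMPLE_REPORT = json.dumps([
    {
        "Description": "Generic API Key",
        "StartLine": 40, "EndLine": 40, "StartColumn": 9, "EndColumn": 60,
        "Match": 'REQUEST_PRIVATE_KEY = "EXAMPLEKEYMATERIAL0001abcXYZ"',
        "Secret": "EXAMPLEKEYMATERIAL0001abcXYZ",
        "File": "src/main/java/com/myproject/common/utils/RSAEncrypt.java",
        "SymlinkFile": "",
        "Commit": "3a9f15961143287a0f417a37665415643232438a",
        "Entropy": 4.68, "Author": "fisher", "Email": "fisher@mymail.com",
        "Date": "2024-03-08T08:40:34Z", "Message": "add rsa util", "Tags": [],
        "RuleID": "generic-api-key",
        "Fingerprint": "3a9f15961143287a0f417a37665415643232438a:"
                       "src/main/java/com/myproject/common/utils/RSAEncrypt.java:generic-api-key:40",
    },
    {
        "Description": "Generic API Key",
        "StartLine": 3, "EndLine": 3, "StartColumn": 1, "EndColumn": 22,
        "Match": "jdbc.password=devpass", "Secret": "devpass",
        "File": "src/main/resources/dev/db.properties", "SymlinkFile": "",
        "Commit": "25ea03dbaf47307ec86a2a625a0fa5b6bd409a97",
        "Entropy": 2.81, "Author": "fisher", "Email": "fisher@mymail.com",
        "Date": "2024-03-16T03:12:30Z", "Message": "dev config", "Tags": [],
        "RuleID": "generic-api-key",
        "Fingerprint": "25ea03dbaf47307ec86a2a625a0fa5b6bd409a97:"
                       "src/main/resources/dev/db.properties:generic-api-key:3",
    },
    {   # hypothetical third finding: a deliberately fake key used as a test fixture
        "Description": "Private Key",
        "StartLine": 1, "EndLine": 1, "StartColumn": 1, "EndColumn": 31,
        "Match": "-----BEGIN RSA PRIVATE KEY-----", "Secret": "-----BEGIN RSA PRIVATE KEY-----",
        "File": "src/test/resources/fixtures/sample.key", "SymlinkFile": "",
        "Commit": "0000000000000000000000000000000000000000",  # placeholder commit id
        "Entropy": 3.19, "Author": "fisher", "Email": "fisher@mymail.com",
        "Date": "2024-03-20T10:00:00Z", "Message": "test fixture", "Tags": [],
        "RuleID": "private-key",
        "Fingerprint": "0000000000000000000000000000000000000000:"
                       "src/test/resources/fixtures/sample.key:private-key:1",
    },
])

# Hypothetical policy: paths under these prefixes hold reviewed, non-real material.
ALLOWLIST_PREFIXES = ("src/test/resources/fixtures/",)


def shannon_entropy(data: str) -> float:
    """Shannon entropy in bits per character, the measure behind the Entropy field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def load_findings(report_text: str) -> list:
    """Parse the JSON report; an empty or absent report means no findings."""
    text = report_text.strip()
    return json.loads(text) if text else []


def summarize(findings: list) -> dict:
    """Counts by rule and file plus the set of offending commits (all need history rewriting)."""
    return {
        "total": len(findings),
        "by_rule": dict(Counter(f["RuleID"] for f in findings)),
        "by_file": dict(Counter(f["File"] for f in findings)),
        "commits": sorted({f["Commit"] for f in findings}),
    }


def triage(findings: list, allowlist_prefixes=ALLOWLIST_PREFIXES):
    """Split findings into blocking ones and ones under a reviewed allowlist path."""
    blocking = [f for f in findings if not f["File"].startswith(allowlist_prefixes)]
    allowlisted = [f for f in findings if f["File"].startswith(allowlist_prefixes)]
    return blocking, allowlisted


def gitleaksignore_lines(findings: list) -> list:
    """Fingerprints, one per line, in the form .gitleaksignore expects."""
    return sorted(f["Fingerprint"] for f in findings)


def redact(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix when logging, in the spirit of --redact."""
    return secret[:keep] + "****" if len(secret) > keep else "****"


def exit_code(blocking: list) -> int:
    """Mirror the gitleaks default: non-zero exit when leaks remain."""
    return 1 if blocking else 0


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    blocking, allowlisted = triage(findings)
    print(json.dumps(summarize(findings), indent=2))
    for f in blocking:
        print(f"FIX {f['File']}:{f['StartLine']} {f['RuleID']} "
              f"secret={redact(f['Secret'])} entropy={shannon_entropy(f['Secret']):.2f}")
    print("# fingerprints to add to .gitleaksignore after review:")
    print("\n".join(gitleaksignore_lines(allowlisted)))
    raise SystemExit(exit_code(blocking))
```

Adding a fingerprint to `.gitleaksignore` only silences a specific commit/file/rule/line combination, so a real secret that was committed still needs rotating and the history still needs cleaning; the allowlist here is meant for material that has been reviewed and confirmed not to be a live credential.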