Shhgit - Find GitHub Secrets In Real Time


Category: IT Security News
Source: feedproxy.google.com





Shhgit finds secrets and sensitive files across GitHub code and Gists committed in near real time by listening to the GitHub Events API.

NEW: LIVE VERSION. Find GitHub secrets straight from your browser!

Finding secrets in GitHub is nothing new. There are many great tools available to help with this, depending on which side of the fence you sit on. On the adversarial side, popular tools such as gitrob and truffleHog focus on digging into commit history to find secret tokens from specific repositories, users or organisations. On the defensive side, GitHub themselves are actively scanning for secrets through their token scanning project. Their objective is to identify secret tokens within committed code in real time and notify the service provider to take action. So in theory, if any AWS secret keys are committed to GitHub, Amazon will be notified and automatically revoke them.

I developed shhgit to raise awareness and bring to life the prevalence of this issue. I hope GitHub will do more to prevent bad actors using the treasure trove of information across the platform. I don't know the inner workings of their token scanning project, but delaying the real-time feed API until the pipeline has completed and imposing SLAs on the providers seems like a step in the right direction.

With some tweaking of the signatures, shhgit would make an awesome addition to your bug bounty toolkit.

Run from Docker
  1. Edit config.yaml and insert your GitHub credentials
  2. $ docker run -v $(pwd)/config.yaml:/config.yaml:ro fnxpt/shhgit


Installation
You can use the precompiled binaries or build from source:
  1. Install Go for your platform.
  2. $ go get github.com/eth0izzle/shhgit will download and build shhgit.
  3. See usage.

Usage
shhgit needs to access the public GitHub API, so you will need to obtain and provide an access token. The API has a hard rate limit of 5,000 requests per hour per account, regardless of which token is used. The more account-unique tokens you provide, the faster you can process the events. Follow this guide to generate a token; it doesn't require any scopes or permissions. Then place it under github_access_tokens in config.yaml. Note that it is against the GitHub terms to bypass their rate limits. Use multiple tokens at your own risk.
Unlike other tools, you don't need to pass any targets to shhgit. Simply run $ shhgit to start watching GitHub commits and find secrets or sensitive files matching the included 120 signatures.
Alternatively, you can forgo the signatures and use shhgit with a search query, e.g. to find all AWS keys you could use shhgit --search-query AWS_ACCESS_KEY_ID=AKIA.

Options
--clone-repository-timeout
    Maximum time it should take to clone a repository, in seconds (default 10)
--csv-path
    Specify a path if you want to write found secrets to a CSV. Leave blank to disable
--debug
    Print debugging information
--entropy-threshold
    Finds high-entropy strings in files. A higher threshold yields fewer, higher-confidence matches; a lower threshold yields more false positives. Set to 0 to disable entropy checks (default 5.0)
--maximum-file-size
    Maximum file size to process, in KB (default 512)
--maximum-repository-size
    Maximum repository size to download and process, in KB (default 5120)
--minimum-stars
    Only clone repositories with this many stars or more. Set to 0 to ignore star count (default 0)
--path-checks
    Set to false to disable file name/path signature checking, i.e. only match regex patterns (default true)
--process-gists
    Watch and process Gists in real time. Set to false to disable (default true)
--search-query
    Specify a search string to ignore signatures and filter on files containing this string (regex compatible)
--silent
    Suppress all output except for errors
--temp-directory
    Directory to store repositories/matches (default "%temp%\shhgit")
--threads
    Number of concurrent threads to use (default: number of logical CPUs)
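The --entropy-threshold trade-off above, shown as an added Go example that is not shhgit's own code: candidate tokens are scored by Shannon entropy and compared against the threshold, and the run shows why the default 5.0 passes a 40-character key that 4.0 catches (a 40-character string cannot exceed log2(40) ≈ 5.32 bits). The tokenRe heuristic, byte-level entropy and the sample values are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// shannonEntropy returns the Shannon entropy of s in bits per byte (0 for "").
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	freq := make(map[byte]int)
	for i := 0; i < len(s); i++ {
		freq[s[i]]++
	}
	var h float64
	for _, c := range freq {
		p := float64(c) / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}

// tokenRe picks candidate tokens: runs of 20+ characters from the alphabet
// typical of API keys (a constructed heuristic for this example).
var tokenRe = regexp.MustCompile(`[A-Za-z0-9+/_-]{20,}`)

// highEntropyStrings returns every token in contents whose entropy is at least
// threshold; threshold 0 disables the check, as shhgit documents for its flag.
func highEntropyStrings(contents string, threshold float64) []string {
	if threshold == 0 {
		return nil
	}
	var hits []string
	for _, tok := range tokenRe.FindAllString(contents, -1) {
		if shannonEntropy(tok) >= threshold {
			hits = append(hits, tok)
		}
	}
	return hits
}

func main() { // constructed sample: AWS docs example key beside low-entropy filler
	sample := "AWS_SECRET=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\nname=aaaaaaaaaaaaaaaaaaaaaaaaa\n"
	for _, th := range []float64{5.0, 4.0} {
		fmt.Printf("threshold %.1f: %v\n", th, highEntropyStrings(sample, th))
	}
}
```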

Config
The config.yaml file has 6 elements. A default is provided.
github_access_tokens: # provide at least one token
  - 'token one'
  - 'token two'
slack_webhook: '' # url to your slack webhook. Found secrets will be sent here
blacklisted_extensions: [] # list of extensions to ignore
blacklisted_paths: [] # list of paths to ignore
blacklisted_entropy_extensions: [] # additional extensions to ignore for entropy checks
signatures: # list of signatures to check
  - part: '' # either filename, extension, path or contents
    match: '' # simple text comparison (if no regex element)
    regex: '' # regex pattern (if no match element)
    name: '' # name of the signature
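How the part/match/regex fields of a signature combine when a file is checked, as an added Go example that is not shhgit's code: the exact-match-versus-regex semantics, the four part selectors, the signature subset and the sample files are assumptions constructed for this example, and the key ID is the AWS documentation placeholder value.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Signature mirrors one signatures entry in config.yaml: Part is filename,
// extension, path or contents, and exactly one of Match or Regex is set.
type Signature struct{ Name, Part, Match, Regex string }

// Matches reports whether the signature fires for one file. Assumed for this
// example: Match is an exact comparison of the selected part, Regex a search.
func (s Signature) Matches(path, contents string) bool {
	target := contents
	switch s.Part {
	case "filename":
		target = filepath.Base(path)
	case "extension":
		target = strings.TrimPrefix(filepath.Ext(path), ".")
	case "path":
		target = path
	}
	if s.Regex != "" {
		return regexp.MustCompile(s.Regex).MatchString(target)
	}
	return target == s.Match
}
// Scan returns the names of all signatures that match the file.
func Scan(sigs []Signature, path, contents string) (hits []string) {
	for _, s := range sigs {
		if s.Matches(path, contents) {
			hits = append(hits, s.Name)
		}
	}
	return hits
}
// Sigs is a constructed subset of shhgit's signature list in config.yaml form.
var Sigs = []Signature{
	{Name: "Environment configuration file", Part: "filename", Match: ".env"},
	{Name: "Potential cryptographic private key", Part: "extension", Match: "pem"},
	{Name: "AWS Access Key ID Value", Part: "contents", Regex: `AKIA[0-9A-Z]{16}`},
	{Name: "Contains a private key", Part: "contents", Regex: `-----BEGIN [A-Z ]*PRIVATE KEY-----`},
}

func main() { // constructed files; the key ID is the AWS documentation example
	fmt.Println(Scan(Sigs, "config/.env", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"))
	fmt.Println(Scan(Sigs, "deploy/server.pem", "-----BEGIN RSA PRIVATE KEY-----\n"))
}
```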

Signatures
shhgit comes with 120 signatures. You can remove or add more by editing config.yaml.
Chef private key, Potential Linux shadow file, Potential Linux passwd file, Docker configuration file, NPM configuration file, Environment configuration file, Contains a private key, AWS Access Key ID Value, AWS Access Key ID, AWS Account ID, AWS Secret Access Key, AWS Session Token, Artifactory, CodeClimate, Facebook access token, Google (GCM) Service account, Stripe API key, Google OAuth Key, Google Cloud API Key,
Google OAuth Access Token, Picatic API key, Square Access Token, Square OAuth Secret, PayPal/Braintree Access Token, Amazon MWS Auth Token, Twilio API Key, MailGun API Key, MailChimp API Key, SSH Password, Outlook team, Sauce Token, Slack Token, Slack Webhook, SonarQube Docs API Key, HockeyApp, Username and password in URI, NuGet API Key, Potential cryptographic private key, Log file, Potential cryptographic key bundle, Potential cryptographic key bundle,
Potential cryptographic key bundle, Potential cryptographic key bundle, Pidgin OTR private key, OpenVPN client configuration file, Azure service configuration schema file, Remote Desktop connection file, Microsoft SQL database file, Microsoft SQL server compact database file, SQLite database file, SQLite3 database file, Microsoft BitLocker recovery key file,
Microsoft BitLocker Trusted Platform Module password file, Windows BitLocker full volume encrypted data file, Java keystore file, Password Safe database file, Ruby On Rails secret token configuration file, Carrierwave configuration file, Potential Ruby On Rails database configuration file, OmniAuth configuration file, Django configuration file,
1Password password manager database file, Apple Keychain database file, Network traffic capture file, GnuCash database file, Jenkins publish over SSH plugin file, Potential Jenkins credentials file, KDE Wallet Manager database file, Potential MediaWiki configuration file, Tunnelblick VPN configuration file, Sequel Pro MySQL database manager bookmark file, Little Snitch firewall configuration file, Day One journal file, Potential jrnl journal file, Chef Knife configuration file, cPanel backup ProFTPd credentials file,
Robomongo MongoDB manager configuration file, FileZilla FTP configuration file, FileZilla FTP recent servers file, Ventrilo server configuration file, Terraform variable config file, Shell configuration file, Shell configuration file, Shell configuration file, Private SSH key, Private SSH key, Private SSH key, Private SSH key, SSH configuration file, Potential cryptographic private key, Shell command history file,
MySQL client command history file, PostgreSQL client command history file, PostgreSQL password file, Ruby IRB console history file, Pidgin chat client account configuration file, Hexchat/XChat IRC client server list configuration file, Irssi IRC client configuration file, Recon-ng web reconnaissance framework API key database, DBeaver SQL database manager configuration file, Mutt e-mail client configuration file, S3cmd configuration file, AWS CLI credentials file, SFTP connection configuration file, T command-line Twitter client configuration file, Shell configuration file,
Shell profile configuration file, Shell command alias configuration file, PHP configuration file, GNOME Keyring database file, KeePass password manager database file, SQL dump file, Apache htpasswd file, Configuration file for auto-login process, Rubygems credentials file, Tugboat DigitalOcean management tool configuration, DigitalOcean doctl command-line client configuration file, git-credential-store helper credentials file, GitHub Hub command-line client configuration file, Git configuration file

Contributing
  1. Fork it, baby!
  2. Create your feature branch: git checkout -b my-new-feature
  3. Commit your changes: git commit -am 'Add some feature'
  4. Push to the branch: git push origin my-new-feature
  5. Submit a pull request.

Credits
Some code borrowed from Gitrob by Michael Henriksen.

Disclaimer
I take no responsibility for how you use this tool. Don't be a dick.
