Check for secret material

gitleaks

• gitleaks
• Diskussion about what passwords to protect
• pre-commit-hook integration
• Megalinter integration
• Configuration

Install:

sudo pacman -S gitleaks

Scan git history:

gitleaks detect -v

Ignore/allow false-positives:

• Add a # gitleaks:allow at the end of the line with an allowed false-positive
• For retroactive ignores from already committed false-positives add the fingerprint shown by gitleaks detect -v to a .gitleaksignore, see this repos .gitleaksignore as example

secretlint

• GitHub
• Megalinter integration
• Configuration
  • .secretlintignore
• Not available in Arch/AUR, Mason, Mise

Install:

eget secretlint/secretlint

Run using podman:

alias secretlint="podman run -v `pwd`:`pwd` -w `pwd` --rm -it docker.io/secretlint/secretlint secretlint '**/*'"

ripsecrets

• GitHub

talisman

https://github.com/thoughtworks/talisman/

If you are sure you want to ignore detected secret material:

echo 'aarwolf.yaml # ignore:filecontent' >> .talismanignore

Issues:

• No way to Permanent ignore for scoped file patterns
  • see also no Option to permanently ignore a file

git-secrets

• Stale, no new release including pre-commit support
• Last tag 2019
• Example pre-commit-hooks.yml
• Doesn't detect a kubeconfig file!