No Secrets! Quickly find sensitive files in your GitHub repo
Open source supply chains and code security have been on my mind lately, and one thing white hats and black hats alike do is search Git repositories for secrets that have been accidentally committed. While playing with the Sourcegraph search console to learn about its filters, types, and options, and to sharpen up my regex, I thought: why not create a bookmarklet that reveals what secrets might be lurking in any given GitHub repository?
Secrets, No More
Introducing No Secrets!, a bookmarklet that works on any modern browser. Here is how to try it:
- Drag the blue button above to your bookmarks bar
- Go to the demo
- Click “No Secrets! 🤫” in your bookmarks bar
This will load the Sourcegraph search console and search the repository for many types of secrets, from AWS API keys to YouTube OAuth credentials. You can then edit that query in the console to create your own. Keep in mind that these are regex patterns: expect some false positives (documentation placeholders, test fixtures) and some misses (secrets with no distinctive prefix). And if you do find a live credential in a public repository, treat it as already compromised and rotate it; rewriting history does not undo the exposure, since forks, clones, and caches may already hold a copy.
Next steps
No Secrets! is a great way to get started, but to truly protect your secrets you need to automate this process. We use Code monitoring ourselves because we love to dogfood. Here are some triggers you can set up to send an email, post a Slack message, or call a webhook:
- AWS API Key
- GCP API Key
- Mailgun API Key
- RSA Private Key
- Stripe API Key
- Twitter Bearer Token
- YouTube OAuth
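For readers who want the same seven checks as a local pre-commit or CI gate rather than a Sourcegraph query or code monitor, here is an added example (mine, not the bookmarklet's query or Sourcegraph's monitors). The vendor prefixes (`AKIA`/`ASIA`, `AIza`, `key-`, `sk_live_`, the 21 leading `A`s of a Twitter bearer token, the `.apps.googleusercontent.com` suffix of a Google OAuth client ID) are documented; the exact length bounds are my assumptions and may need tuning. It goes slightly beyond the list by matching any PEM private-key header, not only RSA. The sample input is constructed and contains no real credentials; the AWS documentation placeholder `AKIAIOSFODNN7EXAMPLE` is included on purpose to show why a placeholder filter matters. Reports are redacted so that the scanner itself does not leak the secret into logs or chat.

```python
"""Regex-based secret scanner for a checked-out repository (added example)."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class SecretPattern:
    name: str
    regex: re.Pattern
    redact: bool = True  # a PEM header is a marker, not the secret, so it is shown whole


# Approximate patterns: documented prefixes, assumed length bounds (not the bookmarklet's regex).
PATTERNS = [
    SecretPattern("AWS access key ID", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    SecretPattern("GCP API key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}")),
    SecretPattern("Mailgun API key", re.compile(r"\bkey-[0-9a-zA-Z]{32}\b")),
    SecretPattern("Private key (PEM)",
                  re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"), redact=False),
    SecretPattern("Stripe secret key", re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b")),
    # 21 'A's is the base64 of the token's leading zero bytes; the suffix length is an assumption
    SecretPattern("Twitter bearer token", re.compile(r"\bA{21}[0-9A-Za-z%]{40,}")),
    SecretPattern("Google OAuth client ID",
                  re.compile(r"\b[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com\b")),
]

KNOWN_PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE"}  # the sample key used throughout the AWS docs


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    shown: str          # redacted value, safe to paste into a report or Slack message
    placeholder: bool   # True for known doc/test placeholders; report but do not alert on them


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it, never the whole thing."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-4:]


def is_placeholder(secret: str) -> bool:
    upper = secret.upper()
    return secret in KNOWN_PLACEHOLDERS or "EXAMPLE" in upper or "XXXX" in upper


def scan_text(text: str) -> list[Finding]:
    """Run every pattern over every line; findings come back in line order, then pattern order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in PATTERNS:
            for m in pat.regex.finditer(line):
                secret = m.group(0)
                shown = redact(secret) if pat.redact else secret
                findings.append(Finding(pat.name, lineno, shown, is_placeholder(secret)))
    return findings


def scan_path(root: str) -> dict[str, list[Finding]]:
    """Scan the working tree only (history needs `git log -p` or a dedicated tool); skips .git/."""
    results: dict[str, list[Finding]] = {}
    for path in Path(root).rglob("*"):
        if ".git" in path.parts or not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        live = [f for f in scan_text(text) if not f.placeholder]
        if live:
            results[str(path)] = live
    return results


# Constructed sample; none of these values are real credentials.
SAMPLE = "\n".join([
    "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",                     # AWS docs placeholder
    "export STRIPE_KEY=sk_live_ABCDEFGHIJKLMNOPQRSTUVWX",
    "gcp_key: AIzaSyD-abcdefghijklmnopqrstuvwxyz01234",
    "MAILGUN_API_KEY=key-0123456789abcdef0123456789abcdef",
    "-----BEGIN RSA PRIVATE KEY-----",
    "TWITTER_BEARER=" + "A" * 21 + "BCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdef%3D",
    "client_id: 123456789012-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com",
    'aws_key = os.environ["AWS_ACCESS_KEY_ID"]',                  # reading from env: not a finding
])


def main(argv: list[str]) -> int:
    if len(argv) > 1:   # real use: exit 1 when live secrets are found, so CI fails
        results = scan_path(argv[1])
        for path, findings in results.items():
            for f in findings:
                print(f"{path}:{f.line}: {f.kind}: {f.shown}")
        return 1 if results else 0
    for f in scan_text(SAMPLE):   # demo run over the constructed sample
        tag = " (placeholder, ignored)" if f.placeholder else ""
        print(f"sample:{f.line}: {f.kind}: {f.shown}{tag}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a repository path (`python scan.py path/to/checkout`) to get a non-zero exit status whenever a live-looking secret is present, which is what you want from a pre-commit hook or CI step; without arguments it scans the embedded sample. Note that it only reads the working tree, so a secret that was committed and later deleted still needs a history scan.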
Last but not least, you can help make No Secrets! better by contributing to the project. Every secret-catching pattern that gets committed helps secure code across the open source supply chain.
🍻 Cheers to no more secrets in your public repositories! Join the discussion on Hacker News.
Thanks to the following people for helping with this post: Beyang Liu, André Eleuterio, and Nick Moore.
About the author
Justin Dorfman is Sourcegraph’s Open Source Program Manager and is responsible for fostering the adoption of code intelligence in the open source community. You can chat with Justin on Twitter @jdorfman or on our community Discord.