As well as the CLI tool the repository contains code for a server to listen for pushes to repositories in github via webhooks and write any violations found into elasticsearch.
> And how to really remove a file from your git history....
That's misleading. Once you commit and push it to a remote, you should consider it compromised. You could remove it from the repo and force-push to re-write history, but anyone could have pulled from the same remote since your original push and have the file locally on their system.
A better option is to push a new commit to remove the file from the repo (add to .gitignore), then set a new, strong passphrase/whatever and don't ever use the one you pushed again.
How is the article misleading? It said the same thing you did in bold....
Warning: Once you have pushed a commit to GitHub, you should consider any data it contains to be compromised. If you committed a password, change it! If you committed a key, generate a new one.
Maybe I'm missing something, but doesn't a whitelist (the `.secignore` mentioned in the README) defeat much of the point of a secret-scanning tool? If I whitelist a file now for containing the (benign) string "password," I'm likely to miss a future problem in that file.
Hmm, it uses "git diff" but in my case, this shows a few lines of context. So if the context contains "console.log" (and not the change itself), the script would still complain.
I read that as "CLI tool ... accidentally committed to a Git repo," as in the CLI tool itself committed to a Git repo by accident, and that the CLI tool finds secrets.
Title as of my reading was "CLI tool that finds secrets accidentally committed to a Git repo (2017)".
35 comments
[ 2.6 ms ] story [ 76.1 ms ] threadhttps://github.com/dxa4481/truffleHog
https://help.github.com/articles/removing-sensitive-data-fro...
That's misleading. Once you commit and push it to a remote, you should consider it compromised. You could remove it from the repo and force-push to re-write history, but anyone could have pulled from the same remote since your original push and have the file locally on their system.
A better option is to push a new commit to remove the file from the repo (add to .gitignore), then set a new, strong passphrase/whatever and don't ever use the one you pushed again.
Warning: Once you have pushed a commit to GitHub, you should consider any data it contains to be compromised. If you committed a password, change it! If you committed a key, generate a new one.
E.g. when I have a line saying
then when I type "git commit ...", a script will be invoked that will recognize the "DONTCOMMIT" string, and it will abort the commit.Additionally, GitLab has push rules[0] that help preventing pushing secrets (based on filenames).
[0]: https://gitlab.adhoc-gti.com/help/push_rules/push_rules#prev...
Title as of my reading was "CLI tool that finds secrets accidentally committed to a Git repo (2017)".
* performance (powered by go-git)
* scan github orgs/users
* ref targeting