In some scenarios, we need to check the leaked credentials in maultiple Git repos. It will be annoying to scan code in Git when there are many projects, especially because Gitlab does not support code snippet search in CE version.
This script iterator with *.git directories, and check each Git repo with git command, let’s explain it in details.
Get the files in Git repo
git ls-tree will display the file paths in branch
git ls-tree -r master --name-only
git show HEAD:file-path will show the file content of a tracking file, with a gripe to filter with keyword.
git show HEAD:$f | grep -n -A4 -B4 'nokogiri' ;
Find the related user
If we want to do some fix, we need to find the latest author for review the fix.
git log will display the author:
git log -1 pretty=format:'%ae'
Code scan snippet in git Repos
Combine the commands into final check scripts.
for x in **/*.git; do ## echo "checking $x" pushd $x > /dev/null while read -r f; do git show HEAD:$f | grep -n -A4 -B4 'nokogiri' ; if [ $? == 0 ]; then last=`git log -1 --pretty=format:'%ae'` printf "found at: $(pwd)/$f\nlast user: $last\n\n" fi done <<< "`git ls-tree -r master --name-only|grep -E '(Gemfile.lock)'`" popd > /dev/null done
For more study please refer to: Version Control with Git: Powerful tools and techniques for collaborative software development