Scan code and credentials in Git repos

  • Misc
Scan code and credentials in Git repos 1

Motivation

In some scenarios, we need to check the leaked credentials in maultiple Git repos. It will be annoying to scan code in Git when there are many projects, especially because Gitlab does not support code snippet search in CE version.

This script iterator with *.git directories, and check each Git repo with git command, let’s explain it in details.

Get the files in Git repo

git ls-tree will display the file paths in branch

git ls-tree -r master --name-only

File checking

git show HEAD:file-path will show the file content of a tracking file, with a gripe to filter with keyword.

git show HEAD:$f | grep -n -A4 -B4 'nokogiri' ;

Find the related user

If we want to do some fix, we need to find the latest author for review the fix.

git log will display the author:

git log -1 pretty=format:'%ae'

Code scan snippet in git Repos

Combine the commands into final check scripts.

for x in **/*.git; do
    ## echo "checking $x"
    pushd $x > /dev/null
    while read -r f; do
        git show HEAD:$f | grep -n -A4 -B4 'nokogiri' ;
        if [ $? == 0 ]; then
            last=`git log -1 --pretty=format:'%ae'`
            printf "found at: $(pwd)/$f\nlast user: $last\n\n"
        fi
    done <<< "`git ls-tree -r master --name-only|grep -E '(Gemfile.lock)'`"
    popd > /dev/null
done

For more study please refer to: Version Control with Git: Powerful tools and techniques for collaborative software development

Last Updated on

Leave a Reply

Your email address will not be published. Required fields are marked *