Code Security Showdown: shhgit vs. gitleaks
Discover the key features and differences between shhgit and gitleaks, two popular tools for detecting and preventing sensitive data leaks in your code. Learn which tool is best suited for your needs and how to effectively use it to secure your codebase.
Dec 11, 2022 by Nicolas Béguier
Both shhgit and gitleaks are command line tools that can help you find sensitive information that has been committed to a git repository. However, they differ in a few key ways, which we'll explore in this article.
Gitleaks and shhgit are both tools for searching for sensitive information in Git repositories. Gitleaks searches for specific patterns of text, such as passwords and API keys but among all commits,
while shhgit searches for known sensitive patterns, such as private keys and passwords no matter if this is a Git repository or a directory. Both tools can be used from the command line and are
designed to be fast and efficient.
Shhgit
Shhgit is a go binary that can handle git repository, but also regular files in directories. Here it's the git repository of shhgit:
https://github.com/eth0izzle/shhgit.
This tool is looking for filenames, extensions or contents matching a specific regex: usernames and passwords, API tokens, or private keys.
How to install
Install Go for you platform. $ go get github.com/eth0izzle/shhgit # Don't forget to pick a directory for your shhgit configuration
# in this example, it's /opt/shhgit/
$ curl -o /opt/shhgit/config.yaml https://raw.githubusercontent.com/eth0izzle/shhgit/master/config.yaml
How to use
Your shhgit local path is /opt/shhgit/ and you will scan your current directory recursively $ shhgit -local . -config-path /opt/shhgit/
This tool is looking for filenames, extensions or contents matching a specific regex: usernames and passwords, API tokens, or private keys.
How to install
Install Go for you platform. $ go get github.com/eth0izzle/shhgit # Don't forget to pick a directory for your shhgit configuration
# in this example, it's /opt/shhgit/
$ curl -o /opt/shhgit/config.yaml https://raw.githubusercontent.com/eth0izzle/shhgit/master/config.yaml
How to use
Your shhgit local path is /opt/shhgit/ and you will scan your current directory recursively $ shhgit -local . -config-path /opt/shhgit/
For more examples, you can take a look on this other article.
Gitleaks
Gitleaks is a tool for searching for sensitive information in Git repositories. It can be used from the command line and is designed to be fast and efficient. It searches for patterns of text in the repository, such as passwords
and API keys, and outputs the results in a human-readable format.
How to install
# For a temporary install
$ curl -L https://github.com/zricethezav/gitleaks/releases/download/v8.15.2/gitleaks_8.15.2_linux_x64.tar.gz -o /tmp/gitleaks_8.15.2_linux_x64.tar.gz && tar xvzf /tmp/gitleaks_8.15.2_linux_x64.tar.gz -C /tmp/ -x gitleaks # /tmp/gitleaks
How to use
Once gitleaks is installed, you can use it to search for sensitive information in a Git repository. For example, the following command will search for instances of the word "password" in the current repository:
$ gitleaks detect
This command will scan the entire repository and output a list of secrets found among all commits.
Gitleaks is a powerful tool for finding sensitive information in Git repositories. It is fast and efficient, and can help you ensure that your codebase is secure.
Conclusion
Secrets such as passwords, API keys, and other sensitive information can be exploited by hackers if they are not properly protected. This can lead to security breaches and other serious problems, such as data theft or damage to
your company's reputation. Additionally, if secrets are left unsecured in your codebase, they can be accidentally exposed through things like code commits or public bug reports, which can also put your company at risk. By
looking for secrets in your codebase and taking steps to protect them, you can help keep your company and its sensitive information safe from potential threats.