In the world of version control, it's crucial to keep your code repositories secure. Two tools that can help with this are shhgit and gitleaks.
Both are command line tools that can help you find sensitive information committed to a Git repository, but they differ in a few key ways. Gitleaks searches for specific patterns — passwords and API keys — across all commits, while shhgit searches for known sensitive patterns — private keys and passwords — regardless of whether the target is a Git repository or a plain directory.
shhgit
Shhgit is a Go binary that can handle both Git repositories and regular files in directories. It looks for filenames, extensions, or contents matching specific regexes: usernames, passwords, API tokens, and private keys.
Install
First, install Go for your platform, then:
$ go get github.com/eth0izzle/shhgit
Download the default configuration file (pick a directory of your choice, here /opt/shhgit/):
$ curl -o /opt/shhgit/config.yaml https://raw.githubusercontent.com/eth0izzle/shhgit/master/config.yaml
Use
Scan your current directory recursively:
$ shhgit -local . -config-path /opt/shhgit/
For more examples, see Security Post-it #5 – Looking for secrets.
gitleaks
Gitleaks searches for patterns of text in Git repositories — passwords, API keys — and outputs results in a human-readable format. It scans across all commits, making it particularly useful for auditing repository history.
Install
# Temporary install (Linux x64)
$ curl -L https://github.com/zricethezav/gitleaks/releases/download/v8.15.2/gitleaks_8.15.2_linux_x64.tar.gz \
    -o /tmp/gitleaks.tar.gz
$ tar xvzf /tmp/gitleaks.tar.gz -C /tmp/ gitleaks
Use
Run gitleaks from the root of your Git repository to scan for secrets across all commits:
$ gitleaks detect
This will scan the entire commit history and output a list of secrets found.
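The signature matching that both tools perform, as an added Go example that is not code from either project: three simplified rules (private-key header, AWS access key id, hard-coded password) run over a constructed config file, with each match redacted before it reaches the report. The rule patterns and the sample file are assumptions for the demo, not shhgit's or gitleaks's real rule sets.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// Finding is one line that matched a secret signature.
type Finding struct {
	Rule string // signature that fired
	Line int    // 1-based line number in the scanned content
	Hint string // redacted match, safe to print in a report
}
// rule pairs a name with a pattern; a slice (not a map) keeps report order deterministic.
type rule struct {
	name string
	re   *regexp.Regexp
}
// Simplified signatures in the style of the shhgit/gitleaks rule sets (assumption: not their real rules).
var rules = []rule{
	{"private-key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----`)},
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"hardcoded-password", regexp.MustCompile(`(?i)password\s*[:=]\s*["']?[^\s"']{8,}`)},
}
// redact keeps a 4-character prefix so an auditor can locate the match without the report leaking it.
func redact(s string) string {
	return s[:4] + strings.Repeat("*", len(s)-4)
}
// ScanText runs every rule over every line of content and returns the findings in line order.
func ScanText(content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, r := range rules {
			if m := r.re.FindString(line); m != "" {
				out = append(out, Finding{Rule: r.name, Line: i + 1, Hint: redact(m)})
			}
		}
	}
	return out
}
// SampleConfig is constructed for this demo; the AWS key is Amazon's documented example value.
const SampleConfig = "db_password = \"hunter2hunter2\"\npassword_min_length = 12\n" +
	"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n-----BEGIN RSA PRIVATE KEY-----\nMIIE...(truncated)"

func main() {
	for _, f := range ScanText(SampleConfig) {
		fmt.Printf("line %d: %s (%s)\n", f.Line, f.Rule, f.Hint)
	}
}
```

Note that `password_min_length = 12` is correctly skipped: the password rule requires a separator right after the keyword, which is the kind of tuning that keeps false positives down in real rule sets.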
Conclusion
Secrets such as passwords, API keys, and other sensitive information can be exploited by attackers if not properly protected — through code commits, public bug reports, or accidental exposure. Both shhgit and gitleaks are fast, efficient tools for auditing your codebase. Use gitleaks when you need to audit full Git history, and shhgit when you want to scan any directory regardless of Git.