General question: does anybody scan for credentials checked into a Git repo, and if so, what tools do you use?
We used credscan from the MS extension for a while, but that is no longer supported. I’ve extended gitleaks with most of the rules from credscan.
I have used credscan in the past, but saw today it is EOL, so looking for alternatives to use with Azure DevOps.
Time for a blogpost on gitleaks
I’ll see if I can open the repo up this week…
This repo contains a gitleaks file that ports most of the rules from credscan’s config, except that credscan had a few clever tricks which gitleaks can’t support, like running a regex over a decoded base64 string; therefore gitleaks will either miss a few passwords or flag more false positives.
I cleaned up the repo a bit. It’s not 100% what credscan did, but it does get close. I’ll see if I can get some of these merged into the gitleaks project: https://github.com/jessehouwing/gitleaks-azure
Thanks, will take a look, and even try to get some companies to help sponsor, but no promise on that one.
Always nice