How do you scan for credentials checked into a Git repo

General question: does anybody scan for credentials checked into a Git repo, and if so, what tools do you use?

We used credscan from the MS extension for a while, but that is no longer supported. I’ve extended gitleaks with most of the rules from credscan.

I have used credscan in the past, but saw today it is EOL, so looking for alternatives to use with Azure DevOps.

Time for a blogpost on gitleaks :wink:

I’ll see if I can open the repo up this week…

https://github.com/jessehouwing/gitleaks-azure

This repo contains a gitleaks file that ports most of the rules from credscan’s config, except that credscan had a few clever tricks which gitleaks can’t support, like running a regex over a decoded base64 string; therefore gitleaks will either miss a few passwords or flag more false positives.

I cleaned up the repo a bit. It’s not 100% what credscan did, but it does get close. I’ll see if I can get some of these merged into the gitleaks project: https://github.com/jessehouwing/gitleaks-azure
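The base64 trick mentioned in the two posts above, as an added example that is not part of the thread and not code from the gitleaks-azure repo or from gitleaks itself: a small scanner that runs credential regexes over each line as-is and again over any base64-looking token that decodes to readable text, which is what a plain regex ruleset cannot do. The rule names, the generic password pattern, the base64 token heuristic, the helper names and the sample lines are all assumptions made for this illustration; the sample key ID is AWS’s published documentation example, not a live key. Pass a repository path as the first argument to scan every line ever added in its history.

```python
"""Regex credential scan with base64 decoding (illustrative example only)."""
import base64
import binascii
import re
import subprocess

# Illustrative rules (assumed, not ported from credscan or gitleaks).
# The AWS access-key-ID shape is the publicly documented format; the other
# two are generic shapes a practitioner would tune per environment.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # no \b before the keyword: DB_PASSWORD=... must still match
    "generic-password-assignment": re.compile(
        r"""(?i)(?:password|passwd|pwd)\s*[=:]\s*['"]?([^\s'"]{8,})"""
    ),
    "private-key-header": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
}

# Heuristic for base64 tokens: a run of 20+ base64-alphabet characters with
# optional padding, not glued to other base64 characters. Hex digests and
# ordinary words also match this class, so decoding must reject them below.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])")


def decode_base64_candidates(line):
    """Yield (token, decoded_text) for base64-looking tokens in `line` that
    decode to printable text. Bad padding, non-UTF-8 bytes and control
    characters are skipped, so hashes and binary blobs produce no matches."""
    for token in B64_TOKEN.findall(line):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            yield token, text


def scan_lines(lines):
    """Return findings as (line_no, rule, matched_text, via); `via` is 'raw'
    for a direct match and 'base64' for a match inside decoded content."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for rule, pat in RULES.items():
            for m in pat.finditer(line):
                findings.append((n, rule, m.group(0), "raw"))
        for _token, decoded in decode_base64_candidates(line):
            for rule, pat in RULES.items():
                for m in pat.finditer(decoded):
                    findings.append((n, rule, m.group(0), "base64"))
    return findings


def iter_history_lines(repo_path):
    """Yield every line ever added in any commit of `repo_path`, read from
    `git log -p --all`. A secret deleted from HEAD still lives in history, so
    scanning the working tree alone is not enough."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        capture_output=True, text=True, errors="replace", check=True,
    ).stdout
    for line in out.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            yield line[1:]


# Constructed sample input (not from any real repository). The secret-bearing
# config line is base64-encoded at import time so the encoding is exact.
SAMPLE_PLAINTEXT = 'DB_PASSWORD="Sup3rSecret!99"'
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAINTEXT.encode()).decode()
BENIGN_B64 = base64.b64encode(b"just a harmless comment, nothing secret here").decode()
SAMPLE_LINES = [
    "# constructed sample input, not a real repository",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE  # AWS documentation example ID",
    'db_password = "Sup3rSecret!99"',                        # raw assignment
    f"encoded_config: {SAMPLE_B64}",                         # hidden in base64
    "checksum: 3f786850e387550fdab836ed7e6dc881de23001b",   # hex, rejected
    f"comment: {BENIGN_B64}",                                # decodes, no secret
]

if __name__ == "__main__":
    import sys
    lines = list(iter_history_lines(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LINES
    for n, rule, text, via in scan_lines(lines):
        print(f"line {n}: {rule} ({via}): {text}")
```

Run without arguments it reports three findings from the sample: the key ID and the plain assignment as raw matches, and the password inside the base64 blob, which a ruleset without the decode step would miss. The hex digest and the benign base64 comment are decoded or rejected without producing a finding, which is the false-positive side the post above refers to.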

Thanks, will take a look, and even try to get some companies to help sponsor, but no promise on that one.

Always nice :slightly_smiling_face: