🔒🤖 The Next Step in GitGuardian’s Approach to NHI Security

DISCOVER

🔒🤖 The Next Step in GitGuardian’s Approach to NHI Security

DISCOVER
HasMySecretLeaked icon

Has My Secret Leaked?

BEGINNER

Select a secret in the list and see how HasMySecretLeaked works.

advanced

Create a hashed & encrypted version of your secret, paste the hash and get the results.

Create a hashed & encrypted version of your secret, paste the hash and get the results.

gitguardian cli

Use ggshield to check any secret or even a list of secrets directly in your CLI.

🔮 You have {{triesLeft}} of {{triesTotal}} tries left today.

The secret is being hashed in your browser...

{{currentStep.secret}}

Only a fragment of the hash will be shared with GitGuardian to check for potential leaks on GitHub.

Scanning for potential leaks...

{{currentStep.hashPrefix}}

Only the prefix of the hash is being shared with GitGuardian to check for potential leaks on GitHub.

Hooray 🎉 The secret is safe!

{{currentStep.hashPrefix}}

To check all your secrets for leaks in one go, use ggshield, the GitGuardian CLI.

Uh oh, it looks like we found something!

This secret might be compromised.

-

Guardian/ev_secrets_nt

Please take the time to inspect it, and if a leak is confirmed, make sure to revoke and rotate your secret to avoid its abuse by malicious actors on GitHub. Learn more.

Are you sure your input is a hash of a secret?

This search yielded too many results.

{{currentStep.hashPrefix}}

Please try again

Oops! No more test available today

{{currentStep.hashPrefix}}

To check all your secrets for leaks in one go, use ggshield, the GitGuardian CLI.

Run GGShield
Thank you! Your submission has been received!
{{currentStep.message}}

How to create your Hash

Download and execute this python script. You can check the code!

Once your secret is hashed paste it in the above field. Press "Scan for leaks" and get your results!

Download script

#! python3
from getpass import getpass
from hashlib import sha256

try:
    from cryptography.hazmat.primitives.kdf.scrypt import Scrypt
except ModuleNotFoundError:
    print("Package cryptography not installed")
    print("Please run (pip install cryptography)")
    exit()

def compute_key(secret: str) -> str:
    pepper = sha256(b"GitGuardian").digest()
    return (
        Scrypt(salt=pepper, n=2048, r=8, p=1, length=32)
        .derive(secret.encode("utf-8"))
        .hex()
    )

secret = getpass("Please paste your secret here: ")
print("Your hash is: ")
print(compute_key(secret))

Audit Every Secret You Own
Right From Your Terminal

# Here, secrets.txt is a text file containing a list of 3 secrets values.

$ ggshield hmsl check secrets.txt

Collecting secrets...

Collected 3 secrets.

Querying HasMySecretLeaked...

97 credits left for today.

Found 2 leaked secrets.

> Secret 1

Secret name: "ggt***********kbf"

Secret hash: "e9b39209f72228f30b60c19493a3f756ac97dc02ae7f52db2a3abbe3c3269339"

Distinct locations: 1

First occurrence:

    URL: "https://github.com/GitGuardian/ggshield/commit/394b160c36f42aee3b0d4b84ed70eb58e646046f

> Secret 2

Secret name: "ggt***********jfa"

Secret hash: "d775db0302080c1b7516109e929dd4b214a0f353ed3b66ff2e56c47d55a102ed"

Distinct locations: 1

First occurrence:

    URL: "https://github.com/GitGuardian/ggshield/commit/ada1b96da53c23f1dfe956fff902c33ff55afd15"

# Here, secrets.txt is a text file containing a list of 3 secrets values.

$ ggshield hmsl fingerprint secrets.txt

payload.txt and mapping.txt files have been written.

Prepared 3 secrets.

# Here, payload.txt is a text file containing a five-character long prefix of each hashed value of the secrets initially provided in secrets.txt (see previous command). Only this file is shared with GitGuardian.

$ ggshield hmsl query payload.txt > results.dump

97 credits left for today.

Audited 3 secrets in total for leaks.

# Here, results.dump is the file returned by GitGuardian and contains potential matches of the audited secrets (see previous command). All the content of results.dump is encrypted and can only be decrypted locally in the user’s environment. 

$ ggshield hmsl decrypt results.dump

Found 2 leaked secrets.

> Secret 1

Secret name: "ggt***********kbf"

Secret hash: "e9b39209f72228f30b60c19493a3f756ac97dc02ae7f52db2a3abbe3c3269339"

Distinct locations: 1

First occurrence:

    URL: "https://github.com/GitGuardian/ggshield/commit/ada1b96da53c23f1dfe956fff902c33ff55afd15"

> Secret 2

Secret name: "ggt***********jfa"

Secret hash: "d775db0302080c1b7516109e929dd4b214a0f353ed3b66ff2e56c47d55a102ed"

Distinct locations: 1

First occurrence:

    URL: "https://github.com/GitGuardian/ggshield/commit/42f8f8a16deb779fbf7e67332f24ad32f3572459"

How it works

USER CLI

PREPARING THE DATA

(ggshield hmsl fingerprint)

secret

sk_live_epISNGSkdeXov2frTey7RHAi

secret hash

d4cbf.

....c462e648

hint (hash of the secret hash)

bc084e1.....bc5c06f1

HASHING THE SECRET

{ "secret hash prefix": "d4cbf" }

USER FINDS THE MATCHING ROW (if any)...

[

{ "hint": "94479a6.....7434868d", "encrypted_location": "Heif7639fjKhfS384jYf" },

{ "hint": "bc084e1.....bc5c06f1", "encrypted_location": "Kdje8Gz5f1al9MWxv7y5" },

{ "hint": "6af758a.....ea241fc6", "encrypted_location": "le6Op98b0mPSv4Th7s3k" },

]

A secret was found in

1 location

Github Logo

github.com/repoC/

HASMYSECRETLEAKED

USER SENDS THE SECRET HASH PREFIX

API  QUERYING  DATABASE  FOR...

secrets hashes

secrets locations

aaa6e.....43aa8eff

github.com/repoA/...

d4cbf.

....df4e9a02

github.com/repoC/...

d4cbf.

....c462e648

github.com/repoB/...

d4cbf.

....a2d88eff

github.com/repoD/...

99fe6.....76aef23a

github.com/repoE/...

GITGUARDIAN SERVER PROCESSES...

secrets hashes

secrets locations

d4cbf.

....c462e648

github.com/repoB/...

d4cbf.

....df4e9a02

github.com/repoC/...

d4cbf.

....a2d88eff

github.com/repoD/...

READY TO SEND A BUCKET OF HITS

[

{ "hint": "94479a6.....7434868d", "encrypted_location": "Heif7639fjKhfS384jYf" },

{ "hint": "bc084e1.....bc5c06f1", "encrypted_location": "Kdje8Gz5f1al9MWxv7y5" },

{ "hint": "6af758a.....ea241fc6", "encrypted_location": "le6Op98b0mPSv4Th7s3k" },

]

USER CLI

USER FINDS THE MATCHING ROW (if any)...

[

{ "hint": "94479a6.....7434868d", "encrypted_location": "Heif7639fjKhfS384jYf" },

{ "hint": "bc084e1.....bc5c06f1", "encrypted_location": "Kdje8Gz5f1al9MWxv7y5" },

{ "hint": "6af758a.....ea241fc6", "encrypted_location": "le6Op98b0mPSv4Th7s3k" },

]

A secret was found in

1 location

Github Logo

github.com/repoC/

Secrets are all over the place.

Since 2017, GitGuardian’s detection engine has been scanning every single contribution and event on public GitHub–in repositories, gists, issues, and comments–catching every secret it can find.

We have built a database containing over %ntlss% million leaks, and it’s growing daily!

over
10
M

secrets detected in %stats-year%

around
50
%

growth in secrets leaked vs %previous-stats-year%

over
1
B

public commits scanned in %stats-year%

over
27
K

secrets found per day

over
1.2
m

pro-bono alerts sent to developers in %stats-year%

Think Your Secrets Are Safe?
Let’s Put Them to the Test!

Taylor:

Hi, Owlie 👋 I’m a security engineer at HotDog Corp. Why should I search for my secrets across all available GitHub content? Why can’t I just scan the code repositories my organization owns?

Owlie:

Sure, Taylor! You should scan your own repositories for secrets, but it’s not enough. Secrets are susceptible to leaks during "out of office hours," often in places lying beyond your organization's perimeter or control.

Also, ‘vaulting’ your secrets is a good practice, but it does not guarantee they will never leak. If you truly want peace of mind, you should audit every secret in your pipeline for leaks.

Taylor:

How does this work? I wouldn't want to share secrets that might be safe out in the open and expose them to you or anyone else.

Owlie:

That’s a valid concern. No one sees or touches your secrets–not even GitGuardian!

Owlie:

HasMySecretLeaked will always: 

  1. Hash your secret on the client side, using Scrypt to derive a 256-bit long hash;
  2. Extract a 5-character prefix of your secret’s hash, always on the client side;
  3. Share the prefix of your secret’s hash with GitGuardian. No one can reconstruct your secret with this much information!
  4. Return a list of potential matches where each match consists of a secret plus its location. Remember that all matches are encrypted using their secret’s own hash!
  5. Decrypt the potential matches on the client side. You can only decrypt perfect matches to view the secret, the number of times it leaked, and where it was first exposed. This process guarantees that no other secrets or locations are revealed!

Owlie:

This is a high-level overview. If you want to dive deeper into the technical details of the data flows, encryption, and more, read “HasMySecretLeaked – Building a Trustless and Secure Protocol".

Taylor:

Thank you for sharing all these details, Owlie! I just tried it and found my secret was safe 😌How can I audit all my secrets in one go now?

Owlie:

Great news! You should use ggshield, the GitGuardian command-line interface (CLI), to check all your secrets simultaneously. It has a few commands to prepare and check every secret you own for leaks. You can also connect it to your AWS Secrets Manager or HashiCorp Vault and pull your secrets. Keep scrolling, and I will show you what it looks like in your terminal!

Audit Every Secret You Own
Right From Your Terminal

# Here, secrets.txt is a text file containing a list of 3 secrets values.

$ ggshield hmsl check secrets.txt

Collecting secrets...

Collected 3 secrets.

Querying HasMySecretLeaked...

97 credits left for today.

Found 2 leaked secrets.

> Secret 1

Secret name: "ggt***********kbf"

Secret hash: "e9b39209f72228f30b60c19493a3f756ac97dc02ae7f52db2a3abbe3c3269339"

Distinct locations: 1

First occurrence:

    URL: "https://github.com/GitGuardian/ggshield/commit/394b160c36f42aee3b0d4b84ed70eb58e646046f

> Secret 2

Secret name: "ggt***********jfa"

Secret hash: "d775db0302080c1b7516109e929dd4b214a0f353ed3b66ff2e56c47d55a102ed"

Distinct locations: 1

First occurrence:

    URL: "https://github.com/GitGuardian/ggshield/commit/ada1b96da53c23f1dfe956fff902c33ff55afd15"

# Here, secrets.txt is a text file containing a list of 3 secrets values.

$ ggshield hmsl fingerprint secrets.txt

payload.txt and mapping.txt files have been written.

Prepared 3 secrets.

# Here, payload.txt is a text file containing a five-character long prefix of each hashed value of the secrets initially provided in secrets.txt (see previous command). Only this file is shared with GitGuardian.

$ ggshield hmsl query payload.txt > results.dump

97 credits left for today.

Audited 3 secrets in total for leaks.

# Here, results.dump is the file returned by GitGuardian and contains potential matches of the audited secrets (see previous command). All the content of results.dump is encrypted and can only be decrypted locally in the user’s environment. 

$ ggshield hmsl decrypt results.dump

Found 2 leaked secrets.

> Secret 1

Secret name: "ggt***********kbf"

Secret hash: "e9b39209f72228f30b60c19493a3f756ac97dc02ae7f52db2a3abbe3c3269339"

Distinct locations: 1

First occurrence:

    URL: "https://github.com/GitGuardian/ggshield/commit/ada1b96da53c23f1dfe956fff902c33ff55afd15"

> Secret 2

Secret name: "ggt***********jfa"

Secret hash: "d775db0302080c1b7516109e929dd4b214a0f353ed3b66ff2e56c47d55a102ed"

Distinct locations: 1

First occurrence:

    URL: "https://github.com/GitGuardian/ggshield/commit/42f8f8a16deb779fbf7e67332f24ad32f3572459"

BYOV: Bring Your Own Vault

Connect ggshield (GitGuardian CLI) with AWS Secrets Manager or HashiCorp Vault, collect all your secrets, and run a leak check in one command! Stay tuned for more integrations!

GitGuardian radar scanning different secret management services
  • What is HasMySecretLeaked?

    HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects.

    Users can interact with HasMySecretLeaked via the search bar on this webpage or the GitGuardian CLI ggshield. It is also integrated into the GitGuardian Platform in the Secrets Detection module.

  • Is HasMySecretLeaked open-source?

    HasMySecretLeaked comprises two components: a REST API used to interact with the service and a database containing all secret leaks discovered by GitGuardian on public GitHub. Both the source code of the REST API and the content of the database are closed-source and proprietary. Please note that all the secrets are hashed, and their corresponding locations are encrypted.

    HasMySecretLeaked is also integrated into ggshield, the GitGuardian command-line interface application. The CLI is open-source, and its source code is available on the official GitHub repository.

  • What is ggshield?

    ggshield is a command-line interface application developed by GitGuardian. ggshield helps developers detect and prevent hardcoded secrets (like API keys, certificates, and database connection URLs) before pushing their code to shared repositories. ggshield acts as a wrapper for GitGuardian’s Python API client, py-gitguardian.

    The minimum requirements for installing ggshield are:

    • python 3.7+
    • Git
    • pip

    Note: GitGuardian only supports versions of ggshield above and including v1.12.0. The package runs on MacOS, Linux, and Windows.

    For more information, please read the official documentation.

  • Is HasMySecretLeaked free?

    HasMySecretLeaked is available for free. Visitors to this web page are given 5 credits daily when using HasMySecretLeaked via the search bar.

    Unauthenticated users of the GitGuardian CLI, ggshield, are given 5 credits daily. To get a larger quota, please sign up for a free GitGuardian account. GitGuardian authenticated users are given:

    • 30 credits daily if their workspace is on the Free plan
    • 1000 credits daily if their workspace is on the Business plan

    NB. If you have already installed ggshield, run ‘ggshield auth login’ and follow the web-based authentication flow, where you will be asked to log in to an existing account or sign up for a new one.

  • Who else uses ggshield?

    Widely adopted by developer communities, GitGuardian and ggshield are used by over %nggsu% thousand developers and rank 1st in the security category on GitHub Marketplace. Developers from leading companies, including Instacart, Orange, Iress, Beyond Identity, and NOW: Pensions, use ggshield for secrets scanning.

  • I found a bug/I have a feature request.

    If you have found a bug or have suggestions for the GitGuardian team to improve ggshield, please visit the official GitHub repository to create an issue.

Has Your Secret Leaked?

There’s Only One Way To Find Out