Download and execute this python script. You can check the code!
Once your secret is hashed, paste it in the field above. Press "Scan for leaks" and get your results!
#! python3
from getpass import getpass
from hashlib import sha256

try:
    from cryptography.hazmat.primitives.kdf.scrypt import Scrypt
except ModuleNotFoundError:
    print("Package cryptography not installed")
    print("Please run (pip install cryptography)")
    exit()


def compute_key(secret: str) -> str:
    # Fixed pepper used as the scrypt salt; the secret itself never leaves this machine.
    pepper = sha256(b"GitGuardian").digest()
    return (
        Scrypt(salt=pepper, n=2048, r=8, p=1, length=32)
        .derive(secret.encode("utf-8"))
        .hex()
    )


# getpass keeps the pasted secret out of the terminal echo and shell history.
secret = getpass("Please paste your secret here: ")
print("Your hash is: ")
print(compute_key(secret))
# Here, secrets.txt is a text file containing a list of 3 secrets values.
$ ggshield hmsl check secrets.txt
Collecting secrets...
Collected 3 secrets.
Querying HasMySecretLeaked...
97 credits left for today.
Found 2 leaked secrets.
> Secret 1
Secret name: "ggt***********kbf"
Secret hash: "e9b39209f72228f30b60c19493a3f756ac97dc02ae7f52db2a3abbe3c3269339"
Distinct locations: 1
First occurrence:
URL: "https://github.com/GitGuardian/ggshield/commit/394b160c36f42aee3b0d4b84ed70eb58e646046f"
> Secret 2
Secret name: "ggt***********jfa"
Secret hash: "d775db0302080c1b7516109e929dd4b214a0f353ed3b66ff2e56c47d55a102ed"
Distinct locations: 1
First occurrence:
URL: "https://github.com/GitGuardian/ggshield/commit/ada1b96da53c23f1dfe956fff902c33ff55afd15"
# Here, secrets.txt is a text file containing a list of 3 secrets values.
$ ggshield hmsl fingerprint secrets.txt
payload.txt and mapping.txt files have been written.
Prepared 3 secrets.
# Here, payload.txt is a text file containing a five-character long prefix of each hashed value of the secrets initially provided in secrets.txt (see previous command). Only this file is shared with GitGuardian.
$ ggshield hmsl query payload.txt > results.dump
97 credits left for today.
Audited 3 secrets in total for leaks.
# Here, results.dump is the file returned by GitGuardian and contains potential matches of the audited secrets (see previous command). All the content of results.dump is encrypted and can only be decrypted locally in the user’s environment.
$ ggshield hmsl decrypt results.dump
Found 2 leaked secrets.
> Secret 1
Secret name: "ggt***********kbf"
Secret hash: "e9b39209f72228f30b60c19493a3f756ac97dc02ae7f52db2a3abbe3c3269339"
Distinct locations: 1
First occurrence:
URL: "https://github.com/GitGuardian/ggshield/commit/ada1b96da53c23f1dfe956fff902c33ff55afd15"
> Secret 2
Secret name: "ggt***********jfa"
Secret hash: "d775db0302080c1b7516109e929dd4b214a0f353ed3b66ff2e56c47d55a102ed"
Distinct locations: 1
First occurrence:
URL: "https://github.com/GitGuardian/ggshield/commit/42f8f8a16deb779fbf7e67332f24ad32f3572459"
[Diagram: ggshield hmsl fingerprint, step by step]
HASHING THE SECRET: secret sk_live_epISNGSkdeXov2frTey7RHAi -> secret hash d4cbf.....c462e648 -> hint (hash of the secret hash) bc084e1.....bc5c06f1
USER SENDS THE SECRET HASH PREFIX: { "secret hash prefix": "d4cbf" }
API QUERYING DATABASE FOR... secrets hashes / secrets locations: aaa6e.....43aa8eff github.com/repoA/..., d4cbf.....df4e9a02 github.com/repoC/..., d4cbf.....c462e648 github.com/repoB/..., d4cbf.....a2d88eff github.com/repoD/..., 99fe6.....76aef23a github.com/repoE/...
GITGUARDIAN SERVER PROCESSES... only the rows whose hash starts with d4cbf: d4cbf.....c462e648 github.com/repoB/..., d4cbf.....df4e9a02 github.com/repoC/..., d4cbf.....a2d88eff github.com/repoD/...
READY TO SEND A BUCKET OF HITS:
[
{ "hint": "94479a6.....7434868d", "encrypted_location": "Heif7639fjKhfS384jYf" },
{ "hint": "bc084e1.....bc5c06f1", "encrypted_location": "Kdje8Gz5f1al9MWxv7y5" },
{ "hint": "6af758a.....ea241fc6", "encrypted_location": "le6Op98b0mPSv4Th7s3k" },
]
USER FINDS THE MATCHING ROW (if any)... the row whose hint equals bc084e1.....bc5c06f1 is decrypted locally, giving github.com/repoC/
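The following is an added walk-through of the fingerprint / query / decrypt flow shown in the ggshield session and in the diagram above; it is example code, not GitGuardian's code. What it takes from the page: the scrypt hash with sha256(b"GitGuardian") as salt (n=2048, r=8, p=1, 32 bytes), the five-character hash prefix as the only value sent to the server, and the hint (hash of the secret hash) used to pick one's own row out of the returned bucket. What it assumes because the page does not describe it: the server's database layout and the cipher protecting locations, for which a toy HMAC-SHA256 counter keystream keyed with the full secret hash stands in. Every secret, hash and location below is constructed.

```python
"""Client-side walk-through of a HasMySecretLeaked-style lookup (added example).

Follows the page: scrypt(secret, salt=sha256(b"GitGuardian"), n=2048, r=8, p=1,
32 bytes), 5-char hex prefix sent to the server, hint = sha256(secret hash).
Assumed (not on the page): database layout and the location cipher, which is a
toy HMAC-SHA256 counter keystream keyed with the full hash.  All data constructed.
"""
import hashlib
import hmac
from hashlib import sha256
from typing import Dict, List, Optional, Tuple

PEPPER = sha256(b"GitGuardian").digest()
PREFIX_LEN = 5  # hex characters of the hash disclosed to the server


def compute_key(secret: str) -> str:
    """Same derivation as the page's script, via the stdlib scrypt binding."""
    return hashlib.scrypt(secret.encode("utf-8"), salt=PEPPER,
                          n=2048, r=8, p=1, dklen=32).hex()


def hint_of(secret_hash: str) -> str:
    """Hint published next to each encrypted location: hash of the secret hash."""
    return sha256(secret_hash.encode("ascii")).hexdigest()


def _keystream(secret_hash: str, length: int) -> bytes:
    # ASSUMPTION (toy cipher, not the service's): HMAC-SHA256 in counter mode,
    # keyed with the full hash, which the server never receives.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(secret_hash.encode("ascii"),
                        counter.to_bytes(4, "big"), sha256).digest()
        counter += 1
    return out[:length]


def encrypt_location(secret_hash: str, location: str) -> bytes:
    data = location.encode("utf-8")
    return bytes(a ^ b for a, b in zip(data, _keystream(secret_hash, len(data))))


def decrypt_location(secret_hash: str, blob: bytes) -> str:
    return bytes(a ^ b for a, b in zip(blob, _keystream(secret_hash, len(blob)))).decode("utf-8")


# ---- server side (stand-in for the GitGuardian API) ----
def server_bucket(db: Dict[str, str], prefix: str) -> List[dict]:
    """Every row whose hash shares the prefix: the 'bucket of hits' sent back."""
    return [{"hint": hint_of(h), "encrypted_location": encrypt_location(h, loc)}
            for h, loc in db.items() if h.startswith(prefix)]


# ---- client side: fingerprint -> query -> decrypt ----
def fingerprint(secret: str) -> Tuple[str, str]:
    """(full hash that stays in mapping.txt, prefix that goes into payload.txt)."""
    full = compute_key(secret)
    return full, full[:PREFIX_LEN]


def check(secret: str, db: Dict[str, str]) -> Optional[str]:
    """Whole flow for one secret; returns the decrypted leak location or None."""
    full, prefix = fingerprint(secret)
    bucket = server_bucket(db, prefix)  # only `prefix` crosses the wire
    wanted = hint_of(full)
    for row in bucket:
        if hmac.compare_digest(row["hint"], wanted):
            return decrypt_location(full, row["encrypted_location"])
    return None


# ---- constructed sample data ----
LEAKED = "sk_live_EXAMPLE_leaked_0123456789"    # constructed, not a real key
SAFE = "sk_live_EXAMPLE_never_pushed_9876"      # constructed, not a real key


def build_demo_db() -> Dict[str, str]:
    leaked_hash, prefix = fingerprint(LEAKED)
    # Two constructed decoy hashes sharing the prefix: the server cannot tell
    # which of the three rows (if any) belongs to the querying user.
    decoys = [prefix + sha256(f"decoy{i}".encode()).hexdigest()[PREFIX_LEN:] for i in (1, 2)]
    return {
        leaked_hash: "github.com/repoC/commit/PLACEHOLDER",
        decoys[0]: "github.com/repoB/...",
        decoys[1]: "github.com/repoD/...",
        compute_key("an unrelated leaked secret"): "github.com/repoA/...",
    }


if __name__ == "__main__":
    db = build_demo_db()
    print("leaked:", check(LEAKED, db))  # location recovered locally
    print("safe:  ", check(SAFE, db))    # None
```

The point to notice is what each side learns: the server sees a five-character prefix and answers with every row sharing it, so it cannot tell which row (if any) is the user's; the user recognises their row by recomputing the hint from the full hash they kept locally, and only that full hash unlocks the location. The stand-in cipher exists solely to make that locality visible in code; the real scheme is covered in the protocol article the page links to.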
Since 2017, GitGuardian’s detection engine has been scanning every single contribution and event on public GitHub–in repositories, gists, issues, and comments–catching every secret it can find.
We have built a database containing over %ntlss% million leaks, and it’s growing daily!
Taylor:
Hi, Owlie 👋 I’m a security engineer at HotDog Corp. Why should I search for my secrets across all available GitHub content? Why can’t I just scan the code repositories my organization owns?
Owlie:
Sure, Taylor! You should scan your own repositories for secrets, but it’s not enough. Secrets are susceptible to leaks during "out of office hours," often in places lying beyond your organization's perimeter or control.
Also, ‘vaulting’ your secrets is a good practice, but it does not guarantee they will never leak. If you truly want peace of mind, you should audit every secret in your pipeline for leaks.
Taylor:
How does this work? I wouldn't want to share secrets that might be safe out in the open and expose them to you or anyone else.
Owlie:
That’s a valid concern. No one sees or touches your secrets–not even GitGuardian!
Owlie:
HasMySecretLeaked will always:
Owlie:
This is a high-level overview. If you want to dive deeper into the technical details of the data flows, encryption, and more, read "HasMySecretLeaked – Building a Trustless and Secure Protocol".
Taylor:
Thank you for sharing all these details, Owlie! I just tried it and found my secret was safe 😌 How can I audit all my secrets in one go now?
Owlie:
Great news! You should use ggshield, the GitGuardian command-line interface (CLI), to check all your secrets simultaneously. It has a few commands to prepare and check every secret you own for leaks. You can also connect it to your AWS Secrets Manager or HashiCorp Vault and pull your secrets. Keep scrolling, and I will show you what it looks like in your terminal!
Connect ggshield (GitGuardian CLI) with AWS Secrets Manager or HashiCorp Vault, collect all your secrets, and run a leak check in one command! Stay tuned for more integrations!
HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects.
Users can interact with HasMySecretLeaked via the search bar on this webpage or the GitGuardian CLI ggshield. It is also integrated into the GitGuardian Platform in the Secrets Detection module.
HasMySecretLeaked comprises two components: a REST API used to interact with the service and a database containing all secret leaks discovered by GitGuardian on public GitHub. Both the source code of the REST API and the content of the database are closed-source and proprietary. Please note that all the secrets are hashed, and their corresponding locations are encrypted.
HasMySecretLeaked is also integrated into ggshield, the GitGuardian command-line interface application. The CLI is open-source, and its source code is available on the official GitHub repository.
ggshield is a command-line interface application developed by GitGuardian. ggshield helps developers detect and prevent hardcoded secrets (like API keys, certificates, and database connection URLs) before pushing their code to shared repositories. ggshield acts as a wrapper for GitGuardian’s Python API client, py-gitguardian.
The minimum requirements for installing ggshield are:
Note: GitGuardian only supports ggshield v1.12.0 and above. The package runs on macOS, Linux, and Windows.
For more information, please read the official documentation.
HasMySecretLeaked is available for free. Visitors to this web page are given 5 credits daily when using HasMySecretLeaked via the search bar.
Unauthenticated users of the GitGuardian CLI, ggshield, are given 5 credits daily. To get a larger quota, please sign up for a free GitGuardian account. GitGuardian authenticated users are given:
NB. If you have already installed ggshield, run "ggshield auth login" and follow the web-based authentication flow, where you will be asked to log in to an existing account or sign up for a new one.
Widely adopted by developer communities, GitGuardian and ggshield are used by over %nggsu% thousand developers and rank 1st in the security category on GitHub Marketplace. Developers from leading companies, including Instacart, Orange, Iress, Beyond Identity, and NOW: Pensions, use ggshield for secrets scanning.
If you have found a bug or have suggestions for the GitGuardian team to improve ggshield, please visit the official GitHub repository to create an issue.