A hard fork of wraith (which itself is a hard fork of gitrob)
rvsecret detects secrets in git repositories (or localpath). The big differentiator is it is tightly integrated with Github and Gitlab APIs and has no extra dependencies. It's just one binary you can use anywhere (even in scratch containers).
The tool is undergoing a big refactor at the moment, hence it's not stable to be used yet. For detailed refactoring plans checkout TODO.md.
- Gitlab.com repositories and projects
- Github.com repositories and organizations
- Local git repositories
- Local filesystem
- Exclude files, paths, and extensions
- Web and terminal interfaces for real-time results (very much alpha)
- Configurable commit depth
- Compile it (
make build) - Download the signature file to
~/.rvsecret/signatures/ - Use it:
bin/rvsecret-darwin scan local-git-repo --local-repos rumenvasilev/terraformTo build from source, you need Go 1.21.
$ cd $GOPATH/src
$ git clone [email protected]:rumenvasilev/rvsecret.git
$ cd rvsecret
$ make build
$ ./bin/rvsecret-<ARCH> <sub-command>Signatures are the current method used to detect secrets within a target source. They are broken out into the wraith-signatures repo for extensability purposes. This allows them to be independently versioned and developed without having to recompile the code. To make changes just edit an existing signature or create a new one. Check the README in that repo for additional details.
rvsecret will need either a GitLab or Github access token in order to interact with their appropriate API's. You can create a GitLab personal access token, or a Github personal access token and save it in an environment variable in your bashrc, add it to a rvsecret config file, or pass it in on the command line. Passing it in on the commandline should be avoided if possible for security reasons. Of course if you want to eat your own dog food, go ahead and do it that way, then point rvsecret at your command history file. 😈
Fork, PR and lets have a chat. Outstanding work is in TODO.md.