GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → GitGuardian → ggshield-action

GitGuardian / ggshield-action

Licence: MIT license
GitGuardian Shield GitHub Action - Find exposed credentials in your commits

Labels

devopscisecurity-toolsdevsecopsgithub-actionssecrets-detectiongitguardian

Projects that are alternatives of or similar to ggshield-action

ggshield
Find and fix 360+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
Stars: ✭ 1,272 (+318.42%)
Mutual labels:  devsecops, secrets-detection
nightfall dlp action
GitHub Data Loss Prevention (DLP) Action: Scan Pull Requests for sensitive data, like credentials & secrets, PII, credit card numbers, and more.
Stars: ✭ 46 (-84.87%)
Mutual labels:  devsecops, secrets-detection
Threagile
Agile Threat Modeling Toolkit
Stars: ✭ 162 (-46.71%)
Mutual labels:  devsecops
Gg Shield Action
GitGuardian Shield GitHub Action - Find exposed credentials in your commits
Stars: ✭ 248 (-18.42%)
Mutual labels:  devsecops
Containerssh
ContainerSSH: Launch containers on demand
Stars: ✭ 195 (-35.86%)
Mutual labels:  devsecops
Docker Security Images
🔐 Docker Container for Penetration Testing & Security
Stars: ✭ 172 (-43.42%)
Mutual labels:  devsecops
Whispers
Identify hardcoded secrets and dangerous behaviours
Stars: ✭ 66 (-78.29%)
Mutual labels:  devsecops
Nodejsscan
nodejsscan is a static security code scanner for Node.js applications.
Stars: ✭ 1,874 (+516.45%)
Mutual labels:  devsecops
Sast Scan
Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.
Stars: ✭ 234 (-23.03%)
Mutual labels:  devsecops
Checkov
Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
Stars: ✭ 3,572 (+1075%)
Mutual labels:  devsecops
Awesome Devsecops
Curating the best DevSecOps resources and tooling.
Stars: ✭ 188 (-38.16%)
Mutual labels:  devsecops
Threatplaybook
A unified DevSecOps Framework that allows you to go from iterative, collaborative Threat Modeling to Application Security Test Orchestration
Stars: ✭ 173 (-43.09%)
Mutual labels:  devsecops
Awesome Devsecops
An authoritative list of awesome devsecops tools with the help from community experiments and contributions.
Stars: ✭ 2,805 (+822.7%)
Mutual labels:  devsecops
Devsecops
🔱 Collection and Roadmap for everyone who wants DevSecOps.
Stars: ✭ 171 (-43.75%)
Mutual labels:  devsecops
sdp-pipeline-framework
The Solutions Delivery Platform runtime pipeline framework
Stars: ✭ 41 (-86.51%)
Mutual labels:  devsecops
Openrasp
🔥Open source RASP solution
Stars: ✭ 2,036 (+569.74%)
Mutual labels:  devsecops
Sbt Dependency Check
SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). 🌈
Stars: ✭ 187 (-38.49%)
Mutual labels:  devsecops
Riskassessmentframework
The Secure Coding Framework
Stars: ✭ 201 (-33.88%)
Mutual labels:  devsecops
DevSecOps
Ultimate DevSecOps library
Stars: ✭ 4,450 (+1363.82%)
Mutual labels:  devsecops
prowler
Prowler is an Open Source Security tool for AWS, Azure and GCP to perform Cloud Security best practices assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
Stars: ✭ 8,046 (+2546.71%)
Mutual labels:  devsecops
View All Similar Projects ➔

GitGuardian Shield GitHub Action

GitHub Marketplace Docker Image Version (latest semver) License GitHub stars

Find exposed credentials in your commits using GitGuardian shield.

The GitGuardian shield (ggshield) is a CLI application that runs in your local environment or in a CI environment to help you detect more than 200 types of secrets, as well as other potential security vulnerabilities or policy breaks.

GitGuardian shield uses our public API through py-gitguardian to scan your files and detect potential secrets or issues in your code. The /v1/scan endpoint of the public API is stateless. We will not store any files you are sending or any secrets we have detected.

Requirements

  • Have an account on GitGuardian. Sign up now if you haven't before!
  • Create an API key on the API Section of your dashboard.

Project secrets

  • GITGUARDIAN_API_KEY [Required]: Necessary to authenticate to GitGuardian's API. You can set the GITGUARDIAN_API_KEY value in the "Secrets" page of your repository's settings. You can create your API Key here.

Usage

Add a new job to your GitHub workflow using the GitGuardian/ggshield-action action.

name: GitGuardian scan

on: [push, pull_request]

jobs:
  scanning:
    name: GitGuardian scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0 # fetch all history so multiple commits can be scanned
      - name: GitGuardian scan
        uses: GitGuardian/[email protected]
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

Do not forget to add your GitGuardian API Key to the GITGUARDIAN_API_KEY secret in your project settings.

Adding extra options to the action

The following options can be added to the action by using action inputs:

Options:
  --show-secrets  Show secrets in plaintext instead of hiding them.
  --exit-zero     Always return a 0 (non-error) status code, even if issues
                  are found.The env var GITGUARDIAN_EXIT_ZERO can also be used
                  to set this option.

  --all-policies  Present fails of all policies (Filenames, FileExtensions,
                  Secret Detection).By default, only Secret Detection is
                  shown.

  -v, --verbose   Verbose display mode.

Example:

name: GitGuardian scan

on: [push, pull_request]

jobs:
  scanning:
    name: GitGuardian scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0 # fetch all history so multiple commits can be scanned
      - name: GitGuardian scan
        uses: GitGuardian/[email protected]
        with:
          args: -v --all-policies
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

Examples of GitGuardian scanning

Scan output example

This a sample scan result from GitGuardian shield.

If the secret detected has been revoked and you do not wish to rewrite git history, you can use a value of the policy break (for example: the value of |_password_|) or the ignore SHA displayed in your .gitguardian.yaml under matches-ignore.

An example configuration file is available here.

Status example

If there are secret leaks or other security issues in your commit your workflow will be marked as failed.

Be sure to add GitGuardian scan to your required status checks in your repository settings to stop pull requests with security issues from being merged.

License

GitGuardian shield is MIT licensed.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].