One thing white hats and black hats alike often do is search Git repositories for secrets that have been accidentally committed. So we created a bookmarklet that can reveal what secrets might be lurking in any given GitHub repository.
Open source supply chains and code security has been on my mind lately, and one thing white hats and black hats alike often do is search Git repositories for secrets that have been accidentally committed. While playing with the Sourcegraph search console to learn about the different filters/types/options, and to sharpen up on my regex I thought why not create a bookmarklet that can reveal what secrets might be lurking in any given GitHub repository?
Introducing No Secrets!, a bookmarklet that works on any modern browser. Here is how to try it:
This will load the Sourcegraph search console and find all types of secrets ranging from the AWS API to YouTube OAuth credentials. You can then edit that search query to create your own via the console.
No Secrets! is a great way to get started but to truly protect your secrets, you need to automate this process. We use Code monitoring because we love to dogfood. Here are some triggers you can set up to send an email, Slack message, or call a webhook:
Last but not least, you can help make No Secrets! better by contributing to the project. The more secret-catching patterns that are committed can help secure code in open source supply chain.
🍻 Cheers to no more secrets in your public repositories! Join the discussion on Hacker News.
Thanks to the following people for helping with this post: Beyang Liu, André Eleuterio, and Nick Moore.
Justin Dorfman is Sourcegraph's Open Source Program Manager and is responsible for fostering the adoption of code intelligence in the open source community. You can chat with Justin on Twitter @jdorfman or our community Discord
With Sourcegraph, the code understanding platform for enterprise.
Schedule a demo