@iknowjason
Last active January 26, 2024 14:27
Scan for secrets at scale
# Secrets scanning at scale: 3 different tools
# trufflehog
#!/bin/bash
# 1. get all repos: gh repo list <organization> --limit 1000 > repos.txt
#    (the default output is a tab-separated table; gh repo list <organization> --limit 1000 --json url --jq '.[].url'
#    prints one clone URL per line directly, and git/trufflehog accept URLs with or without the trailing .git)
# 2. parse repos.txt so each line looks similar to: https://github.com/username/repo-name.git
# Scan the repos with trufflehog without keeping a local clone (trufflehog clones into a temp dir itself)
# --only-verified reports only credentials trufflehog could actually authenticate with
while IFS= read -r repo
do
  [ -z "$repo" ] && continue            # skip blank lines left over from parsing
  echo "Scanning $repo"
  trufflehog git "$repo" --only-verified < /dev/null   # /dev/null keeps the tool from eating the rest of repos.txt
done < "repos.txt"
# gitleaks
#!/bin/bash
# 1. get all repos: gh repo list <organization> --limit 1000 > repos.txt
# 2. parse repos.txt so each line looks similar to: https://github.com/username/repo-name.git
# Step 1: Download all repos to local
while IFS= read -r line
do
  [ -z "$line" ] && continue
  echo "downloading $line"
  git clone "$line" < /dev/null          # /dev/null keeps git from reading the rest of repos.txt as input
done < "repos.txt"
# Step 2: Scan each clone locally with gitleaks (scans the full git history, not just the working tree)
while IFS= read -r line
do
  [ -z "$line" ] && continue
  repo_name=$(echo "$line" | awk -F/ '{print $NF}' | sed -e 's/\.git$//')
  echo "Scanning locally with gitleaks: $repo_name"
  # if the clone failed, skip it rather than scanning the parent directory
  cd "$repo_name" || { echo "missing clone, skipping: $repo_name" >&2; continue; }
  # gitleaks exits 1 when it finds leaks, so do not run this loop under set -e
  gitleaks detect --verbose --source="./" -f json -r ./gitleaks_report.json
  cd ..
done < "repos.txt"
# detect-secrets
#!/bin/bash
# 1. get all repos: gh repo list <organization> --limit 1000 > repos.txt
# 2. parse repos.txt so each line looks similar to: https://github.com/username/repo-name.git
# Step 1: Download all repos
while IFS= read -r line
do
  [ -z "$line" ] && continue
  echo "downloading $line"
  git clone "$line" < /dev/null          # /dev/null keeps git from reading the rest of repos.txt as input
done < "repos.txt"
# Step 2: Scan each clone locally with detect-secrets
while IFS= read -r line
do
  [ -z "$line" ] && continue
  repo_name=$(echo "$line" | awk -F/ '{print $NF}' | sed -e 's/\.git$//')
  [ -d "$repo_name" ] || { echo "missing clone, skipping: $repo_name" >&2; continue; }
  echo "Scanning locally with detect-secrets: $repo_name"
  # -C runs the scan as if started inside the clone; the JSON baseline goes to stdout, so save it per repo
  detect-secrets -C "$repo_name" scan > "${repo_name}.baseline.json"
done < "repos.txt"
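All three scripts above leave the "parse repos.txt" step to the reader and stop at the first repo that fails. The following is an added example, not code from the gist: it turns the default tab-separated output of `gh repo list` (first column `owner/name`) into the one-URL-per-line file the loops expect, derives the clone directory name the same way the awk/sed pipeline does, and runs a scanner over the list while counting failures instead of aborting. The org name `acme` and the `th` wrapper in the usage comment are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not from the original gist): the "parse repos.txt" step the
# three scripts above leave to the reader, plus a scan loop that survives a
# failing repo. Assumes the default tab-separated output of `gh repo list`,
# whose first column is owner/name.

# Read `gh repo list <org>` output on stdin, write one clone URL per line.
# Column 1 must look like "owner/name"; blank lines and anything else are skipped.
gh_list_to_urls() {
  awk -F'\t' '
    split($1, p, "/") == 2 && p[1] != "" && p[2] != "" && $1 !~ /[[:space:]]/ {
      print "https://github.com/" $1 ".git"
    }'
}

# Directory a clone URL will land in: last path component, minus ".git".
repo_name_from_url() {
  url="${1%/}"                 # tolerate a trailing slash
  url="${url##*/}"             # last path component
  printf '%s\n' "${url%.git}"
}

# scan_all <repos.txt> <command...>: run <command> <url> for every URL, keep
# going when one fails, print the number of failures, return 1 if any failed.
# The scanner gets stdin from /dev/null so it cannot swallow the rest of the list.
scan_all() {
  repos_file="$1"; shift
  failed=0
  while IFS= read -r repo || [ -n "$repo" ]; do
    [ -z "$repo" ] && continue
    if "$@" "$repo" < /dev/null; then
      :
    else
      failed=$((failed + 1))
      printf 'scan failed: %s\n' "$repo" >&2
    fi
  done < "$repos_file"
  printf '%s\n' "$failed"
  [ "$failed" -eq 0 ]
}

# Usage (assumed org name "acme"; the wrapper keeps the URL before the flags,
# matching the trufflehog invocation used in the first script):
#   gh repo list acme --limit 1000 | gh_list_to_urls > repos.txt
#   th() { trufflehog git "$1" --only-verified; }
#   scan_all repos.txt th
```

The failure count is the thing to watch: a scanner that errors on a repo (auth failure, network, a bad URL) is silently a false negative for that repo, so a batch that finishes with a non-zero count has not actually covered the organization.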