/git-alerts

Tool to detect and monitor GitHub org users' public repositories for secrets and sensitive files

Primary LanguageGoApache License 2.0Apache-2.0

GitAlerts

Go Report Card License Release

What problem does it solve?

GitHub repositories created under any organization can be controlled by the GitHub administrators. However any repository created under an organization's user account is not controllable unless the organisation has adopted the GitHub enterprise-managed user (EMU) model.

Any public repository under the organization's user account that was created accidentally or for testing purposes could leak secrets, internal information, code etc. GitAlerts helps you detect and monitor such cases

Example

Can be controlled by the administrator https://github.com/<org>/<org-repo-name>

Can't be controlled by the administrator https://github.com/<org-user>/<org-user-repo-name>

Getting Started

  • Download the binary file for your operating system / architecture from the Official GitHub Releases

  • You can also install git-alerts using homebrew in MacOS and Linux

brew tap boringtools/tap
brew install boringtools/tap/git-alerts
  • Alternatively, build from source

Ensure $(go env GOPATH)/bin is in your $PATH

go install github.com/boringtools/git-alerts@main

Setup GitHub personal access token (PAT) as the environment variable, without PAT GitHub will only allow 60 request per hour.

export GITHUB_PAT=YOUR_GITHUB_PAT

Usage

Scan

Scan GitHub repositories belonging to your organization users

git-alerts scan --org your-org-name

Scan and generate report with custom path

git-alerts scan --org your-org-name --report-path /your/file/path/

Monitor

Monitor new public repositories being created by your organization users

git-alerts monitor --org your-org-name

Monitor new public repositories being created by your organization users with slack notification

git-alerts monitor --org your-org-name --slack-alert

Setup slack webhook token as the environment variable

export SLACK_HOOK=SLACK_WEBHOOK_URL

Secrets

Scan with secrets detection using Trufflehog

Ensure trufflehog is installed in your machine

git-alerts detect --org your-org-name --trufflehog
git-alerts detect --org your-org-name --trufflehog-verified

Scan with secrets detection using Gitleaks

Ensure Gitleaks is installed in your machine

git-alerts detect --org your-org-name --gitleaks

Documentation

docs

Please feel to reach out for any feedback and suggestions

Star History

Star History Chart