secrets-detector

Secrets Detector

Quick Start

Scan for secrets using gitleaks:

```bash
# Install
brew install gitleaks          # macOS
# or install the alternative scanner used below
pip install detect-secrets

# Scan current directory
gitleaks detect --source .
```

Instructions

Step 1: Choose Detection Tool

Gitleaks (recommended):

```bash
gitleaks detect --source . --verbose
```

detect-secrets:

```bash
detect-secrets scan . --all-files
```

Manual grep patterns (pass `-E`: without it, grep reads `{16}` as literal text rather than a repetition count and the pattern never matches):

```bash
grep -rnE "AKIA[0-9A-Z]{16}" .       # AWS Access Key
grep -rnE "ghp_[a-zA-Z0-9]{36}" .    # GitHub Token
```

Step 2: Scan for Common Patterns

| Secret Type | Pattern | Example |
|---|---|---|
| AWS Access Key | `AKIA[0-9A-Z]{16}` | `AKIAIOSFODNN7EXAMPLE` |
| AWS Secret Key | `[A-Za-z0-9/+=]{40}` | `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY` |
| GitHub Token | `ghp_[a-zA-Z0-9]{36}` | `ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` |
| GitHub OAuth | `gho_[a-zA-Z0-9]{36}` | `gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` |
| Slack Token | `xox[baprs]-[0-9a-zA-Z-]+` | `xoxb-123456789-abcdefghij` |
| Private Key | `-----BEGIN.*PRIVATE KEY-----` | RSA/EC private keys |
| Generic API Key | `api[_-]?key.*=.*['"][a-zA-Z0-9]{20,}` | `api_key = "abc123..."` |
| Generic Password | `password.*=.*['"][^'"]+['"]` | `password = "secret123"` |

The AWS Secret Key pattern matches any 40-character base64-like string, SHA-1 hex digests included, so treat a hit as a secret only when it sits next to an access key ID or an AWS-related variable name.

Step 3: Check Git History

A secret deleted from the working tree still exists in every commit that contained it, so scan history as well:

```bash
# Scan entire git history
gitleaks detect --source . --log-opts="--all"

# Check specific commits
git log -p --all -S 'password' --source
```

Step 4: Categorize Findings

Critical - Immediate rotation required:
  • Cloud provider credentials (AWS, GCP, Azure)
  • Database connection strings
  • Private keys
High - Rotate soon:
  • API keys for external services
  • OAuth tokens
  • Webhook secrets
Medium - Review and rotate:
  • Internal service tokens
  • Test credentials that might be reused

Step 5: Report Findings

```markdown
# Secrets Detection Report

## Critical (1)

1. AWS Secret Key - config/aws.js:12
   - Type: AWS credentials
   - Action: Rotate immediately in AWS console

## High (2)

1. GitHub Token - scripts/deploy.sh:45
   - Type: Personal access token
   - Action: Revoke and regenerate
2. Slack Webhook - src/notifications.js:23
   - Type: Incoming webhook URL
   - Action: Regenerate webhook
```
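Steps 1 through 5 as one runnable Python example, added here and not part of the page's tooling or of gitleaks/detect-secrets: it applies the Step 2 regexes to a set of files, assigns the Step 4 severity tiers, and renders the Step 5 report. The sample file contents, the rule-to-tier mapping and the remediation strings are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Detection rules: (secret type, regex, severity tier from Step 4).
# Regexes are the ones from the Step 2 table; the generic ones are compiled
# case-insensitively so `API_KEY = "..."` is caught as well as `api_key`.
# The bare 40-char AWS secret pattern is left out on purpose: alone it
# matches hashes and other noise (see Common False Positives).
RULES = [
    ("AWS Access Key", re.compile(r"AKIA[0-9A-Z]{16}"), "Critical"),
    ("Private Key", re.compile(r"-----BEGIN.*PRIVATE KEY-----"), "Critical"),
    ("GitHub Token", re.compile(r"ghp_[A-Za-z0-9]{36}"), "High"),
    ("GitHub OAuth", re.compile(r"gho_[A-Za-z0-9]{36}"), "High"),
    ("Slack Token", re.compile(r"xox[baprs]-[0-9A-Za-z-]+"), "High"),
    ("Generic API Key", re.compile(r"api[_-]?key.*=.*['\"][A-Za-z0-9]{20,}", re.I), "Medium"),
    ("Generic Password", re.compile(r"password.*=.*['\"][^'\"]+['\"]", re.I), "Medium"),
]

# Remediation text per secret type (assumed wording, mirroring the Step 5 report).
ACTIONS = {
    "AWS Access Key": "Rotate immediately in the AWS console",
    "Private Key": "Generate a new key pair and remove the old public key wherever it is trusted",
    "GitHub Token": "Revoke and regenerate",
    "GitHub OAuth": "Revoke the grant and re-authorize",
    "Slack Token": "Regenerate the token",
    "Generic API Key": "Rotate with the issuing service",
    "Generic Password": "Change the password and move it out of source",
}

SEVERITY_ORDER = ("Critical", "High", "Medium")


def scan_text(path, text):
    """Apply every rule to every line; one finding per (line, rule) hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx, severity in RULES:
            m = rx.search(line)
            if m:
                findings.append({"type": name, "severity": severity,
                                 "path": path, "line": lineno, "match": m.group(0)})
    return findings


def scan_files(files):
    """files: mapping path -> contents. Findings come back ordered by tier."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))  # stable sort
    return findings


def render_report(findings):
    """Render the Markdown layout from Step 5. Matched values are not echoed,
    so the report does not become a second copy of each secret."""
    by_sev = defaultdict(list)
    for f in findings:
        by_sev[f["severity"]].append(f)
    out = ["# Secrets Detection Report", ""]
    for sev in SEVERITY_ORDER:
        items = by_sev.get(sev)
        if not items:
            continue
        out.append(f"## {sev} ({len(items)})")
        out.append("")
        for i, f in enumerate(items, 1):
            out.append(f"{i}. {f['type']} - {f['path']}:{f['line']}")
            out.append(f"   - Action: {ACTIONS[f['type']]}")
        out.append("")
    return "\n".join(out)


# Constructed sample repository (no real credentials: the AWS value is the
# documented AWS example key ID, the GitHub token is 36 repeated characters).
SAMPLE_FILES = {
    "config/aws.js": 'const accessKeyId = "AKIAIOSFODNN7EXAMPLE";\nconst region = "us-east-1";\n',
    "scripts/deploy.sh": '#!/bin/sh\nexport GH_TOKEN="ghp_' + "A" * 36 + '"\n',
    "src/notifications.js": 'const slack = "xoxb-123456789-abcdefghij";\n',
    "README.md": "Set API_KEY in your environment before running.\n",
}

if __name__ == "__main__":
    print(render_report(scan_files(SAMPLE_FILES)))
```

Running the file prints a report with one Critical and two High findings for the sample tree; the README line mentioning `API_KEY` is not reported because the generic rule requires an assignment with a quoted value.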

Prevention

Pre-commit Hook

```yaml
# .pre-commit-config.yaml
repos:
```
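An added example, not the page's own hook and not the pre-commit framework's gitleaks hook: a stand-alone Python pre-commit hook that runs `git diff --cached --unified=0` and scans only the lines the commit adds, so a secret being removed does not block the commit. Save it as `.git/hooks/pre-commit`, make it executable, and git runs it before each commit; a non-zero exit aborts the commit. The rule set and the sample diff are constructed for the example.

```python
#!/usr/bin/env python3
"""Pre-commit hook: scan only the added lines of the staged diff for secrets."""
import re
import subprocess
import sys

# A compact rule set for the hook (assumed subset of the Step 2 table).
RULES = {
    "AWS Access Key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "GitHub Token": re.compile(r"gh[po]_[A-Za-z0-9]{36}"),
    "Slack Token": re.compile(r"xox[baprs]-[0-9A-Za-z-]+"),
    "Private Key": re.compile(r"-----BEGIN.*PRIVATE KEY-----"),
}

# Unified-diff hunk header; group 1 is the first line number on the new side.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Walk a unified diff and return (path, new_line, rule, match) for every
    added line that hits a rule. Removed lines are skipped: deleting a secret
    is not a reason to block the commit (history cleanup is Step 3)."""
    findings = []
    path = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):              # new-side file name, e.g. "+++ b/config/aws.js"
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("--- "):            # old-side file name
            continue
        elif HUNK_RE.match(raw):                # hunk header resets the line counter
            new_line = int(HUNK_RE.match(raw).group(1))
        elif raw.startswith("+"):               # added line: scan it, then advance
            content = raw[1:]
            for rule, rx in RULES.items():
                m = rx.search(content)
                if m:
                    findings.append((path, new_line, rule, m.group(0)))
            new_line += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue                            # removed line / "\ No newline at end of file"
        else:
            new_line += 1                       # context line (absent with --unified=0)
    return findings


def main():
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    findings = scan_diff(diff)
    for path, line, rule, match in findings:
        # Print only a prefix of the match so the terminal log is not another leak.
        print(f"{path}:{line}: {rule} ({match[:6]}...)", file=sys.stderr)
    if findings:
        print("commit blocked: remove or rotate the secret(s) above", file=sys.stderr)
        return 1
    return 0


# Constructed staged diff: one file adds the AWS example key, another removes
# an old mention of it. Only the addition should be reported.
SAMPLE_DIFF = """\
diff --git a/config/aws.js b/config/aws.js
index 1111111..2222222 100644
--- a/config/aws.js
+++ b/config/aws.js
@@ -11,0 +12,2 @@ module.exports = {
+  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
+  region: "us-east-1",
diff --git a/README.md b/README.md
index 3333333..4444444 100644
--- a/README.md
+++ b/README.md
@@ -3 +3 @@
-The old README mentioned AKIAIOSFODNN7EXAMPLE by mistake.
+The old README line was removed.
"""

if __name__ == "__main__":
    sys.exit(main())
```

Scanning the staged diff rather than the whole tree keeps the hook fast on large repositories and avoids re-reporting secrets that already exist in committed files; those are the job of the full `gitleaks detect` run above.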

.gitignore Patterns

```gitignore
# Environment files
.env
.env.local
.env.*.local

# Key files
*.pem
*.key
*_rsa
*_ecdsa
*_ed25519

# Config with secrets
config/secrets.yml
credentials.json
```

Environment Variables

Move secrets to environment variables:

```javascript
// BAD
const apiKey = "sk-abc123...";

// GOOD
const apiKey = process.env.API_KEY;
```

Common False Positives

  • Example/placeholder values in documentation
  • Test fixtures with fake credentials
  • Base64-encoded non-secret data
  • Hash values (SHA, MD5)
Review each finding to confirm it's a real secret before taking action.
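The false-positive classes listed above as triage heuristics, added here as a Python example that is not part of the page's tooling: placeholder markers, hex digest lengths, base64 that decodes to plain text, and low entropy on key-length values. The marker list, the entropy threshold and the sample values are assumptions; a "likely-secret" verdict still means a human confirms it before rotation, as the page says.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Substrings that mark documentation placeholders (assumed list; the AWS and
# GitHub examples in the Step 2 table all contain one of these).
PLACEHOLDER_MARKERS = ("example", "placeholder", "changeme", "your_", "xxxx", "<", ">")

# Hex digest lengths that trip the 40-char AWS secret pattern and similar rules.
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def shannon_entropy(value):
    """Bits per character: random keys score roughly 4.5-5.5, repeated text far lower."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decodes_to_text(value):
    """True when the value is strict base64 of printable ASCII, i.e. encoded
    plain data rather than key material."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return False
    return len(text) > 0 and all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def classify(value):
    """Return (verdict, reason). 'likely-false-positive' means one of the
    classes above explains the hit; 'likely-secret' means no such signal was
    found and the finding goes to manual review."""
    lowered = value.lower()
    for marker in PLACEHOLDER_MARKERS:
        if marker in lowered:
            return ("likely-false-positive", f"contains placeholder marker '{marker}'")
    if HEX_RE.match(value) and len(value) in HEX_DIGEST_LENGTHS:
        return ("likely-false-positive",
                f"looks like a {HEX_DIGEST_LENGTHS[len(value)]} hex digest")
    if decodes_to_text(value):
        return ("likely-false-positive", "base64 of printable text, not key material")
    # Entropy is only meaningful for key-length values; short passwords are
    # low-entropy by nature and still need rotating.
    if len(value) >= 16 and shannon_entropy(value) < 3.0:
        return ("likely-false-positive", "low entropy for a key-length value")
    return ("likely-secret", "no false-positive signal; confirm before rotating")


def triage(values):
    """Map each candidate value to its (verdict, reason)."""
    return {v: classify(v) for v in values}


# Constructed candidates: the page's two AWS examples, md5("hello"),
# base64("hello world"), a repeated pattern, and a random-looking token.
SAMPLE_HITS = (
    "AKIAIOSFODNN7EXAMPLE",
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "5d41402abc4b2a76b9719d911017c592",
    "aGVsbG8gd29ybGQ=",
    "abcabcabcabcabcabcabcabc",
    "ghp_Q7vR2kLm9XpZ4sTb8NcJ1wHd6yFg3uEa5oIr",
)

if __name__ == "__main__":
    for value, (verdict, reason) in triage(SAMPLE_HITS).items():
        print(f"{verdict:22} {reason:45} {value[:8]}...")
```

The checks run in order of confidence: a placeholder marker or a digest-length hex string is a near-certain false positive, while the entropy test is a weak signal and is gated on length so that a real but weak password such as `secret123` is not silently dropped from the report.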