Status: in active development. You will probably run into many bugs!
HungryFox is a tool for continuously searching your repositories for leaks of sensitive information such as passwords, API keys and private certificates.
HungryFox differs from other solutions in that it can run as a daemon, efficiently scanning each new commit in a repository and sending a notification about any leaks it finds.
HungryFox works on regex patterns only and does not use entropy analysis, because in my opinion that approach generates a lot of false positives. Entropy analysis may be added in the future.
It is hard to write a regex pattern that simultaneously finds all leaks and does not generate a lot of false positives, so in addition to regex patterns HungryFox has regex filters. You can write a weak (broad) regex pattern to search for leaks and skip the known false positives with the help of regex filters.
- Patterns and filters
- State support
- Notifications by email
- History limit by time
- GitHub-support
- Written in pure Go, with no requirement for an external git (wait)
- Line number of the leak (wait)
- GitHook support
- HTTP Api
- WebUI
- Tests
- Integration with Hashicorp Vault
```
go get github.com/AlexAkulov/hungryfox/cmd/hungryfox
```
From packagecloud.io
```yaml
common:
  state_file: /var/lib/hungryfox/state.yml
  history_limit: 1y
  scan_interval: 30m
  log_level: debug
  leaks_file: /var/lib/hungryfox/leaks.json
smtp:
  enable: true
  host: smtp.kontur
  port: 25
  mail_from: hungryfox@example.com
  disable_tls: true
  recipient: security@example.com
  sent_to_author: false
webhook:
  enable: true
  method: POST
  url: https://example.com/webhook
  headers:
    x-sample-header: value
inspect:
  # Inspects your local repositories for leaks without clone or fetch. Suitable for running on the git server itself
  - type: path
    trim_prefix: "/var/volume/repositories"
    trim_suffix: ".git"
    url: https://gitlab.example.com
    paths:
      - "/data/gitlab/repositories/*/*.git"
      - "/data/gitlab/repositories/*/*/*.git"
      - "!/data/gitlab/repositories/excluded/repo.git"
  # Inspects repositories on GitHub for leaks. HungryFox clones them into work_dir and fetches them before scanning
  - type: github
    token: # required for scanning private repositories
    work_dir: "/var/hungryfox/github"
    users:
      - AlexAkulov
    repos:
      - moira-alert/moira
    orgs:
      - skbkontur
patterns:
  - name: secret in my code # not required
    file: \.go$ # .+ by default
    content: (?i)secret = ".+" # .+ by default
filters:
  - name: skip any leaks in tests # not required
    file: /IntegrationTests/.+_test\.go$ # .+ by default
    # content: # .+ by default
```
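To make the pattern/filter interplay from the introduction and the `patterns` / `filters` sections of the config concrete, here is a small added Go example (written for this README, not HungryFox's own code) that implements the matching rule as described: a line is reported when some pattern's `file` and `content` regexes both match, unless some filter's `file` and `content` regexes also match, with `.+` substituted for any omitted regex. The rules are the ones from the sample config above; the `SampleCommit` data is constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule is one entry from the README's `patterns` or `filters` list: a regex on
// the file path and a regex on the line content. Either defaults to ".+" when
// omitted in the config, as the README's comments state.
type Rule struct {
	Name    string
	File    *regexp.Regexp
	Content *regexp.Regexp
}

// NewRule compiles a rule, substituting the ".+" default for an empty regex.
func NewRule(name, file, content string) Rule {
	if file == "" {
		file = ".+"
	}
	if content == "" {
		content = ".+"
	}
	return Rule{Name: name, File: regexp.MustCompile(file), Content: regexp.MustCompile(content)}
}

// Matches reports whether both the path regex and the content regex match.
func (r Rule) Matches(path, line string) bool {
	return r.File.MatchString(path) && r.Content.MatchString(line)
}

// Leak is one finding: which pattern fired, in which file, on which line.
type Leak struct {
	Pattern string
	Path    string
	Line    string
}

// Scanner holds the compiled patterns and filters from the config.
type Scanner struct {
	Patterns []Rule
	Filters  []Rule
}

// Scan applies every pattern to every line of one file and drops any hit
// that at least one filter also matches: the "weak pattern, then filter the
// known false positives" approach described in the README.
func (s Scanner) Scan(path string, lines []string) []Leak {
	var leaks []Leak
	for _, line := range lines {
		for _, p := range s.Patterns {
			if p.Matches(path, line) && !s.filtered(path, line) {
				leaks = append(leaks, Leak{Pattern: p.Name, Path: path, Line: line})
			}
		}
	}
	return leaks
}

func (s Scanner) filtered(path, line string) bool {
	for _, f := range s.Filters {
		if f.Matches(path, line) {
			return true
		}
	}
	return false
}

// DefaultScanner builds a Scanner from the pattern and filter in the README's
// sample config (the filter's content regex is omitted there, so it defaults to ".+").
func DefaultScanner() Scanner {
	return Scanner{
		Patterns: []Rule{NewRule("secret in my code", `\.go$`, `(?i)secret = ".+"`)},
		Filters:  []Rule{NewRule("skip any leaks in tests", `/IntegrationTests/.+_test\.go$`, "")},
	}
}

// SampleFile stands in for the added lines of one file in a commit.
type SampleFile struct {
	Path  string
	Lines []string
}

// SampleCommit is constructed test data, not output from a real repository.
var SampleCommit = []SampleFile{
	{"internal/auth/config.go", []string{`package auth`, `var secret = "constructed-example-value"`}},
	{"pkg/IntegrationTests/auth_test.go", []string{`secret = "test-only-fixture"`}}, // suppressed by the filter
	{"docs/README.md", []string{`secret = "documented-example"`}},                  // not a .go file, pattern never applies
}

// ScanCommit runs the scanner over every file of a commit.
func ScanCommit(s Scanner, files []SampleFile) []Leak {
	var all []Leak
	for _, f := range files {
		all = append(all, s.Scan(f.Path, f.Lines)...)
	}
	return all
}

func main() {
	for _, l := range ScanCommit(DefaultScanner(), SampleCommit) {
		fmt.Printf("pattern %q matched in %s: %s\n", l.Pattern, l.Path, l.Line)
	}
}
```

Running it reports only the hit in `internal/auth/config.go`: the test fixture is suppressed by the filter even though the pattern matched it, and the Markdown file is never considered because the pattern's `file` regex requires a `.go` path. Note that a filter with no `content` regex suppresses every line in the matching files, so scope such filters narrowly.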
We use HungryFox to scan ~3.5K repositories on our GitLab server and about one hundred repositories on GitHub.