Last active
January 17, 2023 18:19
-
-
Save jfgordon2/401032dc13f7d4ca6c6a0d6699255e80 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Scan all local repos for secrets using gitleaks | |
| # Usage: gitleaks-scan.sh [--path <path>] [--config <path>] [--report <path>] | |
| function show_help(){ | |
| printf "\e[1m%s\e[0m%s" "Usage: " "$0 [--path <path>] [--config <path>] [--report <path>]" | |
| echo "" | |
| echo "Scans all local repos for secrets using gitleaks" | |
| echo "" | |
| echo "Options:" | |
| echo " --path <path> Path to the folder containing all repos to scan" | |
| echo " --config <path> Path to the gitleaks config file" | |
| echo " --report <path> Path to the folder where the reports will be saved" | |
| echo " --help Show this help" | |
| echo " --verbose GitLeaks verbose details" | |
| echo "" | |
| printf "\e[1m%s\e[0m" "Requirements:" | |
| echo " gitleaks: https://github.com/zricethezav/gitleaks" | |
| exit 0 | |
| } | |
| # Requires gitleaks: | |
| if ! command -v gitleaks &>/dev/null; then | |
| printf "\e[1m%s\e[0m" "gitleaks not installed" | |
| echo "See https://github.com/zricethezav/gitleaks" | |
| exit 1 | |
| fi | |
| # Set defaults | |
| path="$HOME/GitHub" | |
| config="" | |
| report_path="$HOME/Desktop/GitLeaks" | |
| additional_args="--redact --no-banner --log-level warn" | |
| # Parse arguments | |
| while true; do | |
| if [ -z "$1" ]; then | |
| break | |
| fi | |
| case "$1" in | |
| --path) | |
| path="$2" | |
| shift 2 | |
| ;; | |
| --config) | |
| config="$2" | |
| shift 2 | |
| ;; | |
| --report) | |
| report_path="$2" | |
| shift 2 | |
| ;; | |
| --help) | |
| show_help | |
| ;; | |
| --verbose) | |
| additional_args="$additional_args --verbose" | |
| shift 1 | |
| ;; | |
| *) | |
| echo "Unknown argument: $1" | |
| echo "" | |
| echo "Run $0 --help for usage" | |
| exit 1 | |
| ;; | |
| esac | |
| done | |
| if [ ! -d "$path" ]; then | |
| echo "Path $path does not exist" | |
| exit 1 | |
| fi | |
| if [ ! -d "$report_path" ]; then | |
| echo "Report path $report_path does not exist" | |
| exit 1 | |
| fi | |
| if [ -n "$config" ] && [ ! -f "$config" ]; then | |
| echo "Config file $config does not exist" | |
| exit 1 | |
| fi | |
| if [ -z "$config" ]; then | |
| config="$path"/.gitleaks.toml | |
| echo "Using config file $config" | |
| wget -O "$config" https://raw.githubusercontent.com/zricethezav/gitleaks/master/config/gitleaks.toml &>/dev/null | |
| fi | |
| echo "Scanning $path for secrets" | |
| echo "" | |
| # Scan all repos inside the provided folder | |
| for repo in "$path"/*/; do | |
| if [ -d "$repo" ]; then | |
| folder_name=$(basename "$repo") | |
| report_file="$report_path/$folder_name-report.json" | |
| # check for .git directory | |
| if [ ! -d "$repo"/.git ]; then | |
| echo "Skipping $repo - not a git repo" | |
| continue | |
| fi | |
| # update config toml | |
| echo "Scanning $repo" | |
| gitleaks detect --source="$repo" --config="$config" --report-path="$report_file" $additional_args | |
| # if empty file, delete it | |
| if [ ! -f "$report_file" ] || [ "$(cat "$report_file")" = "[]" ]; then | |
| rm "$report_file" | |
| else | |
| echo "Report saved to $report_file" | |
| echo "" | |
| fi | |
| fi | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment