
Monitoring for leaks of sensitive information in git repositories


AlexAkulov/hungryfox


HungryFox


State: in development! You will probably hit many bugs.

HungryFox is a tool that continuously searches your repositories for leaks of sensitive information such as passwords, API keys and private certificates.

HungryFox differs from other solutions in that it can run as a daemon, efficiently scans each new commit in a repository and sends a notification about every leak it finds.

HungryFox works on regex patterns only and does not use entropy analysis, because in my opinion that approach generates a lot of false positives. Entropy analysis may be added in the future.

It is hard to write a regex pattern good enough to find every leak without also generating many false positives, so in addition to regex patterns HungryFox has regex filters. You can write a weak regex pattern to search for leaks and skip the known false positives with the help of regex filters.

Features

- Patterns and filters
- State support
- Notifications by email
- History limit by time
- GitHub support
- Written in pure Go, no external git required (wait)
- Line number of the leak (wait)
- GitHook support
- HTTP API
- WebUI
- Tests
- Integration with HashiCorp Vault

Installation

From Sources

```sh
go get github.com/AlexAkulov/hungryfox/cmd/hungryfox
```

Configuration

```yaml
common:
  state_file: /var/lib/hungryfox/state.yml
  history_limit: 1y
  scan_interval: 30m
  log_level: debug
  leaks_file: /var/lib/hungryfox/leaks.json

smtp:
  enable: true
  host: smtp.kontur
  port: 25
  mail_from: hungryfox@example.com
  disable_tls: true
  recipient: security@example.com
  sent_to_author: false

webhook:
  enable: true
  method: POST
  url: https://example.com/webhook
  headers:
    x-sample-header: value

inspect:
  # Inspects your local repositories for leaks without cloning or fetching. Suitable for running on the git server
  - type: path
    trim_prefix: "/var/volume/repositories"
    trim_suffix: ".git"
    url: https://gitlab.example.com
    paths:
      - "/data/gitlab/repositories/*/*.git"
      - "/data/gitlab/repositories/*/*/*.git"
      - "!/data/gitlab/repositories/excluded/repo.git"
  # Inspects repositories on GitHub. HungryFox clones them into work_dir and fetches them before scanning
  - type: github
    token: # required for scanning private repositories
    work_dir: "/var/hungryfox/github"
    users:
      - AlexAkulov
    repos:
      - moira-alert/moira
    orgs:
      - skbkontur

patterns:
  - name: secret in my code                 # not required
    file: \.go$                             # .+ by default
    content: (?i)secret = ".+"              # .+ by default

filters:
  - name: skip any leaks in tests           # not required
    file: /IntegrationTests/.+_test\.go$    # .+ by default
    # content:                              # .+ by default
```
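The pattern/filter scheme in the config above, as an added Go illustration that is not HungryFox's own code: a rule hits only when both its file regex and its content regex match, a filter hit suppresses the line, and the omitted filter `content` is spelled out as the `.+` default the comments describe. The scanned lines and paths are constructed sample input.

```go
package main

import "regexp"

// Rule is the shape shared by HungryFox "patterns" and "filters": a regex on the
// file path and one on the line content (the README says both default to ".+").
type Rule struct{ File, Content *regexp.Regexp }

type Line struct{ Path, Text string }

func NewRule(file, content string) Rule {
	return Rule{regexp.MustCompile(file), regexp.MustCompile(content)}
}

// hits is true only when both the path regex and the content regex match.
func (r Rule) hits(l Line) bool {
	return r.File.MatchString(l.Path) && r.Content.MatchString(l.Text)
}

// FindLeaks returns every line some pattern hits and no filter hits. This is an
// added illustration of HungryFox's pattern/filter scheme, not the project's code.
func FindLeaks(patterns, filters []Rule, lines []Line) []Line {
	var leaks []Line
next:
	for _, l := range lines {
		for _, f := range filters {
			if f.hits(l) {
				continue next // known false positive: skip the whole line
			}
		}
		for _, p := range patterns {
			if p.hits(l) {
				leaks = append(leaks, l)
				break // report each line once
			}
		}
	}
	return leaks
}

// Rules from the README's config plus constructed lines to scan (not real data).
var (
	Patterns = []Rule{NewRule(`\.go$`, `(?i)secret = ".+"`)}
	Filters  = []Rule{NewRule(`/IntegrationTests/.+_test\.go$`, `.+`)}
	Sample   = []Line{
		{"cmd/server/config.go", `secret = "hunter2"`},           // reported
		{"pkg/IntegrationTests/db_test.go", `SECRET = "fixture"`}, // filtered
		{"deploy/README.md", `secret = "not-a-go-file"`},         // wrong file type
	}
)
```

Run it from a test or a small `main` that prints `FindLeaks(Patterns, Filters, Sample)`; only the `config.go` line comes back.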

Performance

We use HungryFox to scan ~3.5K repositories on our GitLab server and about one hundred repositories on GitHub.

Alternatives