HungryFox

State: In development now! You probably will get many bugs!

HungryFox is a software for continuous search for leaks of sensitive information like passwords, api-keys, private certificates and etc in your repositories.

HungryFox differs from other solutions as it can work as a daemon and efficiently scans each new commit in repo and sends notification about found leaks.

HungryFor works on regex-patterns only and does not use analyze by entropy because in my opinion this way generates a lot of false positive events. Maybe analyse by entropy will be added in future.

It is hard to write a good enough regex-pattern that could simultaneously find all leaks and not to generate a lot of false positive events so HungryFox in addition with regex-patterns has regex-filters. You can write weak regex-pattern for search leaks and skip known false positive with the help of regex-filters.

Features

• Patterns and filters
• State support
• Notifications by email
• History limit by time
• GitHub-support
• Written on pure go and no requirement of external git (wait)
• Line number of leak (wait)
• GitHook support
• HTTP Api
• WebUI
• Tests
• Integration with Hashicorp Vault

Installation

From Sources

go get github.com/AlexAkulov/hungryfox/cmd/hungryfox

From packagecloud.io

Configuation

common:
  state_file: /var/lib/hungryfox/state.yml
  history_limit: 1y
  scan_interval: 30m
  log_level: debug
  leaks_file: /var/lib/hungryfox/leaks.json

smtp:
  enable: true
  host: smtp.kontur
  port: 25
  mail_from: [email protected]
  disable_tls: true
  recipient: [email protected]
  sent_to_author: false

webhook:
  enable: true
  method: POST
  url: https://example.com/webhook
  headers:
    x-sample-header: value

inspect:
  # Inspects for leaks in your local repositories without clone or fetch. It is suitable for running on git-server
  - type: path
    trim_prefix: "/var/volume/repositories"
    trim_suffix: ".git"
    url: https://gitlab.example.com
    paths:
      - "/data/gitlab/repositories/*/*.git"
      - "/data/gitlab/repositories/*/*/*.git"
      - "!/data/gitlab/repositories/excluded/repo.git"
  # Inspects for leaks on GitHub. HungryFox will clone the repositories into work_dir and fetch them before scannig
  - type: github
    token: # is required for scanning private repositories
    work_dir: "/var/hungryfox/github"
    users:
      - AlexAkulov
    repos:
      - moira-alert/moira
    orgs:
      - skbkontur

patterns:
  - name: secret in my code                 # not required
    file: \.go$                             # .+ by default
    content: (?i)secret = ".+"              # .+ by default

filters:
  - name: skip any leaks in tests           # not required
    file: /IntegrationTests/.+_test\.go$    # .+ by default
    # content:                              # .+ by default

Performance

We use HungryFox for scanning ~3,5K repositories on our GitLab server and about one hundred repositories on GitHub

Alternatives

• Gitrob by michenriksen
• Gitleaks by zricethezav
• git-secrets by AWSLabs
• Truffle Hog by dxa4481
• repo-scraper by dssg
• Security Scan by onetwopunch
• repo-security-scanner by UKHomeOffice
• detect-secrets by Yelp
• Github Dorks by techgaun
• Repo Supervisor by Auth0
• git-all-secrets by anshumanbh