README
¶
diffence
- Checks a git diff for passwords/secret keys accidentally committed
- Golang 1.7+
Check the entire history of current branch for passwords/keys committed
$ git log -p | diffence
Example
$ git log -p --full-diff | diffence
------------------
Violation 1
Commit: 4cc087a1b4731d1017844cc86323df43068b0409
File: web/src/db/seed.sql
Reason: "SQL dump file"
------------------
Violation 2
Commit: 142e6019248c0d53a5240242ed1a75c0cc110a0b
File: config/passwords.ini
Reason: "Contains word: password"
Add false positives to .secignore
$ cat .secignore
file/that/is/not/really/a/secret/but/looks/like/one/to/diffence
these/pems/are/ok/*.pem
Install
Binary
Download the latest stable release.
CLI
$ go get -u github.com/techjacker/diffence/cmd/diffence
Library
$ go get -u github.com/techjacker/diffence
CLI tool
Example Usage
$ touch key.pem
$ git add -N key.pem
$ git diff --stat HEAD
gds HEAD
key.pem | 0
1 file changed, 0 insertions(+), 0 deletions(-)
$ git diff HEAD |diffence
File key.pem violates 1 rules:
Caption: Potential cryptographic private key
Description: <nil>
Part: extension
Pattern: pem
Type: match
Rules
- Analyse fPaths with gitrob rules
- Analyse added lines - need to find/create ruleset that can analyse file contents
- Add option to use your own rules again file path/contents
Tests
$ go test ./...
Local Development
Build & Run Locally
$ go install -race ./cmd/diffence
OR
$ go build -race ./cmd/diffence
Check for race conditions
$ go run -race ./cmd/diffence/main.go
Documentation
¶
Index ¶
- Constants
- func LoadDefaultRules() (*[]Rule, error)
- func LoadRulesJSON(fPath string) (*[]Rule, error)
- func LoadRulesJSONFromPwd(rulesPath string) *[]Rule
- func ScanDiffs(data []byte, atEOF bool) (advance int, token []byte, err error)
- func SplitDiffHashKey(s string) (string, string)
- func SplitDiffs(r io.Reader, l List) error
- type Checker
- type Diff
- type DiffChecker
- type DiffItem
- type Ignorer
- type List
- type Logger
- type MatchedRules
- type Matcher
- type Result
- type Results
- type Rule
Constants ¶
const ( // RuleTypeRegex is the regex type for pattern matching RuleTypeRegex = "regex" // RuleTypeMatch is the string match type for pattern matching RuleTypeMatch = "match" )
https://github.com/michenriksen/gitrob#signature-keys
const ( // RulePartPath checks the whole path of the file RulePartPath = "path" // RulePartFilename checks the name of the file RulePartFilename = "filename" // RulePartExtension checks the extension of the file RulePartExtension = "extension" )
Variables ¶
This section is empty.
Functions ¶
func LoadDefaultRules ¶
LoadDefaultRules unmarshalls the go generated byte slice of the gitrob JSON rules file
func LoadRulesJSON ¶
LoadRulesJSON reads a file of JSON rules from the local filesystem
func LoadRulesJSONFromPwd ¶
LoadRulesJSONFromPwd reads a rules JSON from a path relative to the process's pwd
func SplitDiffHashKey ¶
SplitDiffHashKey splits a DiffItem's hash key
Types ¶
type DiffChecker ¶
DiffChecker checks an io.Reader for matches against the supplied ruleset
type DiffItem ¶
type DiffItem struct {
// contains filtered or unexported fields
}
DiffItem is a diff struct for an inidividual file
func (*DiffItem) GetHashKey ¶
GetHashKey returns the hash key identifier for the diff
type Ignorer ¶
type Ignorer struct {
// contains filtered or unexported fields
}
Ignorer is used to exclude content in .secignore files
func NewIgnorer ¶
NewIgnorer will create an Ignorer from a read stream
func NewIgnorerFromFile ¶
NewIgnorerFromFile will safely create an Ignorer whether the file exists or not
type Logger ¶
type Logger interface {
Print(v ...interface{})
Printf(format string, v ...interface{})
}
Logger is the logger interface
type MatchedRules ¶
MatchedRules is slice of matched rules for each file in diff [fPath] => Rule{rule1, rule2}
type Result ¶
type Result struct {
// Have any of the files matches against the rules?
Matched bool
MatchedRules MatchedRules
}
Result compiles the results of matched rules for a diff
Source Files
Directories