Securelog Scan
Securelog Scan is a fast, resilient tool that detects secrets like API keys and tokens in your codebase. It scans .env files, parses .git history, and analyzes files line by line to ensure security.
Installation
yarn global add securelog-scan
You can easily check the version of your CLI with this command.
sls --version
Using it as a CLI
Securelog Scan works as a CLI to detect secrets in your codebase. It can rewrite Git history or serve as a pre-commit hook to block secret leaks before they reach your repository.
Scan files and directories
This command will scan the directory and all its subdirectories for secrets.
sls scan --dir <directory>
Scan only changed files
To scan only files and lines that have been changed in recent commits (useful in CI pipelines to only scan code changes):
sls scan --changed
Scan via URL
To scan a codebase by specifying its public URL (only GitHub, GitLab and Bitbucket URLs are supported for now):
sls scan --url https://github.com/username/my-public-repository
Securelog Scan automatically defaults to $cwd if the --dir flag is not provided.
Excluding folders, specifying maximum git commits, masking and verifying secrets
To exclude specific folders or file extensions, limit how many commits are scanned, and control masking and verification of detected secrets:
sls scan --dir <directory> --exclude <folders> --commits <100> --verify <false> --mask <true>
--exclude <folders>: Comma-separated list of folders to exclude from scanning.
--commits <number>: Number of most recent commits to scan (defaults to the 100 most recent commits).
--mask <boolean>: Whether detected secrets should be masked in the output (default is false).
--verify <boolean>: Specify this if you want detected secrets to be verified against their service provider.
Remove secrets from git history
To remove any detected secret from git history, use the following command:
sls git-rewrite --secrets
Note: This command modifies your Git history, so you should force-push the cleaned branches to the remote repository after running it, using the commands below:
git push --force --all
git push --force --tags
Config file
You can specify a path to a configuration file using the --config option. This file allows you to customize regex patterns and exclusion lists:
sls scan --config <path_to_config_file>
--config <path_to_config_file>: Path to the config file.
Example config.yml
Here is an example of what your config file might look like:
Adding custom regex patterns, or paths and extensions to exclude, is optional and should be used only for your specific needs. The entries shown below are already built into the library by default, which is why they are commented out.
detectors:
  # paystack:
  #   regex: "\\bsk\\_[a-z]{1,}\\_[A-Za-z0-9]{40}\\b"
  #   keywords: ["paystack"]
  #   detectorType: "Paystack"
  # mailgun:
  #   regex:
  #     "Original Token": "\\b([a-zA-Z-0-9]{72})\\b"
  #     "Key-Mailgun Token": "\\b(key-[a-z0-9]{32})\\b"
  #     "Hex Mailgun Token": "\\b([a-f0-9]{32}-[a-f0-9]{8}-[a-f0-9]{8})\\b"
  #   keywords: ["mailgun"]
  #   detectorType: "Mailgun"
  # Agora:
  #   regex: "\\b([a-z0-9]{32})\\b"
  #   keywords: ["agora"]
  #   detectorType: "Agora"
  #   group: ["agora"]  # surrounding context words to reduce false positives (mostly for generic secret types)
exclude:
  paths:
    # - "node_modules"
    # - "dist"
    # - ".git"
  extensions:
    # - ".png"
    # - ".jpg"
    # - ".log"
Example command
sls scan --dir ./my-project --exclude dist,node_modules --config ./config.yml --commits 100
Secret in a string
To detect secrets in a string (masked by default), use the command below:
sls scan-string --rawValue "raw secret values"
Secret in a file
You can also scan a file, and optionally rewrite it with the detected secrets masked, using the command below:
sls scan-string --file "path/to/file" --updateFile
--updateFile: Rewrites the contents of the file, masking the secret values found inside it.