HACKER Q&A
📣 lkrubner

What are the best automated tools for keeping credentials out of GitHub?


I've a new client, a fast-growing startup. Their security situation is a mess and I'm trying to get it under control. I'd love to hear anyone's strategies for imposing security on what has been an insecure system. Especially automated tools for basic stuff, like keeping API credentials out of GitHub.


  👤 mzfr Accepted Answer ✓

    - https://github.com/auth0/repo-supervisor
    - https://github.com/awslabs/git-secrets
    - https://github.com/trufflesecurity/truffleHog
    - https://www.gitguardian.com/
    - https://github.com/eth0izzle/shhgit
All these tools can be configured to scan repositories and generate an alert when credentials or API keys are encountered.
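The tools listed above all do a version of the same thing: walk the diff (or the history), match known credential formats, and flag high-entropy strings that look like keys. The script below is an added example of that core technique written for this thread; it is not code from the original answer or from any of the listed projects. It scans a unified diff, reports only added lines, honours a `pragma: allowlist secret` marker (an assumed convention, modelled on what several scanners support), redacts matched values so the secret is not echoed into CI logs, and exits non-zero so it can serve as a `git` pre-commit hook. The pattern set and the 4.5 bits/char entropy threshold are illustrative assumptions; the sample diff is constructed here and uses the placeholder AWS credentials that AWS publishes in its own documentation.

```python
"""Minimal staged-diff secret scanner (added example, not from the thread or any listed tool).

Usage as a hook:  python scan_secrets.py --staged   (scans `git diff --cached -U0`)
Without --staged it scans SAMPLE_DIFF below, so it runs offline.
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Illustrative pattern set (assumption): real scanners ship hundreds of these.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    # key-like name, then = or :, then a quoted value of 8+ chars; group 1 is the value
    "generic_assignment": re.compile(
        r"(?i)(?:secret|password|passwd|api[_-]?key|token)[a-z0-9_]*\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=]{20,}")   # base64-ish runs; '_' excluded to skip identifiers
ENTROPY_THRESHOLD = 4.5                                # bits per char (tuned assumption)
ALLOWLIST_MARKER = "pragma: allowlist secret"          # assumed inline opt-out convention
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample; the AWS values are AWS's documented example placeholders.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -0,0 +1,4 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DEBUG = True
+REGION = "us-east-1"  # pragma: allowlist secret
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -10,0 +11,2 @@
+Set AWS_ACCESS_KEY_ID in your environment before running.
+password = "changeme"
"""


def shannon_entropy(s):
    """Bits per character of s; random base64 is ~6, English prose ~4, identifiers lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value, keep=4):
    """Show only a short prefix so the finding itself never leaks the secret into logs."""
    return value[:keep] + "*" * (len(value) - keep) if len(value) > keep else "*" * len(value)


def scan_diff(diff_text):
    """Return (path, new_line_no, rule, redacted_value) for every added line that trips a rule."""
    findings = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                     # new-file name; must be checked before '+' lines
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))                 # first line number of the new-file side
            continue
        if raw.startswith("-"):
            continue                                   # removed lines never reach the commit
        content = raw[1:]                              # strip the '+' or ' ' diff marker
        line_no, new_line = new_line, new_line + 1
        if not raw.startswith("+") or ALLOWLIST_MARKER in content:
            continue                                   # context line, or explicitly allowlisted
        rules = []
        for name, pat in PATTERNS.items():
            mm = pat.search(content)
            if mm:
                rules.append((name, mm.group(mm.lastindex or 0)))
        for tok in ENTROPY_TOKEN.findall(content):     # one entropy finding per line is enough
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                rules.append(("high_entropy", tok))
                break
        for name, value in rules:
            findings.append((path, line_no, name, redact(value)))
    return findings


def staged_diff():
    """Diff of what is about to be committed, with zero context lines."""
    return subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    text = staged_diff() if "--staged" in sys.argv[1:] else SAMPLE_DIFF
    hits = scan_diff(text)
    for p, ln, rule, shown in hits:
        print(f"{p}:{ln}: {rule}: {shown}")
    sys.exit(1 if hits else 0)
```

Run against the sample, it flags `config.py:1` (key ID format), `config.py:2` (both the key-like assignment and the entropy check) and `README.md:12` (weak quoted password), while the allowlisted `REGION` line and the README sentence that merely names `AWS_ACCESS_KEY_ID` are left alone. Wire it in with `cp scan_secrets.py .git/hooks/pre-commit`-style plumbing or a `pre-commit` framework hook; a client-side hook is only a convenience for developers, so the same scan still has to run server-side (CI or a push-protection product) where it cannot be skipped with `--no-verify`, and any credential that already landed in history has to be rotated, not just deleted from the tree.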

👤 lumberjack24
Try GitGuardian to monitor internal repos on GitHub, 100k+ developers use it to scan their commits for all sorts of credentials and secrets.

https://bit.ly/3AHfI9d


👤 paktek123
Cloud providers have AWS Secrets Manager and Azure Key Vault. Then there is always HashiCorp Vault.