Skip to content

akankwatsakevin0-ctrl/Cyber_Script

Repository files navigation

Cyber_Stip

DevSecOps Secret Scanning Toolkit

Gitleaks TruffleHog Pre-commit License

Multi-layered secret detection — pre-commit hooks, CI gates, and audit workflows to prevent credential leaks in your repositories.


Overview

Cyber_Stip provides a defense-in-depth approach to secret management:

  1. Local Gate — Pre-commit hook that blocks secrets at commit time
  2. CI Gate — GitHub Actions workflow that runs on every push/PR
  3. CI Audit — Full history scan on a schedule or manual trigger
  4. Baseline Management — Suppress known false positives

Features

Secret Detection Rules

Rule Targets
Database connection strings PostgreSQL, MySQL, MongoDB, Redis, SQL Server, JDBC
API credentials Custom API keys, Bearer tokens, npm tokens, NuGet keys
Cloud/Infrastructure SSH URIs with credentials, Private keys (RSA, DSA, EC, OpenSSH, PGP)
Webhooks Slack webhook URLs
Environment files .env files with password/secret/token assignments
Generic patterns Connection strings, authorization headers

Defensive Layers

Layer Tool When
🛑 Pre-commit hook Gitleaks Before every local commit
🔍 CI Gate Gitleaks On every push and PR
📋 CI Audit Gitleaks + TruffleHog Scheduled (weekly) or manual
📊 CI Health Custom checks Monitors config validity
🗂️ Baseline .baseline.json Suppress known/historical findings

Tech Stack

Tool Purpose
Gitleaks Git-based secret scanning (default + custom rules)
TruffleHog Deep content scanning for secrets
pre-commit Local git hook framework
GitHub Actions CI/CD pipeline integration

Getting Started

Prerequisites

Step-by-Step Setup

1. Clone the repository

git clone https://github.com/akankwatsakevin0-ctrl/Cyber_Stip.git
cd Cyber_Stip

2. Run the initialization script

Windows (PowerShell as Administrator):

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser   # If needed
.\init-cyber-stip.ps1

Linux/macOS:

chmod +x init-cyber-stip.sh
./init-cyber-stip.sh

3. What the script does

The init script automates everything:

Step Action
1 Checks Python is installed
2 Installs pre-commit via pip (if missing)
3 Downloads and installs Gitleaks (Windows only; Linux/macOS users install separately)
4 Validates that all config files exist (.gitleaks.toml, .pre-commit-config.yaml, .gitleaksignore)
5 Initializes git repo (if not already one)
6 Installs pre-commit hooks into .git/hooks/
7 Generates an initial .baseline.json to suppress known historical findings

4. Verify it's working

Test the hook by trying to commit a fake secret:

echo "password = \"supersecret123\"" > test.txt
git add test.txt
git commit -m "test"
# ⛔ Should be BLOCKED by Gitleaks with a warning

# Clean up test file
rm test.txt

If the commit was blocked — Cyber_Stip is active! 🎉

Adding Cyber_Stip to an Existing Repo

To use these secret scanning rules in another project:

# Copy the config files to your repo
cp /path/to/Cyber_Stip/.gitleaks.toml /your/repo/
cp /path/to/Cyber_Stip/.pre-commit-config.yaml /your/repo/
cp /path/to/Cyber_Stip/.gitleaksignore /your/repo/

# Copy the GitHub workflows
mkdir -p /your/repo/.github/workflows
cp /path/to/Cyber_Stip/.github/workflows/* /your/repo/.github/workflows/

# Install the pre-commit hook
cd /your/repo
pre-commit install

Project Structure

Cyber_Stip/
├── .github/workflows/
│   ├── cyber_stip_gate.yml       # CI gate on push/PR
│   ├── cyber_stip_audit.yml      # Full history audit
│   ├── cyber_stip_baseline.yml   # Baseline management
│   └── cyber_stip_health.yml     # Config health check
├── .gitleaks.toml                # Custom Gitleaks rules
├── .gitleaksignore               # Suppressed findings
├── .pre-commit-config.yaml       # Pre-commit hook config
├── init-cyber-stip.ps1           # Windows setup script
├── init-cyber-stip.sh            # Unix setup script
└── .gitignore

GitHub Actions Workflows

Workflow Trigger Action
Gate push, pull_request Scans new/changed commits; fails if secrets found
Audit schedule (weekly), workflow_dispatch Full history scan with TruffleHog + Gitleaks
Baseline workflow_dispatch Regenerates .baseline.json
Health push (config changes), schedule Validates config files and tool versions

Custom Rules

Add your own detection patterns in .gitleaks.toml:

[[rules]]
id = "my-custom-rule"
description = "Description of what this detects"
regex = '''your-regex-pattern'''
secretGroup = 1
entropy = 3.5
keywords = ["keyword1", "keyword2"]
tags = ["custom", "tag"]

Built with Gitleaks, TruffleHog, and pre-commit hooks

About

DevSecOps secret scanning toolkit with Gitleaks, TruffleHog, and pre-commit hooks

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors