Too many secrets (2ms) is a command line tool written in Go and built over gitleaks. 2ms is capable of finding secrets such as login credentials, API keys, SSH keys and more hidden in code, content systems, chat applications and more.
2ms precompiled binaries for the amd64 architecture are attached as assets on our releases page.

You may place the compiled binary on your path. On Linux, for example, you can place the 2ms binary in `/usr/local/bin/` or create a symbolic link. For example:

```shell
cd /opt
mkdir 2ms
cd 2ms
wget https://github.com/checkmarx/2ms/releases/latest/download/linux-amd64.zip
unzip linux-amd64.zip
sudo ln -s /opt/2ms/2ms /usr/local/bin/2ms
```
If you wish to compile the project from its source, use the following commands:

```shell
git clone https://github.com/checkmarx/2ms.git
cd 2ms
go build -o dist/2ms main.go
./dist/2ms
```
We publish container image releases of 2ms to `checkmarx/2ms`. To run 2ms from a Docker container, use the following command:

```shell
docker run checkmarx/2ms
```

You may also mount a local directory with the `-v <local-dir-path>:<container-dir-path>` argument. For instance:

```shell
docker run -v /home/user/workspace/git-repo:/repo checkmarx/2ms git /repo
```

- For the `git` command, you have to mount your git repository to `/repo` inside the container.
To use 2ms in GitHub Actions, make sure you tell the `actions/checkout` step to fetch the full history depth by setting `fetch-depth: 0`:

```yaml
name: Pipeline Example With 2MS

on:
  pull_request:
  workflow_dispatch:
  push:
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          # Required for 2ms to have visibility to all commit history
          fetch-depth: 0
      # ...
      - name: Run 2ms Scan
        run: docker run -v $(pwd):/repo checkmarx/2ms:2.8.1 git /repo
```

- In this example we've pinned the version to `2.8.1`. Make sure to check whether there's a newer version.
- 💡 Take a look at the 2ms GitHub Actions pipeline, where 2ms scans itself using 2ms.
To use 2ms in an Azure DevOps Pipeline, create a new pipeline (see this tutorial for getting started with Azure DevOps Pipelines). Next, specify in your pipeline yml file `azure-pipelines.yml` to run 2ms:

```yaml
trigger:
- master

pool:
  vmImage: ubuntu-latest

steps:
- script: docker run -v $(pwd):/repo checkmarx/2ms:2.8.1 git /repo
  displayName: Run 2ms
```

- In this example we've pinned the version to `2.8.1`. Make sure to check whether there's a newer version.
We've built the 2ms command line interface to be as self-descriptive as possible. This is the help message that you will see if you execute 2ms without args:

```text
2ms Secrets Detection: A tool to detect secrets in public websites and communication services.

Usage:
  2ms [command]

Commands
  confluence  Scan Confluence server
  discord     Scan Discord server
  filesystem  Scan local folder
  git         Scan local Git repository
  paligo      Scan Paligo instance
  slack       Scan Slack team

Additional Commands:
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  rules       List all rules

Flags:
      --add-special-rule strings     special (non-default) rules to apply.
                                     This list is not affected by the --rule and --ignore-rule flags.
      --config string                config file path
  -h, --help                         help for 2ms
      --ignore-on-exit ignoreOnExit  defines which kind of non-zero exits code should be ignored
                                     accepts: all, results, errors, none
                                     example: if 'results' is set, only engine errors will make 2ms exit code different from 0 (default none)
      --ignore-result strings        ignore specific result by id
      --ignore-rule strings          ignore rules by name or tag
      --log-level string             log level (trace, debug, info, warn, error, fatal) (default "info")
      --max-target-megabytes int     files larger than this will be skipped.
                                     Omit or set to 0 to disable this check.
      --regex stringArray            custom regexes to apply to the scan, must be valid Go regex
      --report-path strings          path to generate report files. The output format will be determined by the file extension (.json, .yaml, .sarif)
      --rule strings                 select rules by name or tag to apply to this scan
      --stdout-format string         stdout output format, available formats are: json, yaml, sarif (default "yaml")
  -v, --version                      version for 2ms

Use "2ms [command] --help" for more information about a command.
```
Special rules are rules that are not part of the default ruleset, usually because they are too noisy or too specific. You can use the `--add-special-rule` flag to add special rules by rule ID. For example:

```shell
2ms git . --add-special-rule hardcoded-password
```

Rule ID | Description |
---|---|
hardcoded-password | Detects strings that are assigned to variables whose names contain the word `password`, `access`, `key`, etc. |
You may specify one or more custom regex rules with the optional argument `--regex`. The value provided will be parsed as a regular expression and will be matched against the target items.

`my-file.txt`:

```text
password=1234567
username=admin
```

```shell
2ms filesystem --path . --regex username= --regex password=
```
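To make the `--regex` contract concrete, here is an added example in Go (the language 2ms is written in; this is not 2ms's own code): it compiles user-supplied patterns exactly as Go's `regexp` package does, so PCRE-only syntax such as lookahead is rejected up front, then applies the rules line by line to the `my-file.txt` content above and masks the value after each match. The type and function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one hit of a custom --regex rule on one line of a target item.
type Finding struct {
	Rule     string // the regex as given on the command line
	Line     int    // 1-based line number inside the item
	Redacted string // the line with everything after the match masked
}
// compileRules enforces the "must be valid Go regex" contract: Go uses RE2,
// so PCRE-only syntax such as lookahead (?=...) is rejected before any scan.
func compileRules(patterns []string) ([]*regexp.Regexp, error) {
	rules := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("--regex %q: %w", p, err)
		}
		rules = append(rules, re)
	}
	return rules, nil
}

// scanItem applies every rule to every line of one target item (file, page,
// chat message); the value after a match is masked so the report does not re-leak it.
func scanItem(content string, rules []*regexp.Regexp) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, re := range rules {
			if loc := re.FindStringIndex(line); loc != nil {
				masked := line[:loc[1]] + strings.Repeat("*", len(line)-loc[1])
				out = append(out, Finding{Rule: re.String(), Line: i + 1, Redacted: masked})
			}
		}
	}
	return out
}
func main() {
	// Constructed sample: the my-file.txt content from the --regex example.
	const myFile = "password=1234567\nusername=admin\n"
	rules, err := compileRules([]string{"username=", "password="})
	if err != nil {
		panic(err)
	}
	for _, f := range scanItem(myFile, rules) {
		fmt.Printf("line %d: %q matched: %s\n", f.Line, f.Rule, f.Redacted)
	}
}
```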
We offer the following list of integrations in the form of plugins.

The `confluence` plugin scans a Confluence instance:

```shell
2ms confluence <URL> [flags]
```

Flag | Value | Default | Description |
---|---|---|---|
--url | string | - | Confluence instance URL in the form of `https://<company id>.atlassian.net/wiki` |
--history | - | not scanning history revisions | Scans pages history revisions |
--spaces | string | all spaces | The names or IDs of the Confluence spaces to scan |
--token | string | - | The Confluence API token for authentication |
--username | string | - | Confluence user name or email for authentication |

For example:

```shell
2ms confluence https://checkmarx.atlassian.net/wiki --spaces secrets
```

- 💡 The `secrets` Confluence site was purposely created with plain example secrets as a test subject for this demo.
The `paligo` plugin scans a Paligo content management system instance.

Flag | Value | Default | Description |
---|---|---|---|
--instance | string | - | Instance name |
--token | string | - | API token for authentication |
--username | string | - | User name for authentication |
--folder | string | scanning all instance's folders | Folder ID |
--auth | string | - | Base64 auth header encoded `username:password` |
The `discord` plugin scans Discord chat application history.

Flag | Value | Default | Description |
---|---|---|---|
--token | string | - | Discord token |
--channel | strings | all channels will be scanned | Discord channel IDs to scan |
--messages-count | int | 0 = all messages will be scanned | Number of messages to scan |
--duration | duration | 14 days | The time interval to scan from the current time. For example, `24h` for 24 hours or `336h0m0s` for 14 days |
--server | strings | - | Discord server IDs to scan |
The `slack` plugin scans Slack chat application history.

Flag | Value | Default | Description |
---|---|---|---|
--token | string | - | Slack token |
--channel | strings | all channels will be scanned | Slack channel IDs to scan |
--messages-count | int | 0 = all messages will be scanned | Number of messages to scan |
--duration | duration | 14 days | The time interval to scan from the current time. For example, `24h` for 24 hours or `336h0m0s` for 14 days |
--team | string | - | Slack team name or ID |
The `git` plugin scans a local git repository:

```shell
2ms git <Git Repo Local Path> [flags]
```

Flag | Value | Default | Description |
---|---|---|---|
--all-branches | - | false - only the currently checked-out branch | Scan all branches |
--depth | int | no limit | Limit the number of historical commits to scan from HEAD |

For example:

```shell
git clone https://github.com/my-account/my-repo.git
cd my-repo
2ms git .
```
The `filesystem` plugin scans a local folder:

```shell
2ms filesystem --path PATH [flags]
```

Flag | Value | Default | Description |
---|---|---|---|
--path | string | - | Local directory path |
--project-name | string | - | Project name to differentiate between filesystem scans |
--ignore-pattern | strings | - | Patterns to ignore |
You can pass the `--config [path to config file]` argument to specify a configuration file. The configuration file format can be YAML or JSON.

```yaml
log-level: info
regex:
  - password\=
report-path:
  - ./report.yaml
  - ./report.json
  - ./report.sarif
paligo:
  instance: your-instance
  username: your-username
```

You may pass a combination of command line arguments and a configuration file; the result is going to merge the values from the file and the explicit arguments.

For example, with the following `.2ms.yml` config file:

```yaml
ignore-result:
  - b0a735b7b0a2bc6fb1cd69824a9afd26f0f7ebc8
  - 51c76691792d9f6efe8af1c89c678386349f48a9
  - 81318f7350a4c42987d78c99eacba2c5028636cc
  - 8ea22c1e010836b9b0ee84e14609b574c9965c3c
```

and the `confluence` command, `--spaces` is provided outside of the config file:

```shell
docker run -v $(pwd)/.2ms.yml:/app/.2ms.yml checkmarx/2ms confluence --url https://checkmarx.atlassian.net/wiki --spaces secrets --config /app/.2ms.yml
```
2ms is extendable with the concept of plugins. We designed it like this so anyone can easily contribute, improve and extend 2ms. Read more about contributing in our CONTRIBUTING.md file.

Want to report a problem or suggest an idea for improvement? Create an Issue, create a Discussion thread, or join our Discord Server (look for the #2ms channel).

This project was made and maintained by Checkmarx with ❤️