Tzurrr/2ms (forked from Checkmarx/2ms)

Too many secrets (2MS) helps people protect their secrets on any file or on systems like CMS, chats and git

Too many secrets (2ms) is a command line tool written in Go and built on top of gitleaks. 2ms finds secrets such as login credentials, API keys and SSH keys hidden in code, content management systems, chat applications and more.

Installation

Download Precompiled Binaries

2ms precompiled binaries for the amd64 architecture are attached as assets on our releases page.

Install Globally

You may place the compiled binary on your PATH. On Linux, for example, you can put the 2ms binary in /usr/local/bin/ or create a symbolic link to it. Writing under /opt requires root, so the steps below use sudo:

sudo mkdir -p /opt/2ms
cd /opt/2ms
sudo wget https://github.com/checkmarx/2ms/releases/latest/download/linux-amd64.zip
sudo unzip linux-amd64.zip
sudo ln -s /opt/2ms/2ms /usr/local/bin/2ms


Compiling from source

If you wish to compile the project from source, use the following commands:

git clone https://github.com/checkmarx/2ms.git
cd 2ms
go build -o dist/2ms main.go
./dist/2ms

Run From Docker Container

We publish container image releases of 2ms to checkmarx/2ms. To run 2ms from a Docker container, use the following command:

docker run checkmarx/2ms

You may also mount a local directory with the -v <local-dir-path>:<container-dir-path> argument. For instance:

docker run -v /home/user/workspace/git-repo:/repo checkmarx/2ms git /repo
  • For the git command, you have to mount your git repository to /repo inside the container

GitHub Actions

To use 2ms in GitHub Actions, make sure you tell the actions/checkout step to fetch the full commit history by setting fetch-depth: 0; with the default shallow checkout, secrets that were committed and later removed are not visible to the scan.

name: Pipeline Example With 2MS

on:
  pull_request:
  workflow_dispatch:
  push:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          # Required for 2ms to have visibility to all commit history
          fetch-depth: 0

      # ...

      - name: Run 2ms Scan
        run: docker run -v $(pwd):/repo checkmarx/2ms:2.8.1 git /repo
  • In this example we've pinned the image to version 2.8.1. Check whether a newer version is available before copying it.
  • 💡 Take a look at 2ms GitHub Actions pipeline as 2ms scans itself using 2ms.

Azure DevOps Pipeline

To use 2ms in an Azure DevOps Pipeline, create a new pipeline (see this tutorial for getting started with Azure DevOps Pipelines). Next, add a step to your pipeline YAML file (azure-pipelines.yml) that runs 2ms:

trigger:
- master

pool:
  vmImage: ubuntu-latest

steps:
- script: docker run -v $(pwd):/repo checkmarx/2ms:2.8.1 git /repo
  displayName: Run 2ms
  • In this example we've pinned the image to version 2.8.1. Check whether a newer version is available before copying it.

Command Line Interface

We've built the 2ms command line interface to be as self-descriptive as possible. This is the help message you will see if you run 2ms without arguments:

2ms Secrets Detection: A tool to detect secrets in public websites and communication services.

Usage:
  2ms [command]

Commands
  confluence  Scan Confluence server
  discord     Scan Discord server
  filesystem  Scan local folder
  git         Scan local Git repository
  paligo      Scan Paligo instance
  slack       Scan Slack team

Additional Commands:
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  rules       List all rules

Flags:
      --add-special-rule strings      special (non-default) rules to apply.
                                      This list is not affected by the --rule and --ignore-rule flags.
      --config string                 config file path
  -h, --help                          help for 2ms
      --ignore-on-exit ignoreOnExit   defines which kind of non-zero exits code should be ignored
                                      accepts: all, results, errors, none
                                      example: if 'results' is set, only engine errors will make 2ms exit code different from 0 (default none)
      --ignore-result strings         ignore specific result by id
      --ignore-rule strings           ignore rules by name or tag
      --log-level string              log level (trace, debug, info, warn, error, fatal) (default "info")
      --max-target-megabytes int      files larger than this will be skipped.
                                      Omit or set to 0 to disable this check.
      --regex stringArray             custom regexes to apply to the scan, must be valid Go regex
      --report-path strings           path to generate report files. The output format will be determined by the file extension (.json, .yaml, .sarif)
      --rule strings                  select rules by name or tag to apply to this scan
      --stdout-format string          stdout output format, available formats are: json, yaml, sarif (default "yaml")
  -v, --version                       version for 2ms

Use "2ms [command] --help" for more information about a command.

Special Rules

Special rules are rules that are not part of the default ruleset, usually because they are too noisy or too specific. You can use the --add-special-rule flag to add special rules by rule ID.

For example:

2ms git . --add-special-rule hardcoded-password

List of Special Rules

Rule ID             Description
hardcoded-password  Detects strings assigned to variables whose names contain the word password, access, key, etc.

Custom Regex Rules

You may specify one or more custom regex rules with the optional argument --regex. The value provided will be parsed as a regular expression and will be matched against the target items.

Given a file my-file.txt containing:

password=1234567
username=admin

the following command reports both lines:

2ms filesystem --path . --regex username= --regex password=
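The --regex flag (and the regex: key of the configuration file shown further down) requires Go regular-expression syntax, which is RE2: lookaround and backreferences are rejected at compile time rather than being interpreted loosely. The following is an added example, not code from 2ms itself, that mirrors the two steps a custom rule goes through: compile each pattern with Go's regexp package and report the ones RE2 refuses, then apply the surviving rules line by line to the constructed my-file.txt content from above. The Rule and Finding types, function names and the lookahead pattern are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleFile is the constructed content of my-file.txt from the README.
const SampleFile = "password=1234567\nusername=admin\n"

// Rule is one custom regex rule: the pattern as typed on the command line
// (or in the config file) plus its compiled form.
type Rule struct {
	Pattern string
	Re      *regexp.Regexp
}

// Finding is one match of a rule against the scanned content.
type Finding struct {
	Pattern string // the rule that matched
	Line    int    // 1-based line number inside the scanned text
	Match   string // the exact text that matched
}

// CompileRules compiles each pattern with Go's regexp package (RE2 syntax).
// Patterns RE2 rejects, e.g. lookaheads such as (?=...) or backreferences
// such as \1, are returned as errors instead of being silently skipped, which
// is what a practitioner wants to see before wiring a rule into CI.
func CompileRules(patterns []string) ([]Rule, []error) {
	rules := make([]Rule, 0, len(patterns))
	var errs []error
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			errs = append(errs, fmt.Errorf("rule %q rejected: %w", p, err))
			continue
		}
		rules = append(rules, Rule{Pattern: p, Re: re})
	}
	return rules, errs
}

// ScanText applies every rule to each line of content and returns one
// Finding per match, ordered by line and then by rule order.
func ScanText(content string, rules []Rule) []Finding {
	var findings []Finding
	for i, line := range strings.Split(strings.TrimRight(content, "\n"), "\n") {
		for _, r := range rules {
			for _, m := range r.Re.FindAllString(line, -1) {
				findings = append(findings, Finding{Pattern: r.Pattern, Line: i + 1, Match: m})
			}
		}
	}
	return findings
}

func main() {
	// Two patterns from the README (the second in the escaped form used in
	// the config file) plus one assumed lookahead pattern that RE2 rejects.
	patterns := []string{`username=`, `password\=`, `password=(?=\d{7})`}
	rules, errs := CompileRules(patterns)
	for _, err := range errs {
		fmt.Println("invalid rule:", err)
	}
	for _, f := range ScanText(SampleFile, rules) {
		fmt.Printf("line %d: rule %q matched %q\n", f.Line, f.Pattern, f.Match)
	}
}
```

Running it shows the lookahead rule being rejected up front while the two plain rules each produce one finding. The same compile step is the quickest way to check a pattern before committing it to a .2ms.yml file.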


Plugins

We offer the following integrations in the form of plugins:

Confluence

Scans a Confluence instance.

2ms confluence <URL> [flags]

Flag        Value   Default                        Description
--url       string  -                              Confluence instance URL in the form of https://<company id>.atlassian.net/wiki
--history   -       history revisions not scanned  Also scan the revision history of each page
--spaces    string  all spaces                     The names or IDs of the Confluence spaces to scan
--token     string  -                              The Confluence API token for authentication
--username  string  -                              Confluence user name or email for authentication

For example:

2ms confluence https://checkmarx.atlassian.net/wiki --spaces secrets


Paligo

Scans a Paligo content management system instance.

Flag        Value   Default                      Description
--instance  string  -                            Paligo instance name
--token     string  -                            API token for authentication
--username  string  -                            Paligo user name or email for authentication
--folder    string  all folders of the instance  Folder ID to scan
--auth      string  -                            Base64-encoded username:password to send as the auth header

Discord

Scans Discord chat application history.

Flag              Value     Default           Description
--token           string    -                 Discord token
--channel         strings   all channels      Discord channel IDs to scan
--messages-count  int       0 (all messages)  Maximum number of messages to scan
--duration        duration  14 days           The time interval to scan back from the current time. For example, 24h for 24 hours or 336h0m0s for 14 days
--server          strings   -                 Discord server IDs to scan

Slack

Scans Slack chat application history.

Flag              Value     Default           Description
--token           string    -                 Slack token
--channel         strings   all channels      Slack channel IDs to scan
--messages-count  int       0 (all messages)  Maximum number of messages to scan
--duration        duration  14 days           The time interval to scan back from the current time. For example, 24h for 24 hours or 336h0m0s for 14 days
--team            string    -                 Slack team name or ID

Git Repository

Scans a local git repository.

2ms git <Git Repo Local Path> [flags]
Flag            Value  Default                                        Description
--all-branches  -      false (only the currently checked-out branch)  Scan all branches
--depth         int    no limit                                       Limit the number of historical commits to scan from HEAD

For example:

git clone https://github.com/my-account/my-repo.git
cd my-repo
2ms git .

Local Directory

Scans a local directory.

2ms filesystem --path PATH [flags]

Flag              Value    Default  Description
--path            string   -        Local directory path
--project-name    string   -        Project name to differentiate between filesystem scans
--ignore-pattern  strings  -        Patterns to ignore

Configuration File

You can pass the --config [path to config file] argument to specify a configuration file. The configuration file can be written in YAML or JSON; for example:

log-level: info

regex:
  - password\=

report-path:
  - ./report.yaml
  - ./report.json
  - ./report.sarif

paligo:
  instance: your-instance
  username: your-username

Hybrid Configuration Mode

You may pass a combination of command line arguments and a configuration file; the values from the file and the explicit arguments are merged into one configuration.

.2ms.yml config file:

ignore-result:
  - b0a735b7b0a2bc6fb1cd69824a9afd26f0f7ebc8
  - 51c76691792d9f6efe8af1c89c678386349f48a9
  - 81318f7350a4c42987d78c99eacba2c5028636cc
  - 8ea22c1e010836b9b0ee84e14609b574c9965c3c

Command, with --spaces provided outside the config file:

docker run -v $(pwd)/.2ms.yml:/app/.2ms.yml checkmarx/2ms confluence --url https://checkmarx.atlassian.net/wiki --spaces secrets --config /app/.2ms.yml


Contributing

2ms is extendable through plugins. We designed it this way so anyone can easily contribute to, improve and extend 2ms. Read more about contributing in our CONTRIBUTING.md file.

Contact

Want to report a problem or suggest an improvement? Create an Issue, start a Discussion thread, or join our Discord Server (look for the #2ms channel).

This project was made and maintained by Checkmarx with ❤️
