Documentation
Everything you need to get started with Credfence
Installation
Direct download
Download the prebuilt binary from the v1.0 release (the URL pins the version) and mark it executable with chmod +x credfence before running the commands below. If the release publishes a checksum, verify the download against it before executing the binary.
https://github.com/Mx0M/credfence/releases/download/v1.0/credfence
Usage
Basic Scan
Scan your repository for secrets:
./credfence --repo https://github.com/xyz.git \
  --output-format json --rules-source ./rules --scan-id 001

Deep Scan
Scan entire Git history:
./credfence --repo https://github.com/xyz.git \
  --output-format json --rules-source ./rules --scan-id 001 --deep-scan

Output Formats
Export results in JSON or SARIF:
./credfence --repo https://github.com/xyz.git --scan-id 001 --output-format json > results.json
./credfence --repo https://github.com/xyz.git --scan-id 001 --output-format sarif > results.sarif
The report is written to standard output, so redirect it to a file as above.
Options
CLI options:
--repo           Path or URL to the repo
--scan-id        Identifier for this scan run
--token
--commit         Commit SHA or ref to scan [default: HEAD]
--rules-source   Path to rules folder [default: ./rules]
--output-format  Output format [default: json] [possible values: json, sarif]
--ignore-path    Path to exclude from the scan (the ignore_paths list in .credfence.yaml serves the same purpose)
--deep-scan      Enable deep history scan
--threads        Number of worker threads [default: auto]
--diff-only      Use diff-only deep scanning (only changed files per commit)
--parallel       Parallel scanning using Rayon
Configuration
Create a .credfence.yaml file in your repository root:
rules:
  - id: custom-api-key
    pattern: 'API_KEY_[A-Z0-9]{32}'
    severity: critical
    description: Custom API Key
ignore_paths:
  - vendor/
  - node_modules/
  - "*.test.js"
  - "*.spec.ts"
threads: 8
Ignoring test files is convenient, but a real credential pasted into a test fixture will then never be reported; keep such ignores as narrow as you can.

CI/CD Integration
GitHub Actions
The workflow scans the checked-out tree and publishes the SARIF report as code scanning alerts. upload-sarif needs the security-events: write permission, so the workflow grants it explicitly, and the upload runs even if the scan step exits non-zero. If you pass --deep-scan, add fetch-depth: 0 to the checkout step, because the default shallow clone has no history to walk.
name: Secret Scanning
on: [push, pull_request]
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Credfence
        run: |
          curl -fsSL -o credfence https://github.com/Mx0M/credfence/releases/download/v1.0/credfence
          chmod +x credfence
      - name: Run Scan
        # scan the checked-out working tree instead of cloning the remote again
        run: ./credfence --repo . --rules-source ./rules --scan-id 4001 --output-format sarif > results.sarif
      - name: Upload Results
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

GitLab CI
secret_scanning:
  stage: test
  script:
    - curl -fsSL -o credfence https://github.com/Mx0M/credfence/releases/download/v1.0/credfence
    - chmod +x credfence
    - ./credfence --repo . --rules-source ./rules --scan-id 4001 --output-format json > gl-secret-scanning.json
  artifacts:
    when: always
    paths:
      - gl-secret-scanning.json
    reports:
      secret_detection: gl-secret-scanning.json
GitLab only parses a secret_detection report that follows its secret-detection report schema; this page does not state that Credfence's JSON matches it, so the paths entry keeps the raw report downloadable from the job either way. when: always keeps the artifact even if the scan step exits non-zero.
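The Output Formats section and both CI jobs above produce a report but nothing turns findings into a failed build, and a scanner that never fails the pipeline is quickly ignored. The script below is an added example and not part of Credfence: it reads the results.sarif written with --output-format sarif, relies only on the standard SARIF 2.1.0 layout (runs[].results[] with ruleId, level, message and locations), fingerprints each finding, subtracts a baseline of already-triaged fingerprints, and exits 1 when anything at or above a chosen level remains. The rule ids, levels, paths and the embedded sample report are constructed for the example; what Credfence emits per finding is not documented on this page.

```python
"""SARIF gate for secret-scanner output (added example; not Credfence code)."""
import argparse
import hashlib
import json
import sys

# SARIF result levels in increasing severity; a missing level counts as "warning".
LEVEL_RANK = {"note": 0, "warning": 1, "error": 2}

# Constructed sample report in SARIF 2.1.0 layout; rule ids, levels and paths
# are invented for this example and are not Credfence output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "credfence"}}, "results": [
        {"ruleId": "custom-api-key", "level": "error",
         "message": {"text": "Custom API Key"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/config.py"},
             "region": {"startLine": 12}}}]},
        {"ruleId": "generic-token", "level": "note",
         "message": {"text": "Possible token"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "docs/example.md"},
             "region": {"startLine": 3}}}]},
    ]}],
}


def _primary_location(result):
    """Return (uri, startLine) of the first location, or ("?", 0)."""
    phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    return (phys.get("artifactLocation", {}).get("uri", "?"),
            phys.get("region", {}).get("startLine", 0))


def fingerprint(result):
    """Stable id for one finding: the tool's partialFingerprints if present,
    else a hash of rule, file, line and message text. Hashing means the
    baseline never stores the matched secret in plaintext."""
    parts = result.get("partialFingerprints") or {}
    if parts:
        raw = "|".join(f"{k}={v}" for k, v in sorted(parts.items()))
    else:
        uri, line = _primary_location(result)
        raw = "|".join([result.get("ruleId", ""), uri, str(line),
                        result.get("message", {}).get("text", "")])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def load_findings(sarif):
    """Flatten every run's results into plain dicts; message text is dropped."""
    findings = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            uri, line = _primary_location(result)
            findings.append({"rule": result.get("ruleId", "unknown"),
                             "level": result.get("level", "warning"),
                             "file": uri, "line": line,
                             "fingerprint": fingerprint(result)})
    return findings


def gate(sarif, baseline=frozenset(), fail_on="warning"):
    """Return (exit_code, new_findings): findings not in the baseline, and 1
    if any of them is at or above the fail_on level, else 0."""
    threshold = LEVEL_RANK[fail_on]
    new = [f for f in load_findings(sarif) if f["fingerprint"] not in baseline]
    blocking = [f for f in new if LEVEL_RANK.get(f["level"], 1) >= threshold]
    return (1 if blocking else 0), new


def main(argv=None):
    ap = argparse.ArgumentParser(description="Fail CI on new SARIF findings.")
    ap.add_argument("sarif", help="report produced with --output-format sarif")
    ap.add_argument("--baseline", help="JSON list of accepted fingerprints")
    ap.add_argument("--fail-on", choices=LEVEL_RANK, default="warning")
    ap.add_argument("--write-baseline", action="store_true",
                    help="record current findings as accepted and exit 0")
    args = ap.parse_args(argv)
    if args.write_baseline and not args.baseline:
        ap.error("--write-baseline requires --baseline")
    with open(args.sarif, encoding="utf-8") as fh:
        sarif = json.load(fh)
    if args.write_baseline:
        with open(args.baseline, "w", encoding="utf-8") as fh:
            json.dump([f["fingerprint"] for f in load_findings(sarif)], fh, indent=2)
        return 0
    baseline = frozenset()
    if args.baseline:
        with open(args.baseline, encoding="utf-8") as fh:
            baseline = frozenset(json.load(fh))
    code, new = gate(sarif, baseline, args.fail_on)
    for f in new:  # location only: message text may contain the secret itself
        print(f"{f['level']:8} {f['rule']:20} {f['file']}:{f['line']}  [{f['fingerprint']}]")
    print(f"{len(new)} new finding(s); exit {code}")
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Run it as python gate.py results.sarif --baseline baseline.json right after the scan step, and once with --write-baseline to record the findings you have already triaged. The summary deliberately prints rule, file and line only: message.text in a secret-scanner report can contain the matched credential, and anything printed ends up in the CI log.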