2ms

command module

v4.9.0 Latest Latest Go to latest Published: Dec 12, 2025 License: Apache-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/checkmarx/2ms

Links

Open Source Insights

README ¶

2ms (Too Many Secrets)

2ms Mascot

Modern secrets discovery CLI for code, content, and collaboration platforms.

2ms is an open-source CLI from Checkmarx that helps teams surface credentials, API keys, tokens, and other sensitive data before it leaks. It builds on the gitleaks detection engine, adds Checkmarx expertise, CVSS-based scoring, and optional secret validation so you can triage the riskiest findings first.

Quick Start

Install, scan your local workspace, and review the findings in seconds:

brew install 2ms
2ms filesystem --path .

Scan recent Git history instead:

2ms git . --depth 50

2ms prints a YAML summary by default and returns a non-zero exit code when secrets are detected.

Highlights

Unified scanning for local directories, Git history, Slack, Discord, Confluence Cloud, and Paligo — each exposed as a dedicated subcommand.
Hundreds of tuned detection rules curated by Checkmarx on top of gitleaks, enriched with CVSS-based scoring in every finding.
Optional live secret validation (--validate) to confirm whether discovered credentials are still active.
Flexible filtering and noise reduction: --rule, --ignore-rule, --add-special-rule, --ignore-result, --regex, --allowed-values, and --max-target-megabytes.
Rich reporting for developers and pipelines with JSON, YAML, and SARIF outputs, multiple --report-path destinations, and CI-aware exit handling via --ignore-on-exit.
Automation ready: configuration files, 2MS_* environment variables, Docker images, and GitHub Actions templates.
Extensible plugin architecture — contributions for new data sources are welcome.

Installation

Homebrew (macOS/Linux)

brew install 2ms

Upgrade with brew upgrade 2ms. Confirm the install:

2ms --version

Prebuilt Binaries

Download the latest release for your platform from the releases page:

Unzip the archive and place the 2ms binary somewhere on your PATH (for example /usr/local/bin/2ms).

Build from Source

git clone https://github.com/checkmarx/2ms.git
cd 2ms
go build -o dist/2ms ./...
./dist/2ms --version

Refer to go.mod for the minimum Go toolchain version.

Docker

Run 2ms from the published container image:

docker run --rm checkmarx/2ms

Mount a workspace to scan it:

docker run --rm -v "$(pwd)":/repo checkmarx/2ms git /repo --stdout-format json

Provide tokens and other secrets through environment variables (-e SLACK_TOKEN=...) or mounted config files.

Scan Targets

Command	Surface	Typical Use
`2ms filesystem`	Local directories	Scan any type of source file.
`2ms git <path>`	Git repositories	Inspect commit history to find any secret exposed.
`2ms confluence <URL>`	Confluence Cloud	Crawl spaces and pages.
`2ms discord`	Discord servers	Audit server message history.
`2ms slack`	Slack workspaces	Review channels for exposed credentials.
`2ms paligo`	Paligo instances	Scrape documentation components delivered via Paligo.

Local File System

2ms filesystem --path . --ignore-pattern "*.log"

Flag	Type	Description
`--path`	string (required)	Directory to scan.
`--project-name`	string	Optional label to distinguish multiple filesystem scans.
`--ignore-pattern`	string slice	Glob patterns to exclude (matched against the file or folder name).

Git Repositories

2ms git /path/to/repo --depth 200 --project-name api-service

Flag	Type	Description
`--depth`	int	Limit how many commits from `HEAD` are analyzed.
`--all-branches`	bool	Scan every branch instead of the checked-out branch.
`--base-commit`	string	Only scan commits between the base commit and `HEAD`.
`--project-name`	string	Optional label to differentiate results.

Confluence Cloud

2ms confluence https://<org>.atlassian.net/wiki --space-keys ENG,SEC --history \
  --username alice@example.com --token "$ATLASSIAN_TOKEN"

Flag	Type	Description
`--space-keys`	string slice	Comma-separated space keys to crawl.
`--space-ids`	string slice	Comma-separated space IDs to crawl.
`--page-ids`	string slice	Specific page IDs to scan.
`--history`	bool	Include all revisions (page history).
`--username`	string	Confluence user/email for authentication.
`--token`	string	Authentication token (Confluence API token or scoped API token).
`--max-api-response-megabytes`	int	Soft per-response size limit (MB). `0` disables it. Exceeded batches are skipped.
`--max-page-body-megabytes`	int	Soft per-page body size limit (MB). `0` disables it. Oversized pages are skipped.
`--max-total-scan-megabytes`	int	Global download limit (MB). `0` disables it. If exceeded, the scan stops early.

URLs must be HTTPS. Without credentials 2ms scans only public content.

Authentication

To scan private spaces, provide --username and --token (API token).
How to create a Confluence API token: https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/

Examples

Scan all public pages (no auth):

2ms confluence https://<org>.atlassian.net/wiki

Scan private pages with an api token or a scoped api token (requires auth):

2ms confluence https://<org>.atlassian.net/wiki --username <USERNAME> --token <API_TOKEN>

Scan specific spaces by ID:

2ms confluence https://<org>.atlassian.net/wiki --space-ids 1234567890,9876543210

Scan specific pages by ID:

2ms confluence https://<org>.atlassian.net/wiki --page-ids 11223344556,99887766554

Slack

2ms slack --token "$SLACK_TOKEN" --team my-workspace --duration 30d --channel secure-chat

Flag	Type	Description
`--token`	string (required)	Slack token with permission to read conversations.
`--team`	string (required)	Workspace name or ID.
`--channel`	string slice	Channel names or IDs to target. Defaults to all channels.
`--duration`	duration	Look back interval (default `14d`). Use values like `24h`, `7d`, `1M`.
`--messages-count`	int	Upper bound on messages per channel (0 = all).

Discord

2ms discord --token "$DISCORD_TOKEN" --server 1097814317077897307 --duration 9999h

Flag	Type	Description
`--token`	string (required)	Discord bot or user token.
`--server`	string slice (required)	Server (guild) names or IDs to scan.
`--channel`	string slice	Channel names or IDs to restrict the scan. Defaults to all channels.
`--duration`	duration	Look back interval (default `14d`).
`--messages-count`	int	Maximum messages per channel (0 = scan until duration is met).

Paligo

2ms paligo --instance your-instance --username alice --token "$PALIGO_TOKEN"

Flag	Type	Description
`--instance`	string (required)	Paligo instance name (subdomain).
`--username`	string	Paligo username (use with `--token`).
`--token`	string	API token for authentication.
`--auth`	string	Base64-encoded `username:password` alternative to `--username/--token`.
`--folder`	int	Folder ID to scope the scan; scans the whole instance when omitted.

Configuration & Tuning

Global flags work with every subcommand. Combine them with configuration files and environment variables to automate 2ms in large environments.

Global Flags

Flag	Type	Default	Description
`--config`	string		Path to a YAML or JSON configuration file.
`--log-level`	string	`info`	Logging level: `trace`, `debug`, `info`, `warn`, `error`, `fatal`, or `none`.
`--stdout-format`	string	`yaml`	`yaml`, `json`, or `sarif` output on stdout.
`--report-path`	string slice		Write findings to one or more files; format is inferred from the extension.
`--ignore-on-exit`	enum	`none`	Control exit codes: `all`, `results`, `errors`, or `none`.
`--max-target-megabytes`	int	`0`	Skip files larger than the threshold (0 disables the check).
`--validate`	bool	`false`	Enrich results by verifying secrets when supported.

Configuration Files & Environment Variables

Pass --config to load shared defaults:

# .2ms.yaml
log-level: debug
stdout-format: json
report-path:
  - reports/2ms.json

filesystem:
  path: .
  ignore-pattern:
    - "*.log"

You can still override values via CLI flags; the CLI always wins over config values.

Rules, Validation, and Custom Detection

List the available detection rules (and whether they support validation) with 2ms rules.
The full rule catalog lives in docs/list-of-rules.md.
Focus on specific checks with --rule <rule-id> or exclude noisy ones with --ignore-rule.
Enable opt-in detections via --add-special-rule <rule-id> and tailor searches using custom --regex patterns.
Suppress individual findings with --ignore-result <secret-id> or whitelist known safe secrets using --allowed-values.
--validate asks 2ms to contact the upstream service (when available) to confirm a secret is still active. Validation outcomes feed into the CVSS-derived score in each result.

Reports & Outputs

2ms prints YAML summaries by default. Switch formats or emit multiple artifacts:

2ms git . \
  --stdout-format json \
  --report-path build/2ms.sarif \
  --report-path build/2ms.yaml

SARIF reports plug directly into GitHub Advanced Security or other code-scanning dashboards. All outputs include rule metadata, severity scores, file locations, and (when enabled) validation status.

CI/CD & Automation

Run 2ms in pipelines, scheduled jobs, or security gates:

name: secret-scan
on:
  pull_request:
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
        with:
          fetch-depth: 0
      - name: Run 2ms
        run: |
          docker run --rm -v "$PWD":/repo checkmarx/2ms \
            git /repo --stdout-format sarif \
            --report-path /repo/artifacts/2ms.sarif \
            --ignore-on-exit results
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: artifacts/2ms.sarif

Use --ignore-on-exit results to keep pipelines green when only findings (not errors) are present, or leave it at the default none to fail on detected secrets.

Contributing

2ms is built around a plugin system so new targets and enhancements are easy to add. Check out CONTRIBUTING.md for development setup, coding guidelines, and how to propose new rules or plugins.

Community

Report issues or feature requests

2ms is maintained by Checkmarx and released under the Apache 2.0 License — contributions and feedback are always welcome.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
benches
cmd
engine
chunk Package chunk is a generated GoMock package.	Package chunk is a generated GoMock package.
extra
linecontent
rules
score
semaphore Package semaphore is a generated GoMock package.	Package semaphore is a generated GoMock package.
validation
internal
resources
workerpool
lib
config
reporting
secrets
utils
pkg
plugins

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL