goose

module v0.0.0-...-a3af1b0
Published: Aug 16, 2021 License: MIT

README

Goose

It's a lovely day in source control, and you are a horrible tool.

To install, run: go get -u gitlab.com/lapt0r/goose/cmd/goose

Background

Goose is (yet another) tool for auditing source code for secrets (API keys, access tokens, passwords, etc.). Its behavior is similar to other tools in the space, such as detect-secrets and Trufflehog: it uses both regex-based detection and Shannon entropy, computed from the character probability mass function of a candidate string. If you are unfamiliar with entropy in the context of information theory, see the Wikipedia primer here.
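As an added example (not goose's own code), the following Go program sketches the two detection strategies described above: a small set of regex rules, written in the RE2 syntax that Go's regexp package shares with goose, and a Shannon-entropy test over long tokens. The rule patterns, the 4.0 bits-per-character threshold and the sample input are all constructed for illustration; they are not goose's rule set, defaults or output format.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding records one suspected secret and where it was seen.
type Finding struct {
	Line    int
	Rule    string
	Token   string
	Entropy float64 // bits per character of Token
}

// ShannonEntropy returns the entropy of s in bits per character, computed
// from the empirical probability mass function of the characters in s.
func ShannonEntropy(s string) float64 {
	if len(s) == 0 {
		return 0
	}
	counts := make(map[rune]int)
	total := 0
	for _, r := range s {
		counts[r]++
		total++
	}
	var h float64
	for _, c := range counts {
		p := float64(c) / float64(total)
		h -= p * math.Log2(p)
	}
	return h
}

// rule pairs a name with an RE2 pattern. If the pattern has a capture
// group, the last group is reported as the token; otherwise the whole match.
type rule struct {
	name string
	re   *regexp.Regexp
}

// Constructed example rules (not goose's own). A slice keeps rule order,
// and therefore finding order, deterministic.
var regexRules = []rule{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"generic-password-assignment", regexp.MustCompile(`(?i)password\s*[:=]\s*["']?([^"'\s]+)`)},
}

// tokenRE picks out long runs of base64/hex-like characters as entropy candidates.
var tokenRE = regexp.MustCompile(`[A-Za-z0-9+/=_\-]{20,}`)

// entropyThreshold is a constructed cut-off; real tools tune this per corpus.
const entropyThreshold = 4.0

// Scan runs every regex rule and the entropy test over each line of src.
func Scan(src string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(src, "\n") {
		lineNo := i + 1
		for _, r := range regexRules {
			for _, m := range r.re.FindAllStringSubmatch(line, -1) {
				tok := m[len(m)-1]
				findings = append(findings, Finding{lineNo, r.name, tok, ShannonEntropy(tok)})
			}
		}
		for _, tok := range tokenRE.FindAllString(line, -1) {
			if h := ShannonEntropy(tok); h >= entropyThreshold {
				findings = append(findings, Finding{lineNo, "high-entropy", tok, h})
			}
		}
	}
	return findings
}

// sample is a constructed config fragment; none of these values are real credentials.
const sample = `# constructed sample, not real credentials
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "hunter2"
token = "c7Xf2pQ9mL4rT8vB1nK6sD3hJ0wY5zAE"
readme_title = "Installation instructions for the application"
`

func main() {
	for _, f := range Scan(sample) {
		fmt.Printf("line %d [%s] %s (%.2f bits/char)\n", f.Line, f.Rule, f.Token, f.Entropy)
	}
}
```

The two strategies are complementary: the AWS key in the sample has an entropy of only about 3.5 bits per character and is caught by its well-known prefix, while the random token on line 4 matches no rule but scores a full 5.0 bits per character. Entropy alone also flags legitimate hashes and base64 blobs, which is why scanners pair it with path filters such as the -ignore option documented below.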

Requirements

Goose was developed with Go version 1.13. It should be compatible with all Go 1.x runtimes (but has not been tested extensively). If you find a compatibility problem, please file an issue!

Go installation instructions can be found here.

Usage

Goose can be run in pipeline (default) or interactive mode. Pipeline mode is "silent" other than a JSON blob of results returned to standard output. Interactive mode will provide updates on number of files scanned as well as pretty-printed results. Regex rules use Google RE2 syntax documented here.

Arguments
  • -target <string> : The target directory to scan. This will enumerate all files with a valid text encoding as well as the git history and scan them using the provided regex rules.
  • -interactive : Runs Goose in interactive mode. Default behavior is now pipeline-compatible.
  • -decisiontree : Runs Goose in decision-tree mode. This overrides regex behavior and uses a parser/tokenizer and decision tree to generate findings.
  • -commitDepth <int> : Specifies the maximum commit depth to scan. Default 0 (no commit history).
  • -config <string> : Provides a path to a configuration file.
  • -help : Prints the help screen with command line arguments for Goose.
  • -ignore <comma-separated list> : List of path fragments to ignore (default "test").
  • -outputmode <string> : Specifies an output mode to use for integration mode. Goose serialization is the default. Options are unspecified (default) and GitLab.

Acknowledgements

This tool builds upon the prior work of a whole bunch of folks:

Contributors
