敏感信息泄露 on Linux邪修https://linuxiexiu.github.io/docs/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/%E6%95%8F%E6%84%9F%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2/Recent content in 敏感信息泄露 on Linux邪修Hugozh© 2024 Linux邪修GitLeaks使用教程https://linuxiexiu.github.io/docs/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/%E6%95%8F%E6%84%9F%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2/GitLeaks%E4%BD%BF%E7%94%A8%E6%95%99%E7%A8%8B/Mon, 01 Jan 0001 00:00:00 +0000https://linuxiexiu.github.io/docs/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/%E6%95%8F%E6%84%9F%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2/GitLeaks%E4%BD%BF%E7%94%A8%E6%95%99%E7%A8%8B/<h1 id="gitleaks使用教程">GitLeaks使用教程<a class="anchor" href="#gitleaks%e4%bd%bf%e7%94%a8%e6%95%99%e7%a8%8b">#</a></h1> <h2 id="软件介绍">软件介绍<a class="anchor" href="#%e8%bd%af%e4%bb%b6%e4%bb%8b%e7%bb%8d">#</a></h2> <p>GitLeaks是一款专门用于检测Git仓库中敏感信息泄露的工具。它能够扫描Git历史记录,识别泄露的API密钥、密码、证书等敏感信息,是代码安全和DevSecOps流程中的重要工具。</p> <h3 id="主要功能">主要功能<a class="anchor" href="#%e4%b8%bb%e8%a6%81%e5%8a%9f%e8%83%bd">#</a></h3> <ul> <li>Git仓库敏感信息扫描</li> <li>多种敏感信息模式匹配</li> <li>支持自定义规则</li> <li>扫描Git历史记录</li> <li>支持多种输出格式</li> <li>CI/CD集成</li> <li>高性能扫描</li> <li>实时监控</li> </ul> <h3 id="适用场景">适用场景<a class="anchor" href="#%e9%80%82%e7%94%a8%e5%9c%ba%e6%99%af">#</a></h3> <ul> <li>代码安全审计</li> <li>敏感信息泄露检测</li> <li>DevSecOps流程集成</li> <li>安全合规检查</li> <li>代码仓库安全</li> <li>威胁情报收集</li> </ul> <hr> <h2 id="入门级使用">入门级使用<a class="anchor" href="#%e5%85%a5%e9%97%a8%e7%ba%a7%e4%bd%bf%e7%94%a8">#</a></h2> <h3 id="安装gitleaks">安装GitLeaks<a class="anchor" href="#%e5%ae%89%e8%a3%85gitleaks">#</a></h3> <h4 id="使用go安装">使用Go安装<a class="anchor" href="#%e4%bd%bf%e7%94%a8go%e5%ae%89%e8%a3%85">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e"># 安装Go语言(如果未安装)</span> </span></span><span style="display:flex;"><span>wget https://go.dev/dl/go1.21.5.linux-amd64.tar.gz </span></span><span style="display:flex;"><span>tar -C /usr/local -xzf go1.21.5.linux-amd64.tar.gz </span></span><span style="display:flex;"><span><span style="color:#ff5c57">export</span> <span style="color:#ff5c57">PATH</span><span style="color:#ff6ac1">=</span><span style="color:#ff5c57">$PATH</span>:/usr/local/go/bin </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 安装GitLeaks</span> </span></span><span style="display:flex;"><span>go install github.com/zricethezav/gitleaks/v8@latest </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 验证安装</span> </span></span><span style="display:flex;"><span>gitleaks --version</span></span></code></pre></div><h4 id="使用homebrew安装">使用Homebrew安装<a class="anchor" href="#%e4%bd%bf%e7%94%a8homebrew%e5%ae%89%e8%a3%85">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e"># 安装Homebrew(如果未安装)</span> </span></span><span style="display:flex;"><span>/bin/bash -c <span style="color:#5af78e">&#34;</span><span style="color:#ff6ac1">$(</span>curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh<span style="color:#ff6ac1">)</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 安装GitLeaks</span> </span></span><span style="display:flex;"><span>brew install gitleaks </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 验证安装</span> </span></span><span style="display:flex;"><span>gitleaks --version</span></span></code></pre></div><h4 id="使用docker安装">使用Docker安装<a class="anchor" href="#%e4%bd%bf%e7%94%a8docker%e5%ae%89%e8%a3%85">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e"># 使用Docker运行</span> </span></span><span style="display:flex;"><span>docker run --rm -v <span style="color:#ff6ac1">$(</span><span style="color:#ff5c57">pwd</span><span style="color:#ff6ac1">)</span>:/path zricethezav/gitleaks:latest --source<span style="color:#ff6ac1">=</span>/path </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 或构建本地镜像</span> </span></span><span style="display:flex;"><span>git clone https://github.com/zricethezav/gitleaks.git </span></span><span style="display:flex;"><span><span style="color:#ff5c57">cd</span> gitleaks </span></span><span style="display:flex;"><span>docker build -t gitleaks . </span></span><span style="display:flex;"><span>docker run --rm -v <span style="color:#ff6ac1">$(</span><span style="color:#ff5c57">pwd</span><span style="color:#ff6ac1">)</span>:/path gitleaks --source<span style="color:#ff6ac1">=</span>/path</span></span></code></pre></div><h3 id="基本扫描">基本扫描<a class="anchor" href="#%e5%9f%ba%e6%9c%ac%e6%89%ab%e6%8f%8f">#</a></h3> <h4 id="扫描当前目录">扫描当前目录<a class="anchor" href="#%e6%89%ab%e6%8f%8f%e5%bd%93%e5%89%8d%e7%9b%ae%e5%bd%95">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e"># 扫描当前目录</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 扫描特定目录</span> </span></span><span style="display:flex;"><span>gitleaks detect --source /path/to/project </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 扫描并显示详细信息</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --verbose</span></span></code></pre></div><h4 id="扫描git仓库">扫描Git仓库<a class="anchor" href="#%e6%89%ab%e6%8f%8fgit%e4%bb%93%e5%ba%93">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e"># 扫描Git仓库</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --git </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 扫描远程仓库</span> </span></span><span style="display:flex;"><span>gitleaks detect --source https://github.com/user/repo.git --git </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 扫描特定分支</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --git --branch develop</span></span></code></pre></div><h4 id="扫描git历史">扫描Git历史<a class="anchor" href="#%e6%89%ab%e6%8f%8fgit%e5%8e%86%e5%8f%b2">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e"># 扫描所有Git历史</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --git --history </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 扫描最近N次提交</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --git --history --depth <span style="color:#ff9f43">100</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 扫描特定提交</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --git --commit abc123</span></span></code></pre></div><hr> <h2 id="初级使用">初级使用<a class="anchor" href="#%e5%88%9d%e7%ba%a7%e4%bd%bf%e7%94%a8">#</a></h2> <h3 id="扫描选项">扫描选项<a class="anchor" href="#%e6%89%ab%e6%8f%8f%e9%80%89%e9%a1%b9">#</a></h3> <h4 id="排除文件和目录">排除文件和目录<a class="anchor" href="#%e6%8e%92%e9%99%a4%e6%96%87%e4%bb%b6%e5%92%8c%e7%9b%ae%e5%bd%95">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e"># 排除特定文件</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --exclude <span style="color:#5af78e">&#34;node_modules&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 排除多个文件</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --exclude <span style="color:#5af78e">&#34;node_modules,vendor&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 使用正则表达式排除</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --exclude <span style="color:#5af78e">&#34;.*\\.min\\.js&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 排除目录</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --exclude <span style="color:#5af78e">&#34;*/test/*&#34;</span></span></span></code></pre></div><h4 id="指定扫描深度">指定扫描深度<a class="anchor" href="#%e6%8c%87%e5%ae%9a%e6%89%ab%e6%8f%8f%e6%b7%b1%e5%ba%a6">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e"># 扫描当前状态</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --no-git </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 扫描最近50次提交</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --git --depth <span style="color:#ff9f43">50</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 扫描所有历史</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --git --history</span></span></code></pre></div><h3 id="输出格式">输出格式<a class="anchor" href="#%e8%be%93%e5%87%ba%e6%a0%bc%e5%bc%8f">#</a></h3> <h4 id="输出为json">输出为JSON<a class="anchor" href="#%e8%be%93%e5%87%ba%e4%b8%bajson">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e"># 输出为JSON格式</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --report-format json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 指定输出文件</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --report-format json --report-path report.json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 美化JSON输出</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --report-format json | jq .</span></span></code></pre></div><h4 id="输出为csv">输出为CSV<a class="anchor" href="#%e8%be%93%e5%87%ba%e4%b8%bacsv">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e"># 输出为CSV格式</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --report-format csv </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 指定输出文件</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --report-format csv --report-path report.csv</span></span></code></pre></div><h4 id="输出为sarif">输出为SARIF<a class="anchor" href="#%e8%be%93%e5%87%ba%e4%b8%basarif">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e"># 输出为SARIF格式(用于GitHub)</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --report-format sarif </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 指定输出文件</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --report-format sarif --report-path report.sarif</span></span></code></pre></div><hr> <h2 id="中级使用">中级使用<a class="anchor" href="#%e4%b8%ad%e7%ba%a7%e4%bd%bf%e7%94%a8">#</a></h2> <h3 id="自定义规则">自定义规则<a class="anchor" href="#%e8%87%aa%e5%ae%9a%e4%b9%89%e8%a7%84%e5%88%99">#</a></h3> <h4 id="使用自定义配置文件">使用自定义配置文件<a class="anchor" href="#%e4%bd%bf%e7%94%a8%e8%87%aa%e5%ae%9a%e4%b9%89%e9%85%8d%e7%bd%ae%e6%96%87%e4%bb%b6">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e"># 创建自定义配置文件</span> </span></span><span style="display:flex;"><span>cat &gt; gitleaks-config.toml <span style="color:#5af78e">&lt;&lt; EOF </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"># GitLeaks自定义配置 </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e">title = &#34;Custom GitLeaks Config&#34; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e">[[rules]] </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> description = &#34;AWS Access Key&#34; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> regex = &#39;&#39;&#39;AKIA[0-9A-Z]{16}&#39;&#39;&#39; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> tags = [&#34;key&#34;, &#34;AWS&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e">[[rules]] </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> description = &#34;GitHub Token&#34; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> regex = &#39;&#39;&#39;ghp_[a-zA-Z0-9]{36}&#39;&#39;&#39; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> tags = [&#34;key&#34;, &#34;GitHub&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e">[[rules]] </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> description = &#34;Slack Token&#34; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> regex = &#39;&#39;&#39;xox[baprs]-[a-zA-Z0-9-]+&#39;&#39;&#39; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> tags = [&#34;key&#34;, &#34;Slack&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#5af78e">EOF</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 使用自定义配置</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --config gitleaks-config.toml</span></span></code></pre></div><h4 id="添加自定义规则">添加自定义规则<a class="anchor" href="#%e6%b7%bb%e5%8a%a0%e8%87%aa%e5%ae%9a%e4%b9%89%e8%a7%84%e5%88%99">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e"># 添加自定义规则</span> </span></span><span style="display:flex;"><span>cat &gt; custom-rules.toml <span style="color:#5af78e">&lt;&lt; EOF </span></span></span><span style="display:flex;"><span><span style="color:#5af78e">[[rules]] </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> description = &#34;Custom API Key&#34; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> regex = &#39;&#39;&#39;custom_key_[a-zA-Z0-9]{32}&#39;&#39;&#39; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> tags = [&#34;key&#34;, &#34;custom&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e">[[rules]] </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> description = &#34;Database Password&#34; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> regex = &#39;&#39;&#39;password\s*=\s*[&#39;&#34;]([^&#39;&#34;]+)[&#39;&#34;]&#39;&#39;&#39; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> tags = [&#34;password&#34;, &#34;database&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#5af78e">EOF</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 使用自定义规则</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --config custom-rules.toml</span></span></code></pre></div><h3 id="高级扫描">高级扫描<a class="anchor" href="#%e9%ab%98%e7%ba%a7%e6%89%ab%e6%8f%8f">#</a></h3> <h4 id="扫描多个仓库">扫描多个仓库<a class="anchor" href="#%e6%89%ab%e6%8f%8f%e5%a4%9a%e4%b8%aa%e4%bb%93%e5%ba%93">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e">#!/bin/bash </span></span></span><span style="display:flex;"><span><span style="color:#78787e"># 扫描多个Git仓库脚本</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">REPOS_DIR</span><span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#34;/path/to/repos&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">REPORTS_DIR</span><span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#34;./reports&#34;</span> </span></span><span style="display:flex;"><span>mkdir -p <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$REPORTS_DIR</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 遍历所有仓库</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">for</span> repo in <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$REPOS_DIR</span><span style="color:#5af78e">&#34;</span>/*/; <span style="color:#ff6ac1">do</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">repo_name</span><span style="color:#ff6ac1">=</span><span style="color:#ff6ac1">$(</span>basename <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$repo</span><span style="color:#5af78e">&#34;</span><span style="color:#ff6ac1">)</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">echo</span> <span style="color:#5af78e">&#34;扫描仓库: </span><span style="color:#ff5c57">$repo_name</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 运行扫描</span> </span></span><span style="display:flex;"><span> gitleaks detect --source <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$repo</span><span style="color:#5af78e">&#34;</span> --git <span style="color:#5af78e">\ </span></span></span><span style="display:flex;"><span> --report-format json <span style="color:#5af78e">\ </span></span></span><span style="display:flex;"><span> --report-path <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$REPORTS_DIR</span><span style="color:#5af78e">/</span><span style="color:#5af78e">${</span><span style="color:#ff5c57">repo_name</span><span style="color:#5af78e">}</span><span style="color:#5af78e">.json&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">echo</span> <span style="color:#5af78e">&#34;批量扫描完成&#34;</span></span></span></code></pre></div><h4 id="并行扫描">并行扫描<a class="anchor" href="#%e5%b9%b6%e8%a1%8c%e6%89%ab%e6%8f%8f">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e">#!/bin/bash </span></span></span><span style="display:flex;"><span><span style="color:#78787e"># 并行扫描脚本</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">REPOS_DIR</span><span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#34;/path/to/repos&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">REPORTS_DIR</span><span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#34;./reports&#34;</span> </span></span><span style="display:flex;"><span>mkdir -p <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$REPORTS_DIR</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 并行扫描所有仓库</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">for</span> repo in <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$REPOS_DIR</span><span style="color:#5af78e">&#34;</span>/*/; <span style="color:#ff6ac1">do</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">repo_name</span><span style="color:#ff6ac1">=</span><span style="color:#ff6ac1">$(</span>basename <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$repo</span><span style="color:#5af78e">&#34;</span><span style="color:#ff6ac1">)</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">echo</span> <span style="color:#5af78e">&#34;扫描仓库: </span><span style="color:#ff5c57">$repo_name</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 后台运行扫描</span> </span></span><span style="display:flex;"><span> gitleaks detect --source <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$repo</span><span style="color:#5af78e">&#34;</span> --git <span style="color:#5af78e">\ </span></span></span><span style="display:flex;"><span> --report-format json <span style="color:#5af78e">\ </span></span></span><span style="display:flex;"><span> --report-path <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$REPORTS_DIR</span><span style="color:#5af78e">/</span><span style="color:#5af78e">${</span><span style="color:#ff5c57">repo_name</span><span style="color:#5af78e">}</span><span style="color:#5af78e">.json&#34;</span> &amp; </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 等待所有扫描完成</span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">wait</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">echo</span> <span style="color:#5af78e">&#34;并行扫描完成&#34;</span></span></span></code></pre></div><hr> <h2 id="中上级使用">中上级使用<a class="anchor" href="#%e4%b8%ad%e4%b8%8a%e7%ba%a7%e4%bd%bf%e7%94%a8">#</a></h2> <h3 id="cicd集成">CI/CD集成<a class="anchor" href="#cicd%e9%9b%86%e6%88%90">#</a></h3> <h4 id="github-actions集成">GitHub Actions集成<a class="anchor" href="#github-actions%e9%9b%86%e6%88%90">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#78787e"># .github/workflows/gitleaks.yml</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">name</span>: GitLeaks Scan </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">on</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">push</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">branches</span>: [ main ] </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">pull_request</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">branches</span>: [ main ] </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">schedule</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ff6ac1">cron</span>: <span style="color:#5af78e">&#39;0 0 * * 0&#39;</span> <span style="color:#78787e"># 每周运行一次</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">jobs</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">gitleaks</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">runs-on</span>: ubuntu-latest </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">steps</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ff6ac1">uses</span>: actions/checkout@v2 </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">fetch-depth</span>: <span style="color:#ff9f43">0</span> <span style="color:#78787e"># 获取完整历史</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#ff6ac1">name</span>: Run GitLeaks </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">uses</span>: gitleaks/gitleaks-action@v2 </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">env</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">GITHUB_TOKEN</span>: ${{ secrets.GITHUB_TOKEN }} </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">GITLEAKS_LICENSE</span>: ${{ secrets.GITLEAKS_LICENSE }} </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">report-format</span>: json </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">report-path</span>: gitleaks-report.json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#ff6ac1">name</span>: Upload GitLeaks Report </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">uses</span>: actions/upload-artifact@v2 </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">name</span>: gitleaks-report </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">path</span>: gitleaks-report.json</span></span></code></pre></div><h4 id="gitlab-ci集成">GitLab CI集成<a class="anchor" href="#gitlab-ci%e9%9b%86%e6%88%90">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#78787e"># .gitlab-ci.yml</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">stages</span>: </span></span><span style="display:flex;"><span> - security </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">gitleaks</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">stage</span>: security </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">image</span>: zricethezav/gitleaks:latest </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">script</span>: </span></span><span style="display:flex;"><span> - gitleaks detect --source . --git --report-format json --report-path gitleaks-report.json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">artifacts</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">paths</span>: </span></span><span style="display:flex;"><span> - gitleaks-report.json </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">expire_in</span>: <span style="color:#ff9f43">1</span> week </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">allow_failure</span>: <span style="color:#ff6ac1">true</span></span></span></code></pre></div><h4 id="jenkins集成">Jenkins集成<a class="anchor" href="#jenkins%e9%9b%86%e6%88%90">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-groovy" data-lang="groovy"><span style="display:flex;"><span><span style="color:#78787e">// Jenkinsfile </span></span></span><span style="display:flex;"><span>pipeline <span style="color:#ff6ac1">{</span> </span></span><span style="display:flex;"><span> agent any </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> stages <span style="color:#ff6ac1">{</span> </span></span><span style="display:flex;"><span> stage<span style="color:#ff6ac1">(</span><span style="color:#5af78e">&#39;GitLeaks Scan&#39;</span><span style="color:#ff6ac1">)</span> <span style="color:#ff6ac1">{</span> </span></span><span style="display:flex;"><span> steps <span style="color:#ff6ac1">{</span> </span></span><span style="display:flex;"><span> script <span style="color:#ff6ac1">{</span> </span></span><span style="display:flex;"><span> <span style="color:#78787e">// 运行GitLeaks </span></span></span><span style="display:flex;"><span> sh <span style="color:#5af78e">&#39;gitleaks detect --source . --git --report-format json --report-path gitleaks-report.json&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e">// 解析结果 </span></span></span><span style="display:flex;"><span> <span style="color:#9aedfe">def</span> report <span style="color:#ff6ac1">=</span> readJSON <span style="color:#ff5c57">file:</span> <span style="color:#5af78e">&#39;gitleaks-report.json&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">if</span> <span style="color:#ff6ac1">(</span>report<span style="color:#ff6ac1">.</span><span style="color:#57c7ff">size</span><span style="color:#ff6ac1">()</span> <span style="color:#ff6ac1">&gt;</span> <span style="color:#ff9f43">0</span><span style="color:#ff6ac1">)</span> <span style="color:#ff6ac1">{</span> </span></span><span style="display:flex;"><span> error <span style="color:#5af78e">&#34;发现 ${report.size()} 个敏感信息泄露&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">}</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">}</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">}</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">}</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> post <span style="color:#ff6ac1">{</span> </span></span><span style="display:flex;"><span> always <span style="color:#ff6ac1">{</span> </span></span><span style="display:flex;"><span> <span style="color:#78787e">// 归档报告 </span></span></span><span style="display:flex;"><span> archiveArtifacts <span style="color:#ff5c57">artifacts:</span> <span style="color:#5af78e">&#39;gitleaks-report.json&#39;</span><span style="color:#ff6ac1">,</span> <span style="color:#ff5c57">fingerprint:</span> <span style="color:#ff6ac1">true</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">}</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">}</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">}</span></span></span></code></pre></div><h3 id="自动化脚本">自动化脚本<a class="anchor" href="#%e8%87%aa%e5%8a%a8%e5%8c%96%e8%84%9a%e6%9c%ac">#</a></h3> <h4 id="定期扫描脚本">定期扫描脚本<a class="anchor" href="#%e5%ae%9a%e6%9c%9f%e6%89%ab%e6%8f%8f%e8%84%9a%e6%9c%ac">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e">#!/bin/bash </span></span></span><span style="display:flex;"><span><span style="color:#78787e"># 定期扫描脚本</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">REPOS_DIR</span><span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#34;/path/to/repos&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">REPORTS_DIR</span><span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#34;./reports&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">LOG_FILE</span><span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#34;gitleaks-scan.log&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 记录日志</span> </span></span><span style="display:flex;"><span>log<span style="color:#ff6ac1">()</span> <span style="color:#ff6ac1">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">echo</span> <span style="color:#5af78e">&#34;</span><span style="color:#ff6ac1">$(</span>date <span style="color:#5af78e">&#39;+%Y-%m-%d %H:%M:%S&#39;</span><span style="color:#ff6ac1">)</span><span style="color:#5af78e"> - </span><span style="color:#ff5c57">$1</span><span style="color:#5af78e">&#34;</span> &gt;&gt; <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$LOG_FILE</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 扫描函数</span> </span></span><span style="display:flex;"><span>scan_repo<span style="color:#ff6ac1">()</span> <span style="color:#ff6ac1">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">local</span> <span style="color:#ff5c57">repo_path</span><span style="color:#ff6ac1">=</span><span style="color:#ff5c57">$1</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">local</span> <span style="color:#ff5c57">repo_name</span><span style="color:#ff6ac1">=</span><span style="color:#ff6ac1">$(</span>basename <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$repo_path</span><span style="color:#5af78e">&#34;</span><span style="color:#ff6ac1">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> log <span style="color:#5af78e">&#34;开始扫描仓库: </span><span style="color:#ff5c57">$repo_name</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 运行扫描</span> </span></span><span style="display:flex;"><span> gitleaks detect --source <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$repo_path</span><span style="color:#5af78e">&#34;</span> --git <span style="color:#5af78e">\ </span></span></span><span style="display:flex;"><span> --report-format json <span style="color:#5af78e">\ </span></span></span><span style="display:flex;"><span> --report-path <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$REPORTS_DIR</span><span style="color:#5af78e">/</span><span style="color:#5af78e">${</span><span style="color:#ff5c57">repo_name</span><span style="color:#5af78e">}</span><span style="color:#5af78e">_</span><span style="color:#ff6ac1">$(</span>date +%Y%m%d<span style="color:#ff6ac1">)</span><span style="color:#5af78e">.json&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 检查结果</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">if</span> <span style="color:#ff6ac1">[</span> <span style="color:#ff5c57">$?</span> -eq <span style="color:#ff9f43">0</span> <span style="color:#ff6ac1">]</span>; <span style="color:#ff6ac1">then</span> </span></span><span style="display:flex;"><span> log <span style="color:#5af78e">&#34;仓库 </span><span style="color:#ff5c57">$repo_name</span><span style="color:#5af78e"> 扫描成功&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">else</span> </span></span><span style="display:flex;"><span> log <span style="color:#5af78e">&#34;仓库 </span><span style="color:#ff5c57">$repo_name</span><span style="color:#5af78e"> 扫描失败&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">fi</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 创建报告目录</span> </span></span><span style="display:flex;"><span>mkdir -p <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$REPORTS_DIR</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 扫描所有仓库</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">for</span> repo in <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$REPOS_DIR</span><span style="color:#5af78e">&#34;</span>/*/; <span style="color:#ff6ac1">do</span> </span></span><span style="display:flex;"><span> scan_repo <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$repo</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>log <span style="color:#5af78e">&#34;定期扫描完成&#34;</span></span></span></code></pre></div><h4 id="监控脚本">监控脚本<a class="anchor" href="#%e7%9b%91%e6%8e%a7%e8%84%9a%e6%9c%ac">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e">#!/bin/bash </span></span></span><span style="display:flex;"><span><span style="color:#78787e"># 实时监控脚本</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">WATCH_DIR</span><span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#34;/path/to/repos&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">REPORTS_DIR</span><span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#34;./reports&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">LOG_FILE</span><span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#34;gitleaks-monitor.log&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 记录日志</span> </span></span><span style="display:flex;"><span>log<span style="color:#ff6ac1">()</span> <span style="color:#ff6ac1">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">echo</span> <span style="color:#5af78e">&#34;</span><span style="color:#ff6ac1">$(</span>date <span style="color:#5af78e">&#39;+%Y-%m-%d %H:%M:%S&#39;</span><span style="color:#ff6ac1">)</span><span style="color:#5af78e"> - </span><span style="color:#ff5c57">$1</span><span style="color:#5af78e">&#34;</span> &gt;&gt; <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$LOG_FILE</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 监控函数</span> </span></span><span style="display:flex;"><span>monitor_repo<span style="color:#ff6ac1">()</span> <span style="color:#ff6ac1">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">local</span> <span style="color:#ff5c57">repo_path</span><span style="color:#ff6ac1">=</span><span style="color:#ff5c57">$1</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">local</span> <span style="color:#ff5c57">repo_name</span><span style="color:#ff6ac1">=</span><span style="color:#ff6ac1">$(</span>basename <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$repo_path</span><span style="color:#5af78e">&#34;</span><span style="color:#ff6ac1">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> log <span style="color:#5af78e">&#34;监控仓库: </span><span style="color:#ff5c57">$repo_name</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 进入仓库目录</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">cd</span> <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$repo_path</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 监控Git提交</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">while</span> true; <span style="color:#ff6ac1">do</span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 检查是否有新提交</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">NEW_COMMIT</span><span style="color:#ff6ac1">=</span><span style="color:#ff6ac1">$(</span>git rev-parse HEAD<span style="color:#ff6ac1">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">if</span> <span style="color:#ff6ac1">[</span> <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$NEW_COMMIT</span><span style="color:#5af78e">&#34;</span> !<span style="color:#ff6ac1">=</span> <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$LAST_COMMIT</span><span style="color:#5af78e">&#34;</span> <span style="color:#ff6ac1">]</span>; <span style="color:#ff6ac1">then</span> </span></span><span style="display:flex;"><span> log <span style="color:#5af78e">&#34;检测到新提交: </span><span style="color:#ff5c57">$NEW_COMMIT</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 运行扫描</span> </span></span><span style="display:flex;"><span> gitleaks detect --source . --git <span style="color:#5af78e">\ </span></span></span><span style="display:flex;"><span> --report-format json <span style="color:#5af78e">\ </span></span></span><span style="display:flex;"><span> --report-path <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$REPORTS_DIR</span><span style="color:#5af78e">/</span><span style="color:#5af78e">${</span><span style="color:#ff5c57">repo_name</span><span style="color:#5af78e">}</span><span style="color:#5af78e">_</span><span style="color:#ff6ac1">$(</span>date +%Y%m%d_%H%M%S<span style="color:#ff6ac1">)</span><span style="color:#5af78e">.json&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">LAST_COMMIT</span><span style="color:#ff6ac1">=</span><span style="color:#ff5c57">$NEW_COMMIT</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">fi</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> sleep <span style="color:#ff9f43">60</span> <span style="color:#78787e"># 每分钟检查一次</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">done</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 创建报告目录</span> </span></span><span style="display:flex;"><span>mkdir -p <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$REPORTS_DIR</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 监控所有仓库</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">for</span> repo in <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$WATCH_DIR</span><span style="color:#5af78e">&#34;</span>/*/; <span style="color:#ff6ac1">do</span> </span></span><span style="display:flex;"><span> monitor_repo <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$repo</span><span style="color:#5af78e">&#34;</span> &amp; </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>log <span style="color:#5af78e">&#34;监控已启动&#34;</span></span></span></code></pre></div><hr> <h2 id="高级使用">高级使用<a class="anchor" href="#%e9%ab%98%e7%ba%a7%e4%bd%bf%e7%94%a8">#</a></h2> <h3 id="高级分析">高级分析<a class="anchor" href="#%e9%ab%98%e7%ba%a7%e5%88%86%e6%9e%90">#</a></h3> <h4 id="敏感信息分类">敏感信息分类<a class="anchor" href="#%e6%95%8f%e6%84%9f%e4%bf%a1%e6%81%af%e5%88%86%e7%b1%bb">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#78787e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">import</span> json </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">from</span> collections <span style="color:#ff6ac1">import</span> defaultdict </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">def</span> <span style="color:#57c7ff">classify_leaks</span>(report_file): </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;&#34;&#34;分类敏感信息泄露&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">with</span> <span style="color:#ff5c57">open</span>(report_file) <span style="color:#ff6ac1">as</span> f: </span></span><span style="display:flex;"><span> report <span style="color:#ff6ac1">=</span> json<span style="color:#ff6ac1">.</span>load(f) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> classifications <span style="color:#ff6ac1">=</span> defaultdict(<span style="color:#ff5c57">list</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">for</span> leak <span style="color:#ff6ac1">in</span> report: </span></span><span style="display:flex;"><span> leak_type <span style="color:#ff6ac1">=</span> leak<span style="color:#ff6ac1">.</span>get(<span style="color:#5af78e">&#39;rule&#39;</span>, <span style="color:#5af78e">&#39;unknown&#39;</span>) </span></span><span style="display:flex;"><span> file_path <span style="color:#ff6ac1">=</span> leak<span style="color:#ff6ac1">.</span>get(<span style="color:#5af78e">&#39;file&#39;</span>, <span style="color:#5af78e">&#39;unknown&#39;</span>) </span></span><span style="display:flex;"><span> line <span style="color:#ff6ac1">=</span> leak<span style="color:#ff6ac1">.</span>get(<span style="color:#5af78e">&#39;line&#39;</span>, <span style="color:#ff9f43">0</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> classifications[leak_type]<span style="color:#ff6ac1">.</span>append({ </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;file&#39;</span>: file_path, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;line&#39;</span>: line, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;secret&#39;</span>: leak<span style="color:#ff6ac1">.</span>get(<span style="color:#5af78e">&#39;secret&#39;</span>, <span style="color:#5af78e">&#39;&#39;</span>)[:<span style="color:#ff9f43">20</span>] <span style="color:#ff6ac1">+</span> <span style="color:#5af78e">&#39;...&#39;</span> </span></span><span style="display:flex;"><span> }) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">return</span> classifications </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 使用示例</span> </span></span><span style="display:flex;"><span>classifications <span style="color:#ff6ac1">=</span> classify_leaks(<span style="color:#5af78e">&#39;gitleaks-report.json&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">for</span> leak_type, leaks <span style="color:#ff6ac1">in</span> classifications<span style="color:#ff6ac1">.</span>items(): </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">print</span>(<span style="color:#5af78e">f</span><span style="color:#5af78e">&#34;</span><span style="color:#5af78e">\n</span><span style="color:#5af78e">=== </span><span style="color:#5af78e">{</span>leak_type<span style="color:#5af78e">}</span><span style="color:#5af78e"> ===&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">for</span> leak <span style="color:#ff6ac1">in</span> leaks: </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">print</span>(<span style="color:#5af78e">f</span><span style="color:#5af78e">&#34; 文件: </span><span style="color:#5af78e">{</span>leak[<span style="color:#5af78e">&#39;file&#39;</span>]<span style="color:#5af78e">}</span><span style="color:#5af78e">&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">print</span>(<span style="color:#5af78e">f</span><span style="color:#5af78e">&#34; 行号: </span><span style="color:#5af78e">{</span>leak[<span style="color:#5af78e">&#39;line&#39;</span>]<span style="color:#5af78e">}</span><span style="color:#5af78e">&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">print</span>(<span style="color:#5af78e">f</span><span style="color:#5af78e">&#34; 密钥: </span><span style="color:#5af78e">{</span>leak[<span style="color:#5af78e">&#39;secret&#39;</span>]<span style="color:#5af78e">}</span><span style="color:#5af78e">&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">print</span>()</span></span></code></pre></div><h4 id="趋势分析">趋势分析<a class="anchor" href="#%e8%b6%8b%e5%8a%bf%e5%88%86%e6%9e%90">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#78787e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">import</span> json </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">import</span> os </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">from</span> datetime <span style="color:#ff6ac1">import</span> datetime </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">import</span> matplotlib.pyplot <span style="color:#ff6ac1">as</span> plt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">def</span> <span style="color:#57c7ff">analyze_trend</span>(reports_dir): </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;&#34;&#34;分析敏感信息泄露趋势&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> trend_data <span style="color:#ff6ac1">=</span> [] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 读取所有报告</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">for</span> filename <span style="color:#ff6ac1">in</span> <span style="color:#ff5c57">sorted</span>(os<span style="color:#ff6ac1">.</span>listdir(reports_dir)): </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">if</span> filename<span style="color:#ff6ac1">.</span>endswith(<span style="color:#5af78e">&#39;.json&#39;</span>): </span></span><span style="display:flex;"><span> filepath <span style="color:#ff6ac1">=</span> os<span style="color:#ff6ac1">.</span>path<span style="color:#ff6ac1">.</span>join(reports_dir, filename) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">with</span> <span style="color:#ff5c57">open</span>(filepath) <span style="color:#ff6ac1">as</span> f: </span></span><span style="display:flex;"><span> report <span style="color:#ff6ac1">=</span> json<span style="color:#ff6ac1">.</span>load(f) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 提取时间戳</span> </span></span><span style="display:flex;"><span> timestamp <span style="color:#ff6ac1">=</span> datetime<span style="color:#ff6ac1">.</span>strptime(filename, <span style="color:#5af78e">&#39;repo_%Y%m</span><span style="color:#5af78e">%d</span><span style="color:#5af78e">.json&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 统计泄露</span> </span></span><span style="display:flex;"><span> trend_data<span style="color:#ff6ac1">.</span>append({ </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;timestamp&#39;</span>: timestamp, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;total&#39;</span>: <span style="color:#ff5c57">len</span>(report), </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;api_keys&#39;</span>: <span style="color:#ff5c57">len</span>([r <span style="color:#ff6ac1">for</span> r <span style="color:#ff6ac1">in</span> report <span style="color:#ff6ac1">if</span> <span style="color:#5af78e">&#39;key&#39;</span> <span style="color:#ff6ac1">in</span> r<span style="color:#ff6ac1">.</span>get(<span style="color:#5af78e">&#39;rule&#39;</span>, <span style="color:#5af78e">&#39;&#39;</span>)<span style="color:#ff6ac1">.</span>lower()]), </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;passwords&#39;</span>: <span style="color:#ff5c57">len</span>([r <span style="color:#ff6ac1">for</span> r <span style="color:#ff6ac1">in</span> report <span style="color:#ff6ac1">if</span> <span style="color:#5af78e">&#39;password&#39;</span> <span style="color:#ff6ac1">in</span> r<span style="color:#ff6ac1">.</span>get(<span style="color:#5af78e">&#39;rule&#39;</span>, <span style="color:#5af78e">&#39;&#39;</span>)<span style="color:#ff6ac1">.</span>lower()]), </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;tokens&#39;</span>: <span style="color:#ff5c57">len</span>([r <span style="color:#ff6ac1">for</span> r <span style="color:#ff6ac1">in</span> report <span style="color:#ff6ac1">if</span> <span style="color:#5af78e">&#39;token&#39;</span> <span style="color:#ff6ac1">in</span> r<span style="color:#ff6ac1">.</span>get(<span style="color:#5af78e">&#39;rule&#39;</span>, <span style="color:#5af78e">&#39;&#39;</span>)<span style="color:#ff6ac1">.</span>lower()]) </span></span><span style="display:flex;"><span> }) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">return</span> trend_data </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">def</span> <span style="color:#57c7ff">plot_trend</span>(trend_data): </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;&#34;&#34;绘制趋势图&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> timestamps <span style="color:#ff6ac1">=</span> [d[<span style="color:#5af78e">&#39;timestamp&#39;</span>] <span style="color:#ff6ac1">for</span> d <span style="color:#ff6ac1">in</span> trend_data] </span></span><span style="display:flex;"><span> total <span style="color:#ff6ac1">=</span> [d[<span style="color:#5af78e">&#39;total&#39;</span>] <span style="color:#ff6ac1">for</span> d <span style="color:#ff6ac1">in</span> trend_data] </span></span><span style="display:flex;"><span> api_keys <span style="color:#ff6ac1">=</span> [d[<span style="color:#5af78e">&#39;api_keys&#39;</span>] <span style="color:#ff6ac1">for</span> d <span style="color:#ff6ac1">in</span> trend_data] </span></span><span style="display:flex;"><span> passwords <span style="color:#ff6ac1">=</span> [d[<span style="color:#5af78e">&#39;passwords&#39;</span>] <span style="color:#ff6ac1">for</span> d <span style="color:#ff6ac1">in</span> trend_data] </span></span><span style="display:flex;"><span> tokens <span style="color:#ff6ac1">=</span> [d[<span style="color:#5af78e">&#39;tokens&#39;</span>] <span style="color:#ff6ac1">for</span> d <span style="color:#ff6ac1">in</span> trend_data] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> plt<span style="color:#ff6ac1">.</span>figure(figsize<span style="color:#ff6ac1">=</span>(<span style="color:#ff9f43">12</span>, <span style="color:#ff9f43">6</span>)) </span></span><span style="display:flex;"><span> plt<span style="color:#ff6ac1">.</span>plot(timestamps, total, label<span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#39;Total&#39;</span>, color<span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#39;red&#39;</span>) </span></span><span style="display:flex;"><span> plt<span style="color:#ff6ac1">.</span>plot(timestamps, api_keys, label<span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#39;API Keys&#39;</span>, color<span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#39;blue&#39;</span>) </span></span><span style="display:flex;"><span> plt<span style="color:#ff6ac1">.</span>plot(timestamps, passwords, label<span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#39;Passwords&#39;</span>, color<span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#39;green&#39;</span>) </span></span><span style="display:flex;"><span> plt<span style="color:#ff6ac1">.</span>plot(timestamps, tokens, label<span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#39;Tokens&#39;</span>, color<span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#39;orange&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> plt<span style="color:#ff6ac1">.</span>xlabel(<span style="color:#5af78e">&#39;Time&#39;</span>) </span></span><span style="display:flex;"><span> plt<span style="color:#ff6ac1">.</span>ylabel(<span style="color:#5af78e">&#39;Leak Count&#39;</span>) </span></span><span style="display:flex;"><span> plt<span style="color:#ff6ac1">.</span>title(<span style="color:#5af78e">&#39;Sensitive Information Leak Trend&#39;</span>) </span></span><span style="display:flex;"><span> plt<span style="color:#ff6ac1">.</span>legend() </span></span><span style="display:flex;"><span> plt<span style="color:#ff6ac1">.</span>xticks(rotation<span style="color:#ff6ac1">=</span><span style="color:#ff9f43">45</span>) </span></span><span style="display:flex;"><span> plt<span style="color:#ff6ac1">.</span>tight_layout() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> plt<span style="color:#ff6ac1">.</span>savefig(<span style="color:#5af78e">&#39;leak-trend.png&#39;</span>, dpi<span style="color:#ff6ac1">=</span><span style="color:#ff9f43">300</span>) </span></span><span style="display:flex;"><span> plt<span style="color:#ff6ac1">.</span>close() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 使用示例</span> </span></span><span style="display:flex;"><span>trend_data <span style="color:#ff6ac1">=</span> analyze_trend(<span style="color:#5af78e">&#39;./reports&#39;</span>) </span></span><span style="display:flex;"><span>plot_trend(trend_data)</span></span></code></pre></div><h3 id="自定义规则开发">自定义规则开发<a class="anchor" href="#%e8%87%aa%e5%ae%9a%e4%b9%89%e8%a7%84%e5%88%99%e5%bc%80%e5%8f%91">#</a></h3> <h4 id="创建复杂规则">创建复杂规则<a class="anchor" href="#%e5%88%9b%e5%bb%ba%e5%a4%8d%e6%9d%82%e8%a7%84%e5%88%99">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-toml" data-lang="toml"><span style="display:flex;"><span><span style="color:#78787e"># advanced-rules.toml</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>[[rules]] </span></span><span style="display:flex;"><span> description = <span style="color:#5af78e">&#34;AWS Secret Access Key&#34;</span> </span></span><span style="display:flex;"><span> regex = <span style="color:#5af78e">&#39;&#39;&#39;(?i)aws_secret_access_key\s*=\s*[&#39;</span><span style="color:#5af78e">&#34;]([A-Za-z0-9/+=]{40})[&#39;&#34;</span>]<span style="color:#5af78e">&#39;&#39;&#39; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> entropy = 3.5 </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> secretGroup = 1 </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> tags = [&#34;key&#34;, &#34;AWS&#34;, &#34;secret&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e">[[rules]] </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> description = &#34;Google Cloud Service Account Key&#34; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> regex = &#39;&#39;&#39;</span><span style="color:#5af78e">&#34;type&#34;</span><span style="color:#ff5c57">:\</span>s<span style="color:#ff5c57">*</span><span style="color:#5af78e">&#34;service_account&#34;</span>[<span style="color:#ff5c57">^</span>}]<span style="color:#ff5c57">*</span><span style="color:#5af78e">&#34;private_key&#34;</span><span style="color:#ff5c57">:\</span>s<span style="color:#ff5c57">*</span><span style="color:#5af78e">&#34;-----BEGIN PRIVATE KEY-----&#39;&#39;&#39; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> entropy = 4.0 </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> tags = [&#34;</span>key<span style="color:#5af78e">&#34;, &#34;</span>GCP<span style="color:#5af78e">&#34;, &#34;</span>service_account<span style="color:#5af78e">&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e">[[rules]] </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> description = &#34;</span>Database Connection String<span style="color:#5af78e">&#34; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> regex = &#39;&#39;&#39;(?i)(mysql|postgresql|mongodb)://[^:]+:[^@]+@[^/]+/[^\s&#34;</span><span style="color:#5af78e">&#39;]+&#39;&#39;&#39;</span> </span></span><span style="display:flex;"><span> entropy = <span style="color:#ff9f43">3.0</span> </span></span><span style="display:flex;"><span> tags = [<span style="color:#5af78e">&#34;database&#34;</span>, <span style="color:#5af78e">&#34;connection_string&#34;</span>] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>[[rules]] </span></span><span style="display:flex;"><span> description = <span style="color:#5af78e">&#34;Private Key File&#34;</span> </span></span><span style="display:flex;"><span> regex = <span style="color:#5af78e">&#39;&#39;&#39;-----BEGIN (RSA|EC|DSA|OPENSSH) PRIVATE KEY-----&#39;&#39;&#39;</span> </span></span><span style="display:flex;"><span> entropy = <span style="color:#ff9f43">4.5</span> </span></span><span style="display:flex;"><span> tags = [<span style="color:#5af78e">&#34;key&#34;</span>, <span style="color:#5af78e">&#34;private_key&#34;</span>] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>[[rules]] </span></span><span style="display:flex;"><span> description = <span style="color:#5af78e">&#34;JWT Token&#34;</span> </span></span><span style="display:flex;"><span> regex = <span style="color:#5af78e">&#39;&#39;&#39;eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*&#39;&#39;&#39;</span> </span></span><span style="display:flex;"><span> entropy = <span style="color:#ff9f43">3.5</span> </span></span><span style="display:flex;"><span> tags = [<span style="color:#5af78e">&#34;token&#34;</span>, <span style="color:#5af78e">&#34;JWT&#34;</span>] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>[[rules]] </span></span><span style="display:flex;"><span> description = <span style="color:#5af78e">&#34;Base64 Encoded Secret&#34;</span> </span></span><span style="display:flex;"><span> regex = <span style="color:#5af78e">&#39;&#39;&#39;[A-Za-z0-9+/]{32,}={0,2}&#39;&#39;&#39;</span> </span></span><span style="display:flex;"><span> entropy = <span style="color:#ff9f43">4.0</span> </span></span><span style="display:flex;"><span> tags = [<span style="color:#5af78e">&#34;base64&#34;</span>, <span style="color:#5af78e">&#34;secret&#34;</span>]</span></span></code></pre></div><h4 id="使用高级规则">使用高级规则<a class="anchor" href="#%e4%bd%bf%e7%94%a8%e9%ab%98%e7%ba%a7%e8%a7%84%e5%88%99">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e"># 使用高级规则扫描</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --config advanced-rules.toml --verbose </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 结合多个规则文件</span> </span></span><span style="display:flex;"><span>gitleaks detect --source . --config default-rules.toml --config advanced-rules.toml</span></span></code></pre></div><hr> <h2 id="大师级使用">大师级使用<a class="anchor" href="#%e5%a4%a7%e5%b8%88%e7%ba%a7%e4%bd%bf%e7%94%a8">#</a></h2> <h3 id="企业级部署">企业级部署<a class="anchor" href="#%e4%bc%81%e4%b8%9a%e7%ba%a7%e9%83%a8%e7%bd%b2">#</a></h3> <h4 id="集中式扫描服务">集中式扫描服务<a class="anchor" href="#%e9%9b%86%e4%b8%ad%e5%bc%8f%e6%89%ab%e6%8f%8f%e6%9c%8d%e5%8a%a1">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#78787e">#!/bin/bash </span></span></span><span style="display:flex;"><span><span style="color:#78787e"># 集中式扫描服务脚本</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">SCAN_QUEUE</span><span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#34;/path/to/scan_queue&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">SCAN_RESULTS</span><span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#34;/path/to/scan_results&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#ff5c57">LOG_FILE</span><span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#34;/var/log/gitleaks-service.log&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 初始化队列</span> </span></span><span style="display:flex;"><span>mkdir -p <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$SCAN_QUEUE</span><span style="color:#5af78e">&#34;</span> <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$SCAN_RESULTS</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 扫描函数</span> </span></span><span style="display:flex;"><span>scan_repo<span style="color:#ff6ac1">()</span> <span style="color:#ff6ac1">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">local</span> <span style="color:#ff5c57">repo_path</span><span style="color:#ff6ac1">=</span><span style="color:#ff5c57">$1</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">local</span> <span style="color:#ff5c57">repo_name</span><span style="color:#ff6ac1">=</span><span style="color:#ff6ac1">$(</span>basename <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$repo_path</span><span style="color:#5af78e">&#34;</span><span style="color:#ff6ac1">)</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">local</span> <span style="color:#ff5c57">result_dir</span><span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$SCAN_RESULTS</span><span style="color:#5af78e">/</span><span style="color:#ff5c57">$repo_name</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">echo</span> <span style="color:#5af78e">&#34;</span><span style="color:#ff6ac1">$(</span>date<span style="color:#ff6ac1">)</span><span style="color:#5af78e">: 开始扫描 </span><span style="color:#ff5c57">$repo_name</span><span style="color:#5af78e">&#34;</span> &gt;&gt; <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$LOG_FILE</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 创建结果目录</span> </span></span><span style="display:flex;"><span> mkdir -p <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$result_dir</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 运行扫描</span> </span></span><span style="display:flex;"><span> gitleaks detect --source <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$repo_path</span><span style="color:#5af78e">&#34;</span> --git <span style="color:#5af78e">\ </span></span></span><span style="display:flex;"><span> --report-format json <span style="color:#5af78e">\ </span></span></span><span style="display:flex;"><span> --report-path <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$result_dir</span><span style="color:#5af78e">/scan_</span><span style="color:#ff6ac1">$(</span>date +%Y%m%d_%H%M%S<span style="color:#ff6ac1">)</span><span style="color:#5af78e">.json&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 记录结果</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">if</span> <span style="color:#ff6ac1">[</span> <span style="color:#ff5c57">$?</span> -eq <span style="color:#ff9f43">0</span> <span style="color:#ff6ac1">]</span>; <span style="color:#ff6ac1">then</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">echo</span> <span style="color:#5af78e">&#34;</span><span style="color:#ff6ac1">$(</span>date<span style="color:#ff6ac1">)</span><span style="color:#5af78e">: </span><span style="color:#ff5c57">$repo_name</span><span style="color:#5af78e"> 扫描成功&#34;</span> &gt;&gt; <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$LOG_FILE</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">else</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">echo</span> <span style="color:#5af78e">&#34;</span><span style="color:#ff6ac1">$(</span>date<span style="color:#ff6ac1">)</span><span style="color:#5af78e">: </span><span style="color:#ff5c57">$repo_name</span><span style="color:#5af78e"> 扫描失败&#34;</span> &gt;&gt; <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$LOG_FILE</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">fi</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 监控队列</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">while</span> true; <span style="color:#ff6ac1">do</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">for</span> task in <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$SCAN_QUEUE</span><span style="color:#5af78e">&#34;</span>/*; <span style="color:#ff6ac1">do</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">if</span> <span style="color:#ff6ac1">[</span> -f <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$task</span><span style="color:#5af78e">&#34;</span> <span style="color:#ff6ac1">]</span>; <span style="color:#ff6ac1">then</span> </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">repo_path</span><span style="color:#ff6ac1">=</span><span style="color:#ff6ac1">$(</span>cat <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$task</span><span style="color:#5af78e">&#34;</span><span style="color:#ff6ac1">)</span> </span></span><span style="display:flex;"><span> scan_repo <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$repo_path</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 移除已处理的任务</span> </span></span><span style="display:flex;"><span> rm <span style="color:#5af78e">&#34;</span><span style="color:#ff5c57">$task</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">fi</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> sleep <span style="color:#ff9f43">60</span> <span style="color:#78787e"># 每分钟检查一次</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">done</span></span></span></code></pre></div><h4 id="分布式扫描">分布式扫描<a class="anchor" href="#%e5%88%86%e5%b8%83%e5%bc%8f%e6%89%ab%e6%8f%8f">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#78787e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">import</span> subprocess </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">import</span> multiprocessing </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">import</span> os </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">def</span> <span style="color:#57c7ff">scan_repo</span>(repo_path, output_dir): </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;&#34;&#34;扫描单个仓库&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> repo_name <span style="color:#ff6ac1">=</span> os<span style="color:#ff6ac1">.</span>path<span style="color:#ff6ac1">.</span>basename(repo_path) </span></span><span style="display:flex;"><span> output_file <span style="color:#ff6ac1">=</span> os<span style="color:#ff6ac1">.</span>path<span style="color:#ff6ac1">.</span>join(output_dir, <span style="color:#5af78e">f</span><span style="color:#5af78e">&#34;</span><span style="color:#5af78e">{</span>repo_name<span style="color:#5af78e">}</span><span style="color:#5af78e">.json&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> cmd <span style="color:#ff6ac1">=</span> [ </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;gitleaks&#34;</span>, <span style="color:#5af78e">&#34;detect&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;--source&#34;</span>, repo_path, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;--git&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;--report-format&#34;</span>, <span style="color:#5af78e">&#34;json&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;--report-path&#34;</span>, output_file </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> result <span style="color:#ff6ac1">=</span> subprocess<span style="color:#ff6ac1">.</span>run(cmd, capture_output<span style="color:#ff6ac1">=</span><span style="color:#ff6ac1">True</span>, text<span style="color:#ff6ac1">=</span><span style="color:#ff6ac1">True</span>) </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">return</span> result<span style="color:#ff6ac1">.</span>returncode, result<span style="color:#ff6ac1">.</span>stdout, result<span style="color:#ff6ac1">.</span>stderr </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">def</span> <span style="color:#57c7ff">distributed_scan</span>(repos, output_base_dir, workers<span style="color:#ff6ac1">=</span><span style="color:#ff9f43">4</span>): </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;&#34;&#34;分布式扫描&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> os<span style="color:#ff6ac1">.</span>makedirs(output_base_dir, exist_ok<span style="color:#ff6ac1">=</span><span style="color:#ff6ac1">True</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 创建进程池</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">with</span> multiprocessing<span style="color:#ff6ac1">.</span>Pool(workers) <span style="color:#ff6ac1">as</span> pool: </span></span><span style="display:flex;"><span> results <span style="color:#ff6ac1">=</span> [] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">for</span> repo <span style="color:#ff6ac1">in</span> repos: </span></span><span style="display:flex;"><span> result <span style="color:#ff6ac1">=</span> pool<span style="color:#ff6ac1">.</span>apply_async(scan_repo, (repo, output_base_dir)) </span></span><span style="display:flex;"><span> results<span style="color:#ff6ac1">.</span>append(result) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#78787e"># 等待所有任务完成</span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">for</span> result <span style="color:#ff6ac1">in</span> results: </span></span><span style="display:flex;"><span> returncode, stdout, stderr <span style="color:#ff6ac1">=</span> result<span style="color:#ff6ac1">.</span>get() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">if</span> returncode <span style="color:#ff6ac1">!=</span> <span style="color:#ff9f43">0</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">print</span>(<span style="color:#5af78e">f</span><span style="color:#5af78e">&#34;扫描失败: </span><span style="color:#5af78e">{</span>stderr<span style="color:#5af78e">}</span><span style="color:#5af78e">&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">else</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">print</span>(<span style="color:#5af78e">f</span><span style="color:#5af78e">&#34;扫描成功: </span><span style="color:#5af78e">{</span>stdout<span style="color:#5af78e">}</span><span style="color:#5af78e">&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 使用示例</span> </span></span><span style="display:flex;"><span>repos <span style="color:#ff6ac1">=</span> [ </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;/path/to/repo1&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;/path/to/repo2&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;/path/to/repo3&#34;</span> </span></span><span style="display:flex;"><span>] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>distributed_scan(repos, <span style="color:#5af78e">&#34;./scan_results&#34;</span>, workers<span style="color:#ff6ac1">=</span><span style="color:#ff9f43">4</span>)</span></span></code></pre></div><h3 id="高级集成">高级集成<a class="anchor" href="#%e9%ab%98%e7%ba%a7%e9%9b%86%e6%88%90">#</a></h3> <h4 id="与jira集成">与Jira集成<a class="anchor" href="#%e4%b8%8ejira%e9%9b%86%e6%88%90">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#78787e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">import</span> json </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">from</span> jira <span style="color:#ff6ac1">import</span> JIRA </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">def</span> <span style="color:#57c7ff">create_jira_issue</span>(leak, project_key): </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;&#34;&#34;创建Jira问题&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> jira <span style="color:#ff6ac1">=</span> JIRA(server<span style="color:#ff6ac1">=</span><span style="color:#5af78e">&#39;https://your-jira-instance.com&#39;</span>, </span></span><span style="display:flex;"><span> basic_auth<span style="color:#ff6ac1">=</span>(<span style="color:#5af78e">&#39;username&#39;</span>, <span style="color:#5af78e">&#39;password&#39;</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> issue_dict <span style="color:#ff6ac1">=</span> { </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;project&#39;</span>: {<span style="color:#5af78e">&#39;key&#39;</span>: project_key}, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;summary&#39;</span>: <span style="color:#5af78e">f</span><span style="color:#5af78e">&#34;Sensitive Information Leak: </span><span style="color:#5af78e">{</span>leak[<span style="color:#5af78e">&#39;rule&#39;</span>]<span style="color:#5af78e">}</span><span style="color:#5af78e">&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;description&#39;</span>: <span style="color:#5af78e">f</span><span style="color:#5af78e">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> File: </span><span style="color:#5af78e">{</span>leak[<span style="color:#5af78e">&#39;file&#39;</span>]<span style="color:#5af78e">}</span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> Line: </span><span style="color:#5af78e">{</span>leak[<span style="color:#5af78e">&#39;line&#39;</span>]<span style="color:#5af78e">}</span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> Secret: </span><span style="color:#5af78e">{</span>leak[<span style="color:#5af78e">&#39;secret&#39;</span>]<span style="color:#5af78e">}</span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> Rule: </span><span style="color:#5af78e">{</span>leak[<span style="color:#5af78e">&#39;rule&#39;</span>]<span style="color:#5af78e">}</span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> Please investigate and remediate this leak immediately. </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> &#34;&#34;&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;issuetype&#39;</span>: {<span style="color:#5af78e">&#39;name&#39;</span>: <span style="color:#5af78e">&#39;Bug&#39;</span>}, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;priority&#39;</span>: {<span style="color:#5af78e">&#39;name&#39;</span>: <span style="color:#5af78e">&#39;High&#39;</span>} </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> new_issue <span style="color:#ff6ac1">=</span> jira<span style="color:#ff6ac1">.</span>create_issue(fields<span style="color:#ff6ac1">=</span>issue_dict) </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">return</span> new_issue<span style="color:#ff6ac1">.</span>key </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">def</span> <span style="color:#57c7ff">create_jira_issues</span>(report_file, project_key): </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;&#34;&#34;为所有泄露创建Jira问题&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">with</span> <span style="color:#ff5c57">open</span>(report_file) <span style="color:#ff6ac1">as</span> f: </span></span><span style="display:flex;"><span> report <span style="color:#ff6ac1">=</span> json<span style="color:#ff6ac1">.</span>load(f) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">for</span> leak <span style="color:#ff6ac1">in</span> report: </span></span><span style="display:flex;"><span> issue_key <span style="color:#ff6ac1">=</span> create_jira_issue(leak, project_key) </span></span><span style="display:flex;"><span> <span style="color:#ff5c57">print</span>(<span style="color:#5af78e">f</span><span style="color:#5af78e">&#34;Created Jira issue: </span><span style="color:#5af78e">{</span>issue_key<span style="color:#5af78e">}</span><span style="color:#5af78e">&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 使用示例</span> </span></span><span style="display:flex;"><span>create_jira_issues(<span style="color:#5af78e">&#39;gitleaks-report.json&#39;</span>, <span style="color:#5af78e">&#39;SEC&#39;</span>)</span></span></code></pre></div><h4 id="与slack集成">与Slack集成<a class="anchor" href="#%e4%b8%8eslack%e9%9b%86%e6%88%90">#</a></h4> <div class="highlight"><pre tabindex="0" style="color:#e2e4e5;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#78787e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">import</span> json </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">import</span> requests </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">from</span> datetime <span style="color:#ff6ac1">import</span> datetime </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">def</span> <span style="color:#57c7ff">send_slack_notification</span>(webhook_url, message): </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;&#34;&#34;发送Slack通知&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> payload <span style="color:#ff6ac1">=</span> { </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;text&#39;</span>: message, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;username&#39;</span>: <span style="color:#5af78e">&#39;GitLeaks Bot&#39;</span>, </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#39;icon_emoji&#39;</span>: <span style="color:#5af78e">&#39;:shield:&#39;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> response <span style="color:#ff6ac1">=</span> requests<span style="color:#ff6ac1">.</span>post(webhook_url, json<span style="color:#ff6ac1">=</span>payload) </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">return</span> response<span style="color:#ff6ac1">.</span>status_code <span style="color:#ff6ac1">==</span> <span style="color:#ff9f43">200</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">def</span> <span style="color:#57c7ff">create_slack_message</span>(report): </span></span><span style="display:flex;"><span> <span style="color:#5af78e">&#34;&#34;&#34;创建Slack消息&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> total_leaks <span style="color:#ff6ac1">=</span> <span style="color:#ff5c57">len</span>(report) </span></span><span style="display:flex;"><span> high_severity <span style="color:#ff6ac1">=</span> <span style="color:#ff5c57">len</span>([r <span style="color:#ff6ac1">for</span> r <span style="color:#ff6ac1">in</span> report <span style="color:#ff6ac1">if</span> <span style="color:#5af78e">&#39;key&#39;</span> <span style="color:#ff6ac1">in</span> r<span style="color:#ff6ac1">.</span>get(<span style="color:#5af78e">&#39;rule&#39;</span>, <span style="color:#5af78e">&#39;&#39;</span>)<span style="color:#ff6ac1">.</span>lower()]) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> message <span style="color:#ff6ac1">=</span> <span style="color:#5af78e">f</span><span style="color:#5af78e">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> 🚨 *Sensitive Information Leaks Detected* </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> *Scan Time:* </span><span style="color:#5af78e">{</span>datetime<span style="color:#ff6ac1">.</span>now()<span style="color:#ff6ac1">.</span>strftime(<span style="color:#5af78e">&#39;%Y-%m-</span><span style="color:#5af78e">%d</span><span style="color:#5af78e"> %H:%M:%S&#39;</span>)<span style="color:#5af78e">}</span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> *Summary:* </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> • Total Leaks: </span><span style="color:#5af78e">{</span>total_leaks<span style="color:#5af78e">}</span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> • High Severity: </span><span style="color:#5af78e">{</span>high_severity<span style="color:#5af78e">}</span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> *Top Leaks:* </span></span></span><span style="display:flex;"><span><span style="color:#5af78e"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">for</span> leak <span style="color:#ff6ac1">in</span> report[:<span style="color:#ff9f43">5</span>]: </span></span><span style="display:flex;"><span> message <span style="color:#ff6ac1">+=</span> <span style="color:#5af78e">f</span><span style="color:#5af78e">&#34;</span><span style="color:#5af78e">\n</span><span style="color:#5af78e">• </span><span style="color:#5af78e">{</span>leak[<span style="color:#5af78e">&#39;rule&#39;</span>]<span style="color:#5af78e">}</span><span style="color:#5af78e"> in </span><span style="color:#5af78e">{</span>leak[<span style="color:#5af78e">&#39;file&#39;</span>]<span style="color:#5af78e">}</span><span style="color:#5af78e">:</span><span style="color:#5af78e">{</span>leak[<span style="color:#5af78e">&#39;line&#39;</span>]<span style="color:#5af78e">}</span><span style="color:#5af78e">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">if</span> total_leaks <span style="color:#ff6ac1">&gt;</span> <span style="color:#ff9f43">5</span>: </span></span><span style="display:flex;"><span> message <span style="color:#ff6ac1">+=</span> <span style="color:#5af78e">f</span><span style="color:#5af78e">&#34;</span><span style="color:#5af78e">\n</span><span style="color:#5af78e">• ... and </span><span style="color:#5af78e">{</span>total_leaks <span style="color:#ff6ac1">-</span> <span style="color:#ff9f43">5</span><span style="color:#5af78e">}</span><span style="color:#5af78e"> more&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff6ac1">return</span> message </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#78787e"># 使用示例</span> </span></span><span style="display:flex;"><span><span style="color:#ff6ac1">with</span> <span style="color:#ff5c57">open</span>(<span style="color:#5af78e">&#39;gitleaks-report.json&#39;</span>) <span style="color:#ff6ac1">as</span> f: </span></span><span style="display:flex;"><span> report <span style="color:#ff6ac1">=</span> json<span style="color:#ff6ac1">.</span>load(f) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>message <span style="color:#ff6ac1">=</span> create_slack_message(report) </span></span><span style="display:flex;"><span>webhook_url <span style="color:#ff6ac1">=</span> <span style="color:#5af78e">&#39;https://hooks.slack.com/services/YOUR/WEBHOOK/URL&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>send_slack_notification(webhook_url, message)</span></span></code></pre></div><hr> <h2 id="实战案例">实战案例<a class="anchor" href="#%e5%ae%9e%e6%88%98%e6%a1%88%e4%be%8b">#</a></h2> <h3 id="案例1-企业代码库安全审计">案例1: 企业代码库安全审计<a class="anchor" href="#%e6%a1%88%e4%be%8b1-%e4%bc%81%e4%b8%9a%e4%bb%a3%e7%a0%81%e5%ba%93%e5%ae%89%e5%85%a8%e5%ae%a1%e8%ae%a1">#</a></h3> <h4 id="场景描述">场景描述<a class="anchor" href="#%e5%9c%ba%e6%99%af%e6%8f%8f%e8%bf%b0">#</a></h4> <p>对企业代码库进行全面的安全审计,识别所有敏感信息泄露。</p>