MOSS

a rolling secret gathers no MOSS - @robbkidd

MOSS is the Multi-Organization Secret Scanner. It is designed to handle scanning many repositories from multiple github orgs as efficiently as possible. Scanning for secrets is done with Gitleaks

Setting Access Tokens

Organization access tokens (PATs) are passed as env vars in the format PAT_<orgname>. So if your orgname is foo you would pass the PAT for the account running the scan as: PAT_foo.

MOSS looks for these PATs based on the organizations configured in the github_config.orgs_to_scan section of the config file documented below.

MOSS Config File

A sample configuration file with annotations is here

Output

The currently supported formats are markdown and json. Markdown files are written by default to /output/output.md but the path where output.md can be written to can be set using an environmental variable.

Json files are named output.json by default and will also be written to the /output folder unless overridden.

Other Environmental Variables

The following environmental variables may be configured to change the behavior of MOSS:

Variable Name	Required	Description	Default
MOSS_OUTDIR	False	Sets the directory for MOSS output	/output/{output filename}
MOSS_DEBUG	False	Enabled verbose debug logs	False
MOSS_CONFDIR	False	Sets the path to the MOSS configuration file	./configs/conf.yml
MOSS_GITLEAKSCONF	False	Sets the path to the GitLeaks toml file	./configs/gitleaks.toml
MOSS_DEBUG_LIMIT	False	Sets a limit for the number of repos to scan	If not set, it does nothing. If set to an int it is the upper limit, if another string is passed it will default to 10

Running with Docker

Docker is the preferred method for running MOSS. A sample run command would be:

docker run --rm \
    -e PAT_someorg=$(GH_TOKEN) \
    -v `pwd`/configs/conf.yml:/usr/src/moss/configs/conf.yml \
    -v `pwd`/configs/gitleaks.toml:/usr/src/moss/configs/gitleaks.toml \
    -v `pwd`/sample_output:/output \
    --name moss_r \
    ghcr.io/livinginsyn/moss:latest

Download

MOSS.zip

MOSS is the Multi-Organization Secret Scanner

MOSS

Setting Access Tokens

MOSS Config File

Output

Other Environmental Variables

Running with Docker

Download

Popular Tag

Related

A Kubernetes mutating webhook that performs templated replacements on Secrets and ConfigMaps using providers like GCP Secret Manager. Simple and flexible secret management.

Proviesec Fuzz Scanner - dir/path web scanner

Audio sample organization via symlinks (WIP)

CLI audit tool for GitHub organization with OPA/Rego

A GitHub Action to audit all your organization's repositories using Reposaur.

A 🍔 "glutton" CLI, which devours repositories within a GitHub organization. Use it with precaution. 👀

🔑 A CLI frontend for Hashicorp Vault's Shamir's Secret Sharing implementation.

Encode public and secret keys from PEM => Cryptocurrency specific formats to derive usable cryptocurrency keys from an HSM or other secure environment

An earthly secret provider for Hashicorp Vault.

Kubernetes config (Secret and ConfigMap) reloader

This scanner will recursively scan paths including archives for spring libraries and classes that are vulnerable to CVE-2022-22965 and CVE-2022-22963.

A port scanner and service detection tool that uses 1000 goroutines at once to scan any hosts's ip or fqdn with the sole purpose of testing your own network to ensure there are no malicious services running.

A "Spring4Shell" vulnerability scanner.

Vulnerability scanner for Spring4Shell (CVE-2022-22965)

Blazing fast SYN port scanner written in Pure Go.

A non-sophisticated logfile scanner writte in go.

🔍🔍 Malware scanner for cloud-native, as part of CI/CD and at Runtime 🔍🔍

Sushi's Internet Protocol Scanner (for Minecraft)

🔍🔍 Malware scanner for cloud-native, as part of CI/CD and at Runtime 🔍🔍

Multithreaded Microsoft SharePoint version / vulnerability scanner