Code scan in Git repos

Motivation

Sometimes, when a CVE comes out or credentials are leaked, we need to check the code in our Git repos to find the related projects. Scanning code in Git is tedious when there are many projects, especially because GitLab does not support code snippet search in the CE version.

This script iterates over the *.git directories and checks each Git repo with git commands. Let's go through it in detail.

Get the files in Git repo

git ls-tree lists the file paths in a branch:

git ls-tree -r master --name-only

File checking

git show HEAD:file-path prints the content of a tracked file; pipe it to grep to filter by keyword.

git show "HEAD:$f" | grep -n -A4 -B4 'nokogiri'

Find the related user

If we want to make a fix, we need to find the latest author to review it.

git log will display the author:

git log -1 --pretty=format:'%ae'

Code scan snippet in Git repos

Combine the commands into the final check script.

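shopt -s globstar  # bash: make ** match nested directories (zsh does this by default)
for x in **/*.git; do
    ## echo "checking $x"
    pushd "$x" > /dev/null || continue
    while read -r f; do
        [ -n "$f" ] || continue  # no Gemfile.lock in this repo
        # grep exits 0 only when the keyword was found in the file
        if git show "HEAD:$f" | grep -n -A4 -B4 'nokogiri'; then
            # author email of the latest commit on HEAD
            last=$(git log -1 --pretty=format:'%ae')
            printf 'found at: %s/%s\nlast user: %s\n\n' "$(pwd)" "$f" "$last"
        fi
    done <<< "$(git ls-tree -r master --name-only | grep -E '(Gemfile.lock)')"
    popd > /dev/null
done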
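
The loop above, generalised into a reusable function as an added example (not the post's own script). The name scan_repos and its three arguments are assumptions; it lists files from HEAD instead of a fixed branch name, skips empty repositories, and reports the author of the last commit that touched each matching file.

```bash
# scan_repos ROOT KEYWORD PATH_REGEX   (hypothetical helper, not from the post)
# Output, one tab-separated line per matching file:
#   repo <TAB> path <TAB> matching line numbers <TAB> last author of that path
scan_repos() (
    root=$1 keyword=$2 path_re=$3
    # '?*.git' matches bare repos such as app.git, not a clone's own .git dir;
    # -prune stops find from descending into a repo once it is found.
    find "$root" -type d -name '?*.git' -prune -print |
    while IFS= read -r repo; do
        # Skip empty repos: HEAD does not point at a commit yet.
        git -C "$repo" rev-parse -q --verify 'HEAD^{commit}' >/dev/null 2>&1 || continue
        # List HEAD (not a hard-coded branch name) so listing and reading agree.
        git -C "$repo" ls-tree -r HEAD --name-only | grep -E -- "$path_re" |
        while IFS= read -r f; do
            # -F: keyword is a fixed string, not a regex; keep only line numbers.
            hits=$(git -C "$repo" show "HEAD:$f" | grep -nF -- "$keyword" |
                   cut -d: -f1 | paste -sd, -)
            [ -n "$hits" ] || continue
            # "-- path" restricts the log to commits that touched this file.
            last=$(git -C "$repo" log -1 --pretty=format:'%ae' HEAD -- "$f")
            printf '%s\t%s\t%s\t%s\n' "$repo" "$f" "$hits" "$last"
        done
    done
)
```

Call it as scan_repos /path/to/repositories nokogiri 'Gemfile\.lock$' and feed the output to cut or awk to build the list of authors to contact.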

For further study, please refer to Version Control with Git: Powerful tools and techniques for collaborative software development.