Sometimes, when a CVE comes out or credentials leak, we need to search the code in our Git repositories to find the affected projects. Scanning the code by hand is tedious when there are many projects, especially because GitLab CE does not support code snippet search.
This script iterates over the *.git directories and checks each Git repo with plain git commands. Let's go through it in detail.
Get the files in Git repo
git ls-tree lists the paths of the files tracked in a branch:
git ls-tree -r master --name-only
git show HEAD:file-path prints the content of a tracked file; pipe it through grep to filter on the keyword.
git show HEAD:$f | grep -n -A4 -B4 'nokogiri' ;
Find the related user
If we want to prepare a fix, we need to find the latest author so they can review it.
git log displays the author's e-mail address:
git log -1 --pretty=format:'%ae'
Code scan snippet for Git repos
Combine the commands into the final check script.
## run with bash; "**" needs: shopt -s globstar
for x in **/*.git; do
  ## echo "checking $x"
  pushd "$x" > /dev/null
  while read -r f; do
    ## print matching lines with 4 lines of context
    git show "HEAD:$f" | grep -n -A4 -B4 'nokogiri' ;
    if [ $? == 0 ]; then
      ## e-mail of the author of the latest commit in this repo
      last=`git log -1 --pretty=format:'%ae'`
      printf "found at: $(pwd)/$f\nlast user: $last\n\n"
    fi
  done <<< "`git ls-tree -r master --name-only|grep -E '(Gemfile.lock)'`"
  popd > /dev/null
done
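The same procedure as a reusable shell function, added here as an example and not the script from the original post. It assumes the repositories are bare *.git directories as a Git server stores them, uses HEAD instead of a hard-coded "master" so repos whose default branch is "main" are covered, addresses each repo with --git-dir instead of pushd/popd, and reports the last author of the matching file rather than of the whole repo. The sample repos "app-a.git" and "app-b.git" built by build_sample_repos are constructed test data.

```shell
#!/bin/sh
# Added example: scan bare Git repos under ROOT for a keyword inside tracked
# files whose path matches FILE_REGEX. Not the original post's script.

# scan_git_repos ROOT KEYWORD FILE_REGEX
# Prints one line per hit: <repo path><TAB><file><TAB><last author e-mail>
scan_git_repos() {
    root=$1; keyword=$2; file_regex=$3
    # every directory named *.git below ROOT (bare repos, or a clone's .git)
    find "$root" -type d -name '*.git' | sort | while IFS= read -r repo; do
        # HEAD rather than a branch name; repos without commits are skipped
        git --git-dir="$repo" ls-tree -r HEAD --name-only 2>/dev/null </dev/null \
            | grep -E -- "$file_regex" \
            | while IFS= read -r f; do
                # fixed-string match on the file content at HEAD
                if git --git-dir="$repo" show "HEAD:$f" 2>/dev/null </dev/null \
                        | grep -q -F -- "$keyword"; then
                    # last commit that touched this particular file
                    author=$(git --git-dir="$repo" log -1 --pretty=format:'%ae' -- "$f" </dev/null)
                    printf '%s\t%s\t%s\n' "$repo" "$f" "$author"
                fi
            done
    done
}

# build_sample_repos: constructed sample data for a stand-alone run. Creates a
# temp dir holding two bare repos: app-a.git, whose Gemfile.lock lists nokogiri,
# and app-b.git, whose Gemfile.lock does not. Prints the temp dir path.
build_sample_repos() {
    root=$(mktemp -d)
    for name in app-a app-b; do
        work="$root/work-$name"
        mkdir -p "$work"
        git -C "$work" init -q
        if [ "$name" = app-a ]; then
            printf 'GEM\n  specs:\n    nokogiri (1.0.0)\n' > "$work/Gemfile.lock"
        else
            printf 'GEM\n  specs:\n    rake (1.0.0)\n' > "$work/Gemfile.lock"
        fi
        git -C "$work" add Gemfile.lock
        git -C "$work" -c user.name="Dev $name" -c user.email="$name@example.com" \
            commit -q -m "add lockfile"
        # a bare clone is what a Git server such as GitLab keeps on disk
        git clone -q --bare "$work" "$root/$name.git"
        rm -rf "$work"
    done
    echo "$root"
}

# Usage: "sh scan.sh --demo" builds the sample repos and scans them;
# otherwise source this file and call scan_git_repos ROOT KEYWORD FILE_REGEX.
if [ "${1:-}" = "--demo" ]; then
    root=$(build_sample_repos)
    scan_git_repos "$root" nokogiri 'Gemfile.lock$'
    rm -rf "$root"
fi
```

On a real server, point ROOT at the directory that holds the repositories (for GitLab this is a path under its repositories storage), pass the keyword and a regex for the files worth reading; the output is tab-separated so it can be sorted or fed to a ticketing script.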
For further study, see Version Control with Git: Powerful tools and techniques for collaborative software development.