xGitGuard is a tool built by Comcast to keep inadvertently uploaded authentication secrets out of GitHub repositories; it is now available as open-source software.
It can be used to scan GitHub at scale and identify proprietary authentication secrets, specifically passwords, API keys, and tokens. Development teams can use xGitGuard to identify credentials in their own repositories.
xGitGuard uses advanced natural language processing to detect authentication secrets and has one mode for detecting credentials and another for detecting API tokens and keys. The tool follows a six-step process: search GitHub at scale, filter results, detect and extract secrets, identify the developer, validate secrets, and then submit for remediation.
Search: xGitGuard uses primary keywords to find documents related to the organization and secondary keywords to narrow those results to documents that potentially contain secrets.
Filter Results is a query engine within the project that runs multiple queries simultaneously to more rapidly cover the scale of GitHub.
The detect and extract secrets functionality is the project’s core AI model that processes the filtered results for secrets.
The tool also includes other functionalities such as ‘developer identification’, ‘validate secrets’, and ‘submit for remediation’.
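To make the search-filter-extract pipeline described above concrete, here is a small added example in Python. It is not xGitGuard's code and makes no claim about how its NLP model or query engine actually works; it simply shows the shape of the approach: a primary keyword (an organization name, here the constructed `example-org`) decides whether a document is in scope, secondary keywords (`password`, `token`, and so on) pick out candidate assignments, and cheap filters (placeholder values, templated references, a Shannon-entropy floor) discard the obvious non-secrets before anything is handed on for validation. The sample configuration text, keyword lists and threshold are all constructed for this example.

```python
import math
import re
from collections import Counter

# Secondary keywords: names that commonly label a credential (constructed list).
SECONDARY_KEYWORDS = ("password", "passwd", "secret", "api_key", "apikey", "token")

# Values that look like assignments but are clearly not live secrets (constructed list).
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxx", "redacted", "none", "null"}

# key = value / key: value, with an optionally quoted value of at least 6 characters.
ASSIGNMENT_RE = re.compile(
    r"(?P<key>[A-Za-z_][A-Za-z0-9_.\-]*)\s*[:=]\s*['\"]?(?P<value>[^'\"\s,;]{6,})['\"]?"
)


def shannon_entropy(s):
    """Bits per character; random-looking tokens score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mentions_org(text, primary_keywords):
    """Primary-keyword gate: only documents tied to the organization are in scope."""
    lowered = text.lower()
    return any(k.lower() in lowered for k in primary_keywords)


def looks_like_placeholder(value):
    """Drop template references (${VAR}, {{ var }}) and well-known dummy values."""
    if value.startswith("${") or value.startswith("{{"):
        return True
    return value.lower().strip("<>{}$") in PLACEHOLDERS


def find_candidates(text, primary_keywords, min_entropy=3.0):
    """Return candidate secrets as dicts with line number, key, value and entropy."""
    if not mentions_org(text, primary_keywords):
        return []
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGNMENT_RE.finditer(line):
            key = m.group("key")
            if not any(k in key.lower() for k in SECONDARY_KEYWORDS):
                continue  # secondary-keyword filter
            value = m.group("value")
            if looks_like_placeholder(value):
                continue
            entropy = shannon_entropy(value)
            if entropy < min_entropy:
                continue  # too regular to be a generated credential
            results.append(
                {"line": lineno, "key": key, "value": value, "entropy": round(entropy, 2)}
            )
    return results


# Constructed sample document: a deployment config for a fictional organization.
SAMPLE = """\
# constructed sample: deployment config for the example-org payments service
db_host = payments.example-org.internal
db_password = "Tr0ub4dor&3xyz"
api_key = CHANGEME
github_token = ${GITHUB_TOKEN}
slack_token = "xoxb-constructed-0123456789-abcdefghij"
"""

if __name__ == "__main__":
    for hit in find_candidates(SAMPLE, ("example-org",)):
        # Report the location and key only; never echo the full value into logs.
        print(f"line {hit['line']}: {hit['key']} (entropy {hit['entropy']}) -> {hit['value'][:4]}...")
```

Of the five assignments in the sample, only `db_password` and `slack_token` survive: `db_host` fails the secondary-keyword check, `CHANGEME` is a known placeholder, and `${GITHUB_TOKEN}` is a template reference. A real pipeline would then pass the survivors to the validation and developer-identification steps rather than treating the regex hit as proof of a leak.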
Additional details regarding the tool are available here.