a rolling secret gathers no MOSS - @robbkidd
MOSS is the Multi-Organization Secret Scanner. It is designed to scan many repositories across multiple GitHub and GitLab orgs as efficiently as possible. Scanning for secrets is done with Gitleaks.
Organization access tokens (PATs) are passed as environment variables. GitHub tokens take the form `GITHUB_PAT_<orgname>`, and GitLab tokens take the form `GITLAB_PAT_<orgname>`.

So if you're scanning a GitHub org whose orgname is `foo`, you would pass the PAT for the account running the scan as `GITHUB_PAT_foo`.
MOSS looks for these PATs based on the organizations configured in the `github_config.orgs_to_scan` section of the config file documented below.

A sample configuration file with annotations is here.

Care should be taken with `max_concurrency`. Larger values will result in faster scans with increased parallelization, up to the point of instability. 20 seems to be a reasonable default value.
Specific repositories in an organization can be scanned by passing the `-repo` flag to the binary, where `repo` is the HTML URL of the repository. It can be done in the following way:

```sh
# GL_TOKEN holds the GitLab PAT for the account running the scan; it is
# exposed to the container under the GITLAB_PAT_<orgname> name MOSS expects.
docker run --rm \
  -e GITLAB_PAT_someorg="${GL_TOKEN}" \
  -v "$(pwd)"/configs/conf.yml:/usr/src/moss/configs/conf.yml \
  -v "$(pwd)"/configs/gitleaks.toml:/usr/src/moss/configs/gitleaks.toml \
  -v "$(pwd)"/sample_output:/output \
  --name moss_r \
  ghcr.io/livinginsyn/moss:latest -repo=https://gitlab.com/<path_to_repository>
```
The currently supported output formats are `markdown` and `json`. Markdown files are written by default to `/output/output.md`, but the directory where `output.md` is written can be set using an environment variable. JSON files are named `output.json` by default and are also written to the `/output` folder unless overridden.

The output format can be selected with a command-line argument when running moss:

```sh
moss -format=<json|markdown>
```
The following environmental variables may be configured to change the behavior of MOSS:
Variable Name | Required | Description | Default |
---|---|---|---|
MOSS_OUTDIR | False | Sets the directory for MOSS output | /output/{output filename} |
MOSS_DEBUG | False | Enables verbose debug logs | False |
MOSS_CONFDIR | False | Sets the path to the MOSS configuration file | ./configs/conf.yml |
MOSS_GITLEAKSCONF | False | Sets the path to the GitLeaks toml file | ./configs/gitleaks.toml |
MOSS_DEBUG_LIMIT | False | Sets a limit for the number of repos to scan | If not set, it does nothing. If set to an int it is the upper limit, if another string is passed it will default to 10 |
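As an added preflight check (not MOSS's own code) for the token-naming convention described above and the `MOSS_DEBUG_LIMIT` rule in the table: it assumes MOSS is written in Go and that providers are named `github` and `gitlab`; `TokenEnvName`, `MissingTokens` and `DebugLimit` are hypothetical helpers, and the orgs in `main` are constructed sample values.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strconv"
)

// prefixes maps the provider names assumed here to the README's variable prefixes.
var prefixes = map[string]string{"github": "GITHUB_PAT_", "gitlab": "GITLAB_PAT_"}

// TokenEnvName returns the variable MOSS reads for an org, e.g. GITHUB_PAT_foo.
func TokenEnvName(provider, org string) string { return prefixes[provider] + org }

// MissingTokens returns, sorted, the token variables for orgs (provider -> org names)
// that lookup (os.LookupEnv in practice) reports unset or empty.
func MissingTokens(orgs map[string][]string, lookup func(string) (string, bool)) []string {
	var missing []string
	for provider, names := range orgs {
		for _, org := range names {
			if v, ok := lookup(TokenEnvName(provider, org)); !ok || v == "" {
				missing = append(missing, TokenEnvName(provider, org))
			}
		}
	}
	sort.Strings(missing)
	return missing
}

// DebugLimit applies the MOSS_DEBUG_LIMIT rule from the table: unset means no limit
// (ok=false), an integer is the upper limit, any other string falls back to 10.
func DebugLimit(value string, set bool) (limit int, ok bool) {
	if !set {
		return 0, false
	}
	if n, err := strconv.Atoi(value); err == nil {
		return n, true
	}
	return 10, true
}

func main() {
	// Constructed example orgs, checked against the real process environment.
	orgs := map[string][]string{"github": {"foo"}, "gitlab": {"someorg"}}
	if m := MissingTokens(orgs, os.LookupEnv); len(m) > 0 {
		fmt.Println("missing tokens:", m)
		os.Exit(1)
	}
	fmt.Println("all tokens present")
}
```

Running it before `docker run` catches a missing or empty PAT without printing the token value itself.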
Docker is the preferred method for running MOSS. A sample run command would be:

```sh
# GH_TOKEN holds the GitHub PAT for the account running the scan; it is
# exposed to the container under the GITHUB_PAT_<orgname> name MOSS expects.
docker run --rm \
  -e GITHUB_PAT_someorg="${GH_TOKEN}" \
  -v "$(pwd)"/configs/conf.yml:/usr/src/moss/configs/conf.yml \
  -v "$(pwd)"/configs/gitleaks.toml:/usr/src/moss/configs/gitleaks.toml \
  -v "$(pwd)"/sample_output:/output \
  --name moss_r \
  ghcr.io/livinginsyn/moss:latest
```