Why no use GitLeaks?

[cr0hn]

As a suggestion, instead of reinvent the wheel and create rules and regex from scratch, why no use Gitleaks as part of the project and inherit all their capabilities and builtin rules?

https://github.com/zricethezav/gitleaks

[d3jk]

Hi @cr0hn, thanks for reaching out. We took a look at gitleaks and it seems to provide different functionality than SEDATED, being SEDATED runs as a blocking pre-recieve hook (works server-side) and that is not how gitleaks is intended to be used from what we could see. gitleaks it appears can run as a pre-commit hook, which is great, but that runs client-side and is dependent upon the dev's implementation and could be easily bypassed.

The SEDATED use case boils down to being a lightweight, quick scanner (5 second limitation in GitHub), while gitleaks appears to be more of an offline git repo history scanner. gitleaks could be a great compliment to SEDATED since SEDATED functions as a preventative control to prevent new credentials from getting added to git servers while gitleaks could retroactively go through the git history of repos and flag what is already there.

We also took a look at their rules/regexes and we feel that ours are more comprehensive, however gitleaks did appear to have some rules that we do not have, so we can look at possibly incorporating some of their's into SEDATED.

Are there any rules in particular that you feel SEDATED is missing?