SourceClear has open sourced its Commit Watcher tool which identifies accidental disclosure of sensitive information (SSH keys, AWS credentials, etc.) and security patches for vulnerabilities that are not explicitly disclosed.
In a blog post the company commented, “We initially built Commit Watcher to discover these undisclosed (but public) security patches, which are fed into the Source Clear Registry once they have been verified. When we added the ability to find accidentally disclosed secrets in projects, we realized how valuable this tool can be for every company releasing open source software. Companies can watch their own projects, public and private, for accidental disclosures, and take remedial action as soon as possible.”
Commit Watcher ships with dozens of rules to find commits containing secrets, ranging from credentials for services like Amazon Web Services and Salesforce to SSH keys, API tokens, database dump files, and more. The platform also looks for commits and commit messages that contain keywords often associated with security vulnerabilities.
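To make the two kinds of rule concrete, here is an added example of a minimal commit scanner in Python. It is not Commit Watcher's code and its rule set is hypothetical: a few line-level regexes for secret material (an AWS access key ID prefix, a PEM private-key header, a generic `api_key=` assignment), one path-level rule for database dumps, and a keyword rule for commit messages that hint at silent security fixes. The commits it scans are constructed inline (the `AKIAIOSFODNN7EXAMPLE` value is AWS's own documentation example key, not a real credential), and matched secrets are redacted before they reach the report so the scanner does not leak what it found.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Rules applied to each added line of a diff. Illustrative patterns only
# (hypothetical rule set, not Commit Watcher's own rules).
LINE_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "generic_api_token": re.compile(
        r"(?i)\b(?:api[_-]?key|auth[_-]?token|secret)\b\s*[:=]\s*[\'\"]?[A-Za-z0-9_\-]{20,}"),
}

# Rules applied to the paths a commit touches (e.g. a checked-in DB dump).
PATH_RULES = {
    "db_dump_file": re.compile(r"\.(?:sql|dump)$", re.IGNORECASE),
}

# Commit-message keywords that frequently accompany undisclosed security fixes.
VULN_KEYWORDS = re.compile(
    r"(?i)\b(?:CVE-\d{4}-\d{4,}|xss|sql injection|buffer overflow|"
    r"security (?:fix|issue)|remote code execution|rce)\b")


@dataclass(frozen=True)
class Commit:
    sha: str
    message: str
    added: Dict[str, List[str]]  # path -> lines added by the diff


@dataclass(frozen=True)
class Finding:
    sha: str
    rule: str
    location: str  # "message", a path, or "path:lineno"
    excerpt: str   # redacted match, so the report does not re-leak the secret


def redact(match: str, keep: int = 4) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return match[:keep] + "*" * max(len(match) - keep, 0)


def scan_commit(commit: Commit) -> List[Finding]:
    findings: List[Finding] = []
    m = VULN_KEYWORDS.search(commit.message)
    if m:
        findings.append(Finding(commit.sha, "vuln_keyword", "message", m.group(0)))
    for path, lines in commit.added.items():
        for name, rx in PATH_RULES.items():
            if rx.search(path):
                findings.append(Finding(commit.sha, name, path, path))
        for lineno, line in enumerate(lines, 1):
            for name, rx in LINE_RULES.items():
                m = rx.search(line)
                if m:
                    findings.append(Finding(commit.sha, name, f"{path}:{lineno}",
                                            redact(m.group(0))))
    return findings


def scan_history(commits: List[Commit]) -> List[Finding]:
    return [f for c in commits for f in scan_commit(c)]


# Constructed sample history; SHAs and contents are made up for the demo.
SAMPLE_COMMITS = [
    Commit("a1b2c3d", "Add deploy config",
           {"config/deploy.yml": ["aws_access_key_id: AKIAIOSFODNN7EXAMPLE",
                                  "region: us-east-1"]}),
    Commit("b2c3d4e", "Fix XSS in comment renderer",
           {"app/render.py": ["return escape(comment)"]}),
    Commit("c3d4e5f", "Bump version",
           {"backups/users.sql": ["INSERT INTO users VALUES (1, 'alice');"],
            "id_rsa": ["-----BEGIN RSA PRIVATE KEY-----"]}),
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_COMMITS):
        print(f"{f.sha} {f.rule:<18} {f.location}: {f.excerpt}")
```

Run as a script it reports four findings across the three constructed commits: the AWS key ID, the XSS keyword in the message, the `.sql` dump path, and the private-key header. A real deployment would feed it commits from a git hook or a repository poll and route findings into triage rather than printing them.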