github.com/pierrelalanne/src-fingerprint
The purpose of src-fingerprint is to provide an easy way to extract git-related information (namely all file SHAs of a repository) from your hosted source version control system.
This util supports 3 main version control systems: GitHub, GitLab and Bitbucket.
If you're using Homebrew you can add GitGuardian's tap and then install src-fingerprint. Just run the following commands:
brew tap gitguardian/tap
brew install src-fingerprint
Deb and RPM packages are available on Cloudsmith.
Setup instructions:
Open a PowerShell prompt and run this command:
iwr -useb https://raw.githubusercontent.com/GitGuardian/src-fingerprint/main/scripts/windows-installer.ps1 | iex
The script asks for the installation directory. To install silently, use these commands instead:
iwr -useb https://raw.githubusercontent.com/GitGuardian/src-fingerprint/main/scripts/windows-installer.ps1 -Outfile install.ps1
.\install.ps1 C:\Destination\Dir
rm install.ps1
Note that src-fingerprint requires Unix commands such as bash to be available, so it runs better from a "Git Bash" prompt.
You can also download the archives directly from the releases page.
You need Go installed and GOBIN in your PATH. Once that is done, run the command:
$ go get -u github.com/gitguardian/src-fingerprint/cmd/src-fingerprint
Creating a token for your provider:
GitHub: click "Generate a new token" and tick the "repo" box. This is the only scope we need. Click "Generate token". The token will only be available at this time, so make sure you keep it in a safe place.
GitLab: go to "Access Tokens" and tick the "read repository" box. This is the only scope we need. You can set an end date for the token validity if you want more security. Click "Create personal token". The token will only be available at this time, so make sure you keep it in a safe place.
The output format can be chosen between jsonl, json, gzip-jsonl and gzip-json with the option --export-format.
The default format is gzip-jsonl to minimize the size of the output file.
The default output filepath is ./fingerprints.jsonl.gz. Use --output to override this behavior.
Also, note that if you download fingerprints for the repositories of a big organization, src-fingerprint processes no more than 100 repositories by default. You can override this limit with the option --limit; a limit of 0 will process all repos of the organization.
Here is an example of some lines of a .jsonl format output:
{"repository_name":"src-fingerprint","private":false,"sha":"a0c16efce5e767f04ba0c6988d121147099a17df","type":"blob","filepath":".env.example","size":"31"}
{"repository_name":"src-fingerprint","private":false,"sha":"d425eb0f8af66203dbeef50c921ea5bff0f2acba","type":"blob","filepath":".github/workflows/tag.yml","size":"882"}
{"repository_name":"src-fingerprint","private":false,"sha":"c7f341033d78474b125dd56d8adaa3f0fc47faf2","type":"blob","filepath":".github/workflows/test.yml","size":"899"}
{"repository_name":"src-fingerprint","private":false,"sha":"f4409d88950abd4585d8938571864726533a7fa5","type":"blob","filepath":".gitignore","size":"356"}
{"repository_name":"src-fingerprint","private":false,"sha":"f733f951ace2e032c270d2f3cf79c2efb8187b5b","type":"blob","filepath":".gitlab-ci.yml","size":"85"}
{"repository_name":"src-fingerprint","private":false,"sha":"d17ae66a017477bc65a2f433bf23d551ffc6bd75","type":"blob","filepath":".golangci.yml","size":"1196"}
{"repository_name":"src-fingerprint","private":false,"sha":"ee08a617cfb1c63c1c55fa4cb15e8bac0095346f","type":"blob","filepath":".goreleaser.yml","size":"2127"}
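As an added example (not code from the src-fingerprint project), the following Python script shows how such an export is consumed: it indexes a jsonl or gzip-jsonl export by sha, recomputes the git blob object id of local files and reports which exported repository files have identical content. It assumes the "sha" field holds the git blob id; the sample export and file contents are constructed.

```python
import gzip, hashlib, json, tempfile
from collections import defaultdict
from pathlib import Path

def git_blob_sha(data: bytes) -> str:
    """Git blob object id: SHA-1 over "blob <size>\\0" + content (assumed to be
    what the export's "sha" field holds for records of type "blob")."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def load_fingerprints(path: str) -> dict:
    """Index an export as sha -> list of blob records; .jsonl or .jsonl.gz."""
    opener = gzip.open if path.endswith(".gz") else open
    index = defaultdict(list)
    with opener(path, "rt", encoding="utf-8") as fh:
        for line in fh:
            if line.strip():
                rec = json.loads(line)
                if rec.get("type") == "blob":  # trees/commits carry no file content
                    index[rec["sha"]].append(rec)
    return index

def match_files(index: dict, files: dict) -> dict:
    """For each local file (name -> bytes) list "repository:filepath" of every
    exported blob with identical content, i.e. where that file already lives."""
    return {name: [f"{r['repository_name']}:{r['filepath']}"
                   for r in index.get(git_blob_sha(content), [])]
            for name, content in files.items()}

def demo() -> dict:
    """Write a constructed gzip-jsonl export to a temp dir and query it."""
    sample = b"DB_PASSWORD=changeme\n"  # constructed file content, not real data
    records = [
        {"repository_name": "src-fingerprint", "private": False, "type": "blob",
         "sha": git_blob_sha(sample), "filepath": ".env.example", "size": str(len(sample))},
        {"repository_name": "src-fingerprint", "private": False, "type": "tree",
         "sha": "0" * 40, "filepath": "cmd", "size": "0"},  # placeholder sha, skipped
    ]
    with tempfile.TemporaryDirectory() as tmp:
        path = str(Path(tmp) / "fingerprints.jsonl.gz")
        with gzip.open(path, "wt", encoding="utf-8") as fh:
            fh.writelines(json.dumps(r) + "\n" for r in records)
        index = load_fingerprints(path)
    return match_files(index, {"leaked.txt": sample, "other.txt": b"unrelated\n"})

if __name__ == "__main__":
    print(demo())  # {'leaked.txt': ['src-fingerprint:.env.example'], 'other.txt': []}
```

This is the lookup that lets a defender tell whether a file found outside the organization originates from one of its repositories, without shipping the file contents anywhere.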
Note that by default, src-fingerprint will exclude forked repositories from the fingerprints computation. For the GitHub provider, archived repositories and public repositories will also be excluded by default. Use the flags --include-forked-repos, --include-archived-repos or --include-public-repos to change this behavior.
Examples per provider (output goes to ./fingerprints.jsonl.gz; -v prints logs):
GitHub, organization ORG_NAME:
env VCS_TOKEN="<token>" src-fingerprint -v --provider github --object ORG_NAME
GitHub, no --object, including public, forked and archived repositories:
env VCS_TOKEN="<token>" src-fingerprint -v --provider github --include-public-repos --include-forked-repos --include-archived-repos
GitLab, group "GitGuardian-dev-group":
env VCS_TOKEN="<token>" src-fingerprint -v --provider gitlab --object "GitGuardian-dev-group"
GitLab, no --object, including forked repositories:
env VCS_TOKEN="<token>" src-fingerprint -v --provider gitlab --include-forked-repos
Bitbucket, project "GitGuardian Project":
env VCS_TOKEN="<token>" src-fingerprint -v --provider bitbucket --object "GitGuardian Project"
Bitbucket, no --object:
env VCS_TOKEN="<token>" src-fingerprint -v --provider bitbucket
The repository provider allows the processing of a single repository given a git clone URL or a local path:
src-fingerprint -p repository -u 'git@github.com:GitGuardian/gg-shield.git'
src-fingerprint -p repository -u 'https://user:password@github.com/GitGuardian/gg-shield.git'
src-fingerprint -p repository -u 'https://github.com/GitGuardian/gg-shield.git'
src-fingerprint -p repository -u /projects/gitlab/src-fingerprint
src-fingerprint -p repository -u .
GitGuardian src-fingerprint is MIT licensed.