Site icon API Security Blog

Leaktopus – Keep Your Source Code Under Control

[![](https://blogger.googleusercontent.com/img/a/AVvXsEjwepVjOYic17vJd7-z6Dxa-PuoPvndyFPkIPiWIrYS5bwapyZQMrmQdBaGNywphCTrmgaLp06COgw8Tcl6XtWYgaY0lOFTqUMTKmHGwig5BTb_3JAyBFcoCg03EcGya4MRuFU0HoQNz_HiE4JaAKz4W8Q8z0mSprDBoN5gOvUjfhdDr1imfC1pQktrwg=w320-h320)]()

Keep your source code under control.

### **Key Features**

* **Plug&Play** – one line installation with Docker.

* **Scan various sources** containing a set of keywords, e.g. `ORGANIZATION-NAME.com`.

Currently supports:

* GitHub
* Repositories
* Gists _(coming soon)_
* Paste sites (e.g., PasteBin) _(coming soon)_
* **Filter results** with a built-in heuristic engine.

* **Enhance results with IOLs** (Indicators Of Leak):

* Secrets in the found sources (including Git repos commits history):
* With [Shhgit]( “Shhgit” ) (using a customized rules list).
* With [TruffleHog]( “TruffleHog” ).
* URIs (Including indication of your organization’s domains)
* Emails (Including indication of your organization’s email addresses)
* Contributors
* Sensitive keywords (e.g., canary token, internal domains)
* Allows to **ignore** public sources, (e.g., “junk” [repositories]( “repositories” ) by web crawlers).

* **OOTB ignore list** of common “junk” sources.

* **Acknowledge a leak**, and only get notified if the source has been modified since the previous scan.

* **Built-in ELK** to search for data in leaks (including full index of Git repositories with IOLs).

* **Notify on new leaks**

* MS Teams Webhook.
* Slack Bot.
* Cortex XSOAR® (by Palo Alto Networks) Integration _(WIP)_.

## Technology Stack

* Fully Dockerized.
* API-first Python Flask backend.
* Decoupled Vue.js (3.x) frontend.
* SQLite DB.
* Async tasks with Celery + Redis queues.

## Prerequisites

* Docker-Compose

## Installation

* Clone the repository
* Create a local .env file

cd Leaktopus
cp .env.example .env

* Edit .env according to your local setup (see the internal comments).
* Run Leaktopus

docker-compose up -d

* Initiate the installation sequence by accessing the installation API. Just open https://{LEAKTOPUS_HOST}:8000/api/install in your browser.
* Check that the API is up and running at https://{LEAKTOPUS_HOST}:8000/up
* The UI should be available at https://{LEAKTOPUS_HOST}:8080

### Using Github App

In addition to the basic personal [access token]( “access token” ) option, Leaktopus supports Github App authentication. Using Github App is recommended due to the increased rate limits.

1. To use Github App authentication, you need to create a Github App and install it on your organization/account. See [Github’s documentation]( “Github’s documentation” ) for more details.

2. After creating the app, you need to set the following environment variables:

* `GITHUB_USE_APP=True`
* `GITHUB_APP_ID`
* `GITHUB_INSTALLATION_ID` – The installation id can be found in [your app installation]( “your app installation” ).
* `GITHUB_APP_PRIVATE_KEY_PATH` (defaults to `/app/private-key.pem`)
3. Mount the private key file to the [container]( “container” ) (see `docker-compose.yml` for an example). `./leaktopus_backend/private-key.pem:/app/private-key.pem`

_* Note that `GITHUB_ACCESS_TOKEN` will be ignored if `GITHUB_USE_APP` is set to `True`._

## Updating Leaktopus

If you wish to update your Leaktopus version (pulling a newer version), just follow the next steps.

* Pull the latest version.

git pull

* Rebuild Docker images (data won’t be deleted).

# Force image recreation
docker-compose up –force-recreate –build

* Run the DB update by calling its API (should be required after some updates). https://{LEAKTOPUS_HOST}/api/updatedb

## Results Filtering Heuristic Engine

The built-in heuristic engine is filtering the search results to reduce false positives by:

* Content:
* More than X emails containing non-organizational domains.
* More than X URIs containing non-organizational domains.
* Metadata:
* More than X stars.
* More than X forks.
* Sources ignore list.

## API Documentation

OpenAPI documentation is available in https://{LEAKTOPUS_HOST}:8000/apidocs.

## Leaktopus Services

Service | Port | Mandatory/Optional
—|—|—
Backend (API) | 8000 | Mandatory
Backend (Worker) | N/A | Mandatory
Redis | 6379 | Mandatory
Frontend | 8080 | Optional
Elasticsearch | 9200 | Optional
Logstash | 5000 | Optional
Kibana | 5601 | Optional

_The above can be customized by using a custom docker-compose.yml file._

## Security Notes

As for now, Leaktopus does not provide any [authentication]( “authentication” ) mechanism. Make sure that you are not [exposing]( “exposing” ) it to the world, and doing your best to **restrict access to your Leaktopus instance(s)**.

## Contributing

Contributions are very welcomed.

Please follow our [contribution guidelines and documentation]( “contribution guidelines and documentation” ).

**[Download Leaktopus]( “Download Leaktopus” )**Read More

Exit mobile version