.png){kind=logo}
Git Sensor User Guide
The Git Sensor User Guide provides instructions for deploying and operating the Git Sensor within the Keyfactor AgileSec Platform. This guide covers supported authentication methods, execution methods, configuration options, and troubleshooting.
Refer to Sensors Architecture and Overview for additional details on sensor architecture, data flows, incremental scanning, and auto-resolution.
Overview
The Git Sensor integrates any Git-based version control system (GitHub, GitLab, Bitbucket, Azure DevOps, etc.) with Keyfactor’s AgileSec Platform. It allows you to discover, inventory, and analyze cryptographic assets across your source code repositories.
Key Features
Universal Git Support: Works with any standard Git repository (cloud or on-premise).
Deep Cryptographic Discovery: Automatically identifies certificates, private keys, keystores, and cryptographic libraries embedded in source code.
Archive Scanning: Extracts and scans archives (ZIP, TAR, etc.) found within the repository.
Incremental Scanning: Efficiently scans only new or modified files in subsequent runs.
Flexible Authentication: Supports username/password and token based authentication.
What Gets Scanned
The sensor clones the target repository (or specific branch) and analyzes all files to discover:
X.509 Certificates: SSL/TLS certificates, code signing certificates, client authentication certificates
Private Keys: RSA, DSA, EC private keys in PEM, DER, and PKCS8 formats
Java Keystores: JKS, JCEKS, PKCS12 keystores
Tokens: JWT and JWE tokens
Cryptographic Libraries: OpenSSL, BouncyCastle, http://cryptography.io , and other crypto implementations
Code Artifacts: Embedded certificates in compiled code (JAR, WAR, EAR files)
Prerequisites
Git Provider Requirements
Requirement | Details |
|---|---|
Protocol | HTTPS required for cloning. |
Access | Network connectivity from the sensor machine to the Git server. |
Git Client | The sensor binary requires |
Remote Execution Requirements
If running the unified sensor remotely using CLI:
Component | Requirement |
|---|---|
Operating System |
|
RAM | 3 GB minimum, 4 GB recommended for large repositories |
Disk Space | Minimum 2x Size of your repository. |
Permissions | Read/Write access to working directory |
Supported Authentication Methods
The Git sensor supports the following authentication methods:
Username/Password Authentication: Authenticate using Git provider credentials with a username and password combination. Suitable for basic authentication scenarios and legacy systems.
Token-based Authentication: Authenticate using personal access tokens (PAT), OAuth tokens, or API tokens provided by the Git provider. Recommended for enhanced security, fine-grained access control, and automated workflows.
Note: If password is provided but username is omitted, the sensor defaults to using "oauth2" as the username.
It is recommended to test your credentials before setting up the sensor:
git clone https://<username>:<password>@github.com/org/repo.gitor
git clone https://oauth2:<token>@github.com/org/repo.gitRequired Access Rights
The Git account must have the following permissions to successfully authenticate to a private repository:
Permission | Scope | Purpose | Required |
|---|---|---|---|
Read/Pull | Repository | Clone, code, and fetch history | ✅ Yes |
Write/Push | Repository | Not required | ❌ No |
Running the Sensor
The Git sensor can be executed using the following methods:
Platform Scan Execution: Configure and execute scans directly though the Keyfactor AgileSec web UI with on-demand or scheduled execution options.
Using API: Programmatically trigger scans through REST API calls, enabling integration with CI/CD pipelines and automation workflows.
Remote Scan Execution: Deploy and run the sensor via CLI on customer-managed infrastructure for scenarios such as:
Scanning air-gapped or internal instances the platform cannot directly reach
Customers wanting to manage their own scheduling and execution environment.
Refer to Sensors Architecture and Overview: Running the Sensor for additional execution and flow details.
Platform Scan Execution
Running the sensor through the user interface is the simplest and fastest way to get started. The platform enables running on-demand or scheduled scans in a dedicated environment.
Platform Scan Configuration
Step 1: Navigate to Sensors Setup Page
1.1 Open your browser and navigate to the Keyfactor AgileSec Platform Web URL
1.2 Log in with your credentials
1.3 Click on "Sensors" in the navigation bar.
Step 2: Select Git Sensor
2.1 Click the "Choose a Sensor" button
2.2 Browse or search for "Git"
2.3 Click on the Git sensor card
This will open the sensor configuration interface.
Step 3: Configure Sensor Parameters
3.1 Fill in the required configuration parameters:
Platform Scan Configuration Fields
Field Name | Display Name | Type | Required | Description | Tooltip |
|---|---|---|---|---|---|
| Git Repo URL | Single-line text | ✅ Yes | The HTTPS URL of the Git repository to scan. |
|
| Branch | Single-line text | ✅ Yes | The branch to scan | Specify branch name |
| Username | Single-line text | ❌ No | Git username for authentication | Leave blank for anonymous |
| Password | Password field | ❌ No | Git password | Leave blank for anonymous |
| Incremental Scan | Boolean | ✅ Yes | Enable to scan only updates since last run. See Incremental Scanning | Default: true |
| Auto-Resolution Interval | Number | ✅ Yes | Number of scans before doing a full-scan. See Incremental Scanning | Only used with incremental scan |
Scan Execution Using API
Scans may be programmatically triggered through REST API calls, enabling seamless integration with CI/CD pipelines, automation workflows, and custom applications. API execution provides flexibility for developers to incorporate cryptographic scanning into their existing development and deployment processes.
Note: For complete API reference, see the API document.
API Access Token
Open your browser and navigate to the AgileSec Platform UI.
Log in with your Keyfactor credentials.
Click "Access Tokens" in the main navigation menu.
Click "Generate Token".
Set Token Type to API Token and provide the required details.
Click "Generate" and copy the generated token.
API Endpoint
POST https://<platform-url>/v3/scan/createRequest Format
Headers
Content-Type: application/json
isg-api-token: <your-api-token>Request Body
The complete request body contains sensor configuration in the sensorConfig field, i.e:
{
"sensorName": "<sensor name>",
"sensorType": "GIT Sensor",
"sensorConfig": {
"giturl": "<git repository url>",
"branch": "<branch>",
"username": "<optional username>",
"password": "<password or token>"
},
"callbackId": "<callback id>",
"labels": [
{
"<label name>": "<label value>"
}
],
"priority": "<priority>",
"incrementalScan": true,
"autoResolutionInterval": 5
}API Field Descriptions
See Platform Scan Configuration Fields.
Remote Scan Execution
Remote Execution Flow allows you to run the sensor on a host using the Unified Sensor binary.
Remote Scan Execution Configuration
Step 1: Download Unified Sensor
1.1 Navigate to AgileSec Platform UI → Sensors → Remote Scan.
1.2 Download the sensor binary for your operating system.
Step 2: Generate Remote Sensor Token
2.1 In the Remote Scan UI, click "Generate Token".
2.2 Copy the generated token.
2.3 Store the token securely in an environment variable or set it in the sensor config:
export SENSOR_TOKEN="your-generated-token"Step 3: Create Configuration File
Create a YAML configuration file (e.g., git-config.yml) with your scan settings. An example configuration can be found in config/sample-configs/git.yml.
Step 4: Run the Sensor
Execute the sensor with your configuration file:
Linux/macOS
BASH# Set environment variables export SENSOR_TOKEN="your-sensor-token" export GIT_PASS="your-git-password" # Run sensor ./unified_sensor_linux -c git-config.ymlWindows (PowerShell)
POWERSHELL# Set environment variables $env:SENSOR_TOKEN = "your-sensor-token" $env:GIT_PASS = "your-git-password" # Run sensor .\\unified_sensor_windows.exe -c .\\git-config.yml
Remote Scan Execution Configuration Examples
Scan All Repos in an Org (Public)
YAMLscan_config: plugins: - isg_git - trigger_discover - export config: isg_git: name: git plugin_config: url: "<https://github.com/myorg/public-repo.git>" branch: "main"Private Repository (With Auth)
YAMLscan_config: plugins: - isg_git - trigger_discover - export config: isg_git: name: git plugin_config: url: "<https://github.com/myorg/public-repo.git>" branch: "main" username: "myuser" password: "${env:GIT_PASS}"Gitlab Example
YAMLscan_config: plugins: - isg_git - trigger_discover - export config: isg_git: name: git plugin_config: url: "<https://gitlab.com/myorg/myrepo.git>" branch: "develop" username: "myuser" password: "${env:GIT_PASS}"
Known Limitations
Binary Scan Limitations
Description: While the sensor scans files, opaque binary blobs without recognized headers may not be deeply analyzed
Troubleshooting
Common Errors
repository not found(404)Cause: The URL is incorrect OR the credentials provided do not have access to the private repository.
Fix: Check the URL.
authentication failed(401)Cause: Invalid credentials.
Fix: Verify the credentials are correct by testing with a manual
git clonecommand.
unable to access(402/Connection Refused)Cause: Network connectivity issue.
Fix: Ensure the machine running the sensor can reach the Git server URL. Check firewalls and proxies.
could not find remote branchCause: The specified branch does not exist on the remote.
Fix: Verify the branch name matches exactly (case-sensitive).
Getting Support
Collect diagnostic information:
Sensor version
Configuration file (redact tokens)
Log output
Git provider details (type, URL, version)
Contact Support:
Portal: https://support.keyfactor.com