Instructions for deploying the Git Sensor to scan for cryptographic assets and deliver findings to the AgileSec Platform for processing and analysis.
Overview
The Git Sensor integrates any Git-based version control system (GitHub, GitLab, Bitbucket, Azure DevOps, etc.) with Keyfactor’s AgileSec Platform. This Sensor allows you to discover, inventory, and analyze cryptographic assets in individual source code repositories.
What Gets Scanned
The Git Sensor downloads the target repository (or specific branch) and scans for use of cryptography in source code. The following cryptographic assets can be discovered:
-
X.509 Certificates: SSL/TLS certificates, code signing certificates, client authentication certificates
-
Keys: RSA, DSA, EC asymmetric public keys in PEM, DER, and PKCS8 formats as well as unencrypted private keys
-
Java Keystores: JKS, JCEKS, PKCS12 keystores
-
Tokens: JWT and JWE tokens
-
Cryptographic Libraries: OpenSSL, BouncyCastle, cryptography.io, and other crypto implementations
-
Code Artifacts: Embedded certificates in compiled code (JAR, WAR, EAR files)
Prerequisites
Ensure you meet the following requirements to enable scanning.
Network Access
Ensure HTTPS network connectivity from AgileSec platform or remote execution machine to the Git server.
Git REST API must be accessible.
Git Provider Requirements
|
Requirement |
Details |
|---|---|
|
Protocol |
HTTPS required for cloning. |
|
Access |
Network connectivity from the Sensor machine to the Git server. |
|
Git Client |
|
Supported Authentication Methods
No credentials (Anonymous auth) may be used for public repos if supported by the chosen Git provider.
The Git Sensor supports the following authentication methods for private repos:
-
Username/Password Authentication: Authenticate using Git provider credentials with a username and password combination. Suitable for basic authentication scenarios and legacy systems.
-
Token-based Authentication: Authenticate using personal access tokens (PAT), OAuth tokens, or API tokens provided by the Git provider. Recommended for enhanced security, fine-grained access control, and automated workflows.
Note: If password is provided but username is omitted, the Sensor defaults to using "oauth2" as the username.
Test your credentials before setting up the Sensor:
# Username/Password Auth
git clone https://<username>:<password>@github.com/org/repo.git
or
# Token Auth
git clone https://oauth2:<token>@github.com/org/repo.git
Required Access Rights
The Git account must have the following permissions to successfully authenticate to a private repository:
|
Permission |
Scope |
Purpose |
Required |
|---|---|---|---|
|
Read/Pull |
Repository |
Clone code and fetch history |
✅ Yes |
Remote Execution Requirements
If running the Sensor remotely using CLI, the remote execution machine must meet these requirements:
|
Component |
Requirement |
|---|---|
|
Operating System |
|
|
RAM |
3 GB minimum, 4 GB recommended for large repositories. |
|
Disk Space |
Minimum 2x size of your repository. |
|
Permissions |
Read/write access to remote sensor working directory (remote sensor install location) |
Note: The Remote Sensor binary requires git to be installed and in the PATH
Running the Sensor
AgileSec Git scans can be executed using the following methods:
-
Platform Scan Execution: Configure and execute scans directly through the Keyfactor AgileSec web UI with on-demand or scheduled execution options.
-
API Scan Execution: Programmatically trigger scans through REST API calls, enabling integration with CI/CD pipelines and automation workflows.
-
Remote Scan Execution: Deploy and run the sensor via CLI on customer-managed infrastructure for scenarios such as:
-
Scanning air-gapped or internal instances the platform cannot directly reach
-
Customers wanting to manage their own scheduling and execution environment.
-
Refer to Scan Execution Flows for additional scan execution information.
Configuration Fields
The following parameters are used to configure AgileSec Git scans.
|
Field Name |
UI Display Name |
Type |
Required |
Description |
|---|---|---|---|---|
|
|
Git Repo URL |
String |
✅ Yes |
The HTTPS URL of the Git repository to scan. |
|
|
Branch |
String |
✅ Yes |
Branch to scan. |
|
|
Username |
String |
❌ No |
Git username for authentication. Leave blank for Anonymous or token auth. |
|
|
Password |
String |
❌ No |
Git password/token for authentication. Leave blank for Anonymous auth. |
|
|
Incremental Scan |
Boolean |
✅ Yes Note: for Platform Scan Executions via UI, incremental scan defaults to Yes. |
Enable to scan only updates since last run. See Incremental Scanning. |
|
|
Auto-Resolution Interval |
Number |
✅ Yes
|
Only used when |
Platform Scan Execution
Running scans through the user interface is the simplest and fastest way to get started. The platform enables running on-demand or scheduled scans in a dedicated environment.
Platform Scan Configuration
-
Open your browser and navigate to the Keyfactor AgileSec Platform Web URL
-
Log in with your credentials
-
Click on "Sensors" in the left navigation menu under Scan
-
Click "+ New Sensor".
-
Click on the correct card to open the configuration interface.
Configure Parameters and Start Scan
-
Fill in the required configuration parameters.
-
Click Save.
-
Click Action then Scan to begin a scan.
Note: Click Edit to reconfigure parameters.
API Scan Execution
Scans may be programmatically triggered through REST API calls, enabling seamless integration with CI/CD pipelines, automation workflows, and custom applications. API execution provides flexibility for developers to incorporate cryptographic scanning into their existing development and deployment processes.
Note: For complete API reference, see API.
Generate AgileSec API Access Token
-
Open your browser and navigate to AgileSec Platform UI
-
Log in with your Keyfactor credentials
-
Click "Access Tokens" in the main navigation menu
-
Click "Generate Token" button
-
Set Token Type to API Token and provide the required details
-
Click "Generate" and copy the generated token
AgileSec API Endpoint
POST https://<platform-url>/v3/scan/create/
Request Format
Headers
Content-Type: application/json
isg-api-token: <your-api-token>
Request Body
{
"sensorName": "<sensor name>",
"sensorType": "GIT Sensor",
"sensorConfig": {
"giturl": "<git repository url>",
"branch": "<branch>",
"username": "<optional username>",
"password": "<password or token>"
},
"callbackId": "<callback id>",
"labels": [
{
"<label name>": "<label value>"
}
],
"priority": "<priority>",
"incrementalScan": true,
"autoResolutionInterval": 5
}
Remote Scan Execution
Scans may be run on remote host machines with the AgileSec Remote Sensor Package.
Download Remote Sensor Package
Generate Platform Token
-
In the Download Remote UI, click "Generate Token"
-
Copy the generated token
-
Store securely in an environment variable such as
SENSOR_TOKEN:export SENSOR_TOKEN="your-generated-token"
Create Configuration File
Create a YAML configuration file (e.g., git-config.yml) with your scan settings. An example configuration can be found in config/sample-configs/git.yml.
Step 4: Run the Sensor
Execute the Sensor with your configuration file:
-
Linux
Bash# Set environment variables export SENSOR_TOKEN="your-sensor-token" export GIT_PASS="your-git-password" # Run Sensor ./unified_sensor_linux -c git-config.yml
Remote Scan Execution Configuration Examples
-
Scan All Repos in an Org (Public)
YAMLscan_config: plugins: - isg_git - trigger_discover - export config: isg_git: name: git plugin_config: url: "<https://github.com/myorg/public-repo.git>" branch: "main" -
Private Repository (With Auth)
YAMLscan_config: plugins: - isg_git - trigger_discover - export config: isg_git: name: git plugin_config: url: "<https://github.com/myorg/public-repo.git>" branch: "main" username: "myuser" password: "${env:GIT_PASS}" -
Gitlab Example
YAMLscan_config: plugins: - isg_git - trigger_discover - export config: isg_git: name: git plugin_config: url: "<https://gitlab.com/myorg/myrepo.git>" branch: "develop" username: "myuser" password: "${env:GIT_PASS}"
Known Limitations
Binary Scan Limitations
While the Sensor scans files, opaque binary blobs without recognized headers may not be deeply analyzed
Troubleshooting Common Errors
-
repository not found(404)-
Cause: The URL is incorrect OR the credentials provided do not have access to the private repository.
-
Fix: Check the URL.
-
-
authentication failed(401)-
Cause: Invalid credentials.
-
Fix: Verify the credentials are correct by testing with a manual
git clonecommand.
-
-
unable to access(402/Connection Refused)-
Cause: Network connectivity issue.
-
Fix: Ensure the machine running the Sensor can reach the Git server URL. Check firewalls and proxies.
-
-
could not find remote branch-
Cause: The specified branch does not exist on the remote.
-
Fix: Verify the branch name matches exactly (case-sensitive).
-
Getting Support
Collect diagnostic information:
-
Sensor version
-
Configuration file (redact tokens)
-
Log output
-
Git provider details (type, URL, version)
Contact Support
-
Portal: https://support.keyfactor.com