Probes
Bagel uses probes to examine different aspects of your developer environment. Each probe focuses on a specific tool or configuration area and generates findings when it detects security issues.
| Probe | Description | Platforms |
|---|---|---|
| git | Git configuration security | All |
| ssh | SSH configuration and key security | All |
| npm | NPM/Yarn package manager configuration | All |
| cloud | Cloud provider credential files | All |
| env | Environment variables and shell configs | All |
| shell_history | Shell command history | All |
| gh | GitHub CLI authentication | All |
| jetbrains | JetBrains IDE configurations | All |
| ai_cli | AI CLI tool credentials and chat logs | All |
Each probe:
- Locates relevant files using a pre-built file index
- Analyzes configuration for insecure settings
- Runs detectors to find exposed secrets
- Generates findings with actionable remediation guidance
The pre-built file index is cached to speed up subsequent scans by avoiding redundant file system operations. The cache has a TTL of 30 minutes and detects modifications to folders. You can disable the cache with the `--no-cache` flag.
These probes check tool configurations for insecure settings:
- git - SSL verification, credential storage, hooks
- ssh - Host key checking, agent forwarding, key permissions
- npm - SSL verification, registry security
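To make the ssh row concrete, here is an added example (not Bagel's code; the page does not show how Bagel implements its checks) that flags weakened host key checking and agent forwarding in an `ssh_config`, plus an over-permissive private key mode. The sample config, function names and finding format are assumptions made for illustration.

```python
import re
import stat

# Constructed sample ssh_config, not taken from any real system.
SAMPLE_SSH_CONFIG = """\
Host *
    ForwardAgent yes

Host build-box
    StrictHostKeyChecking=off

Host github.com
    StrictHostKeyChecking yes
    ForwardAgent no
"""


def is_weak(option, value):
    """True when an ssh_config option is set to a value that weakens it."""
    option, value = option.lower(), value.lower()
    if option == "stricthostkeychecking":
        return value in ("no", "off")   # host keys accepted without verification
    if option == "forwardagent":
        return value != "no"            # "yes" or an agent socket path enables it
    return False


def scan_ssh_config(text):
    """Return (line_no, scope, option, value) for each weakened setting."""
    findings, scope = [], "(global)"
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Option value" and "Option=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        option, value = parts[0], parts[1].strip('"')
        if option.lower() in ("host", "match"):
            scope = value               # settings below apply to this block
        elif is_weak(option, value):
            findings.append((line_no, scope, option, value))
    return findings


def key_mode_too_open(mode):
    """True if a private key's mode grants any group/other access (e.g. 0o644)."""
    return bool(stat.S_IMODE(mode) & 0o077)
```

In the sample, `ForwardAgent yes` under `Host *` comes first, and OpenSSH uses the first value obtained for each option, so the later `ForwardAgent no` under `github.com` does not take effect.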
These probes scan content for exposed credentials:
- env - Environment variables and .env files
- shell_history - Command history files
- cloud - Cloud provider credential files
- jetbrains - IDE run configurations
- ai_cli - AI CLI credential files and chat logs
These probes check for active authentication sessions:
- gh - GitHub CLI authenticated sessions
You can enable or disable probes in the configuration file:
```yaml
probes:
  shell_history:
    enabled: false  # Skip shell history scanning
  git:
    enabled: true
```
Or via command line:
```bash
# Run only specific probes
bagel scan --probe git,ssh

# Exclude specific probes
bagel scan --exclude-probe shell_history
```