Constants ¶
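const (
	// EnvVarSecret is a secret that was found in an
	// environment variable.
	EnvVarSecret SecretSource = "environment variable"
	// BuildArgSecret is a secret that was found within
	// a supplied build argument.
	BuildArgSecret SecretSource = "build argument"
	// FileSecret is a secret that was found within the
	// contents of a file.
	FileSecret SecretSource = "file content"
	// FileSystem is a secret that is just an entire file,
	// identified by its path or name (e.g. terraform.tfstate).
	// The SecretSource type is given explicitly on every constant: in the
	// original only the first was typed and the rest were untyped string
	// constants, which silently diverges if SecretSource ever becomes a
	// defined type instead of an alias.
	FileSystem SecretSource = "file path"
)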
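const (
	// RegexDetection is a detection that identifies secrets using a list
	// of regular expressions.
	RegexDetection DetectionType = "regular expression"
	// EntropyDetection is a detection that identifies secrets by
	// calculating the entropy of a string, and checking if that entropy is
	// greater than a given threshold.
	EntropyDetection DetectionType = "entropy"
	// FileDetection is a detection that identified a secret by the path or
	// name of a file (e.g. terraform.tfstate).
	// Every constant carries the DetectionType type explicitly; the original
	// typed only the first one and left the others as untyped strings.
	FileDetection DetectionType = "file"
)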
Variables ¶
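// DefaultPatterns is the list of patterns the detector uses unless the caller
// supplies its own.
//
// Repairs relative to the previous list (each of these could not match the
// token it is named for):
//   - MailChimp: "{ 32 }" with spaces is parsed by RE2 as a literal "{ 32 }",
//     not a repetition, so the old pattern only matched that literal text.
//   - Amazon MWS: "10-9a-f1{4}" and "[0-9a,]{4}" were garbled "[0-9a-f]{4}"
//     groups of a UUID.
//   - Braintree: "\,", "{161}" and "[0-9a,]" were garbled; reconstructed as
//     access_token$production$<16 chars>$<32 hex>.
//     NOTE(review): confirm against the current Braintree token format.
//   - The Twitter "@handle" entry was a JavaScript regex literal including its
//     "/" delimiters; it could not match real input and a handle is not a
//     secret, so it is dropped.
//   - GitHub tokens are bounded with \b instead of ^…$ so a token embedded in
//     file content (e.g. "GITHUB_TOKEN=ghp_…") is found; ^…$ without (?m)
//     only matched a value consisting of the token alone.
//   - Exact duplicate entries (Mapbox, Stripe) are removed so one value no
//     longer yields two identical detections.
//
// Several remaining patterns are very broad (any 24- or 40-character
// alphanumeric string, any UUID, any 125-character string) and will flag
// non-secret values; treat those matches as candidates to confirm, not as
// verified secrets. They are kept unchanged so existing detections are not
// lost.
var DefaultPatterns = []Pattern{
	{RegExp: regexp.MustCompile(`[1-9][0-9]+-[0-9a-zA-Z]{40}`), Name: "Twitter"},
	{RegExp: regexp.MustCompile(`EAACEdEose0cBA[0-9A-Za-z]+`), Name: "Facebook"},
	// Broad: any 125-character alphanumeric run.
	{RegExp: regexp.MustCompile(`[A-Za-z0-9]{125}`), Name: "Facebook"},
	{RegExp: regexp.MustCompile(`[0-9a-fA-F]{7}\.[0-9a-fA-F]{32}`), Name: "Instagram"},
	{RegExp: regexp.MustCompile(`AIza[0-9A-Za-z-_]{35}`), Name: "Google"},
	// Broad: any 24-character token-like run.
	{RegExp: regexp.MustCompile(`[0-9a-zA-Z\-_]{24}`), Name: "Google"},
	{RegExp: regexp.MustCompile(`4/[0-9A-Za-z\-_]+`), Name: "Google"},
	{RegExp: regexp.MustCompile(`1/[0-9A-Za-z\-_]{43}|1/[0-9A-Za-z\-_]{64}`), Name: "Google"},
	{RegExp: regexp.MustCompile(`ya29\.[0-9A-Za-z\-_]+`), Name: "Google"},
	// GitHub token families; word boundaries are safe because the token
	// alphabet is entirely word characters.
	{RegExp: regexp.MustCompile(`\bghp_[a-zA-Z0-9]{36}\b`), Name: "GitHub"},
	{RegExp: regexp.MustCompile(`\bgithub_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}\b`), Name: "GitHub"},
	{RegExp: regexp.MustCompile(`\bgho_[a-zA-Z0-9]{36}\b`), Name: "GitHub"},
	{RegExp: regexp.MustCompile(`\bghu_[a-zA-Z0-9]{36}\b`), Name: "GitHub"},
	{RegExp: regexp.MustCompile(`\bghs_[a-zA-Z0-9]{36}\b`), Name: "GitHub"},
	{RegExp: regexp.MustCompile(`\bghr_[a-zA-Z0-9]{36}\b`), Name: "GitHub"},
	// Mapbox secret (sk.) and public (pk.) tokens; "[s,p]" in the original
	// also admitted a literal comma, which was never intended.
	{RegExp: regexp.MustCompile(`([sp]k.eyJ1Ijoi[\w\.-]+)`), Name: "Mapbox"},
	{RegExp: regexp.MustCompile(`R_[0-9a-f]{32}`), Name: "Foursquare"},
	// Picatic and Stripe share the sk_live_ prefix; a 32-character Picatic
	// key also satisfies the 24-character Stripe pattern, so both may fire.
	{RegExp: regexp.MustCompile(`sk_live_[0-9a-z]{32}`), Name: "Picatic"},
	{RegExp: regexp.MustCompile(`sk_live_[0-9a-zA-Z]{24}`), Name: "Stripe"},
	{RegExp: regexp.MustCompile(`sqOatp-[0-9A-Za-z\-_]{22}`), Name: "Square"},
	{RegExp: regexp.MustCompile(`q0csp-[0-9A-Za-z\-_]{43}`), Name: "Square"},
	{RegExp: regexp.MustCompile(`access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}`), Name: "Paypal / Braintree"},
	{RegExp: regexp.MustCompile(`amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`), Name: "Amazon Marketing Services"},
	{RegExp: regexp.MustCompile(`55[0-9a-fA-F]{32}`), Name: "Twilio"},
	{RegExp: regexp.MustCompile(`key-[0-9a-zA-Z]{32}`), Name: "MailGun"},
	{RegExp: regexp.MustCompile(`[0-9a-f]{32}-us[0-9]{1,2}`), Name: "MailChimp"},
	{RegExp: regexp.MustCompile(`xoxb-[0-9]{11}-[0-9]{11}-[0-9a-zA-Z]{24}`), Name: "Slack"},
	{RegExp: regexp.MustCompile(`xoxp-[0-9]{11}-[0-9]{11}-[0-9a-zA-Z]{24}`), Name: "Slack"},
	{RegExp: regexp.MustCompile(`xoxe.xoxp-1-[0-9a-zA-Z]{166}`), Name: "Slack"},
	{RegExp: regexp.MustCompile(`xoxe-1-[0-9a-zA-Z]{147}`), Name: "Slack"},
	// Slack incoming-webhook path.
	{RegExp: regexp.MustCompile(`T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}`), Name: "Slack"},
	// AWS access key IDs (AKIA long-term, ASIA temporary).
	{RegExp: regexp.MustCompile(`A[KS]IA[0-9A-Z]{16}`), Name: "Amazon Web Services"},
	// Broad: any 40-character base64-ish run (shape of an AWS secret key).
	{RegExp: regexp.MustCompile(`[0-9a-zA-Z/+]{40}`), Name: "Amazon Web Services"},
	// Broad: partial-UUID shape; identical to the second Heroku pattern
	// below, so a match is reported under both names.
	{RegExp: regexp.MustCompile(`[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`), Name: "Google Cloud Platform"},
	{RegExp: regexp.MustCompile(`[A-Za-z0-9_]{21}--[A-Za-z0-9_]{8}`), Name: "Google Cloud Platform"},
	// Broad: any RFC 4122-shaped UUID.
	{RegExp: regexp.MustCompile(`[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`), Name: "Heroku"},
	{RegExp: regexp.MustCompile(`[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`), Name: "Heroku"},
}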
DefaultPatterns is the list of patterns the detector includes by default. Several of its entries are very broad (for example any 24- or 40-character alphanumeric string, or any UUID) and will also match values that are not secrets, so a match from those patterns should be treated as a candidate to confirm rather than a verified secret.
Types ¶
type Detection ¶
type Detection struct {
	// Type is the DetectionType of this secret, or rather
	// how this secret was detected (one of the RegexDetection,
	// EntropyDetection or FileDetection constants).
	Type DetectionType `json:"type"`
	// Name is the name of the secret, i.e. what does
	// the secret itself belong to/represent
	// i.e. AWS Access Token, GitLab API Key
	Name string `json:"name"`
	// Location is the line in the docker file or
	// filesystem path where the secret was found
	Location string `json:"location"`
	// Value is the actual value of the secret.
	// It is serialized unredacted (json:"value"), so any report or log built
	// from a Detection contains the live credential and must be handled as
	// sensitive data; redact or truncate before sharing widely.
	Value string `json:"value"`
	// Source is the SecretSource of where the secret originated from
	// (one of the EnvVarSecret, BuildArgSecret, FileSecret or FileSystem
	// constants).
	Source SecretSource `json:"source"`
}
Detection represents a detected secret. Because Value holds the secret itself, a serialized Detection is sensitive data and should be stored and transmitted accordingly.
type DetectionType ¶
// DetectionType is declared with "=", so it is an alias of string rather than
// a distinct defined type: any string is accepted where a DetectionType is
// expected and no compile-time check restricts it to the RegexDetection,
// EntropyDetection and FileDetection constants.
type DetectionType = string
DetectionType is the method by which the secret was found
type Detector ¶
type Detector interface {
	// EvalBuildArgs will attempt to detect any
	// secrets in the given build arguments of an image.
	// It will return a list of Detection representing the
	// detected secrets found; each Detection carries the
	// matched value in its Value field.
	EvalBuildArgs([]image.BuildArg) []Detection
	// EvalEnvVars will attempt to detect any
	// secrets in the given environment variables of an image.
	// It will return a list of Detection representing the
	// detected secrets found.
	EvalEnvVars([]image.EnvVar) []Detection
	// String returns the formatted name of the detector.
	String() string
	// NOTE(review): the interface exposes only build-argument and
	// environment-variable evaluation, while NewRegexDetector is documented
	// as also searching file contents; confirm where file-content results
	// surface, as they are not reachable through this interface.
}
func NewRegexDetector ¶
NewRegexDetector constructs a new Detector that searches all environment variables, build arguments and contents of files on the file system for strings that match any of the given Patterns. Patterns anchored with ^ and $ only match a value that consists entirely of the secret, so prefer unanchored or \b-bounded expressions when secrets may be embedded in longer strings such as file contents.
type Pattern ¶
type Pattern struct {
	// RegExp is the compiled regular expression to search for.
	// Because RE2 has no lookaround, context must be expressed in the
	// pattern itself; an expression anchored with ^/$ only matches a value
	// that is exactly the secret.
	RegExp *regexp.Regexp
	// Name is a human-readable name of the secret the expression
	// searches for (i.e. AWS Secret Key, OAuth token, etc.). It is the
	// label reported for a match, so keep it specific enough to triage.
	Name string
}
Pattern is a named regular expression that the Regexp detector searches for in a docker image's environment variables, file contents and build arguments.
type Regexp ¶
// Regexp is a Detector implementation that matches values against a set of
// Pattern regular expressions. Obtain one via NewRegexDetector; its fields
// are unexported, so it cannot be configured directly.
type Regexp struct {
	// contains filtered or unexported fields
}
Regexp is a Detector implementation that detects secrets using regular expressions.
func (Regexp) EvalBuildArgs ¶
EvalBuildArgs evaluates the build arguments and reports each one whose value matches one of the configured Patterns. Build arguments are baked into image metadata, so a secret passed this way is recoverable by anyone who can pull the image.
func (Regexp) EvalEnvVars ¶
EvalEnvVars evaluates the environment variables and reports each one whose value matches one of the configured Patterns.
type SecretSource ¶
// SecretSource is declared with "=", so it is an alias of string rather than
// a distinct defined type; the EnvVarSecret, BuildArgSecret, FileSecret and
// FileSystem constants are the expected values but are not enforced by the
// compiler.
type SecretSource = string
SecretSource represents the source of where the secret was found within the image