README
¶
Veles: secret scanning
Veles – Slavic god, a permanent guardian on the border of the worlds, a spiritual mentor, he knows all the secrets of the universe.
Veles is a standalone library for secret scanning that ships as part of Scalibr. It can detect and (where possible) validate credentials and other things colloquially referred to as "secrets".
The API is designed to make it easy to add new Detectors and corresponding Validators. The DetectionEngine is deliberately kept simple for now. In the future, if Veles supports hundreds or thousands of credential types, the engine might require optimization (e.g. using the Aho-Corasick algorithm).
It can be used via Scalibr via the corresponding extractor and enricher. Some parts of that integration are still under development.
Documentation
¶
Overview ¶
Package veles is a standalone secret scanning library.
Index ¶
- Constants
- func AddGenericValidator(e *ValidationEngine, v GenericValidator, typ reflect.Type) bool
- func AddValidator[S Secret](e *ValidationEngine, v Validator[S]) bool
- type DetectionEngine
- type DetectionEngineOption
- type Detector
- type GenericValidator
- type Secret
- type ValidationEngine
- type ValidationEngineOption
- type ValidationStatus
- type Validator
Constants ¶
const ( // KiB is one binary Kilobyte (Kibibyte) i.e. 1024 bytes. KiB = 1 << 10 // MiB is one binary Megabyte (Mibibyte). MiB = 1 << 20 // GiB is one binary Gigabyte (Gibibyte). GiB = 1 << 30 // MinReadLen is the minimum buffer size for reading chunks from an io.Reader. MinReadLen = 64 * KiB // MinRetainLen is the minimum number of bytes from the end of a chunk to // retain to avoid false negatives from Secrets overlapping the edge of two // chunks. MinRetainLen = 1 * KiB )
Variables ¶
This section is empty.
Functions ¶
func AddGenericValidator ¶ added in v0.3.4
func AddGenericValidator(e *ValidationEngine, v GenericValidator, typ reflect.Type) bool
AddGenericValidator adds a new GenericValidator for a concrete Secret type typ to the engine.
Returns whether there was already a GenericValidator in place that now got replaced.
func AddValidator ¶
func AddValidator[S Secret](e *ValidationEngine, v Validator[S]) bool
AddValidator adds a new Validator for a concrete Secret type S to the engine.
Returns whether there was already a Validator in place that now got replaced.
Types ¶
type DetectionEngine ¶
type DetectionEngine struct {
// contains filtered or unexported fields
}
DetectionEngine combines multiple Veles Detectors into a single engine that can read from an io.Reader. It outputs the results of applying all Detectors to that stream.
Future optimizations might change how the engine works under the hood but its API should stay stable. It makes no guarantee about the order in which Secrets are found so calling code should not depend on it.
func NewDetectionEngine ¶
func NewDetectionEngine(ds []Detector, opts ...DetectionEngineOption) (*DetectionEngine, error)
NewDetectionEngine creates a new DetectionEngine with the given Detectors.
This will choose sensible defaults for the internal buffers but those can be overridden via DetectionEngineOptions if needed.
Returns an error if no detectors are provided or if the retain buffer would be too small to accommodate the detectors.
func (*DetectionEngine) Detect ¶
Detect reads from an io.Reader and returns the results of applying all of the DetectionEngine's Detectors to that stream.
It reads the input stream in chunks making sure that no matches are accidentally missed at the edges between chunks.
The secrets are returned in no particular order and calling code should not depend on it (hyrumslaw.com).
An error is returned if the provided context is done or if the io.Reader returned any error other than io.EOF.
type DetectionEngineOption ¶
type DetectionEngineOption func(*DetectionEngine)
DetectionEngineOption is an option to configure a DetectionEngine during creation via NewDetectionEngine.
This allows user to fine tune the engine by overriding its defaults. For most use-cases, the defaults should be sensible enough.
func WithReadLen ¶
func WithReadLen(readLen uint32) DetectionEngineOption
WithReadLen overrides the buffer size used for reading chunks from io.Reader.
The value can be smaller than MinReadLen.
func WithRetainLen ¶
func WithRetainLen(retainLen uint32) DetectionEngineOption
WithRetainLen overrides the buffer size used for keeping parts of a previous read to avoid false negatives at the edge of two neighboring chunks.
These should usually be small against readLen. While it's technically possible to have retainLen > readLen, that doesn't make a lot of semantic sense and should be avoided.
type Detector ¶
type Detector interface {
// MaxSecretLen is the maximum length a secret from this detector can have.
//
// It can be set to 0 but then the detector isn't guaranteed any minimum input
// length and should instead implement its own mechanism to ensure it can find
// its secrets; i.e. maintain an internal buffer.
MaxSecretLen() uint32
// Detect finds Secrets inside data and returns them alongside indices to the
// start of the corresponding match.
// The latter is only used internally to avoid duplicates.
Detect(data []byte) ([]Secret, []int)
}
Detector finds instances of Secrets inside a chunk of text.
While most commonly a detector will emit one specific type of secret, we also allow for Detectors to return multiple distinct types - thus the []Secret return type.
type GenericValidator ¶ added in v0.3.4
type GenericValidator interface {
Validate(ctx context.Context, s Secret) (ValidationStatus, error)
}
GenericValidator is used to type erase type-erase Validator[S] using a shared interface.
func NewGenericValidator ¶ added in v0.3.4
func NewGenericValidator[S Secret](v Validator[S]) GenericValidator
NewGenericValidator wraps a specific validator around a type-erased one.
type Secret ¶
type Secret any
Secret is a secret that can be found by a Detector and validated by a Validator.
Detectors return slices of Secret and validators accept concrete types. That allows them to be used independently with maximum flexibility.
While the interface is empty, each Secret should be convertible to and from the Veles protocol buffer message format; see the velesproto package. In order to not have the library explicitly depend on protocol buffers, we did not make that requirement part of the interface.
type ValidationEngine ¶
type ValidationEngine struct {
// contains filtered or unexported fields
}
ValidationEngine bundles a number of Validators together.
There can only be one Validator[S] for each concrete S.
func NewValidationEngine ¶
func NewValidationEngine(opts ...ValidationEngineOption) *ValidationEngine
NewValidationEngine creates a new ValidationEngine that bundles a number of Validators together.
Validators are provided via the WithValidator ValidationEngineOption.
Returns an error if no Validators are provided or if there are multiple Validators for the same Secret type.
func (*ValidationEngine) Validate ¶
func (e *ValidationEngine) Validate(ctx context.Context, s Secret) (ValidationStatus, error)
Validate validates a given Secret using one of the configured Validators.
If no Validator for the Secret's type is configured, it will return a result with Status ValidationUnsupported. This is not an error because some Secrets might just not have corresponding Validators.
An error is returned if something went wrong during validation, e.g. connection issues or timeouts. In that case ValidationStatus will be ValidationStatusFailed.
type ValidationEngineOption ¶
type ValidationEngineOption func(*ValidationEngine)
ValidationEngineOption is an option that can be used to configure a ValidationEngine at creation via NewValidationEngine.
func WithGenericValidator ¶ added in v0.3.4
func WithGenericValidator(v GenericValidator, typ reflect.Type) ValidationEngineOption
WithGenericValidator configures the ValidationEngine to use the provided type-erased GenericValidator with the secret type explicitly specified.
func WithValidator ¶
func WithValidator[S Secret](v Validator[S]) ValidationEngineOption
WithValidator configures the ValidationEngine to use the provided Validator.
This will fail if a Validator for the given Secret Type S has already been registered with the ValidationEngine.
type ValidationStatus ¶
type ValidationStatus string
ValidationStatus represents the result status of validating a Secret using a corresponding Validator.
const ( // ValidationUnspecified is the default value for ValidationStatus. It should // not be returned by a concrete Validator. // // The value of ValidationUnspecified is the empty string instead of a // meaningful value so it is the automatic default. ValidationUnspecified ValidationStatus = "" // ValidationUnsupported occurs only if a ValidationEngine has no Validator // for a given Secret type. ValidationUnsupported ValidationStatus = "VALIDATION_UNSUPPORTED" // ValidationFailed occurs if a Validator was not able to make a validation // decision because an error occurred. // This will be returned alongside the error so calling code can decide // whether it's worth retrying. ValidationFailed ValidationStatus = "VALIDATION_FAILED" // ValidationInvalid occurs if a validation was successful but the result is // negative: the Secret is not valid. ValidationInvalid ValidationStatus = "VALIDATION_INVALID" // ValidationValid occurs if the validation was successful and the result is // positive: the Secret is valid. ValidationValid ValidationStatus = "VALIDATION_VALID" )
type Validator ¶
type Validator[S Secret] interface { Validate(ctx context.Context, secret S) (ValidationStatus, error) }
Validator is a Validator for the concrete Secret type S.
It is used to validate Secrets of type S and returns the corresponding ValidationStatus or an error (in which case the ValidationStatus is ValidationStatusFailed).
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
secrets
|
|
|
anthropicapikey
Package anthropicapikey contains Veles Secret types and Detectors for Anthropic API keys.
|
Package anthropicapikey contains Veles Secret types and Detectors for Anthropic API keys. |
|
awsaccesskey
Package awsaccesskey contains Veles Secret types and Detectors for AWS access and secret key.
|
Package awsaccesskey contains Veles Secret types and Detectors for AWS access and secret key. |
|
azurestorageaccountaccesskey
Package azurestorageaccountaccesskey contains a Veles Secret type and a Detector for [Azure storage account access key](https://learn.microsoft.com/en-us/purview/sit-defn-azure-storage-account-key-generic)
|
Package azurestorageaccountaccesskey contains a Veles Secret type and a Detector for [Azure storage account access key](https://learn.microsoft.com/en-us/purview/sit-defn-azure-storage-account-key-generic) |
|
azuretoken
Package azuretoken contains a Veles Secret type and a Detector for [Azure Tokens](https://learn.microsoft.com/en-us/entra/identity-platform/security-tokens#token-endpoints-and-issuers).
|
Package azuretoken contains a Veles Secret type and a Detector for [Azure Tokens](https://learn.microsoft.com/en-us/entra/identity-platform/security-tokens#token-endpoints-and-issuers). |
|
circleci
Package circleci contains detectors for CircleCI API credentials.
|
Package circleci contains detectors for CircleCI API credentials. |
|
common/awssignerv4
Package awssignerv4 provides an implementation of AWS Signature Version 4 signing.
|
Package awssignerv4 provides an implementation of AWS Signature Version 4 signing. |
|
common/flatjson
Package flatjson contains facilities to extract credentials that are expressed as a single (flat) JSON object whose values are all strings.
|
Package flatjson contains facilities to extract credentials that are expressed as a single (flat) JSON object whose values are all strings. |
|
common/jwt
Package jwt provides utilities for parsing JSON Web Tokens (JWT).
|
Package jwt provides utilities for parsing JSON Web Tokens (JWT). |
|
common/ntuple
Package ntuple provides a generic mechanism to detect ordered tuples of related secrets (e.g., access key + client ID + client secret) within a raw byte buffer.
|
Package ntuple provides a generic mechanism to detect ordered tuples of related secrets (e.g., access key + client ID + client secret) within a raw byte buffer. |
|
common/pair
Package pair contains common logic to find secret pairs
|
Package pair contains common logic to find secret pairs |
|
common/simpletoken
Package simpletoken contains a Detector for tokens that can be extracted by scanning a byte array with a regular expression.
|
Package simpletoken contains a Detector for tokens that can be extracted by scanning a byte array with a regular expression. |
|
common/simplevalidate
Package simplevalidate contains a Validator for secrets that can be validated with simple HTTP queries and result code comparison.
|
Package simplevalidate contains a Validator for secrets that can be validated with simple HTTP queries and result code comparison. |
|
cratesioapitoken
Package cratesioapitoken contains a Veles Secret type and a Detector for Crates.io API Tokens (prefix `cio`).
|
Package cratesioapitoken contains a Veles Secret type and a Detector for Crates.io API Tokens (prefix `cio`). |
|
cursorapikey
Package cursorapikey contains Veles Secret types and Detectors for Cursor Admin API keys.
|
Package cursorapikey contains Veles Secret types and Detectors for Cursor Admin API keys. |
|
digitaloceanapikey
Package digitaloceanapikey contains a Veles Secret type and a Detector for DigitalOcean API Tokens (prefix `dop_v1_`).
|
Package digitaloceanapikey contains a Veles Secret type and a Detector for DigitalOcean API Tokens (prefix `dop_v1_`). |
|
dockerhubpat
Package dockerhubpat contains a Veles Secret type and a Detector for Docker Hub Personal Access Tokens (prefix `dckr_pat_`).
|
Package dockerhubpat contains a Veles Secret type and a Detector for Docker Hub Personal Access Tokens (prefix `dckr_pat_`). |
|
elasticcloudapikey
Package elasticcloudapikey contains detectors and validators for Elastic Cloud API keys.
|
Package elasticcloudapikey contains detectors and validators for Elastic Cloud API keys. |
|
gcpapikey
Package gcpapikey contains a Veles Secret type and a Detector for [GCP API keys](https://cloud.google.com/api-keys/docs/overview).
|
Package gcpapikey contains a Veles Secret type and a Detector for [GCP API keys](https://cloud.google.com/api-keys/docs/overview). |
|
gcpexpressmode
Package gcpexpressmode contains a Veles Detector for GCP Express Mode API keys.
|
Package gcpexpressmode contains a Veles Detector for GCP Express Mode API keys. |
|
gcpoauth2access
Package gcpoauth2access contains a Veles Secret type and a Detector for GCP OAuth2 access tokens https://cloud.google.com/docs/authentication/token-types#access
|
Package gcpoauth2access contains a Veles Secret type and a Detector for GCP OAuth2 access tokens https://cloud.google.com/docs/authentication/token-types#access |
|
gcpoauth2client
Package gcpoauth2client contains Veles Secret types and Detectors for GCP OAuth2 client credentials.
|
Package gcpoauth2client contains Veles Secret types and Detectors for GCP OAuth2 client credentials. |
|
gcpsak
Package gcpsak contains a Veles Secret type, a Detector, and a Validator for GCP service account keys.
|
Package gcpsak contains a Veles Secret type, a Detector, and a Validator for GCP service account keys. |
|
gcshmackey
Package gcshmackey contains a Veles Secret type, a Detector, and a Validator for Google Cloud Storage HMAC keys
|
Package gcshmackey contains a Veles Secret type, a Detector, and a Validator for Google Cloud Storage HMAC keys |
|
gitbasicauth
Package gitbasicauth contains common logic for Git Basic Auth plugins.
|
Package gitbasicauth contains common logic for Git Basic Auth plugins. |
|
gitbasicauth/bitbucket
Package bitbucket contains the logic to extract BitBucket URLs with basic auth credentials.
|
Package bitbucket contains the logic to extract BitBucket URLs with basic auth credentials. |
|
gitbasicauth/codecatalyst
Package codecatalyst contains the logic to extract Amazon CodeCatalyst URLs with basic auth credentials.
|
Package codecatalyst contains the logic to extract Amazon CodeCatalyst URLs with basic auth credentials. |
|
gitbasicauth/codecommit
Package codecommit contains the logic to extract Amazon CodeCommit URLs with basic auth credentials.
|
Package codecommit contains the logic to extract Amazon CodeCommit URLs with basic auth credentials. |
|
gitbasicauth/mockserver
Package mockserver contains a mock implementation of a git server for testing purposes.
|
Package mockserver contains a mock implementation of a git server for testing purposes. |
|
github
Package github implements the logic to detect Github tokens
|
Package github implements the logic to detect Github tokens |
|
github/checksum
Package checksum contains the checksum validation logic for github tokens
|
Package checksum contains the checksum validation logic for github tokens |
|
github/mockgithub
Package mockgithub contains a mock implementation of the Github APIss
|
Package mockgithub contains a mock implementation of the Github APIss |
|
github/validate
Package validate contains common logic to validate github tokens
|
Package validate contains common logic to validate github tokens |
|
gitlabpat
Package gitlabpat contains a Veles Secret type and a Detector for Gitlab Personal Access Tokens (prefix `glpat-`).
|
Package gitlabpat contains a Veles Secret type and a Detector for Gitlab Personal Access Tokens (prefix `glpat-`). |
|
grokxaiapikey
Package grokxaiapikey contains a detector and validator for Grok XAI API keys
|
Package grokxaiapikey contains a detector and validator for Grok XAI API keys |
|
hashicorpvault
Package hashicorpvault contains Veles Secret types and Detectors for HashiCorp Vault credentials.
|
Package hashicorpvault contains Veles Secret types and Detectors for HashiCorp Vault credentials. |
|
hcp
Package hcp contains Veles Secret types and Detectors for HashiCorp Cloud Platform credentials.
|
Package hcp contains Veles Secret types and Detectors for HashiCorp Cloud Platform credentials. |
|
huggingfaceapikey
Package huggingfaceapikey contains a Veles Secret type and a Detector for Huggingface API keys (prefix `hf_`).
|
Package huggingfaceapikey contains a Veles Secret type and a Detector for Huggingface API keys (prefix `hf_`). |
|
jwt
Package jwt contains the logic to detect JWT tokens
|
Package jwt contains the logic to detect JWT tokens |
|
mistralapikey
Package mistralapikey contains a Veles Secret type, Detector and Validator for Mistral API keys.
|
Package mistralapikey contains a Veles Secret type, Detector and Validator for Mistral API keys. |
|
onepasswordkeys
Package onepasswordkeys contains detectors and validators for 1Password credentials.
|
Package onepasswordkeys contains detectors and validators for 1Password credentials. |
|
openai
Package openai contains Veles Secret types and Detectors for OpenAI Project API keys.
|
Package openai contains Veles Secret types and Detectors for OpenAI Project API keys. |
|
openrouter
Package openrouter contains Veles Secret types and Detectors for OpenRouter API keys.
|
Package openrouter contains Veles Secret types and Detectors for OpenRouter API keys. |
|
paystacksecretkey
Package paystacksecretkey contains a Veles Secret type and a Detector for Paystack Secret Keys (https://paystack.com/docs/api/authentication/).
|
Package paystacksecretkey contains a Veles Secret type and a Detector for Paystack Secret Keys (https://paystack.com/docs/api/authentication/). |
|
perplexityapikey
Package perplexityapikey contains a Veles Secret type and a Detector for Perplexity API keys (prefix `pplx-`).
|
Package perplexityapikey contains a Veles Secret type and a Detector for Perplexity API keys (prefix `pplx-`). |
|
postmanapikey
Package postmanapikey contains detectors and validators for Postman API credentials.
|
Package postmanapikey contains detectors and validators for Postman API credentials. |
|
privatekey
Package privatekey provides a detector for identifying private key material in scanned files and data streams.
|
Package privatekey provides a detector for identifying private key material in scanned files and data streams. |
|
pypiapitoken
Package pypiapitoken contains a Veles Secret type and a Detector for PyPI API Tokens (prefix `pypi-`).
|
Package pypiapitoken contains a Veles Secret type and a Detector for PyPI API Tokens (prefix `pypi-`). |
|
pyxkeyv1
Package pyxkeyv1 contains a Veles Secret type and a Detector for pyx v1 user keys.
|
Package pyxkeyv1 contains a Veles Secret type and a Detector for pyx v1 user keys. |
|
pyxkeyv2
Package pyxkeyv2 contains a Veles Secret type and a Detector for pyx v2 user keys.
|
Package pyxkeyv2 contains a Veles Secret type and a Detector for pyx v2 user keys. |
|
recaptchakey
Package recaptchakey detects reCAPTCHA keys
|
Package recaptchakey detects reCAPTCHA keys |
|
rubygemsapikey
Package rubygemsapikey contains a Veles Secret type and a Detector for [RubyGems API keys](https://guides.rubygems.org/api-key-scopes/).
|
Package rubygemsapikey contains a Veles Secret type and a Detector for [RubyGems API keys](https://guides.rubygems.org/api-key-scopes/). |
|
salesforceoauth2access
Package salesforceoauth2access contains Veles Secret types and Detectors for Salesforce OAuth2 Access Tokens.
|
Package salesforceoauth2access contains Veles Secret types and Detectors for Salesforce OAuth2 Access Tokens. |
|
salesforceoauth2client
Package salesforceoauth2client contains Veles Secret types and Detectors for Salesforce OAuth2 Client Credentials.
|
Package salesforceoauth2client contains Veles Secret types and Detectors for Salesforce OAuth2 Client Credentials. |
|
salesforceoauth2refresh
Package salesforceoauth2refresh contains Veles Secret types and Detectors for Salesforce OAuth2 client credentials.
|
Package salesforceoauth2refresh contains Veles Secret types and Detectors for Salesforce OAuth2 client credentials. |
|
slacktoken
Package slacktoken contains a Veles Secret type and a Detector for Slack App Tokens including App Level Tokens (prefix `xapp-`), App Configuration Access Tokens (prefix `xoxe.xoxp-`), and App Configuration Refresh Tokens (prefix `xoxe-`).
|
Package slacktoken contains a Veles Secret type and a Detector for Slack App Tokens including App Level Tokens (prefix `xapp-`), App Configuration Access Tokens (prefix `xoxe.xoxp-`), and App Configuration Refresh Tokens (prefix `xoxe-`). |
|
stripeapikeys
Package stripeapikeys contains detectors and validators for Stripe API credentials.
|
Package stripeapikeys contains detectors and validators for Stripe API credentials. |
|
telegrambotapitoken
Package telegrambotapitoken contains a Veles Secret type and a Detector for [Telegram Bot API](https://core.telegram.org/bots/api)
|
Package telegrambotapitoken contains a Veles Secret type and a Detector for [Telegram Bot API](https://core.telegram.org/bots/api) |
|
tinkkeyset
Package tinkkeyset package implements the logic to detect [Tink keyset](https://developers.google.com/tink/design/keysets) stored as plaintext
|
Package tinkkeyset package implements the logic to detect [Tink keyset](https://developers.google.com/tink/design/keysets) stored as plaintext |
|
urlcreds
Package urlcreds contains the logic to extract URLs with credentials.
|
Package urlcreds contains the logic to extract URLs with credentials. |
|
urlcreds/validators
Package validators implements schema-specific validation logic for credentials contained in URLs.
|
Package validators implements schema-specific validation logic for credentials contained in URLs. |
|
vapid
Package vapid contain the logic for finding VAPID keys (Voluntary Application Server Identification)
|
Package vapid contain the logic for finding VAPID keys (Voluntary Application Server Identification) |
|
Package velestest contains tools to support testing Veles Detectors and Validator.
|
Package velestest contains tools to support testing Veles Detectors and Validator. |