veles

package
v0.3.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 20, 2025 License: Apache-2.0 Imports: 5 Imported by: 0

README

Veles: secret scanning

Veles – Slavic god, a permanent guardian on the border of the worlds, a spiritual mentor, he knows all the secrets of the universe.

Veles is a standalone library for secret scanning that ships as part of Scalibr. It can detect and (where possible) validate credentials and other things colloquially referred to as "secrets".

The API is designed to make it easy to add new Detectors and corresponding Validators. The DetectionEngine is deliberately kept simple for now. In the future, if Veles supports hundreds or thousands of credential types, the engine might require optimization (e.g. using the Aho-Corasick algorithm).

It can be used via Scalibr via the corresponding extractor and enricher. Some parts of that integration are still under development.

Documentation

Overview

Package veles is a standalone secret scanning library.

Index

Constants

View Source
const (
	// KiB is one binary Kilobyte (Kibibyte) i.e. 1024 bytes.
	KiB = 1 << 10
	// MiB is one binary Megabyte (Mibibyte).
	MiB = 1 << 20
	// GiB is one binary Gigabyte (Gibibyte).
	GiB = 1 << 30

	// MinReadLen is the minimum buffer size for reading chunks from an io.Reader.
	MinReadLen = 64 * KiB

	// MinRetainLen is the minimum number of bytes from the end of a chunk to
	// retain to avoid false negatives from Secrets overlapping the edge of two
	// chunks.
	MinRetainLen = 1 * KiB
)

Variables

This section is empty.

Functions

func AddValidator

func AddValidator[S Secret](e *ValidationEngine, v Validator[S]) bool

AddValidator adds a new Validator for a concrete Secret type S to the engine.

Returns whether there was already a Validator in place that now got replaced.

Types

type DetectionEngine

type DetectionEngine struct {
	// contains filtered or unexported fields
}

DetectionEngine combines multiple Veles Detectors into a single engine that can read from an io.Reader. It outputs the results of applying all Detectors to that stream.

Future optimizations might change how the engine works under the hood but its API should stay stable. It makes no guarantee about the order in which Secrets are found so calling code should not depend on it.

func NewDetectionEngine

func NewDetectionEngine(ds []Detector, opts ...DetectionEngineOption) (*DetectionEngine, error)

NewDetectionEngine creates a new DetectionEngine with the given Detectors.

This will choose sensible defaults for the internal buffers but those can be overridden via DetectionEngineOptions if needed.

Returns an error if no detectors are provided or if the retain buffer would be too small to accommodate the detectors.

func (*DetectionEngine) Detect

func (e *DetectionEngine) Detect(ctx context.Context, r io.Reader) ([]Secret, error)

Detect reads from an io.Reader and returns the results of applying all of the DetectionEngine's Detectors to that stream.

It reads the input stream in chunks making sure that no matches are accidentally missed at the edges between chunks.

The secrets are returned in no particular order and calling code should not depend on it (hyrumslaw.com).

An error is returned if the provided context is done or if the io.Reader returned any error other than io.EOF.

type DetectionEngineOption

type DetectionEngineOption func(*DetectionEngine)

DetectionEngineOption is an option to configure a DetectionEngine during creation via NewDetectionEngine.

This allows user to fine tune the engine by overriding its defaults. For most use-cases, the defaults should be sensible enough.

func WithReadLen

func WithReadLen(readLen uint32) DetectionEngineOption

WithReadLen overrides the buffer size used for reading chunks from io.Reader.

The value can be smaller than MinReadLen.

func WithRetainLen

func WithRetainLen(retainLen uint32) DetectionEngineOption

WithRetainLen overrides the buffer size used for keeping parts of a previous read to avoid false negatives at the edge of two neighboring chunks.

These should usually be small against readLen. While it's technically possible to have retainLen > readLen, that doesn't make a lot of semantic sense and should be avoided.

type Detector

type Detector interface {
	// MaxSecretLen is the maximum length a secret from this detector can have.
	//
	// It can be set to 0 but then the detector isn't guaranteed any minimum input
	// length and should instead implement its own mechanism to ensure it can find
	// its secrets; i.e. maintain an internal buffer.
	MaxSecretLen() uint32
	// Detect finds Secrets inside data and returns them alongside indices to the
	// start of the corresponding match.
	// The latter is only used internally to avoid duplicates.
	Detect(data []byte) ([]Secret, []int)
}

Detector finds instances of Secrets inside a chunk of text.

While most commonly a detector will emit one specific type of secret, we also allow for Detectors to return multiple distinct types - thus the []Secret return type.

type Secret

type Secret any

Secret is a secret that can be found by a Detector and validated by a Validator.

Detectors return slices of Secret and validators accept concrete types. That allows them to be used independently with maximum flexibility.

While the interface is empty, each Secret should be convertible to and from the Veles protocol buffer message format; see the velesproto package. In order to not have the library explicitly depend on protocol buffers, we did not make that requirement part of the interface.

type ValidationEngine

type ValidationEngine struct {
	// contains filtered or unexported fields
}

ValidationEngine bundles a number of Validators together.

There can only be one Validator[S] for each concrete S.

func NewValidationEngine

func NewValidationEngine(opts ...ValidationEngineOption) *ValidationEngine

NewValidationEngine creates a new ValidationEngine that bundles a number of Validators together.

Validators are provided via the WithValidator ValidationEngineOption.

Returns an error if no Validators are provided or if there are multiple Validators for the same Secret type.

func (*ValidationEngine) Validate

Validate validates a given Secret using one of the configured Validators.

If no Validator for the Secret's type is configured, it will return a result with Status ValidationUnsupported. This is not an error because some Secrets might just not have corresponding Validators.

An error is returned if something went wrong during validation, e.g. connection issues or timeouts. In that case ValidationStatus will be ValidationStatusFailed.

type ValidationEngineOption

type ValidationEngineOption func(*ValidationEngine)

ValidationEngineOption is an option that can be used to configure a ValidationEngine at creation via NewValidationEngine.

func WithValidator

func WithValidator[S Secret](v Validator[S]) ValidationEngineOption

WithValidator configures the ValidationEngine to use the provided Validator.

This will fail if a Validator for the given Secret Type S has already been registered with the ValidationEngine.

type ValidationStatus

type ValidationStatus string

ValidationStatus represents the result status of validating a Secret using a corresponding Validator.

const (
	// ValidationUnspecified is the default value for ValidationStatus. It should
	// not be returned by a concrete Validator.
	//
	// The value of ValidationUnspecified is the empty string instead of a
	// meaningful value so it is the automatic default.
	ValidationUnspecified ValidationStatus = ""
	// ValidationUnsupported occurs only if a ValidationEngine has no Validator
	// for a given Secret type.
	ValidationUnsupported ValidationStatus = "VALIDATION_UNSUPPORTED"
	// ValidationFailed occurs if a Validator was not able to make a validation
	// decision because an error occurred.
	// This will be returned alongside the error so calling code can decide
	// whether it's worth retrying.
	ValidationFailed ValidationStatus = "VALIDATION_FAILED"
	// ValidationInvalid occurs if a validation was successful but the result is
	// negative: the Secret is not valid.
	ValidationInvalid ValidationStatus = "VALIDATION_INVALID"
	// ValidationValid occurs if the validation was successful and the result is
	// positive: the Secret is valid.
	ValidationValid ValidationStatus = "VALIDATION_VALID"
)

type Validator

type Validator[S Secret] interface {
	Validate(ctx context.Context, secret S) (ValidationStatus, error)
}

Validator is a Validator for the concrete Secret type S.

It is used to validate Secrets of type S and returns the corresponding ValidationStatus or an error (in which case the ValidationStatus is ValidationStatusFailed).

Directories

Path Synopsis
secrets
common/flatjson
Package flatjson contains facilities to extract credentials that are expressed as a single (flat) JSON object whose values are all strings.
Package flatjson contains facilities to extract credentials that are expressed as a single (flat) JSON object whose values are all strings.
common/simpletoken
Package simpletoken contains a Detector for tokens that can be extracted by scanning a byte array with a regular expression.
Package simpletoken contains a Detector for tokens that can be extracted by scanning a byte array with a regular expression.
gcpapikey
Package gcpapikey contains a Veles Secret type and a Detector for [GCP API keys](https://cloud.google.com/api-keys/docs/overview).
Package gcpapikey contains a Veles Secret type and a Detector for [GCP API keys](https://cloud.google.com/api-keys/docs/overview).
gcpexpressmode
Package gcpexpressmode contains a Veles Detector for GCP Express Mode API keys.
Package gcpexpressmode contains a Veles Detector for GCP Express Mode API keys.
gcpsak
Package gcpsak contains a Veles Secret type, a Detector, and a Validator for GCP service account keys.
Package gcpsak contains a Veles Secret type, a Detector, and a Validator for GCP service account keys.
rubygemsapikey
Package rubygemsapikey contains a Veles Secret type and a Detector for [RubyGems API keys](https://guides.rubygems.org/api-key-scopes/).
Package rubygemsapikey contains a Veles Secret type and a Detector for [RubyGems API keys](https://guides.rubygems.org/api-key-scopes/).
Package velestest contains fakes that can be used to test parts of Veles as well as integrations.
Package velestest contains fakes that can be used to test parts of Veles as well as integrations.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL