Variables ¶
// DefaultFileType is the file-type list used by the default profile. Its
// single entry is a catch-all: the expression `.*` matches every file name,
// so nothing is filtered out at the whitelist stage.
var DefaultFileType = []FileType{
	{Description: "ALL", Expression: `.*`},
}
DefaultFileType is the file-type list used by the default profile; its single entry (`.*`) matches every file name, so no file is excluded at the whitelist stage.
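// DefaultRules is the built-in rule set. It covers three kinds of material:
//
//   - private keys (PEM, PuTTY .ppk and XML <RSAKeyValue> blobs),
//   - well-known vendor credentials (AWS, Facebook, Twitter, GitHub, Square,
//     Stripe, Slack, LinkedIn, Google, SendGrid, Twilio, Heroku, Mailchimp,
//     Mailgun), and
//   - generic "password = ..." / "api_key: ..." assignments, plus a YAML-only
//     password rule scoped with ExprFName.
//
// Most vendor rules only report a match when the captured secret also falls
// inside the rule's Entropies window; this is what keeps placeholders such
// as "xxxxxxxxxxxxxxxxxxxx" from being flagged.
//
// Notes for anyone editing the patterns:
//
//   - Go's regexp package is RE2: matching is linear-time, so a user-supplied
//     RuleList cannot cause catastrophic backtracking, but look-around is not
//     available, which is why boundaries are spelled out as (?:\s|$|"|').
//   - Inside a character class "|" is a literal pipe, not alternation, so
//     [\s|"|'|=|:] also accepts "|" as a separator. Harmless; kept as-is.
//   - "^" anchors only at the start of the whole input unless (?m) is set.
//   - In a raw string a doubled backslash is a literal backslash; write an
//     escaped hyphen in a class as \- (see the Google rule's history below).
var DefaultRules = []Rule{
	// PEM keys. (?m) lets the header match on any line rather than only at
	// byte 0 of the file (the XML rule below already did this). ENCRYPTED
	// covers PKCS#8 encrypted keys (RFC 7468 "ENCRYPTED PRIVATE KEY").
	{Description: "Private.Key", Expression: `(?m)^-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH|SSH2|ENCRYPTED) )?PRIVATE KEY( BLOCK)?-----`, Tags: []string{share.SecretPrivateKey, "GeneralPrivateKey"}, Suggestion: msgRemove},
	// PuTTY .ppk files; format version 3 (PuTTY 0.75+) uses the same header
	// with "3", so both versions are accepted.
	{Description: "Private.Key", Expression: `(?m)^PuTTY-User-Key-File-[23]:`, Tags: []string{share.SecretPrivateKey, "PuttyPrivateKey"}, Suggestion: msgRemove},
	{Description: "XML.Signature.Private.Key", Expression: `(?m)^<RSAKeyValue>`, Tags: []string{share.SecretPrivateKey, "XmlPrivateKey"}, Suggestion: msgRemove},

	// AWS access key IDs: a 4-char prefix followed by 16 upper-case
	// alphanumerics (group 2, entropy-checked). AKIA was listed twice in the
	// alternation; the tag is spelled "AWS" to match the MWS rule below.
	{Description: "AWS.Manager.ID", Expression: `(?m)[\s|"|'|=|:]+(A3T[A-Z0-9]|ACCA|AKIA|AGPA|AIDA|AIPA|ANPA|ANVA|APKA|AROA|ASCA|ASIA)([A-Z0-9]{16})(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "AWS"}, Suggestion: msgReferVender, Entropies: []Entropy{{Group: 2, Min: 3.375, Max: 6.0}}},
	{Description: "AWS.MWS.Key", Expression: `(?m)[\s|"|'|=|:]+amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(?:\s|"|')`, Tags: []string{share.SecretRegular, "AWS", "MWS"}, Suggestion: msgReferVender},

	// Facebook: secrets appearing in Graph API URLs (SecretProgram) and in
	// plain "fb_secret = ..." assignments (SecretRegular, entropy-checked).
	{Description: "Facebook.Client.Secret", Expression: `(?im)(facebook|fb)\S{0,32}access_token(.{0,128})client_secret=(?-i)([0-9a-f]{32}\b)`, Tags: []string{share.SecretProgram, "Facebook"}, Suggestion: msgReferVender},
	{Description: "Facebook.Endpoint.Secret", Expression: `(?im)(facebook|fb)\S{0,32}&access_token=([0-9a-f]{32}\b)`, Tags: []string{share.SecretProgram, "Facebook"}, Suggestion: msgReferVender},
	{Description: "Facebook.App.Secret", Expression: `(?im)^\s*\w*(facebook|fb)\S*\s*[:=]+\s*['"]?([0-9a-f]{32})(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "Facebook"}, Suggestion: msgReferVender, Entropies: []Entropy{{Group: 2, Min: 3.6, Max: 6.0}}},

	{Description: "Twitter.Client.ID", Expression: `(?im)^\s*\w*twitter\S*\s*[:=]+\s*['"]?([0-9a-z]{18,25})(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "Twitter"}, Suggestion: msgReferVender, Entropies: []Entropy{{Group: 1, Min: 3.75, Max: 6.0}}},
	{Description: "Twitter.Secret.Key", Expression: `(?im)^\s*\w*twitter\S*\s*[:=]+\s*['"]?([0-9a-z]{35,44})(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "Twitter"}, Suggestion: msgReferVender, Entropies: []Entropy{{Group: 1, Min: 4.0, Max: 6.0}}},

	// NOTE(review): this class has no "_", so GitHub's prefixed token formats
	// (ghp_/gho_/ghs_/ghu_/github_pat_) do not match — TODO confirm and extend.
	{Description: "Github.Secret", Expression: `(?im)^\s*\w*github\S*\s*[:=]+\s*['"]?([0-9a-z]{35,40})(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "Github"}, Suggestion: msgReferVender, Entropies: []Entropy{{Group: 1, Min: 4.0, Max: 6.0}}},

	{Description: "Square.Product.ID", Expression: `(?m)[\s|"|'|=|:]+sq0(at|id)p-[0-9A-Za-z\-_]{22}(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "square"}, Suggestion: msgReferVender},
	{Description: "Square.OAuth.Secret", Expression: `(?m)[\s|"|'|=|:]+sq0csp-[0-9A-Za-z]{10}-[0-9A-Za-z]{6}_[0-9A-Za-z]{25}(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "square"}, Suggestion: msgReferVender},

	{Description: "Stripe.Access.Key", Expression: `(?m)[\s|"|'|=|:]+(?:r|s|p)k_(live|test)_([0-9a-zA-Z]{24,34})(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "Stripe"}, Suggestion: msgReferVender, Entropies: []Entropy{{Group: 2, Min: 4.0, Max: 6.0}}},

	{Description: "Slack.API.tokens", Expression: `(?m)[\s|"|'|=|:]+xox[baprs]-[0-9a-zA-Z]{4,21}-[0-9a-zA-Z]{4,21}(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "Slack"}, Suggestion: msgReferVender},
	// NOTE(review): the T/B segment lengths are fixed at 8; newer Slack
	// workspace/bot IDs may be longer — TODO confirm against current IDs.
	{Description: "Slack Webhook", Expression: `(?m)\shttps://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}`, Tags: []string{share.SecretProgram, "slack"}, Suggestion: msgReferVender},

	{Description: "LinkedIn.Client.ID", Expression: `(?im)^\s*\w*linkedin\S*\s*[:=]+\s*['"]?(?-i)([0-9a-z]{14})(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "LinkedIn"}, Suggestion: msgReferVender, Entropies: []Entropy{{Group: 1, Min: 3.5, Max: 6.0}}},
	{Description: "LinkedIn.Secret.Key", Expression: `(?im)^\s*\w*linkedin\S*\s*[:=]+\s*['"]?([0-9a-zA-Z]{16})(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "LinkedIn"}, Suggestion: msgReferVender, Entropies: []Entropy{{Group: 1, Min: 3.75, Max: 6.0}}},

	// Google API keys: "AIza" plus 35 chars of [0-9A-Za-z_-]. The class used
	// to read [0-9A-Za-z\\-_]: in a raw string that is a literal backslash
	// followed by the range "\"-"_" (\ ] ^ _), so "-" itself was NOT in the
	// class and any key containing a hyphen was missed. \-_ is the intended
	// escaped hyphen plus underscore, as already written in the Square rule.
	{Description: "Google.API.Key", Expression: `(?m)[\s|"|'|=|:]+AIza([0-9A-Za-z\-_]{35})(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "Google"}, Suggestion: msgReferVender, Entropies: []Entropy{{Group: 1, Min: 4.0, Max: 6.0}}},

	// NOTE(review): [\w_] has no "-"; SendGrid keys that contain a hyphen in
	// either segment will not match — TODO confirm the current key alphabet.
	{Description: "SendGrid.API.Key", Expression: `(?m)\sSG\.[\w_]{16,32}\.[\w_]{16,64}(?:\s|"|')`, Tags: []string{share.SecretRegular, "SendGrid"}, Suggestion: msgReferVender, Entropies: []Entropy{{Group: 0, Min: 4.0, Max: 6.0}}},

	{Description: "Twilio.API.Key", Expression: `(?im)^\s*\w*twilio\S*\s*[:=]+\s*['"]?(SK[0-9a-f]{32})(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "twilio"}, Suggestion: msgReferVender, Entropies: []Entropy{{Group: 1, Min: 4.0, Max: 6.0}}},

	// Heroku API keys are UUIDs (8-4-4-4-12 hex, as in the MWS rule above).
	// Three defects fixed here: the keyword was misspelled "wheroku", the
	// UUID pattern lacked its fourth group, and the closing "'" sat outside
	// the (?:...) alternation, which made the rule require a trailing
	// apostrophe after the key.
	{Description: "Heroku.API.Key", Expression: `(?im)^\s*\w*heroku\S*\s*[:=]+\s*['"]?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "Heroku"}, Suggestion: msgReferVender, Entropies: []Entropy{{Group: 1, Min: 4.0, Max: 6.0}}},

	{Description: "MailChimp.API.Key", Expression: `(?im)^\s*\w*(mailchimp|mc)\S*\s*[:=]+\s*['"]?([0-9a-f]{32}-us[0-9]{1,2})(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "Mailchimp"}, Suggestion: msgReferVender, Entropies: []Entropy{{Group: 2, Min: 4.0, Max: 6.0}}},
	{Description: "Mailgun.API.Key", Expression: `(?im)^\s*\w*(mailgun|mg)\S*\s*[:=]+\s*['"]?(key-[0-9a-z]{32})(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "Mailgun"}, Suggestion: msgReferVender, Entropies: []Entropy{{Group: 2, Min: 4.0, Max: 6.0}}},

	// Generic "secret-ish name = value" assignment. The value class is broad
	// (20-120 printable chars), so the entropy floor of 4.0 on group 2 is
	// what separates real credentials from ordinary config strings.
	{Description: "Credential", Expression: `(?im)^\s*\w*(passwd|api_key|apikey|password|secret)\S*\s*[:=]+\s*['"]?([0-9a-z-_.\|!"$%&\/\(\)\?\^\'\\\+\-\*@~\[\];]{20,120})(?:\s|$|"|')`, Tags: []string{share.SecretRegular, "API", "generic"}, Suggestion: msgCloak, Entropies: []Entropy{{Group: 2, Min: 4.00, Max: 6.0}}},

	// Only applied to files whose name matches ExprFName (.yml / .yaml).
	{Description: "Password.in.YML", Expression: `(?i)(password|passwd|api_token)\S{0,32}\s*:\s*(?-i)([0-9a-zA-Z\/+]{16,40}\b)`, ExprFName: `.*\.ya?ml`, Tags: []string{share.SecretProgram, "yaml", "yml"}, Suggestion: msgReferVender},
}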
DefaultRules is the built-in rule set: PEM/PuTTY/XML private keys, well-known vendor API keys and tokens (AWS, Facebook, Twitter, GitHub, Square, Stripe, Slack, LinkedIn, Google, SendGrid, Twilio, Heroku, Mailchimp, Mailgun), a generic credential-assignment rule, and a YAML-only password rule scoped by ExprFName. Most vendor rules additionally require the captured secret to fall inside an entropy window, which suppresses placeholder values of the right shape.
Functions ¶
func FindSecretsByFilePathMap ¶
func FindSecretsByFilePathMap(fileMap map[string]string, envVars []byte, config Config) ([]share.CLUSSecretLog, []share.CLUSSetIdPermLog, error)
FindSecretsByFilePathMap is the registry-scan variant: instead of walking a directory it scans the files listed in fileMap, applying config. envVars — presumably the image environment as raw bytes — is passed alongside and is expected to be inspected for the same secrets.
func FindSecretsByRootpath ¶
func FindSecretsByRootpath(rootPath string, envVars []byte, config Config) ([]share.CLUSSecretLog, []share.CLUSSetIdPermLog, error)
FindSecretsByRootpath recursively walks rootPath and scans the files it finds according to config (rule list, file-type white/black lists, skip folders, size and timeout limits). envVars — presumably the process or image environment as raw bytes — is inspected alongside the files.
func InspectFile ¶
func InspectFile(fullpath, reportPath string, config Config) ([]share.CLUSSecretLog, bool)
InspectFile scans the single file at fullpath with config and returns the secrets found; reportPath is the path recorded in the returned logs (presumably the path relative to the scan root — confirm in the caller). The meaning of the boolean result is not documented here.
Types ¶
type Config ¶
// Config bundles everything that drives one scan: the secret patterns to
// apply and the file filters that decide which files are opened at all.
// Fields marked with a default keep that default when left at their zero
// value; see DefaultRules and DefaultFileType for the built-in lists.
type Config struct {
	RuleList   []Rule     // secret patterns; DefaultRules is the built-in set
	Whitelist  []FileType // file patterns to include; DefaultFileType's `.*` includes everything
	Blacklist  []FileType // most common — file patterns to exclude (presumably wins over Whitelist; confirm in the walker)
	SkipFolder []FileType // folder patterns; presumably not descended into at all — confirm in the walker
	MaxFileSize int       // default: 0 as 4kb, -1 as any size
	MiniWeight float64    // minimum portion of a secret file, excluding x.509, <= 0.0: no minimum
	TimeoutSec uint       // in seconds; budget for the scan (0 presumably means no limit — confirm)
}
Config is the scan configuration: a composite of the RuleList and the file-type lists (Whitelist, Blacklist, SkipFolder) plus the size and timeout limits.
type Entropy ¶
// Entropy is an entropy window that a regex capture must fall into for a
// Rule to report a match. DefaultRules uses it on the captured secret so
// that low-entropy placeholders with the right shape (e.g. "aaaaaaaaaaaa")
// are presumably discarded rather than reported.
type Entropy struct {
	Group int     // index of capturing groups, 0: all (the entire match)
	Min   float64 // lower bound; inclusive or exclusive is not visible here — TODO confirm in the checker
	Max   float64 // 5.95 for key[56]1..0A..Z..az — a 64-symbol alphabet tops out at log2(64)=6, so the 6.0 used throughout DefaultRules is effectively "no upper bound"
}
Entropy represents an entropy range
type FileType ¶
// FileType is a file specification: a regular expression that selects files
// (by name or path — confirm in the walker) for Config.Whitelist, Blacklist
// and SkipFolder. DefaultFileType is the catch-all instance.
type FileType struct {
	Description string         // human-readable label, e.g. "ALL"
	Expression  string         // regular expression source, e.g. `.*`
	Regex       *regexp.Regexp // compiled form of Expression; nil in DefaultFileType, presumably filled in when the Config is prepared
	MinEntropy  float64        // per-type entropy floor; not set by DefaultFileType, semantics not visible here
}
FileType is a file specification: a regular expression used by the Whitelist, Blacklist and SkipFolder lists to select or exclude files.
type Rule ¶
// Rule is one secret-detection pattern: a regular expression over file
// content, optionally scoped to certain file names or paths and optionally
// gated by entropy windows on its capture groups. Expressions are compiled
// by Go's regexp package (RE2), so a user-supplied rule cannot cause
// catastrophic backtracking, but it also cannot use look-around.
type Rule struct {
	Description string         // display name; DefaultRules uses a dotted "Vendor.Kind" style
	Expression  string         // regular expression over file content
	ExprFName   string         // optional regex over the file name; DefaultRules scopes "Password.in.YML" to `.*\.ya?ml` with it
	ExprFPath   string         // optional regex over the file path; unused by DefaultRules
	Regex       *regexp.Regexp // compiled Expression; nil in the DefaultRules literals, presumably populated when the Config is loaded
	FNameRegex  *regexp.Regexp // compiled ExprFName (same caveat)
	FPathRegex  *regexp.Regexp // compiled ExprFPath (same caveat)
	Tags        []string       // classification; in DefaultRules the first tag is a share.Secret* category and the rest name the vendor
	Entropies   []Entropy      // entropy windows on capture groups; a match outside a window is presumably discarded
	Suggestion  string         // remediation text reported with the finding (msgRemove / msgReferVender / msgCloak in DefaultRules)
}
Rule is one entry of Config.RuleList. During an audit every rule is checked against each scanned file; ExprFName and ExprFPath, when set, appear to restrict a rule to files whose name or path matches (DefaultRules uses ExprFName to limit the YAML password rule to .yml/.yaml files).