README
¶
HungryFox
State: In development now! You probably will get many bugs!
HungryFox is a software for continuous search for leaks of sensitive information like passwords, api-keys, private certificates and etc in your repositories.
HungryFox differs from other solutions as it can work as a daemon and efficiently scans each new commit in repo and sends notification about found leaks.
HungryFor works on regex-patterns only and does not use analyze by entropy because in my opinion this way generates a lot of false positive events. Maybe analyse by entropy will be added in future.
It is hard to write a good enough regex-pattern that could simultaneously find all leaks and not to generate a lot of false positive events so HungryFox in addition with regex-patterns has regex-filters. You can write weak regex-pattern for search leaks and skip known false positive with the help of regex-filters.
Features
- Patterns and filters
- State support
- Notifications by email
- History limit by time
- GitHub-support
- Written on pure go and no requirement of external git (wait)
- Line number of leak (wait)
- GitHook support
- HTTP Api
- WebUI
- Tests
- Integration with Hashicorp Vault
Installation
From Sources
go get github.com/AlexAkulov/hungryfox/cmd/hungryfox
From packagecloud.io
Configuation
common:
state_file: /var/lib/hungryfox/state.yml
history_limit: 1y
scan_interval: 30m
log_level: debug
leaks_file: /var/lib/hungryfox/leaks.json
smtp:
enable: true
host: smtp.kontur
port: 25
mail_from: hungryfox@example.com
disable_tls: true
recipient: security@example.com
sent_to_author: false
webhook:
enable: true
method: POST
url: https://example.com/webhook
headers:
x-sample-header: value
inspect:
# Inspects for leaks in your local repositories without clone or fetch. It is suitable for running on git-server
- type: path
trim_prefix: "/var/volume/repositories"
trim_suffix: ".git"
url: https://gitlab.example.com
paths:
- "/data/gitlab/repositories/*/*.git"
- "/data/gitlab/repositories/*/*/*.git"
- "!/data/gitlab/repositories/excluded/repo.git"
# Inspects for leaks on GitHub. HungryFox will clone the repositories into work_dir and fetch them before scannig
- type: github
token: # is required for scanning private repositories
work_dir: "/var/hungryfox/github"
users:
- AlexAkulov
repos:
- moira-alert/moira
orgs:
- skbkontur
patterns:
- name: secret in my code # not required
file: \.go$ # .+ by default
content: (?i)secret = ".+" # .+ by default
filters:
- name: skip any leaks in tests # not required
file: /IntegrationTests/.+_test\.go$ # .+ by default
# content: # .+ by default
Performance
We use HungryFox for scanning ~3,5K repositories on our GitLab server and about one hundred repositories on GitHub
Alternatives
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ILeakSearcher ¶
type IStateManager ¶
type IStateManager interface {
Load(string) (RepoState, ScanStatus)
Save(Repo)
}
type Leak ¶
type Leak struct {
PatternName string `json:"pattern_name"`
Regexp string `json:"pattern"`
FilePath string `json:"filepath"`
RepoPath string `json:"repo_path"`
LeakString string `json:"leak"`
RepoURL string `json:"repo_url"`
CommitHash string `json:"commit"`
TimeStamp time.Time `json:"ts"`
Line int `json:"line"`
CommitAuthor string `json:"author"`
CommitEmail string `json:"email"`
}
type Repo ¶
type Repo struct {
Options RepoOptions
Location RepoLocation
State RepoState
Scan ScanStatus
Repo IRepo
}
type RepoLocation ¶
type RepoOptions ¶
type RepoOptions struct {
AllowUpdate bool
}
Source Files
Directories