Constants ¶
This section is empty.
Variables ¶
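// DefaultDynamicRules is the default list of DynamicRule entries used when
// Opts.UseDefaultDynamicRules is set. Every entry carries only a FilePattern
// (no in-file Pattern), so a file is flagged on its path alone and MinEntropy
// is never consulted for these rules.
//
// Each pattern is anchored and allows any number of leading directory
// components, so it matches whether the tarball path is rooted
// ("/app/.env"), relative ("app/.env") or bare (".env").
var DefaultDynamicRules = []DynamicRule{
	{
		Name: ".env file",
		// Any file with a ".env" name component: ".env", ".env.production",
		// "app.env", ... This also catches template files such as
		// ".env.example", which usually hold placeholders rather than live
		// secrets; treat those hits as lower confidence.
		FilePattern: regexp.MustCompile(`^(.*/)*[-\w._]*\.env(\.[-\w._]*)?$`),
	},
	{
		Name: "Terraform state file",
		// State files hold provider credentials and resource secrets in clear
		// text. The previous pattern (`terraform.tfstate`, dot unescaped) only
		// matched that exact name; this one also matches non-default state
		// file names and the "terraform.tfstate.backup" Terraform writes on
		// apply, which contains the same data.
		FilePattern: regexp.MustCompile(`^(.*/)*[-\w.]*\.tfstate(\.backup)?$`),
	},
	{
		Name: "AWS credentials file",
		// A ".aws/credentials" file anywhere in the image (long-term access
		// keys in INI form).
		FilePattern: regexp.MustCompile(`^(.*/)*\.aws/credentials$`),
	},
}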
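// DefaultStaticRules is the default list of StaticRule patterns used when
// Opts.UseDefaultStaticRules is set. Each entry names the service whose
// credential format the Pattern describes. MinEntropy is 0 on all of them,
// so matching is purely regex based.
//
// Review notes on this list:
//   - Prefixed token formats ("AIza", "ghp_", "xoxb-", "sk_live_", ...) are
//     specific and have a low false-positive rate.
//   - Several entries are length-only character-class matches (the 125-char
//     Facebook, 24-char Google, 40-char AWS secret and UUID-shaped GCP/Heroku
//     rules). They fire on git SHAs, base64 fragments and any UUID. They are
//     kept for parity with the previous list; callers that want fewer false
//     positives should override them with a MinEntropy threshold.
//   - Token formats that were anchored with ^/$ are now bounded with \b, so
//     they match inside larger text instead of only when the token is the
//     entire input handed to SearchText.
//   - Four patterns in the previous list were corrupted (Braintree, Amazon
//     MWS, MailChimp, Mapbox) and could not match a real credential; they are
//     repaired below with a note at each entry.
var DefaultStaticRules = []StaticRule{
	// Twitter
	{Pattern: regexp.MustCompile(`[1-9][0-9]+-[0-9a-zA-Z]{40}`), Name: "Twitter"},
	// NOTE: the previous list also carried `/(^|[^@\w])@(\w{1,15})\b/`, a
	// Twitter *handle* matcher still wrapped in JavaScript-style "/"
	// delimiters, which Go treats as literal slashes. A handle is not a
	// secret and the delimiters made it match only slash-delimited text, so
	// it has been dropped.

	// Facebook
	{Pattern: regexp.MustCompile(`EAACEdEose0cBA[0-9A-Za-z]+`), Name: "Facebook"},
	// Length-only: any 125 alphanumerics. High false-positive rate.
	{Pattern: regexp.MustCompile(`[A-Za-z0-9]{125}`), Name: "Facebook"},

	// Instagram
	{Pattern: regexp.MustCompile(`[0-9a-fA-F]{7}\.[0-9a-fA-F]{32}`), Name: "Instagram"},

	// Google
	{Pattern: regexp.MustCompile(`AIza[0-9A-Za-z\-_]{35}`), Name: "Google"},
	// Length-only: any 24 URL-safe base64 characters. High false-positive rate.
	{Pattern: regexp.MustCompile(`[0-9a-zA-Z\-_]{24}`), Name: "Google"},
	// OAuth authorization codes ("4/...") and refresh tokens ("1/...").
	{Pattern: regexp.MustCompile(`4/[0-9A-Za-z\-_]+`), Name: "Google"},
	{Pattern: regexp.MustCompile(`1/[0-9A-Za-z\-_]{43}|1/[0-9A-Za-z\-_]{64}`), Name: "Google"},
	// OAuth access tokens.
	{Pattern: regexp.MustCompile(`ya29\.[0-9A-Za-z\-_]+`), Name: "Google"},

	// GitHub. The five classic prefixes (ghp_ personal, gho_ OAuth, ghu_
	// user-to-server, ghs_ server-to-server, ghr_ refresh) share one shape,
	// so one rule covers them. \b replaces the previous ^/$ anchors, which
	// only matched when the token was the whole scanned string.
	{Pattern: regexp.MustCompile(`\bgh[pousr]_[a-zA-Z0-9]{36}\b`), Name: "GitHub"},
	// Fine-grained personal access tokens.
	{Pattern: regexp.MustCompile(`\bgithub_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}\b`), Name: "GitHub"},

	// Mapbox public ("pk.") and secret ("sk.") tokens; the payload always
	// starts with "eyJ1Ijoi" (base64 of `{"u":"`). The previous pattern
	// `[s,p]k.eyJ1Ijoi` had an unescaped "." and a stray "," in the class,
	// and was listed twice.
	{Pattern: regexp.MustCompile(`[sp]k\.eyJ1Ijoi[\w\.-]+`), Name: "Mapbox"},

	// Foursquare
	{Pattern: regexp.MustCompile(`R_[0-9a-f]{32}`), Name: "Foursquare"},

	// Picatic
	{Pattern: regexp.MustCompile(`sk_live_[0-9a-z]{32}`), Name: "Picatic"},

	// Stripe (the previous list carried this entry twice). Newer, longer
	// secret keys still match on their first 24 characters because the
	// pattern is not bounded on the right.
	{Pattern: regexp.MustCompile(`sk_live_[0-9a-zA-Z]{24}`), Name: "Stripe"},

	// Square
	{Pattern: regexp.MustCompile(`sqOatp-[0-9A-Za-z\-_]{22}`), Name: "Square"},
	{Pattern: regexp.MustCompile(`q0csp-[0-9A-Za-z\-_]{43}`), Name: "Square"},

	// PayPal / Braintree access tokens have the documented shape
	// access_token$<environment>$<merchant id>$<32 hex>. The previous
	// pattern was corrupted (`\,` for `\$`, `{161}` for `{16}\$`, `[0-9a,]`
	// for `[0-9a-f]`) and could never match a real token.
	{Pattern: regexp.MustCompile(`access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}`), Name: "Paypal / Braintree"},

	// Amazon MWS auth tokens: "amzn.mws." followed by a UUID. The previous
	// pattern had two mangled hex groups (`10-9a-f1{4}` and `[0-9a,]{4}`) and
	// could never match.
	{Pattern: regexp.MustCompile(`amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`), Name: "Amazon Marketing Services"},

	// Twilio API key SIDs are "SK" followed by 32 hex. The previous pattern
	// began with "55", which looks like a transcription error for "SK".
	{Pattern: regexp.MustCompile(`SK[0-9a-fA-F]{32}`), Name: "Twilio"},

	// MailGun
	{Pattern: regexp.MustCompile(`key-[0-9a-zA-Z]{32}`), Name: "MailGun"},

	// MailChimp: 32 hex then "-us<datacenter>". The previous pattern had
	// whitespace inside the class and the repetition (`[ 0-9a-f ]{ 32 }`);
	// Go's regexp treats a malformed `{ 32 }` as literal text, so it could
	// never match a real key.
	{Pattern: regexp.MustCompile(`[0-9a-f]{32}-us[0-9]{1,2}`), Name: "MailChimp"},

	// Slack bot/user tokens, rotated tokens and incoming-webhook paths. The
	// fixed segment lengths reflect older token formats; newer tokens vary
	// in length and may not match.
	{Pattern: regexp.MustCompile(`xoxb-[0-9]{11}-[0-9]{11}-[0-9a-zA-Z]{24}`), Name: "Slack"},
	{Pattern: regexp.MustCompile(`xoxp-[0-9]{11}-[0-9]{11}-[0-9a-zA-Z]{24}`), Name: "Slack"},
	{Pattern: regexp.MustCompile(`xoxe\.xoxp-1-[0-9a-zA-Z]{166}`), Name: "Slack"},
	{Pattern: regexp.MustCompile(`xoxe-1-[0-9a-zA-Z]{147}`), Name: "Slack"},
	{Pattern: regexp.MustCompile(`T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}`), Name: "Slack"},

	// Amazon Web Services: access key IDs (AKIA long-term, ASIA temporary)
	// and, separately, anything shaped like a 40-char secret access key. The
	// second is length-only and also matches git SHA-1s and base64 fragments.
	{Pattern: regexp.MustCompile(`A[KS]IA[0-9A-Z]{16}`), Name: "Amazon Web Services"},
	{Pattern: regexp.MustCompile(`[0-9a-zA-Z/+]{40}`), Name: "Amazon Web Services"},

	// Google Cloud Platform. Both are shape-only matches.
	{Pattern: regexp.MustCompile(`[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`), Name: "Google Cloud Platform"},
	{Pattern: regexp.MustCompile(`[A-Za-z0-9_]{21}--[A-Za-z0-9_]{8}`), Name: "Google Cloud Platform"},

	// Heroku API keys are UUIDs, so the first rule matches every UUID in the
	// input; the second repeats the short GCP shape above under this name.
	{Pattern: regexp.MustCompile(`[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`), Name: "Heroku"},
	{Pattern: regexp.MustCompile(`[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`), Name: "Heroku"},
}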
DefaultStaticRules is the default list of static rules. It contains patterns for a common set of secret formats. Several entries match on length alone (for example the 40-character AWS secret and the UUID-shaped rules) and will produce false positives on hashes and IDs unless a MinEntropy threshold is applied. TODO: improve this list.
Functions ¶
func CalculateShannonEntropy ¶
CalculateShannonEntropy calculates the Shannon entropy of a string; see the MinEntropy field on StaticRule and DynamicRule, which expresses a threshold in the same units.
Types ¶
type Detector ¶
// Detector is the interface for a secrets detector. It composes
// StaticDetector (text search, used on a static image) and DynamicDetector
// (per-file search, used on a dynamic image's tarball), so one value can be
// handed to both scanning paths.
type Detector interface {
	StaticDetector
	DynamicDetector
}
Detector is the interface for a secrets detector. It is used to search for secrets in a static image and a dynamic image's tarball.
func NewDetector ¶
func NewDetector(opts Opts, staticRules []StaticRule, dynamicRules []DynamicRule) Detector
NewDetector creates a new Detector with the given rules, and configured with the given Opts.
type DynamicDetector ¶ added in v1.3.0
// DynamicDetector is the interface for a secrets detector that searches a
// dynamic image's tarball one file at a time.
type DynamicDetector interface {
	// SearchFile searches for secrets in the given file.
	// path is the file's location (presumably as it appears inside the
	// tarball, which is what a DynamicRule's FilePattern is matched against)
	// and body is its content.
	// NOTE(review): whether body is always read to completion is not shown
	// here; callers should assume the reader is consumed.
	SearchFile(path string, body io.Reader) ([]FileMatch, error)
}
DynamicDetector is the interface for a secrets detector. It is used to search for secrets in a dynamic image's tarball.
type DynamicRule ¶ added in v1.3.0
// DynamicRule describes how to find a secret in a dynamic image's tarball:
// which files to look at (FilePattern) and, optionally, what text inside
// them counts as a secret (Pattern plus MinEntropy).
type DynamicRule struct {
	// Name is the human-readable name of the secret that this
	// rule detects (typically the service or file type).
	Name string `json:"name"`
	// FilePattern is the regular expression to match the files to search.
	// A nil value means that the rule will match all files. It is applied to
	// the file's path, so anchor it (see DefaultDynamicRules for the
	// `^(.*/)*...$` form that tolerates leading directories).
	FilePattern *regexp.Regexp `json:"file_pattern,omitempty"`
	// Pattern is the regular expression to match text in the file.
	// A nil value means that the rule matches as soon as the file itself is
	// matched, i.e. the whole file is treated as the secret.
	Pattern *regexp.Regexp `json:"pattern,omitempty"`
	// MinEntropy is the minimum entropy a matched string must have.
	// It is only used if Pattern is not nil; a value of 0 means that the
	// entropy will not be checked. Raising it is the main lever for cutting
	// false positives from shape-only patterns.
	MinEntropy float64 `json:"min_entropy,omitempty"`
}
func ParseDynamicRules ¶ added in v1.3.0
func ParseDynamicRules(userRules []config.UserDynamicRule) (rules []DynamicRule, errors []config.UserDynamicRule)
ParseDynamicRules parses a list of user-supplied dynamic rules, compiling their patterns into regexp.Regexp values and returning them as DynamicRule entries. Rules that result in an error are returned in the second return value; callers should treat a non-empty second value as a configuration error rather than ignore it, since a dropped rule means that class of secret is never searched for.
func (DynamicRule) String ¶ added in v1.3.0
func (r DynamicRule) String() string
type FileMatch ¶ added in v1.3.0
// FileMatch represents a match of a string that is detected to be a secret
// value inside a file, as returned by DynamicDetector.SearchFile.
type FileMatch struct {
	// Rule is the rule that matches this string
	Rule DynamicRule
	// Secret is the actual value of the string. It is the credential
	// itself, so do not log or persist matches verbatim.
	Secret Secret
	// Path is the path of the file that was searched
	Path string
}
FileMatch represents a match of a string that is detected to be a secret value in a file.
type Opts ¶
// Opts is used to configure a Detector.
type Opts struct {
	// UseDefaultStaticRules will include DefaultStaticRules in the Detector
	// alongside the static rules passed to NewDetector.
	UseDefaultStaticRules bool
	// UseDefaultDynamicRules will include DefaultDynamicRules in the Detector
	// alongside the dynamic rules passed to NewDetector.
	UseDefaultDynamicRules bool
}
Opts is used to configure a Detector.
type Rule ¶
// Rule represents a rule for matching secret strings. Both StaticRule and
// DynamicRule have a String method and so satisfy it, which allows the two
// rule kinds to be reported through one type.
type Rule interface {
	String() string
}
Rule represents a rule for matching secret strings
type Secret ¶
type StaticDetector ¶ added in v1.3.0
// StaticDetector is the interface for a secrets detector that searches a
// block of text, used on a static image.
type StaticDetector interface {
	// SearchText searches for secrets in the given text.
	// It returns a slice of matches and an error.
	// NOTE(review): it is not shown here whether text is scanned as one
	// string or line by line; rule patterns anchored with ^/$ behave very
	// differently in the two cases, so prefer \b in token patterns.
	SearchText(text string) ([]TextMatch, error)
}
StaticDetector is the interface for a secrets detector. It is used to search for secrets in a static image
type StaticRule ¶ added in v1.3.0
// StaticRule represents a pattern and entropy rule for matching a secret
// string in a static context (text handed to StaticDetector.SearchText).
type StaticRule struct {
	// Name is the human-readable name of the secret that this
	// rule detects (typically the service the credential belongs to).
	Name string `json:"name"`
	// Pattern is the regular expression to match this secret.
	// Prefer \b word boundaries over ^/$ anchors for token formats: ^/$ only
	// match a token that is the entire scanned string.
	Pattern *regexp.Regexp `json:"pattern"`
	// MinEntropy is the minimum entropy a matched string must have.
	// Presumably measured with CalculateShannonEntropy and skipped when 0,
	// as documented for DynamicRule.MinEntropy — confirm against the
	// detector before relying on it to cut false positives.
	MinEntropy float64 `json:"min_entropy,omitempty"`
}
StaticRule represents a pattern and entropy rule for matching secret string in a static context
func ParseStaticRules ¶ added in v1.3.0
func ParseStaticRules(userRules []config.UserStaticRule) (rules []StaticRule, errors []config.UserStaticRule)
ParseStaticRules parses a list of user-supplied static rules, compiling their patterns into regexp.Regexp values and returning them as StaticRule entries. Rules that result in an error are returned in the second return value; callers should treat a non-empty second value as a configuration error rather than ignore it, since a dropped rule means that class of secret is never searched for.
func (StaticRule) String ¶ added in v1.3.0
func (r StaticRule) String() string
type TextMatch ¶ added in v1.3.0
// TextMatch represents a match of a string that is detected to be a secret
// value, as returned by StaticDetector.SearchText.
type TextMatch struct {
	// Rule is the rule that matches this string
	Rule StaticRule
	// Secret is the actual value of the string. It is the credential
	// itself, so do not log or persist matches verbatim.
	Secret Secret
	// FullText is the full text that was searched
	FullText string
	// StartPos is the starting position of the match within FullText
	// (assumed to be a byte offset, as regexp reports — confirm)
	StartPos int
	// EndPos is the ending position of the match within FullText
	// (assumed to be exclusive, as regexp reports — confirm)
	EndPos int
}
TextMatch represents a match of a string that is detected to be a secret value in searched text.