detectors

package
v3.71.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 26, 2024 License: AGPL-3.0 Imports: 17 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

View Source
var DefaultFalsePositives = []FalsePositive{"example", "xxxxxx", "aaaaaa", "abcde", "00000", "sample", "www"}

Functions

func HasDigit

func HasDigit(key string) bool

func IsKnownFalsePositive

func IsKnownFalsePositive(match string, falsePositives []FalsePositive, wordCheck bool) bool

IsKnownFalsePositives will not return a valid secret finding if any of the disqualifying conditions are met Currently that includes: No number, english word in key, or matches common example pattens. Only the secret key material should be passed into this function

func KeyIsRandom

func KeyIsRandom(key string) bool

KeyIsRandom is a Low cost check to make sure that 'keys' include a number to reduce FPs. Golang doesn't support regex lookaheads, so must be done in separate calls. TODO improve checks. Shannon entropy did not work well.

func MustGetBenchmarkData

func MustGetBenchmarkData() map[string][]byte

func PrefixRegex

func PrefixRegex(keywords []string) string

PrefixRegex ensures that at least one of the given keywords is within 20 characters of the capturing group that follows. This can help prevent false positives.

func RedactURL added in v3.40.0

func RedactURL(u url.URL) string

func StringShannonEntropy added in v3.60.0

func StringShannonEntropy(input string) float64

Types

type Detector

type Detector interface {
	// FromData will scan bytes for results, and optionally verify them.
	FromData(ctx context.Context, verify bool, data []byte) ([]Result, error)
	// Keywords are used for efficiently pre-filtering chunks using substring operations.
	// Use unique identifiers that are part of the secret if you can, or the provider name.
	Keywords() []string
	// Type returns the DetectorType number from detectors.proto for the given detector.
	Type() detectorspb.DetectorType
}

Detector defines an interface for scanning for and verifying secrets.

type EndpointCustomizer added in v3.34.0

type EndpointCustomizer interface {
	SetEndpoints(...string) error
	DefaultEndpoint() string
}

EndpointCustomizer is an optional interface that a detector can implement to support verifying against user-supplied endpoints.

type EndpointSetter added in v3.34.0

type EndpointSetter struct {
	// contains filtered or unexported fields
}

EndpointSetter implements a sensible default for the SetEndpoints function of the EndpointCustomizer interface. A detector can embed this struct to gain the functionality.

func (*EndpointSetter) Endpoints added in v3.34.0

func (e *EndpointSetter) Endpoints(defaultEndpoint string) []string

func (*EndpointSetter) SetEndpoints added in v3.34.0

func (e *EndpointSetter) SetEndpoints(endpoints ...string) error

type FalsePositive

type FalsePositive string

type Result

type Result struct {
	// DetectorType is the type of Detector.
	DetectorType detectorspb.DetectorType
	// DetectorName is the name of the Detector. Used for custom detectors.
	DetectorName string
	// DecoderType is the type of Decoder.
	DecoderType detectorspb.DecoderType
	Verified    bool
	// Raw contains the raw secret identifier data. Prefer IDs over secrets since it is used for deduping after hashing.
	Raw []byte
	// RawV2 contains the raw secret identifier that is a combination of both the ID and the secret.
	// This is used for secrets that are multi part and could have the same ID. Ex: AWS credentials
	RawV2 []byte
	// Redacted contains the redacted version of the raw secret identification data for display purposes.
	// A secret ID should be used if available.
	Redacted       string
	ExtraData      map[string]string
	StructuredData *detectorspb.StructuredData
	// contains filtered or unexported fields
}

func CleanResults

func CleanResults(results []Result) []Result

CleanResults returns all verified secrets, and if there are no verified secrets, just one unverified secret if there are any.

func FilterResultsWithEntropy added in v3.60.0

func FilterResultsWithEntropy(results []Result, entropy float64) []Result

FilterResultsWithEntropy filters out determinately unverified results that have a shannon entropy below the given value.

func (*Result) SetVerificationError added in v3.63.2

func (r *Result) SetVerificationError(err error, secrets ...string)

SetVerificationError is the only way to set a verification error. Any sensetive values should be passed-in as secrets to be redacted.

func (*Result) VerificationError added in v3.44.0

func (r *Result) VerificationError() error

Public accessors for the fields could also be provided if needed.

type ResultWithMetadata

type ResultWithMetadata struct {
	// SourceMetadata contains source-specific contextual information.
	SourceMetadata *source_metadatapb.MetaData
	// SourceID is the ID of the source that the API uses to map secrets to specific sources.
	SourceID sources.SourceID
	// SourceType is the type of Source.
	SourceType sourcespb.SourceType
	// SourceName is the name of the Source.
	SourceName string
	Result
	// Data from the sources.Chunk which this result was emitted for
	Data []byte
}

func CopyMetadata

func CopyMetadata(chunk *sources.Chunk, result Result) ResultWithMetadata

CopyMetadata returns a detector result with included metadata from the source chunk.

type Versioner added in v3.28.7

type Versioner interface {
	Version() int
}

Versioner is an optional interface that a detector can implement to differentiate instances of the same detector type.

Directories

Path Synopsis
dockerhub
v1
v2
figmapersonalaccesstoken
v1
v2
fullstory
v1
v2
github
v1
v2
gitlab
v1
v2
jiratoken
v1
v2
maxmindlicense
v1
v2

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL