diff --git a/.github/workflows/scb-bot.yaml b/.github/workflows/scb-bot.yaml
index 8937e46899..131edf2d93 100644
--- a/.github/workflows/scb-bot.yaml
+++ b/.github/workflows/scb-bot.yaml
@@ -11,7 +11,7 @@ jobs:
 - amass
 - angularjs-csti-scanner
 - cmseek
- # - gitleaks
+ - gitleaks
 - kube-hunter
 - kubeaudit
 - ncrack
diff --git a/scanners/gitleaks/.helm-docs.gotmpl b/scanners/gitleaks/.helm-docs.gotmpl
index 09bc80f39c..a90cd52c43 100644
--- a/scanners/gitleaks/.helm-docs.gotmpl
+++ b/scanners/gitleaks/.helm-docs.gotmpl
@@ -36,108 +36,52 @@ To learn more about gitleaks visit . {{- define "extra.scannerConfigurationSection" -}} ## Scanner Configuration +For a complete overview of the configuration options, see the +[Gitleaks documentation](https://github.com/zricethezav/gitleaks#usage). -For a complete overview of the configuration options checkout the -[Gitleaks documentation](https://github.com/zricethezav/gitleaks/wiki/Options). - -The only mandatory parameters are: -- `-r`: The link to the repository you want to scan. -- `--access-token`: Only for non-public repositories. -- `--username` and `--password`: Only for non-public repositories. -- `--config-path`: The ruleset you want to use. - -#### Ruleset - -At this point we provide three rulesets which you can pass to the `--config-path` oprtion: - -- `/home/config_all.toml`: Includes every rule. -- `/home/config_filenames_only.toml`: Gitleaks scans only file names and extensions. -- `/home/config_no_generics.toml`: No generic rules like searching for the word *password*. With this option you won't -find something like **password = Ej2ifDk2jfeo2**, but it will reduce resulting false positives. - -If you like to provide your custom ruleset, you can create a configMap and mount it into -the scan. Checkout the examples for more information about providing your own gitleaks rules config. -{{- end }} - -{{- define "extra.chartConfigurationSection" -}} -**Do not** override the option `--report-format` or `--report`. It is already configured for automatic findings parsing. - -## Additional Chart Configurations -### secureCodeBox extended GitLeaks Features - -:::info -If you run gitleaks based on a scheduledScan (e.g. one scan per day) it would be enough to scan all git-commits since the last executed schedule. -Instead of scanning all commits in the complete git history every day it would save a lot of resources to scan only all commits of the last day. 
- -_Problem is: This is a feature and configuration option gitleaks is currently not supporting._ - -That's why we created an [issue](https://github.com/zricethezav/gitleaks/issues/497) and a [pull request](https://github.com/zricethezav/gitleaks/pull/498) for that. -If you like the idea, please vote for our issue and PR. - -If you already want to use our implementation (fork) of this feature you can use our [gitleaks forked docker image](https://hub.docker.com/r/securecodebox/gitleaks) instead of the gitleaks original image. -::: +Starting with version 8.0, gitleaks no longer supports cloning the repository directly. +Instead, you will have to use an init container to do so. +[We provide example scan definitions below](https://docs.securecodebox.io/docs/scanners/gitleaks/#examples) that you can build on. +### Scanning Specific Timeframes +When running gitleaks as a [scheduled scan](https://docs.securecodebox.io/docs/how-tos/automatically-repeating-scans), you may not want to go through the entire repository history every time. +Gitleaks allows you to limit the commits it will scan using the `--log-opts` parameter, which accepts all parameters supported by `git log -p`. 
+For example, if you want to scan only commits made in the last 7 days, on all branches of the repository, use the following parameters: ```yaml -# Corresponding HelmChart Configuration -scanner: - image: - # scanner.image.repository -- Container Image to run the scan - repository: docker.io/securecodebox/scanner-gitleaks - # scanner.image.tag -- defaults to the charts version - tag: v7.3.0 -``` - -#### Deployment with extended GitLeaks -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install gitleaks secureCodeBox/gitleaks \ - --set="scanner.image.repository=docker.io/securecodebox/scanner-gitleaks" \ - --set="scanner.image.tag=v7.3.0" -``` - -#### Additional (Fork) Scanner configuration options -```bash ---commit-since-duration= Scan commits more recent than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each - with optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'. ---commit-until-duration= Scan commits older than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with - optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'. -``` - -#### Other useful options are: - -- `--commit-since`: Scan commits more recent than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. -- `--commit-until`: Scan commits older than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. -- `--repo-config`: Load config from target repo. Config file must be ".gitleaks.toml" or "gitleaks.toml". - -#### Finding format - -It is not an easy task to classify the severity of the scans because we can't tell for sure if the finding is e.g. a real -or a testing password. 
Another issue is that the rate of false positives for generic rules can be very high. Therefore, -we tried to classify the severity of the finding by looking at the accuracy of the rule which detected it. Rules for AWS -secrets or Artifactory tokens are very precise, so they get a high severity. Generic rules on the other hand get a low -severity because the often produce false positives. - -**Please keep in mind that findings with a low severity can be actually -very critical.** - -#### Cascading Rules - -If you want to scan multiple repositories from GitHub or gitlab automatically at once, you should -take a look at the cascading rules which get triggered by the **git-repo-scanner**. -For more information on how to use **git-repo-scanner** checkout the -[Readme](https://github.com/secureCodeBox/secureCodeBox/tree/main/scanners/git-repo-scanner). - -For cascading scans on public GitHub repositories you don't need any credentials. For the gitlab -and private GitHub rules you need to provide an access token via environment. You could do that with -the following commands: - -```bash -kubectl create secret generic github-access-token --from-literal="token=" -kubectl create secret generic gitlab-access-token --from-literal="token=" +parameters: + # Run gitleaks in "detect" mode + - "detect" + # Point it at the location of the repository + - "--source" + - "/repo/" + # Only consider commits within the last 7 days, on all branches + - "--log-opts=--since=7days --all --full-history" ``` +Note that the parameters to `--log-opts` are not quoted separately due to the way the scanner is called inside secureCodeBox - adding extra quotes will break the scan! +It is important to remember to pass `--all --full-history` when using `--log-opts`, as otherwise only the default branch will be scanned (when not using `--log-opts`, gitleaks adds these parameters implicitly). 
+ +### Human-Friendly Commit URLs +Before gitleaks 8.0, the findings used to contain a direct link to the commit that contained the secret. +The base URL was pulled from the parameter given to gitleaks. +Since this is no longer possible, we cannot automatically infer which repository the commits belong to. +However, you can provide this information manually using a scan annotation called `metadata.scan.securecodebox.io/git-repo-url`. +See the examples below on how to use it. + +### Cascading Scans +Gitleaks works well in conjunction with [git-repo-scanner](https://docs.securecodebox.io/docs/scanners/git-repo-scanner) to enumerate Git repositories and scan them using cascading rules. +We do not ship default cascading rules for this purpose. +However, you can find instructions on running such cascading scans in [this article](https://docs.securecodebox.io/blog/2021/10/27/sast-scanning) - simply adapt it to use gitleaks instead of semgrep and you are good to go. + +### Providing Your Own Ruleset +SecureCodeBox used to ship a number of default rulesets. +We have stopped doing this, as the official ruleset of gitleaks is much more up-to-date and well-maintained. +However, if you still want to write and use your own rulesets, we [provide an example below](https://docs.securecodebox.io/docs/scanners/gitleaks#provide-own-rules). +The parser will set all found issues to `medium` severity by default. +To override the severity in your own rulesets, include the result tag "HIGH" or "LOW" in your gitleaks rule. +{{- end }} -For more information on how to use cascades take a look at -[Scanning Networks Example](https://docs.securecodebox.io/docs/how-tos/scanning-networks/) +{{- define "extra.chartConfigurationSection" -}} +**Do not** override the option `--report-format` or `--report-path`. It is already configured for automatic findings parsing. {{- end }} {{- define "extra.scannerLinksSection" -}} 
diff --git a/scanners/gitleaks/Chart.yaml b/scanners/gitleaks/Chart.yaml
index e365ab6309..d835245945 100644
--- a/scanners/gitleaks/Chart.yaml
+++ b/scanners/gitleaks/Chart.yaml
@@ -5,16 +5,13 @@
 apiVersion: v2
 name: gitleaks
 description: A Helm chart for the gitleaks repository scanner that integrates with the secureCodeBox.
-
 type: application
 # version - gets automatically set to the secureCodeBox release version when the helm charts gets published
 version: v3.1.0-alpha1
-appVersion: "v7.6.1"
+appVersion: "v8.3.0"
 kubeVersion: ">=v1.11.0-0"
-
 annotations:
 versionApi: https://api.github.com/repos/zricethezav/gitleaks/releases/latest
-
 keywords:
 - security
 - gitleaks
diff --git a/scanners/gitleaks/Makefile b/scanners/gitleaks/Makefile
index 6893a472d1..d00842331d 100644
--- a/scanners/gitleaks/Makefile
+++ b/scanners/gitleaks/Makefile
@@ -7,7 +7,13 @@
 include_guard = set
 scanner = gitleaks
-custom_scanner = set
 include ../../scanners.mk
+integration-tests:
+ @echo ".: 🩺 Starting integration test in kind namespace 'integration-tests'."
+ kubectl -n integration-tests delete scans --all
+ cd ../../tests/integration/ && npm ci
+ cd ../../scanners/${scanner}
+ npx --yes --package jest@$(JEST_VERSION) jest --verbose --ci --colors --coverage --passWithNoTests ${scanner}/integration-tests
+
diff --git a/scanners/gitleaks/README.md b/scanners/gitleaks/README.md
index b433d6d62e..8fc17aaf3f 100644
--- a/scanners/gitleaks/README.md
+++ b/scanners/gitleaks/README.md
@@ -3,7 +3,7 @@ title: "Gitleaks"
 category: "scanner"
 type: "Repository"
 state: "released"
-appVersion: "v7.6.1"
+appVersion: "v8.3.0"
 usecase: "Find potential secrets in repositories"
 ---
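Review bot: The `cd ../../scanners/${scanner}` line in the new `integration-tests` recipe has no effect, because make runs every recipe line in a fresh shell, so the following `npx` line already starts in the Makefile's own directory and the `npm ci` before it ran in yet another shell. If the intent is to run jest from the scanner directory, simply delete that line; if jest was meant to run from `tests/integration` (where `npm ci` just installed its dependencies), join the two steps on one line, e.g. `cd ../../tests/integration/ && npm ci && npx --yes --package jest@$(JEST_VERSION) jest --verbose --ci --colors --coverage --passWithNoTests ${scanner}/integration-tests`. `JEST_VERSION` is not set in this hunk; presumably it comes from the included `scanners.mk`, but if it is empty the spec `jest@` is unpinned and `npx --yes` installs whatever resolves without prompting, so a guard such as `$(if $(JEST_VERSION),,$(error JEST_VERSION is not set))` at the top of the recipe would make the pin enforceable. A small style nit: the recipe mixes the `${scanner}` and `$(JEST_VERSION)` forms of variable reference.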
@@ -52,110 +52,54 @@ helm upgrade --install gitleaks secureCodeBox/gitleaks ``` ## Scanner Configuration +For a complete overview of the configuration options, see the +[Gitleaks documentation](https://github.com/zricethezav/gitleaks#usage). -For a complete overview of the configuration options checkout the -[Gitleaks documentation](https://github.com/zricethezav/gitleaks/wiki/Options). - -The only mandatory parameters are: -- `-r`: The link to the repository you want to scan. -- `--access-token`: Only for non-public repositories. -- `--username` and `--password`: Only for non-public repositories. -- `--config-path`: The ruleset you want to use. - -#### Ruleset - -At this point we provide three rulesets which you can pass to the `--config-path` oprtion: - -- `/home/config_all.toml`: Includes every rule. -- `/home/config_filenames_only.toml`: Gitleaks scans only file names and extensions. -- `/home/config_no_generics.toml`: No generic rules like searching for the word *password*. With this option you won't -find something like **password = Ej2ifDk2jfeo2**, but it will reduce resulting false positives. - -If you like to provide your custom ruleset, you can create a configMap and mount it into -the scan. Checkout the examples for more information about providing your own gitleaks rules config. - -## Requirements - -Kubernetes: `>=v1.11.0-0` - -**Do not** override the option `--report-format` or `--report`. It is already configured for automatic findings parsing. - -## Additional Chart Configurations -### secureCodeBox extended GitLeaks Features - -:::info -If you run gitleaks based on a scheduledScan (e.g. one scan per day) it would be enough to scan all git-commits since the last executed schedule. -Instead of scanning all commits in the complete git history every day it would save a lot of resources to scan only all commits of the last day. 
- -_Problem is: This is a feature and configuration option gitleaks is currently not supporting._ - -That's why we created an [issue](https://github.com/zricethezav/gitleaks/issues/497) and a [pull request](https://github.com/zricethezav/gitleaks/pull/498) for that. -If you like the idea, please vote for our issue and PR. - -If you already want to use our implementation (fork) of this feature you can use our [gitleaks forked docker image](https://hub.docker.com/r/securecodebox/gitleaks) instead of the gitleaks original image. -::: +Starting with version 8.0, gitleaks no longer supports cloning the repository directly. +Instead, you will have to use an init container to do so. +[We provide example scan definitions below](https://docs.securecodebox.io/docs/scanners/gitleaks/#examples) that you can build on. +### Scanning Specific Timeframes +When running gitleaks as a [scheduled scan](https://docs.securecodebox.io/docs/how-tos/automatically-repeating-scans), you may not want to go through the entire repository history every time. +Gitleaks allows you to limit the commits it will scan using the `--log-opts` parameter, which accepts all parameters supported by `git log -p`. 
+For example, if you want to scan only commits made in the last 7 days, on all branches of the repository, use the following parameters: ```yaml -# Corresponding HelmChart Configuration -scanner: - image: - # scanner.image.repository -- Container Image to run the scan - repository: docker.io/securecodebox/scanner-gitleaks - # scanner.image.tag -- defaults to the charts version - tag: v7.3.0 +parameters: + # Run gitleaks in "detect" mode + - "detect" + # Point it at the location of the repository + - "--source" + - "/repo/" + # Only consider commits within the last 7 days, on all branches + - "--log-opts=--since=7days --all --full-history" ``` +Note that the parameters to `--log-opts` are not quoted separately due to the way the scanner is called inside secureCodeBox - adding extra quotes will break the scan! +It is important to remember to pass `--all --full-history` when using `--log-opts`, as otherwise only the default branch will be scanned (when not using `--log-opts`, gitleaks adds these parameters implicitly). + +### Human-Friendly Commit URLs +Before gitleaks 8.0, the findings used to contain a direct link to the commit that contained the secret. +The base URL was pulled from the parameter given to gitleaks. +Since this is no longer possible, we cannot automatically infer which repository the commits belong to. +However, you can provide this information manually using a scan annotation called `metadata.scan.securecodebox.io/git-repo-url`. +See the examples below on how to use it. + +### Cascading Scans +Gitleaks works well in conjunction with [git-repo-scanner](https://docs.securecodebox.io/docs/scanners/git-repo-scanner) to enumerate Git repositories and scan them using cascading rules. +We do not ship default cascading rules for this purpose. 
+However, you can find instructions on running such cascading scans in [this article](https://docs.securecodebox.io/blog/2021/10/27/sast-scanning) - simply adapt it to use gitleaks instead of semgrep and you are good to go. + +### Providing Your Own Ruleset +SecureCodeBox used to ship a number of default rulesets. +We have stopped doing this, as the official ruleset of gitleaks is much more up-to-date and well-maintained. +However, if you still want to write and use your own rulesets, we [provide an example below](https://docs.securecodebox.io/docs/scanners/gitleaks#provide-own-rules). +The parser will set all found issues to `medium` severity by default. +To override the severity in your own rulesets, include the result tag "HIGH" or "LOW" in your gitleaks rule. -#### Deployment with extended GitLeaks -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install gitleaks secureCodeBox/gitleaks \ - --set="scanner.image.repository=docker.io/securecodebox/scanner-gitleaks" \ - --set="scanner.image.tag=v7.3.0" -``` - -#### Additional (Fork) Scanner configuration options -```bash ---commit-since-duration= Scan commits more recent than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each - with optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'. ---commit-until-duration= Scan commits older than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with - optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'. -``` - -#### Other useful options are: - -- `--commit-since`: Scan commits more recent than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. 
-- `--commit-until`: Scan commits older than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. -- `--repo-config`: Load config from target repo. Config file must be ".gitleaks.toml" or "gitleaks.toml". - -#### Finding format - -It is not an easy task to classify the severity of the scans because we can't tell for sure if the finding is e.g. a real -or a testing password. Another issue is that the rate of false positives for generic rules can be very high. Therefore, -we tried to classify the severity of the finding by looking at the accuracy of the rule which detected it. Rules for AWS -secrets or Artifactory tokens are very precise, so they get a high severity. Generic rules on the other hand get a low -severity because the often produce false positives. - -**Please keep in mind that findings with a low severity can be actually -very critical.** - -#### Cascading Rules - -If you want to scan multiple repositories from GitHub or gitlab automatically at once, you should -take a look at the cascading rules which get triggered by the **git-repo-scanner**. -For more information on how to use **git-repo-scanner** checkout the -[Readme](https://github.com/secureCodeBox/secureCodeBox/tree/main/scanners/git-repo-scanner). - -For cascading scans on public GitHub repositories you don't need any credentials. For the gitlab -and private GitHub rules you need to provide an access token via environment. You could do that with -the following commands: +## Requirements -```bash -kubectl create secret generic github-access-token --from-literal="token=" -kubectl create secret generic gitlab-access-token --from-literal="token=" -``` +Kubernetes: `>=v1.11.0-0` -For more information on how to use cascades take a look at -[Scanning Networks Example](https://docs.securecodebox.io/docs/how-tos/scanning-networks/) +**Do not** override the option `--report-format` or `--report-path`. It is already configured for automatic findings parsing. ## Values 
@@ -175,10 +119,10 @@ For more information on how to use cascades take a look at
 | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
 | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
 | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
-| scanner.extraVolumeMounts | list | `[{"mountPath":"/home/","name":"gitleaks-config"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scanner.extraVolumes | list | `[{"configMap":{"name":"gitleaks-config"},"name":"gitleaks-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
-| scanner.image.repository | string | `"docker.io/securecodebox/scanner-gitleaks"` | Container Image to run the scan |
+| scanner.image.repository | string | `"docker.io/zricethezav/gitleaks"` | Container Image to run the scan |
 | scanner.image.tag | string | `nil` | defaults to the charts appVersion |
 | scanner.nameAppend | string | `nil` | append a string to the default scantype name. |
 | scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
diff --git a/scanners/gitleaks/cascading-rules/gitleaks-scan-github-private.yaml b/scanners/gitleaks/cascading-rules/gitleaks-scan-github-private.yaml
deleted file mode 100644
index 3d0b50e4c2..0000000000
--- a/scanners/gitleaks/cascading-rules/gitleaks-scan-github-private.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# SPDX-FileCopyrightText: the secureCodeBox authors
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: "cascading.securecodebox.io/v1"
-kind: CascadingRule
-metadata:
- name: "gitleaks-github-scan-private"
- labels:
- securecodebox.io/invasive: non-invasive
- securecodebox.io/intensive: medium
-spec:
- matches:
- anyOf:
- - name: "GitHub Repo"
- attributes:
- visibility: private
- scanSpec:
- scanType: "gitleaks"
- parameters:
- - "-r"
- - "{{{attributes.web_url}}}"
- #Provide an access token
- - "--access-token"
- - "$(GITHUB_TOKEN)"
- - "--config"
- - "/home/config_all.toml"
- env:
- - name: GITHUB_TOKEN
- valueFrom:
- secretKeyRef:
- name: github-access-token
- key: token
-
diff --git a/scanners/gitleaks/cascading-rules/gitleaks-scan-github-public.yaml b/scanners/gitleaks/cascading-rules/gitleaks-scan-github-public.yaml
deleted file mode 100644
index a8e6b0b0c7..0000000000
--- a/scanners/gitleaks/cascading-rules/gitleaks-scan-github-public.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# SPDX-FileCopyrightText: the secureCodeBox authors
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: "cascading.securecodebox.io/v1"
-kind: CascadingRule
-metadata:
- name: "gitleaks-github-scan-public"
- labels:
- securecodebox.io/invasive: non-invasive
- securecodebox.io/intensive: medium
-spec:
- matches:
- anyOf:
- - name: "GitHub Repo"
- attributes:
- visibility: public
- scanSpec:
- scanType: "gitleaks"
- parameters:
- - "-r"
- - "{{{attributes.web_url}}}"
- - "--config"
- - "/home/config_all.toml"
- #Provide an access token
- - "--access-token"
- - "$(GITHUB_TOKEN)"
- env:
- - name: GITHUB_TOKEN
- valueFrom:
- secretKeyRef:
- name: github-access-token
- key: token
-
diff --git a/scanners/gitleaks/cascading-rules/gitleaks-scan-gitlab-private.yaml b/scanners/gitleaks/cascading-rules/gitleaks-scan-gitlab-private.yaml
deleted file mode 100644
index 0e2153d3ba..0000000000
--- a/scanners/gitleaks/cascading-rules/gitleaks-scan-gitlab-private.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-# SPDX-FileCopyrightText: the secureCodeBox authors
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: "cascading.securecodebox.io/v1"
-kind: CascadingRule
-metadata:
- name: "gitleaks-gitlab-scan-private"
- labels:
- securecodebox.io/invasive: non-invasive
- securecodebox.io/intensive: medium
-spec:
- matches:
- anyOf:
- - name: "GitLab Repo"
- attributes:
- visibility: private
- scanSpec:
- scanType: "gitleaks"
- parameters:
- - "-r"
- - "{{{attributes.web_url}}}"
- - "--config"
- - "/home/config_all.toml"
- #Provide an access token
- - "--access-token"
- - "$(GITLAB_TOKEN)"
- env:
- - name: GITLAB_TOKEN
- valueFrom:
- secretKeyRef:
- name: gitlab-access-token
- key: token
diff --git a/scanners/gitleaks/cascading-rules/gitleaks-scan-gitlab-public.yaml b/scanners/gitleaks/cascading-rules/gitleaks-scan-gitlab-public.yaml
deleted file mode 100644
index 30998a47a3..0000000000
--- a/scanners/gitleaks/cascading-rules/gitleaks-scan-gitlab-public.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# SPDX-FileCopyrightText: the secureCodeBox authors
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: "cascading.securecodebox.io/v1"
-kind: CascadingRule
-metadata:
- name: "gitleaks-gitlab-scan-public"
- labels:
- securecodebox.io/invasive: non-invasive
- securecodebox.io/intensive: medium
-spec:
- matches:
- anyOf:
- - name: "GitLab Repo"
- attributes:
- visibility: public
- scanSpec:
- scanType: "gitleaks"
- parameters:
- - "-r"
- - "{{{attributes.web_url}}}"
- - "--config"
- - "/home/config_all.toml"
- #Provide an access token
- - "--access-token"
- - "$(GITLAB_TOKEN)"
- env:
- - name: GITLAB_TOKEN
- valueFrom:
- secretKeyRef:
- name: gitlab-access-token
- key: token
-
diff --git a/scanners/gitleaks/docs/README.ArtifactHub.md b/scanners/gitleaks/docs/README.ArtifactHub.md
index 02165ba10b..02ca964550 100644
--- a/scanners/gitleaks/docs/README.ArtifactHub.md
+++ b/scanners/gitleaks/docs/README.ArtifactHub.md
@@ -57,110 +57,54 @@ helm upgrade --install gitleaks secureCodeBox/gitleaks ``` ## Scanner Configuration +For a complete overview of the configuration options, see the +[Gitleaks documentation](https://github.com/zricethezav/gitleaks#usage). -For a complete overview of the configuration options checkout the -[Gitleaks documentation](https://github.com/zricethezav/gitleaks/wiki/Options). - -The only mandatory parameters are: -- `-r`: The link to the repository you want to scan. -- `--access-token`: Only for non-public repositories. -- `--username` and `--password`: Only for non-public repositories. -- `--config-path`: The ruleset you want to use. - -#### Ruleset - -At this point we provide three rulesets which you can pass to the `--config-path` oprtion: - -- `/home/config_all.toml`: Includes every rule. -- `/home/config_filenames_only.toml`: Gitleaks scans only file names and extensions. -- `/home/config_no_generics.toml`: No generic rules like searching for the word *password*. With this option you won't -find something like **password = Ej2ifDk2jfeo2**, but it will reduce resulting false positives. - -If you like to provide your custom ruleset, you can create a configMap and mount it into -the scan. Checkout the examples for more information about providing your own gitleaks rules config. - -## Requirements - -Kubernetes: `>=v1.11.0-0` - -**Do not** override the option `--report-format` or `--report`. It is already configured for automatic findings parsing. - -## Additional Chart Configurations -### secureCodeBox extended GitLeaks Features - -:::info -If you run gitleaks based on a scheduledScan (e.g. one scan per day) it would be enough to scan all git-commits since the last executed schedule. -Instead of scanning all commits in the complete git history every day it would save a lot of resources to scan only all commits of the last day. 
- -_Problem is: This is a feature and configuration option gitleaks is currently not supporting._ - -That's why we created an [issue](https://github.com/zricethezav/gitleaks/issues/497) and a [pull request](https://github.com/zricethezav/gitleaks/pull/498) for that. -If you like the idea, please vote for our issue and PR. - -If you already want to use our implementation (fork) of this feature you can use our [gitleaks forked docker image](https://hub.docker.com/r/securecodebox/gitleaks) instead of the gitleaks original image. -::: +Starting with version 8.0, gitleaks no longer supports cloning the repository directly. +Instead, you will have to use an init container to do so. +[We provide example scan definitions below](https://docs.securecodebox.io/docs/scanners/gitleaks/#examples) that you can build on. +### Scanning Specific Timeframes +When running gitleaks as a [scheduled scan](https://docs.securecodebox.io/docs/how-tos/automatically-repeating-scans), you may not want to go through the entire repository history every time. +Gitleaks allows you to limit the commits it will scan using the `--log-opts` parameter, which accepts all parameters supported by `git log -p`. 
+For example, if you want to scan only commits made in the last 7 days, on all branches of the repository, use the following parameters: ```yaml -# Corresponding HelmChart Configuration -scanner: - image: - # scanner.image.repository -- Container Image to run the scan - repository: docker.io/securecodebox/scanner-gitleaks - # scanner.image.tag -- defaults to the charts version - tag: v7.3.0 +parameters: + # Run gitleaks in "detect" mode + - "detect" + # Point it at the location of the repository + - "--source" + - "/repo/" + # Only consider commits within the last 7 days, on all branches + - "--log-opts=--since=7days --all --full-history" ``` +Note that the parameters to `--log-opts` are not quoted separately due to the way the scanner is called inside secureCodeBox - adding extra quotes will break the scan! +It is important to remember to pass `--all --full-history` when using `--log-opts`, as otherwise only the default branch will be scanned (when not using `--log-opts`, gitleaks adds these parameters implicitly). + +### Human-Friendly Commit URLs +Before gitleaks 8.0, the findings used to contain a direct link to the commit that contained the secret. +The base URL was pulled from the parameter given to gitleaks. +Since this is no longer possible, we cannot automatically infer which repository the commits belong to. +However, you can provide this information manually using a scan annotation called `metadata.scan.securecodebox.io/git-repo-url`. +See the examples below on how to use it. + +### Cascading Scans +Gitleaks works well in conjunction with [git-repo-scanner](https://docs.securecodebox.io/docs/scanners/git-repo-scanner) to enumerate Git repositories and scan them using cascading rules. +We do not ship default cascading rules for this purpose. 
+However, you can find instructions on running such cascading scans in [this article](https://docs.securecodebox.io/blog/2021/10/27/sast-scanning) - simply adapt it to use gitleaks instead of semgrep and you are good to go. + +### Providing Your Own Ruleset +SecureCodeBox used to ship a number of default rulesets. +We have stopped doing this, as the official ruleset of gitleaks is much more up-to-date and well-maintained. +However, if you still want to write and use your own rulesets, we [provide an example below](https://docs.securecodebox.io/docs/scanners/gitleaks#provide-own-rules). +The parser will set all found issues to `medium` severity by default. +To override the severity in your own rulesets, include the result tag "HIGH" or "LOW" in your gitleaks rule. -#### Deployment with extended GitLeaks -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install gitleaks secureCodeBox/gitleaks \ - --set="scanner.image.repository=docker.io/securecodebox/scanner-gitleaks" \ - --set="scanner.image.tag=v7.3.0" -``` - -#### Additional (Fork) Scanner configuration options -```bash ---commit-since-duration= Scan commits more recent than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each - with optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'. ---commit-until-duration= Scan commits older than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with - optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'. -``` - -#### Other useful options are: - -- `--commit-since`: Scan commits more recent than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. 
-- `--commit-until`: Scan commits older than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. -- `--repo-config`: Load config from target repo. Config file must be ".gitleaks.toml" or "gitleaks.toml". - -#### Finding format - -It is not an easy task to classify the severity of the scans because we can't tell for sure if the finding is e.g. a real -or a testing password. Another issue is that the rate of false positives for generic rules can be very high. Therefore, -we tried to classify the severity of the finding by looking at the accuracy of the rule which detected it. Rules for AWS -secrets or Artifactory tokens are very precise, so they get a high severity. Generic rules on the other hand get a low -severity because the often produce false positives. - -**Please keep in mind that findings with a low severity can be actually -very critical.** - -#### Cascading Rules - -If you want to scan multiple repositories from GitHub or gitlab automatically at once, you should -take a look at the cascading rules which get triggered by the **git-repo-scanner**. -For more information on how to use **git-repo-scanner** checkout the -[Readme](https://github.com/secureCodeBox/secureCodeBox/tree/main/scanners/git-repo-scanner). - -For cascading scans on public GitHub repositories you don't need any credentials. For the gitlab -and private GitHub rules you need to provide an access token via environment. You could do that with -the following commands: +## Requirements -```bash -kubectl create secret generic github-access-token --from-literal="token=" -kubectl create secret generic gitlab-access-token --from-literal="token=" -``` +Kubernetes: `>=v1.11.0-0` -For more information on how to use cascades take a look at -[Scanning Networks Example](https://docs.securecodebox.io/docs/how-tos/scanning-networks/) +**Do not** override the option `--report-format` or `--report-path`. It is already configured for automatic findings parsing. ## Values 
@@ -180,10 +124,10 @@ For more information on how to use cascades take a look at | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scanner.extraVolumeMounts | list | `[{"mountPath":"/home/","name":"gitleaks-config"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scanner.extraVolumes | list | `[{"configMap":{"name":"gitleaks-config"},"name":"gitleaks-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. 
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| scanner.image.repository | string | `"docker.io/securecodebox/scanner-gitleaks"` | Container Image to run the scan | +| scanner.image.repository | string | `"docker.io/zricethezav/gitleaks"` | Container Image to run the scan | | scanner.image.tag | string | `nil` | defaults to the charts appVersion | | scanner.nameAppend | string | `nil` | append a string to the default scantype name. | | scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | diff --git a/scanners/gitleaks/docs/README.DockerHub-Hook.md b/scanners/gitleaks/docs/README.DockerHub-Hook.md new file mode 100644 index 0000000000..2147991ec8 --- /dev/null +++ b/scanners/gitleaks/docs/README.DockerHub-Hook.md @@ -0,0 +1,86 @@ + + + +

+ License Apache-2.0 + GitHub release (latest SemVer) + OWASP Incubator Project + Artifact HUB + GitHub Repo stars + Twitter Follower +

+ +## What is OWASP secureCodeBox? + +

+ secureCodeBox Logo +

+ +_[OWASP secureCodeBox][scb-github]_ is an automated and scalable open source solution that can be used to integrate various *security vulnerability scanners* with a simple and lightweight interface. The _secureCodeBox_ mission is to support *DevSecOps* Teams to make it easy to automate security vulnerability testing in different scenarios. + +With the _secureCodeBox_ we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues. + +The secureCodeBox project is running on [Kubernetes](https://kubernetes.io/). To install it you need [Helm](https://helm.sh), a package manager for Kubernetes. It is also possible to start the different integrated security vulnerability scanners based on a docker infrastructure. + +### Quickstart with secureCodeBox on kubernetes + +You can find resources to help you get started on our [documentation website](https://docs.securecodebox.io) including instruction on how to [install the secureCodeBox project](https://docs.securecodebox.io/docs/getting-started/installation) and guides to help you [run your first scans](https://docs.securecodebox.io/docs/getting-started/first-scans) with it. + +## Supported Tags +- `latest` (represents the latest stable release build) +- tagged releases, e.g. `v8.2.7` + +## How to use this image +This `hook` image is intended to work in combination with other `parser` images to read or manipulate `findings` results. For more information details please take a look at the [project page][scb-docs] or [documentation page][https://docs.securecodebox.io/docs/scanners/gitleaks]. + +```bash +docker pull securecodebox/hook-gitleaks +``` + +## What is Gitleaks? +Gitleaks is a free and open source tool for finding secrets in git repositories. 
+These secrets could be passwords, API keys, tokens, private keys or suspicious file names or +file extensions like *id_rsa*, *.pem*, *htpasswd*. Furthermore, gitleaks can scan your whole repository's history +with all commits up to the initial one. + +To learn more about gitleaks visit . + +## Community + +You are welcome, please join us on... 👋 + +- [GitHub][scb-github] +- [Slack][scb-slack] +- [Twitter][scb-twitter] + +secureCodeBox is an official [OWASP][scb-owasp] project. + +## License +[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) + +As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained). + +As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within. + +[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox +[scb-docs]: https://docs.securecodebox.io/ +[scb-site]: https://www.securecodebox.io/ +[scb-github]: https://github.com/secureCodeBox/ +[scb-twitter]: https://twitter.com/secureCodeBox +[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU +[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE + diff --git a/scanners/gitleaks/docs/README.DockerHub-Parser.md b/scanners/gitleaks/docs/README.DockerHub-Parser.md index 9745b5226e..1945aaa7b1 100644 --- a/scanners/gitleaks/docs/README.DockerHub-Parser.md +++ b/scanners/gitleaks/docs/README.DockerHub-Parser.md 
@@ -42,7 +42,7 @@ You can find resources to help you get started on our [documentation website](ht ## Supported Tags - `latest` (represents the latest stable release build) -- tagged releases, e.g. `v7.6.1` +- tagged releases, e.g. `v8.3.0` ## How to use this image This `parser` image is intended to work in combination with the corresponding security scanner docker image to parse the `findings` results. For more information details please take a look at the documentation page: https://docs.securecodebox.io/docs/scanners/gitleaks. diff --git a/scanners/gitleaks/docs/README.DockerHub-Scanner.md b/scanners/gitleaks/docs/README.DockerHub-Scanner.md index eab6b098ac..9459f2b0ad 100644 --- a/scanners/gitleaks/docs/README.DockerHub-Scanner.md +++ b/scanners/gitleaks/docs/README.DockerHub-Scanner.md @@ -42,7 +42,7 @@ You can find resources to help you get started on our [documentation website](ht ## Supported Tags - `latest` (represents the latest stable release build) -- tagged releases, e.g. `v7.6.1` +- tagged releases, e.g. `v8.0.0` ## How to use this image This `scanner` image is intended to work in combination with the corresponding `parser` image to parse the scanner `findings` to generic secureCodeBox results. For more information details please take a look at the [project page][scb-docs] or [documentation page][https://docs.securecodebox.io/docs/scanners/gitleaks]. diff --git a/scanners/gitleaks/examples/multi-juicer/findings.json b/scanners/gitleaks/examples/multi-juicer/findings.json deleted file mode 100644 index c9b35b099f..0000000000 --- a/scanners/gitleaks/examples/multi-juicer/findings.json +++ /dev/null 
@@ -1,302 +0,0 @@ -[ - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "194d89fb02c9bb6fd2ff1fcf42018d7e6dbaeae2", - "repo": "multi-juicer", - "offender": "key: metricsBasicAuthPassword", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-03-04T20:11:39+01:00", - "file": "helm/multi-juicer/templates/juice-balancer-deployment.yaml", - "line_number": 59, - "tags": [ - "key", - "Generic" - ], - "line": " key: metricsBasicAuthPassword" - }, - "id": "efaf1b50-3f7b-447d-92ea-7172c697f09c" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "194d89fb02c9bb6fd2ff1fcf42018d7e6dbaeae2", - "repo": "multi-juicer", - "offender": "key: metricsBasicAuthPassword", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-03-04T20:11:39+01:00", - "file": "helm/multi-juicer/templates/juice-balancer-servicemonitor.yaml", - "line_number": 20, - "tags": [ - "key", - "Generic" - ], - "line": " key: metricsBasicAuthPassword" - }, - "id": "43622169-a94f-4396-bb66-1ac020cdfb5b" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "194d89fb02c9bb6fd2ff1fcf42018d7e6dbaeae2", - "repo": "multi-juicer", - "offender": "password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-03-04T20:11:39+01:00", - "file": "helm/multi-juicer/values.yaml", - "line_number": 48, - "tags": 
[ - "key", - "Generic" - ], - "line": " password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy" - }, - "id": "ece59401-d900-4de9-bda7-30b336c6833d" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "194d89fb02c9bb6fd2ff1fcf42018d7e6dbaeae2", - "repo": "multi-juicer", - "offender": "password\": \"ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-03-04T20:11:39+01:00", - "file": "juice-balancer/config/config.json", - "line_number": 19, - "tags": [ - "key", - "Generic" - ], - "line": " \"password\": \"ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy\"" - }, - "id": "40d61a77-6fc1-48c3-9f73-7f772b54c749" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "4702700c71c422a6371accc5085466476dad5b3e", - "repo": "multi-juicer", - "offender": "Password: \"glaucoma-coupling-usurious-crayfish-dugout-acuity", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-29T11:24:21-05:00", - "file": "guides/monitoring-setup/prometheus-operator-config.yaml", - "line_number": 6, - "tags": [ - "key", - "Generic" - ], - "line": " adminPassword: \"glaucoma-coupling-usurious-crayfish-dugout-acuity\"" - }, - "id": "ddaca655-7f27-45ec-897f-67aa0d22cd44" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "d97c6ad68b246f4966fa496893246b19a695e781", - "repo": "multi-juicer", - "offender": "key: metricsBasicAuthPassword", - 
"author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-28T17:37:24-05:00", - "file": "helm/multi-juicer/templates/juice-balancer-deployment.yaml", - "line_number": 59, - "tags": [ - "key", - "Generic" - ], - "line": " key: metricsBasicAuthPassword" - }, - "id": "c33cd638-f8b0-4b5e-b859-b167dffe5c12" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "d97c6ad68b246f4966fa496893246b19a695e781", - "repo": "multi-juicer", - "offender": "key: metricsBasicAuthPassword", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-28T17:37:24-05:00", - "file": "helm/multi-juicer/templates/juice-balancer-servicemonitor.yaml", - "line_number": 20, - "tags": [ - "key", - "Generic" - ], - "line": " key: metricsBasicAuthPassword" - }, - "id": "45e843b3-c453-41b5-8e63-928bdf58e745" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "d97c6ad68b246f4966fa496893246b19a695e781", - "repo": "multi-juicer", - "offender": "password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-28T17:37:24-05:00", - "file": "helm/multi-juicer/values.yaml", - "line_number": 37, - "tags": [ - "key", - "Generic" - ], - "line": " password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy" - }, - "id": "186534f6-276e-4e50-b893-f8a95a2d0915" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": 
"d97c6ad68b246f4966fa496893246b19a695e781", - "repo": "multi-juicer", - "offender": "password\": \"ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-28T17:37:24-05:00", - "file": "juice-balancer/config/config.json", - "line_number": 19, - "tags": [ - "key", - "Generic" - ], - "line": " \"password\": \"ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy\"" - }, - "id": "99d860f7-2124-414d-83fe-634de61921af" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "eaf6864262dbbcbf19c972cd961121b340b9968f", - "repo": "multi-juicer", - "offender": "key: metricsBasicAuthPassword", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-18T22:28:53+01:00", - "file": "helm/multi-juicer/templates/juice-balancer-deployment.yaml", - "line_number": 59, - "tags": [ - "key", - "Generic" - ], - "line": " key: metricsBasicAuthPassword" - }, - "id": "9552da68-56c8-4599-a458-a10f28fb7f48" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "eaf6864262dbbcbf19c972cd961121b340b9968f", - "repo": "multi-juicer", - "offender": "key: metricsBasicAuthPassword", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-18T22:28:53+01:00", - "file": "helm/multi-juicer/templates/juice-balancer-servicemonitor.yaml", - "line_number": 20, - "tags": [ - "key", - "Generic" - ], - "line": " key: metricsBasicAuthPassword" - }, - "id": "cdb540bd-c558-43a8-a4f0-cb0d05ece5ba" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: 
Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "eaf6864262dbbcbf19c972cd961121b340b9968f", - "repo": "multi-juicer", - "offender": "password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-18T22:28:53+01:00", - "file": "helm/multi-juicer/values.yaml", - "line_number": 33, - "tags": [ - "key", - "Generic" - ], - "line": " password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy" - }, - "id": "e185c0d3-b060-4ae3-b292-82b89beb6a48" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "eaf6864262dbbcbf19c972cd961121b340b9968f", - "repo": "multi-juicer", - "offender": "password\": \"ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-18T22:28:53+01:00", - "file": "juice-balancer/config/config.json", - "line_number": 19, - "tags": [ - "key", - "Generic" - ], - "line": " \"password\": \"ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy\"" - }, - "id": "0a48dd0c-d860-4d5d-b946-5e32f4a14f7f" - } -] - diff --git a/scanners/gitleaks/examples/multi-juicer/scan.yaml b/scanners/gitleaks/examples/multi-juicer/scan.yaml deleted file mode 100644 index 088dadd548..0000000000 --- a/scanners/gitleaks/examples/multi-juicer/scan.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# SPDX-FileCopyrightText: the secureCodeBox authors -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: "execution.securecodebox.io/v1" -kind: Scan -metadata: - name: "scan-multi-juicer-example" -spec: - scanType: "gitleaks" - parameters: - - "-r" - - "https://github.com/iteratec/multi-juicer" - - "--config" - - "/home/config_all.toml" 
diff --git a/scanners/gitleaks/examples/private-repository/README.md b/scanners/gitleaks/examples/private-repository/README.md index f825c39cf5..35d7f82d10 100644 --- a/scanners/gitleaks/examples/private-repository/README.md +++ b/scanners/gitleaks/examples/private-repository/README.md @@ -4,4 +4,15 @@ SPDX-FileCopyrightText: the secureCodeBox authors SPDX-License-Identifier: Apache-2.0 --> -Another example for how to scan a private GitLab repository: +In some cases, you may have to authenticate to clone a repository. +For this, you can place your relevant access token in a Kubernetes secret: + +```bash +# Don't forget the leading whitespace in the command to avoid +# having your GitHub access token in your shell history! + echo -n 'gh_abcdef...' > github-token.txt # use -n to avoid trailing line break +kubectl create secret generic github-access-token --from-file=token=github-token.txt +rm github-token.txt +``` + +Then, you can use this token to perform an authenticated HTTPS clone, like in the following example. \ No newline at end of file diff --git a/scanners/gitleaks/examples/private-repository/scan.yaml b/scanners/gitleaks/examples/private-repository/scan.yaml index 0775fd7c90..a9297dd40f 100644 --- a/scanners/gitleaks/examples/private-repository/scan.yaml +++ b/scanners/gitleaks/examples/private-repository/scan.yaml 
@@ -5,15 +5,47 @@
 apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
- name: "scan-private-repository-example"
+ name: "authenticated-clone-example"
+ annotations:
+ metadata.scan.securecodebox.io/git-repo-url: "https://github.com/yourOrg/yourRepo"
 spec:
 scanType: "gitleaks"
+ # Define a volume and mount it at /repo in the scan container
+ volumes:
+ - name: repo
+ emptyDir: {}
+ volumeMounts:
+ - name: repo
+ mountPath: "/repo/"
+ # Define an init container to run the git clone for us
+ initContainers:
+ - name: "git-clone"
+ image: bitnami/git
+ # Specify that the "repo" volume should also be mounted on the
+ # initContainer
+ volumeMounts:
+ - name: repo
+ mountPath: "/repo/"
+ # Clone to /repo in the init container
+ command:
+ - git
+ - clone
+ # Use the --mirror clone to get the complete repository, otherwise findings may be
+ # incomplete. See https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/
+ - "--mirror"
+ # Add access token to the URL for authenticated HTTPS clone
+ - "https://$(GITHUB_TOKEN)@github.com/yourOrg/yourRepo"
+ - /repo/
+ # Pull the access token into an env variable
+ env:
+ - name: GITHUB_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: github-access-token
+ key: token
 parameters:
- - "-r"
- - "https://gitlab.yourcompany.com/group/project"
- - "--access-token"
- - ""
- - "--config"
- - "/home/config_filenames_only.toml"
- - "--commit-since"
- - "2020-04-20"
+ # Run Gitleaks in "detect" mode
+ - "detect"
+ # Point it at the location of the repository
+ - "--source"
+ - "/repo/"
\ No newline at end of file
diff --git a/scanners/gitleaks/examples/provide-own-rules/README.md b/scanners/gitleaks/examples/provide-own-rules/README.md
index 45f28a4c82..553e6b05ca 100644
--- a/scanners/gitleaks/examples/provide-own-rules/README.md
+++ b/scanners/gitleaks/examples/provide-own-rules/README.md
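Review bot: The access token is placed inside the clone URL on the `- "https://$(GITHUB_TOKEN)@github.com/yourOrg/yourRepo"` line, and `git clone --mirror` persists that URL as `remote.origin.url` in `/repo/config`, so the secret stays on the shared `emptyDir` after the init container exits and is readable by the scan container and any extra containers mounting `repo`. A safer shape for an example that users will copy is to clone via `sh -c` and rewrite the remote to the credential-free URL as soon as the clone succeeds; the `env` block stays as it is. Separately, `image: bitnami/git` is unpinned here, in the provide-own-rules and secureCodeBox `scan.yaml` hunks and in the integration test's init container; pinning a tag or digest keeps the clone step reproducible.

```yaml
      # Clone to /repo in the init container
      command:
        - sh
        - -c
        # Use the --mirror clone to get the complete repository, otherwise findings may be
        # incomplete. See https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/
        # Then drop the token from the stored remote URL so it is not left in /repo/config
        - >-
          git clone --mirror "https://${GITHUB_TOKEN}@github.com/yourOrg/yourRepo" /repo/ &&
          git --git-dir=/repo remote set-url origin "https://github.com/yourOrg/yourRepo"
      # … unchanged: env block pulling GITHUB_TOKEN from the github-access-token secret …
```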
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0 --> If you don't want to use our predefined rule files you can easily provide your own -gitleaks rules config file. Therefore create a configMap from your rules file. +gitleaks rules config file. To do this, create a `configMap` from your rules file: ```bash kubectl create configmap --from-file /path/to/my/gitleaks-config.toml gitleaks-config diff --git a/scanners/gitleaks/examples/provide-own-rules/scan.yaml b/scanners/gitleaks/examples/provide-own-rules/scan.yaml index edbce8e01f..857a0ce92d 100644 --- a/scanners/gitleaks/examples/provide-own-rules/scan.yaml +++ b/scanners/gitleaks/examples/provide-own-rules/scan.yaml @@ -5,7 +5,9 @@ apiVersion: "execution.securecodebox.io/v1" kind: Scan metadata: - name: "scan-multi-juicer-with-own-rules" + name: "scan-scb-with-own-rules" + annotations: + metadata.scan.securecodebox.io/git-repo-url: "https://github.com/secureCodeBox/secureCodeBox" spec: scanType: "gitleaks" parameters: 
@@ -20,3 +22,53 @@ spec:
 volumeMounts:
 - name: "gitleaks-config"
 mountPath: "/config/"
+
+# SPDX-FileCopyrightText: 2021 iteratec GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: "execution.securecodebox.io/v1"
+kind: Scan
+metadata:
+ name: "scan-scb-with-own-rules"
+spec:
+ scanType: "gitleaks"
+ # Define a volume and mount it at /repo in the scan container
+ volumes:
+ - name: "repo"
+ emptyDir: {}
+ - name: "gitleaks-config"
+ configMap:
+ name: "gitleaks-config"
+ volumeMounts:
+ - name: "repo"
+ mountPath: "/repo/"
+ - name: "gitleaks-config"
+ mountPath: "/config/"
+ # Define an init container to run the git clone for us
+ initContainers:
+ - name: "git-clone"
+ image: bitnami/git
+ # Specify that the "repo" volume should also be mounted on the
+ # initContainer
+ volumeMounts:
+ - name: "repo"
+ mountPath: "/repo/"
+ # Clone to /repo in the init container
+ command:
+ - git
+ - clone
+ # Use the --mirror clone to get the complete repository, otherwise findings may be
+ # incomplete. See https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/
+ - "--mirror"
+ - "https://github.com/secureCodeBox/secureCodeBox"
+ - /repo/
+ parameters:
+ # Run Gitleaks in "detect" mode
+ - "detect"
+ # Point it at the location of the repository
+ - "--source"
+ - "/repo/"
+ # Point it at your own config file
+ - "--config"
+ - "/config/gitleaks-config.toml"
\ No newline at end of file
diff --git a/scanners/gitleaks/examples/multi-juicer/README.md b/scanners/gitleaks/examples/secureCodeBox/README.md
similarity index 56%
rename from scanners/gitleaks/examples/multi-juicer/README.md
rename to scanners/gitleaks/examples/secureCodeBox/README.md
index ab34793ac1..d5feef44d6 100644
--- a/scanners/gitleaks/examples/multi-juicer/README.md
+++ b/scanners/gitleaks/examples/secureCodeBox/README.md
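Review bot: The appended Scan document is not separated from the existing one by a `---` line, so after this hunk the file carries `apiVersion`, `kind`, `metadata` and `spec` twice at the top level of a single YAML document; parsers either reject the duplicate keys or keep only the last occurrence, and the original document (its `parameters:` block lies before the hunk) would then silently never be applied. Either put `---` on the blank added line before `# SPDX-FileCopyrightText: 2021 iteratec GmbH`, or, since the appended document reads like a full replacement for the v8 `detect` invocation, delete the original document instead. If both are kept, the second one also lacks the `metadata.scan.securecodebox.io/git-repo-url` annotation the earlier hunk adds to the first, and both carry `name: "scan-scb-with-own-rules"`, so they would collide on the same resource name.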
@@ -4,4 +4,4 @@ SPDX-FileCopyrightText: the secureCodeBox authors SPDX-License-Identifier: Apache-2.0 --> -An Example for scanning all history of the multi juicer project on GitHub: +An Example for scanning all history of the secureCodeBox project on GitHub: diff --git a/scanners/gitleaks/examples/secureCodeBox/findings.json b/scanners/gitleaks/examples/secureCodeBox/findings.json new file mode 100644 index 0000000000..a4fbdcbc57 --- /dev/null +++ b/scanners/gitleaks/examples/secureCodeBox/findings.json 
@@ -0,0 +1,47 @@ +[ + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/a674a178e0b7eb2975718e31ac2fb80f4f39f110", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-25T12:30:04Z", + "file": "scanners/gitleaks/integration-tests/gitleaks.test.js", + "line_number": 40, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "fd1914a4-5a3e-4656-a532-ab1a0f645515", + "parsed_at": "2022-01-25T13:31:05.257Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/1020a6520656922355d84eb6f3560650e40c722e", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-24T08:24:50Z", + "file": "scanners/gitleaks/parser/__testFiles__/test-report-tags.json", + "line_number": 8, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "9b767656-48a8-45b3-aabd-c0a788ddec03", + "parsed_at": "2022-01-25T13:31:05.257Z" + }, + { + "note": "Results truncated for space reasons" + } +] \ No newline at end of file diff --git a/scanners/gitleaks/examples/multi-juicer/findings.json.license b/scanners/gitleaks/examples/secureCodeBox/findings.json.license similarity index 100% rename from scanners/gitleaks/examples/multi-juicer/findings.json.license rename to scanners/gitleaks/examples/secureCodeBox/findings.json.license 
diff --git a/scanners/gitleaks/examples/secureCodeBox/scan.yaml b/scanners/gitleaks/examples/secureCodeBox/scan.yaml
new file mode 100644
index 0000000000..9b5ea5be9c
--- /dev/null
+++ b/scanners/gitleaks/examples/secureCodeBox/scan.yaml
@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: 2021 iteratec GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: "execution.securecodebox.io/v1"
+kind: Scan
+metadata:
+ name: "scan-scb-example"
+ annotations:
+ metadata.scan.securecodebox.io/git-repo-url: "https://github.com/secureCodeBox/secureCodeBox"
+spec:
+ scanType: "gitleaks"
+ # Define a volume and mount it at /repo in the scan container
+ volumes:
+ - name: repo
+ emptyDir: {}
+ volumeMounts:
+ - name: repo
+ mountPath: "/repo/"
+ # Define an init container to run the git clone for us
+ initContainers:
+ - name: "git-clone"
+ image: bitnami/git
+ # Specify that the "repo" volume should also be mounted on the
+ # initContainer
+ volumeMounts:
+ - name: repo
+ mountPath: "/repo/"
+ # Clone to /repo in the init container
+ command:
+ - git
+ - clone
+ # Use the --mirror clone to get the complete repository, otherwise findings may be
+ # incomplete. See https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/
+ - "--mirror"
+ - "https://github.com/secureCodeBox/secureCodeBox"
+ - /repo/
+ parameters:
+ # Run Gitleaks in "detect" mode
+ - "detect"
+ # Point it at the location of the repository
+ - "--source"
+ - "/repo/"
\ No newline at end of file
diff --git a/scanners/gitleaks/integration-tests/gitleaks.test.js b/scanners/gitleaks/integration-tests/gitleaks.test.js
index 214fd21e52..19d6ef2e73 100644
--- a/scanners/gitleaks/integration-tests/gitleaks.test.js
+++ b/scanners/gitleaks/integration-tests/gitleaks.test.js
@@ -4,22 +4,49 @@ const { scan } = require("../../../tests/integration/helpers"); -jest.retryTimes(3); +jest.retryTimes(0); test( - "gitleaks should find 1 credential in the testfiles", + "Gitleaks should find one secret in a demo target", async () => { const { categories, severities, count } = await scan( "gitleaks-dummy-scan", "gitleaks", [ - "-r", - "https://github.com/secureCodeBox/secureCodeBox", - "--commit=ec0fe179ccf178b56fcd51d1730448bc64bb9ab5", - "--config-path", - "/home/config_all.toml", + "detect", + "--source", + "/repo/" ], - 90 + 90, + // volumes + [{ + "name": "test-dir", + "emptyDir": {} + }], + // volumeMounts + [{ + "mountPath": "/repo/", + "name": "test-dir" + }], + // initContainers + [{ + "name": "init-git", + "image": "bitnami/git", + "command": ["bash", + "-c", + // Bash script to create a git repo with a demo file + `cd /repo && \\ + git init && \\ + echo '-----BEGIN PRIVATE KEY-----' > secret.pem && \\ + git config --global user.name test && \\ + git config --global user.email user@example.com && \\ + git add secret.pem && \\ + git commit -m test`], + "volumeMounts": [{ + "mountPath": "/repo/", + "name": "test-dir" + }] + }] ); expect(count).toBe(1); @@ -27,8 +54,8 @@ test( "Potential Secret": 1, }); expect(severities).toEqual({ - high: 1, + medium: 1 }); }, 3 * 60 * 1000 -); +); \ No newline at end of file diff --git a/scanners/gitleaks/parser/Dockerfile b/scanners/gitleaks/parser/Dockerfile index db81b85e66..52d29be937 100644 --- a/scanners/gitleaks/parser/Dockerfile +++ b/scanners/gitleaks/parser/Dockerfile 
@@ -2,15 +2,18 @@ # # SPDX-License-Identifier: Apache-2.0 +# Commented out the dependency management as there are no dependencies in the +# parser at the moment. Add the commented-out parts of the Dockerfile again +# if the parser starts needing packages once again. ARG namespace ARG baseImageTag -FROM node:16-alpine as build -RUN mkdir -p /home/app -WORKDIR /home/app -COPY package.json package-lock.json ./ -RUN npm ci --production +# FROM node:16-alpine as build +# RUN mkdir -p /home/app +# WORKDIR /home/app +# COPY package.json package-lock.json ./ +# RUN npm ci --production FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest} WORKDIR /home/app/parser-wrapper/parser/ -COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/ +# COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/ COPY --chown=app:app ./parser.js ./parser.js diff --git a/scanners/gitleaks/parser/__testFiles__/test-report-small.json b/scanners/gitleaks/parser/__testFiles__/test-report-small.json deleted file mode 100644 index cecf8f2cf3..0000000000 --- a/scanners/gitleaks/parser/__testFiles__/test-report-small.json +++ /dev/null @@ -1,17 +0,0 @@ -[ - { - "line": " - aws --profile default configure set aws_access_key_id \"AKIAS2QBEJFO232FJDO\"", - "lineNumber": 67, - "offender": "AKIAS2QBEJFO232FJDO", - "commit": "2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "repo": "web-app", - "rule": "AWS Manager ID", - "commitMessage": "ci trials\n", - "author": "Max Mustermann", - "email": "max.mustermann@host.de", - "file": ".gitlab-ci.yml", - "date": "2019-12-11T12:45:48+01:00", - "tags": "key, AWS", - "operation": "addition" - } -] diff --git a/scanners/gitleaks/parser/__testFiles__/test-report-tags.json b/scanners/gitleaks/parser/__testFiles__/test-report-tags.json new file mode 100644 index 0000000000..d03b19b01c --- /dev/null +++ b/scanners/gitleaks/parser/__testFiles__/test-report-tags.json 
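Review bot: The build stage is kept as five commented-out `FROM`/`RUN`/`WORKDIR`/`COPY` lines plus the commented `COPY --from=build` line further down, which is dead code that will drift from the project's Node base image and SDK layout by the time it is needed again; git history already preserves the stage, so deleting those lines and keeping only the three-line explanatory comment reads cleaner. If the stage is intentionally left as a template, make that explicit in the comment, e.g. `# Template for a dependency build stage; restore it together with the COPY --from=build line below.`, so a later reader does not mistake it for accidentally disabled steps.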
@@ -0,0 +1,56 @@ +[ + { + "Description": "PKCS8 private key", + "StartLine": 167, + "EndLine": 167, + "StartColumn": 22, + "EndColumn": 48, + "Match": "-----BEGIN PRIVATE KEY-----", + "Secret": "-----BEGIN PRIVATE KEY-----", + "File": "scanners/gitleaks/parser/parser.test.js", + "Commit": "604ca16251cd6e528328605420890f2d55a5464d", + "Entropy": 0, + "Author": "Commit Author", + "Email": "committer@some-domain.tld", + "Date": "2020-10-15T11:35:39Z", + "Message": "feature/gitleaks-scanner", + "Tags": ["HIGH"], + "RuleID": "PKCS8-PK" + }, + { + "Description": "PKCS8 private key", + "StartLine": 167, + "EndLine": 167, + "StartColumn": 22, + "EndColumn": 48, + "Match": "-----BEGIN PRIVATE KEY-----", + "Secret": "-----BEGIN PRIVATE KEY-----", + "File": "scanners/gitleaks/parser/parser.test.js", + "Commit": "604ca16251cd6e528328605420890f2d55a5464d", + "Entropy": 0, + "Author": "Commit Author", + "Email": "committer@some-domain.tld", + "Date": "2020-10-15T11:35:39Z", + "Message": "feature/gitleaks-scanner", + "Tags": [], + "RuleID": "PKCS8-PK" + }, + { + "Description": "PKCS8 private key", + "StartLine": 167, + "EndLine": 167, + "StartColumn": 22, + "EndColumn": 48, + "Match": "-----BEGIN PRIVATE KEY-----", + "Secret": "-----BEGIN PRIVATE KEY-----", + "File": "scanners/gitleaks/parser/parser.test.js", + "Commit": "604ca16251cd6e528328605420890f2d55a5464d", + "Entropy": 0, + "Author": "Commit Author", + "Email": "committer@some-domain.tld", + "Date": "2020-10-15T11:35:39Z", + "Message": "feature/gitleaks-scanner", + "Tags": ["LOW"], + "RuleID": "PKCS8-PK" + } +] diff --git a/scanners/gitleaks/parser/__testFiles__/test-report-small.json.license b/scanners/gitleaks/parser/__testFiles__/test-report-tags.json.license similarity index 100% rename from scanners/gitleaks/parser/__testFiles__/test-report-small.json.license rename to scanners/gitleaks/parser/__testFiles__/test-report-tags.json.license 
diff --git a/scanners/gitleaks/parser/__testFiles__/test-report.json b/scanners/gitleaks/parser/__testFiles__/test-report.json index 4b2bde7eee..dfcfdc6f4f 100644 --- a/scanners/gitleaks/parser/__testFiles__/test-report.json +++ b/scanners/gitleaks/parser/__testFiles__/test-report.json 
@@ -1,107 +1,74 @@ [ { - "line": " - aws --profile default configure set aws_access_key_id \"AKIAS2QBEJFO232FJDO\"", - "lineNumber": 67, - "offender": "AKIAS2QBEJFO232FJDO", - "commit": "2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "repo": "web-app", - "rule": "AWS Manager ID", - "commitMessage": "ci trials\n", - "author": "Max Mustermann", - "email": "max.mustermann@host.de", - "file": ".gitlab-ci.yml", - "date": "2019-12-11T12:45:48+01:00", - "tags": "key, AWS", - "operation": "addition" + "Description": "Generic API Key", + "StartLine": 51, + "EndLine": 51, + "StartColumn": 11, + "EndColumn": 45, + "Match": "Key: \"aGVsbG8taS1hbS1hLXRlc3Qta2V5\"", + "Secret": "aGVsbG8taS1hbS1hLXRlc3Qta2V5", + "File": "hooks/persistence-azure-monitor/hook/hook.test.js", + "Commit": "20202220306db37c13792bc672e57b0598ab680c", + "Entropy": 4.1375375, + "Author": "Commit Author", + "Email": "committer@some-domain.tld", + "Date": "2022-01-06T15:19:51Z", + "Message": "Use a base64-encoded key for testing", + "Tags": [], + "RuleID": "generic-api-key" }, { - "line": " - aws --profile default configure set aws_secret_access_key \"IccA5EboL5foAY3uUyG+zh5OA3rWdpL4C1ePuUOv\"", - "lineNumber": 68, - "offender": "aws_secret_access_key \"IccA5EboL5foAY3uUyG+zh5OA3rWdpL4C1ePuUOv\"", - "commit": "2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "repo": "paul-web", - "rule": "AWS Secret Key", - "commitMessage": "ci trials\n", - "author": "Max Mustermann", - "email": "max.mustermann@host.de", - "file": ".gitlab-ci.yml", - "date": "2019-12-11T12:45:48+01:00", - "tags": "key, AWS", - "operation": "addition" + "Description": "PKCS8 private key", + "StartLine": 1, + "EndLine": 1, + "StartColumn": 1, + "EndColumn": 27, + "Match": "-----BEGIN PRIVATE KEY-----", + "Secret": "-----BEGIN PRIVATE KEY-----", + "File": "demo-targets/unsafe-https/container/site.key", + "Commit": "e064eb8bd2094287fdeb64474798a8fd53e77bd3", + "Entropy": 0, + "Author": "Commit Author", + "Email": "committer@some-domain.tld", + 
"Date": "2021-09-06T13:53:58Z", + "Message": "Added the corresponding dockerfile to the 'unsafe-https' demo-target.", + "Tags": ["PrivateKey"], + "RuleID": "PKCS8-PK" }, { - "line":" password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "lineNumber":33, - "offender":"password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "commit":"eaf6864262dbbcbf19c972cd961121b340b9968f", - "repo":"multi-juicer", - "rule":"Generic credentials", - "commitMessage":"Add metrics to balancer\n", - "author":"Max Mustermann", - "email":"max.mustermann@host.de", - "file":"helm/multi-juicer/values.yaml", - "date":"2020-02-18T22:28:53+01:00", - "tags":"key, Generic", - "operation":"addition" + "Description": "Slack token", + "StartLine": 164, + "EndLine": 164, + "StartColumn": 293, + "EndColumn": 297, + "Match": "xoxb-", + "Secret": "xoxb-", + "File": "hooks/notification/README.md", + "Commit": "ae9e923125a0409025316a970fa16e0271e1734a", + "Entropy": 0, + "Author": "Commit Author", + "Email": "committer@some-domain.tld", + "Date": "2021-07-02T12:25:00Z", + "Message": "Updating Helm Docs", + "Tags": [], + "RuleID": "slack-access-token" }, { - "line":" \"password\": \"dRzCT4pwBDxfjfeRel23mMlKQ8sX\"", - "lineNumber":19, - "offender":"password\": \"dRzCT4pwBDxfjfeRel23mMlKQ8sX", - "commit":"eaf6864262dbbcbf19c972cd961121b340b9968f", - "repo":"multi-juicer", - "rule":"Generic credentials", - "commitMessage":"Add metrics to balancer\n", - "author":"Max Mustermann", - "email":"max.mustermann@host.de", - "file":"juice-balancer/config/config.json", - "date":"2020-02-18T22:28:53+01:00", - "tags":"key, Generic", - "operation":"addition" - }, - { - "line":"N/A", - "lineNumber":-1, - "offender":"Filename/path offender: .env", - "commit":"88cf8694d4202bb7361f6779588f566e8eae2ff2", - "repo":"secureCodeBox-v2", - "rule":"File names with potential keys and credentials", - "commitMessage":"minor change\n", - "author":"Max Mustermann", - "email":"max.mustermann@host.de", - "file":".env", - 
"date":"2019-01-16T19:18:54+01:00", - "tags":"key, FileName", - "operation":"addition" - }, - { - "line":" facebook_api_key: sj20gj2ß0kofepo2ṕf02", - "lineNumber":30, - "offender":"sj20gj2ß0kofepo2ṕf02", - "commit":"eaf6864262dbbcbf19c972cd961121b340b9968f", - "repo":"madeuprepo", - "rule":"Facebook Secret Key", - "commitMessage":"Adds secret\n", - "author":"Max Mustermann", - "email":"max.mustermann@host.de", - "file":".env", - "date":"2019-01-16T19:18:54+01:00", - "tags":"key, Facebook", - "operation":"addition" - }, - { - "line":" -----BEGIN PRIVATE KEY-----", - "lineNumber":1, - "offender":"-----BEGIN PRIVATE KEY-----", - "commit":"2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "repo":"madeuprepo", - "rule":"Asymmetric Private Key", - "commitMessage":"Adds secret\n", - "author":"Max Mustermann", - "email":"max.mustermann@host.de", - "file":"key.pem", - "date":"2019-01-16T19:18:54+01:00", - "tags":"key, PrivateKey", - "operation":"addition" + "Description": "Generic API Key", + "StartLine": 37, + "EndLine": 37, + "StartColumn": 10, + "EndColumn": 47, + "Match": "api_key = 'eor898q1luuq8054e0e5r9s3jh'", + "Secret": "eor898q1luuq8054e0e5r9s3jh", + "File": "scanners/zap-extended/scanner/scbzapv2/__main__.py", + "Commit": "549b29afa8644c6385c385bed3327e6131557ecb", + "Entropy": 3.8731406, + "Author": "Commit Author", + "Email": "committer@some-domain.tld", + "Date": "2021-05-02T17:17:57Z", + "Message": "Introduces a complete new implementation of the ZAP-Extended scantype based on a more simple sidecar pattern.", + "Tags": [], + "RuleID": "generic-api-key" } -] +] \ No newline at end of file diff --git a/scanners/gitleaks/parser/package-lock.json b/scanners/gitleaks/parser/package-lock.json index f24e6f808d..a2ac44e3f4 100644 --- a/scanners/gitleaks/parser/package-lock.json +++ b/scanners/gitleaks/parser/package-lock.json 
@@ -8,22 +8,7 @@ "name": "@securecodebox/parser-gitleaks", "version": "1.0.0", "license": "Apache-2.0", - "dependencies": { - "arg": "^5.0.0" - }, "devDependencies": {} - }, - "node_modules/arg": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/arg/-/arg-5.0.0.tgz", - "integrity": "sha512-4P8Zm2H+BRS+c/xX1LrHw0qKpEhdlZjLCgWy+d78T9vqa2Z2SiD2wMrYuWIAFy5IZUD7nnNXroRttz+0RzlrzQ==" - } - }, - "dependencies": { - "arg": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/arg/-/arg-5.0.0.tgz", - "integrity": "sha512-4P8Zm2H+BRS+c/xX1LrHw0qKpEhdlZjLCgWy+d78T9vqa2Z2SiD2wMrYuWIAFy5IZUD7nnNXroRttz+0RzlrzQ==" } } } diff --git a/scanners/gitleaks/parser/package.json b/scanners/gitleaks/parser/package.json index cbd20df804..1e962db784 100644 --- a/scanners/gitleaks/parser/package.json +++ b/scanners/gitleaks/parser/package.json @@ -6,9 +6,5 @@ "scripts": {}, "keywords": [], "author": "iteratec GmbH", - "license": "Apache-2.0", - "dependencies": { - "arg": "^5.0.0" - }, - "devDependencies": {} + "license": "Apache-2.0" } diff --git a/scanners/gitleaks/parser/parser.js b/scanners/gitleaks/parser/parser.js index 6697e4e1f7..efc0b2cd26 100644 --- a/scanners/gitleaks/parser/parser.js +++ b/scanners/gitleaks/parser/parser.js 
@@ -2,44 +2,43 @@ // // SPDX-License-Identifier: Apache-2.0 -const arg = require("arg"); +const HIGH_TAGS = ["HIGH"]; +const LOW_TAGS = ["LOW"]; -const HIGH_TAGS = ['JWT', 'Artifactory', 'AWS', 'PrivateKey']; -const MEDIUM_TAGS = ['Hash', 'Facebook', 'Twitter', 'Github', 'LinkedIn', 'Slack', 'Google', 'Heroku', - 'Mailchimp', 'Mailgun', 'Paypal', 'Picatic', 'Teams', 'Jenkins', 'Stripe', 'Square', 'Twilio']; +const repoUrlAnnotationKey = "metadata.scan.securecodebox.io/git-repo-url" async function parse (fileContent, scan) { - const commitUrl = prepareCommitUrl(scan) - if (fileContent) { + const commitUrlBase = prepareCommitUrl(scan); + return fileContent.map(finding => { - let severity = 'LOW'; + let severity = 'MEDIUM'; - if (containsTag(finding.tags, HIGH_TAGS)) { + if (containsTag(finding.Tags, HIGH_TAGS)) { severity = 'HIGH' - } else if (containsTag(finding.tags, MEDIUM_TAGS)) { - severity = 'MEDIUM' + } else if (containsTag(finding.Tags, LOW_TAGS)) { + severity = 'LOW' } return { - name: finding.rule, - description: 'The name of the rule which triggered the finding: ' + finding.rule, + name: finding.RuleID, + description: 'The name of the rule which triggered the finding: ' + finding.RuleID, osi_layer: 'APPLICATION', severity: severity, category: 'Potential Secret', attributes: { - commit: commitUrl + finding.commit, - repo: finding.repo, - offender: finding.offender, - author: finding.author, - email: finding.email, - date: finding.date, - file: finding.file, - line_number: finding.lineNumber, - tags: finding.tags.split(',').map(tag => tag.trim()), - line: finding.line + commit: commitUrlBase + finding.Commit, + description: finding.Description, + offender: finding.Secret, + author: finding.Author, + email: finding.Email, + date: finding.Date, + file: finding.File, + line_number: finding.StartLine, + tags: finding.Tags, + line: finding.Match } } }); 
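Review bot: `containsTag(finding.Tags, HIGH_TAGS)` and `tags: finding.Tags` both assume every finding carries a `Tags` array, but a rule with no tags can plausibly serialise as `"Tags": null` (Go marshals a nil slice that way), which would make the `.includes` call throw for the whole report; normalise once per finding, `const tags = Array.isArray(finding.Tags) ? finding.Tags : [];`, and use `tags` in both places. The severity convention is new and invisible to anyone writing a gitleaks config, so add a comment above `HIGH_TAGS`: `// Severity comes from custom rule tags in the gitleaks config: "HIGH" or "LOW"; every other rule is reported as MEDIUM.`. The raw matched secret is still persisted in `offender` and `line`, as before, so downstream finding storage remains secret-bearing; a one-line note saying that is deliberate would help. `parse` continues past the end of this hunk.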
@@ -50,33 +49,21 @@ async function parse (fileContent, scan) { } } +function containsTag (tag, tags) { + let result = tags.filter(longTag => tag.includes(longTag)); + return result.length > 0; +} + function prepareCommitUrl (scan) { - if (!scan) { + if (!scan || !scan.metadata.annotations || !scan.metadata.annotations[repoUrlAnnotationKey]) { return ''; } - const args = arg( - { - '-r': String, - '--repo': '-r' - }, - { permissive: true, argv: scan.spec.parameters } - ); - - const repositoryUrl = args['-r']; - - if (!repositoryUrl) { - return ''; - } + var repositoryUrl = scan.metadata.annotations[repoUrlAnnotationKey]; return repositoryUrl.endsWith('/') ? repositoryUrl + 'commit/' : repositoryUrl + '/commit/' } -function containsTag (tag, tags) { - let result = tags.filter(longTag => tag.includes(longTag)); - return result.length > 0; -} - module.exports.parse = parse; diff --git a/scanners/gitleaks/parser/parser.test.js b/scanners/gitleaks/parser/parser.test.js index 50926eff6f..3643ce7cc1 100644 --- a/scanners/gitleaks/parser/parser.test.js +++ b/scanners/gitleaks/parser/parser.test.js 
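Review bot: `prepareCommitUrl` checks `!scan` and then immediately reads `scan.metadata.annotations`, so a scan object without `metadata` throws a TypeError instead of returning `''` the way the old parameter-based version did for a missing repo URL; extend the guard to `if (!scan || !scan.metadata || !scan.metadata.annotations || !scan.metadata.annotations[repoUrlAnnotationKey]) return '';`. `var repositoryUrl` is the one `var` in a file that otherwise uses `const`/`let`; make it `const`. The annotation value is user-supplied and is concatenated straight into the `commit` attribute of every finding, which is fine for a link but should be said explicitly, e.g. `// Repo URL comes from the scan annotation; it is only used to build a human-readable commit link.`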
@@ -50,177 +50,179 @@ test("should properly parse gitleaks json file", async () => { Array [ Object { "attributes": Object { - "author": "Max Mustermann", - "commit": "2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "date": "2019-12-11T12:45:48+01:00", - "email": "max.mustermann@host.de", - "file": ".gitlab-ci.yml", - "line": " - aws --profile default configure set aws_access_key_id \\"AKIAS2QBEJFO232FJDO\\"", - "line_number": 67, - "offender": "AKIAS2QBEJFO232FJDO", - "repo": "web-app", - "tags": Array [ - "key", - "AWS", - ], + "author": "Commit Author", + "commit": "20202220306db37c13792bc672e57b0598ab680c", + "date": "2022-01-06T15:19:51Z", + "description": "Generic API Key", + "email": "committer@some-domain.tld", + "file": "hooks/persistence-azure-monitor/hook/hook.test.js", + "line": "Key: \\"aGVsbG8taS1hbS1hLXRlc3Qta2V5\\"", + "line_number": 51, + "offender": "aGVsbG8taS1hbS1hLXRlc3Qta2V5", + "tags": Array [], }, "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: AWS Manager ID", - "name": "AWS Manager ID", + "description": "The name of the rule which triggered the finding: generic-api-key", + "name": "generic-api-key", "osi_layer": "APPLICATION", - "severity": "HIGH", + "severity": "MEDIUM", }, Object { "attributes": Object { - "author": "Max Mustermann", - "commit": "2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "date": "2019-12-11T12:45:48+01:00", - "email": "max.mustermann@host.de", - "file": ".gitlab-ci.yml", - "line": " - aws --profile default configure set aws_secret_access_key \\"IccA5EboL5foAY3uUyG+zh5OA3rWdpL4C1ePuUOv\\"", - "line_number": 68, - "offender": "aws_secret_access_key \\"IccA5EboL5foAY3uUyG+zh5OA3rWdpL4C1ePuUOv\\"", - "repo": "paul-web", + "author": "Commit Author", + "commit": "e064eb8bd2094287fdeb64474798a8fd53e77bd3", + "date": "2021-09-06T13:53:58Z", + "description": "PKCS8 private key", + "email": "committer@some-domain.tld", + "file": "demo-targets/unsafe-https/container/site.key", + 
"line": "-----BEGIN PRIVATE KEY-----", + "line_number": 1, + "offender": "-----BEGIN PRIVATE KEY-----", "tags": Array [ - "key", - "AWS", + "PrivateKey", ], }, "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: AWS Secret Key", - "name": "AWS Secret Key", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", "osi_layer": "APPLICATION", - "severity": "HIGH", + "severity": "MEDIUM", }, Object { "attributes": Object { - "author": "Max Mustermann", - "commit": "eaf6864262dbbcbf19c972cd961121b340b9968f", - "date": "2020-02-18T22:28:53+01:00", - "email": "max.mustermann@host.de", - "file": "helm/multi-juicer/values.yaml", - "line": " password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "line_number": 33, - "offender": "password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "repo": "multi-juicer", - "tags": Array [ - "key", - "Generic", - ], + "author": "Commit Author", + "commit": "ae9e923125a0409025316a970fa16e0271e1734a", + "date": "2021-07-02T12:25:00Z", + "description": "Slack token", + "email": "committer@some-domain.tld", + "file": "hooks/notification/README.md", + "line": "xoxb-", + "line_number": 164, + "offender": "xoxb-", + "tags": Array [], }, "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: Generic credentials", - "name": "Generic credentials", + "description": "The name of the rule which triggered the finding: slack-access-token", + "name": "slack-access-token", "osi_layer": "APPLICATION", - "severity": "LOW", + "severity": "MEDIUM", }, Object { "attributes": Object { - "author": "Max Mustermann", - "commit": "eaf6864262dbbcbf19c972cd961121b340b9968f", - "date": "2020-02-18T22:28:53+01:00", - "email": "max.mustermann@host.de", - "file": "juice-balancer/config/config.json", - "line": " \\"password\\": \\"dRzCT4pwBDxfjfeRel23mMlKQ8sX\\"", - "line_number": 19, - "offender": "password\\": \\"dRzCT4pwBDxfjfeRel23mMlKQ8sX", - "repo": 
"multi-juicer", - "tags": Array [ - "key", - "Generic", - ], + "author": "Commit Author", + "commit": "549b29afa8644c6385c385bed3327e6131557ecb", + "date": "2021-05-02T17:17:57Z", + "description": "Generic API Key", + "email": "committer@some-domain.tld", + "file": "scanners/zap-extended/scanner/scbzapv2/__main__.py", + "line": "api_key = 'eor898q1luuq8054e0e5r9s3jh'", + "line_number": 37, + "offender": "eor898q1luuq8054e0e5r9s3jh", + "tags": Array [], }, "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: Generic credentials", - "name": "Generic credentials", + "description": "The name of the rule which triggered the finding: generic-api-key", + "name": "generic-api-key", "osi_layer": "APPLICATION", - "severity": "LOW", + "severity": "MEDIUM", }, + ] + `); +}); + +test("should define severity based on tags in result file", async () => { + const jsonContent = await readFile( + __dirname + "/__testFiles__/test-report-tags.json", + { + encoding: "utf8", + } + ); + const findings = await parse(JSON.parse(jsonContent)); + await expect(validateParser(findings)).resolves.toBeUndefined(); + + expect(findings).toMatchInlineSnapshot(` + Array [ Object { "attributes": Object { - "author": "Max Mustermann", - "commit": "88cf8694d4202bb7361f6779588f566e8eae2ff2", - "date": "2019-01-16T19:18:54+01:00", - "email": "max.mustermann@host.de", - "file": ".env", - "line": "N/A", - "line_number": -1, - "offender": "Filename/path offender: .env", - "repo": "secureCodeBox-v2", + "author": "Commit Author", + "commit": "604ca16251cd6e528328605420890f2d55a5464d", + "date": "2020-10-15T11:35:39Z", + "description": "PKCS8 private key", + "email": "committer@some-domain.tld", + "file": "scanners/gitleaks/parser/parser.test.js", + "line": "-----BEGIN PRIVATE KEY-----", + "line_number": 167, + "offender": "-----BEGIN PRIVATE KEY-----", "tags": Array [ - "key", - "FileName", + "HIGH", ], }, "category": "Potential Secret", - "description": "The name 
of the rule which triggered the finding: File names with potential keys and credentials", - "name": "File names with potential keys and credentials", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", "osi_layer": "APPLICATION", - "severity": "LOW", + "severity": "HIGH", }, Object { "attributes": Object { - "author": "Max Mustermann", - "commit": "eaf6864262dbbcbf19c972cd961121b340b9968f", - "date": "2019-01-16T19:18:54+01:00", - "email": "max.mustermann@host.de", - "file": ".env", - "line": " facebook_api_key: sj20gj2ß0kofepo2ṕf02", - "line_number": 30, - "offender": "sj20gj2ß0kofepo2ṕf02", - "repo": "madeuprepo", - "tags": Array [ - "key", - "Facebook", - ], + "author": "Commit Author", + "commit": "604ca16251cd6e528328605420890f2d55a5464d", + "date": "2020-10-15T11:35:39Z", + "description": "PKCS8 private key", + "email": "committer@some-domain.tld", + "file": "scanners/gitleaks/parser/parser.test.js", + "line": "-----BEGIN PRIVATE KEY-----", + "line_number": 167, + "offender": "-----BEGIN PRIVATE KEY-----", + "tags": Array [], }, "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: Facebook Secret Key", - "name": "Facebook Secret Key", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", "osi_layer": "APPLICATION", "severity": "MEDIUM", }, Object { "attributes": Object { - "author": "Max Mustermann", - "commit": "2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "date": "2019-01-16T19:18:54+01:00", - "email": "max.mustermann@host.de", - "file": "key.pem", - "line": " -----BEGIN PRIVATE KEY-----", - "line_number": 1, + "author": "Commit Author", + "commit": "604ca16251cd6e528328605420890f2d55a5464d", + "date": "2020-10-15T11:35:39Z", + "description": "PKCS8 private key", + "email": "committer@some-domain.tld", + "file": "scanners/gitleaks/parser/parser.test.js", + "line": "-----BEGIN PRIVATE KEY-----", + "line_number": 167, 
"offender": "-----BEGIN PRIVATE KEY-----", - "repo": "madeuprepo", "tags": Array [ - "key", - "PrivateKey", + "LOW", ], }, "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: Asymmetric Private Key", - "name": "Asymmetric Private Key", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", "osi_layer": "APPLICATION", - "severity": "HIGH", + "severity": "LOW", }, ] `); }); -test("should properly construct commit URL if present with -r option", async () => { +test("should properly construct commit URL if given in scan annotation without trailing slash", async () => { const scan = { spec: { - scanType: "gitleaks", - parameters: [ - "-r", - "https://github.com/iteratec/multi-juicer", - "--config", - "/home/config_all.toml", - ], + scanType: "gitleaks", + parameters: ["detect"], + }, + metadata: { + annotations: { + "metadata.scan.securecodebox.io/git-repo-url": + "https://github.com/secureCodeBox/secureCodeBox", + }, }, }; const jsonContent = await readFile( - __dirname + "/__testFiles__/test-report-small.json", + __dirname + "/__testFiles__/test-report.json", { encoding: "utf8", } 
@@ -229,79 +231,192 @@ test("should properly construct commit URL if present with -r option", async () await expect(validateParser(findings)).resolves.toBeUndefined(); expect(findings).toMatchInlineSnapshot(` - Array [ - Object { - "attributes": Object { - "author": "Max Mustermann", - "commit": "https://github.com/iteratec/multi-juicer/commit/2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "date": "2019-12-11T12:45:48+01:00", - "email": "max.mustermann@host.de", - "file": ".gitlab-ci.yml", - "line": " - aws --profile default configure set aws_access_key_id \\"AKIAS2QBEJFO232FJDO\\"", - "line_number": 67, - "offender": "AKIAS2QBEJFO232FJDO", - "repo": "web-app", - "tags": Array [ - "key", - "AWS", - ], - }, - "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: AWS Manager ID", - "name": "AWS Manager ID", - "osi_layer": "APPLICATION", - "severity": "HIGH", - }, - ] - `); +Array [ + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/20202220306db37c13792bc672e57b0598ab680c", + "date": "2022-01-06T15:19:51Z", + "description": "Generic API Key", + "email": "committer@some-domain.tld", + "file": "hooks/persistence-azure-monitor/hook/hook.test.js", + "line": "Key: \\"aGVsbG8taS1hbS1hLXRlc3Qta2V5\\"", + "line_number": 51, + "offender": "aGVsbG8taS1hbS1hLXRlc3Qta2V5", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: generic-api-key", + "name": "generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/e064eb8bd2094287fdeb64474798a8fd53e77bd3", + "date": "2021-09-06T13:53:58Z", + "description": "PKCS8 private key", + "email": "committer@some-domain.tld", + "file": "demo-targets/unsafe-https/container/site.key", + "line": 
"-----BEGIN PRIVATE KEY-----", + "line_number": 1, + "offender": "-----BEGIN PRIVATE KEY-----", + "tags": Array [ + "PrivateKey", + ], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/ae9e923125a0409025316a970fa16e0271e1734a", + "date": "2021-07-02T12:25:00Z", + "description": "Slack token", + "email": "committer@some-domain.tld", + "file": "hooks/notification/README.md", + "line": "xoxb-", + "line_number": 164, + "offender": "xoxb-", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: slack-access-token", + "name": "slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/549b29afa8644c6385c385bed3327e6131557ecb", + "date": "2021-05-02T17:17:57Z", + "description": "Generic API Key", + "email": "committer@some-domain.tld", + "file": "scanners/zap-extended/scanner/scbzapv2/__main__.py", + "line": "api_key = 'eor898q1luuq8054e0e5r9s3jh'", + "line_number": 37, + "offender": "eor898q1luuq8054e0e5r9s3jh", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: generic-api-key", + "name": "generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + }, +] +`); }); -test("should properly construct commit URL if present with --repo option", async () => { +test("should properly construct commit URL if given in scan annotation with trailing slash", async () => { const scan = { spec: { scanType: "gitleaks", - parameters: [ - "--repo", - "https://github.com/iteratec/multi-juicer/", - 
"--config", - "/home/config_all.toml", - ], + parameters: ["detect"], + }, + metadata: { + annotations: { + "metadata.scan.securecodebox.io/git-repo-url": + "https://github.com/secureCodeBox/secureCodeBox/", + }, }, }; const jsonContent = await readFile( - __dirname + "/__testFiles__/test-report-small.json", + __dirname + "/__testFiles__/test-report.json", { encoding: "utf8", } ); - const findings = await parse(JSON.parse(jsonContent), scan); await expect(validateParser(findings)).resolves.toBeUndefined(); + expect(findings).toMatchInlineSnapshot(` - Array [ - Object { - "attributes": Object { - "author": "Max Mustermann", - "commit": "https://github.com/iteratec/multi-juicer/commit/2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "date": "2019-12-11T12:45:48+01:00", - "email": "max.mustermann@host.de", - "file": ".gitlab-ci.yml", - "line": " - aws --profile default configure set aws_access_key_id \\"AKIAS2QBEJFO232FJDO\\"", - "line_number": 67, - "offender": "AKIAS2QBEJFO232FJDO", - "repo": "web-app", - "tags": Array [ - "key", - "AWS", - ], - }, - "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: AWS Manager ID", - "name": "AWS Manager ID", - "osi_layer": "APPLICATION", - "severity": "HIGH", - }, - ] - `); -}); +Array [ + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/20202220306db37c13792bc672e57b0598ab680c", + "date": "2022-01-06T15:19:51Z", + "description": "Generic API Key", + "email": "committer@some-domain.tld", + "file": "hooks/persistence-azure-monitor/hook/hook.test.js", + "line": "Key: \\"aGVsbG8taS1hbS1hLXRlc3Qta2V5\\"", + "line_number": 51, + "offender": "aGVsbG8taS1hbS1hLXRlc3Qta2V5", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: generic-api-key", + "name": "generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + }, + Object { 
+ "attributes": Object { + "author": "Commit Author", + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/e064eb8bd2094287fdeb64474798a8fd53e77bd3", + "date": "2021-09-06T13:53:58Z", + "description": "PKCS8 private key", + "email": "committer@some-domain.tld", + "file": "demo-targets/unsafe-https/container/site.key", + "line": "-----BEGIN PRIVATE KEY-----", + "line_number": 1, + "offender": "-----BEGIN PRIVATE KEY-----", + "tags": Array [ + "PrivateKey", + ], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/ae9e923125a0409025316a970fa16e0271e1734a", + "date": "2021-07-02T12:25:00Z", + "description": "Slack token", + "email": "committer@some-domain.tld", + "file": "hooks/notification/README.md", + "line": "xoxb-", + "line_number": 164, + "offender": "xoxb-", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: slack-access-token", + "name": "slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/549b29afa8644c6385c385bed3327e6131557ecb", + "date": "2021-05-02T17:17:57Z", + "description": "Generic API Key", + "email": "committer@some-domain.tld", + "file": "scanners/zap-extended/scanner/scbzapv2/__main__.py", + "line": "api_key = 'eor898q1luuq8054e0e5r9s3jh'", + "line_number": 37, + "offender": "eor898q1luuq8054e0e5r9s3jh", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: generic-api-key", + "name": "generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + 
},
+]
+`);
+});
\ No newline at end of file
diff --git a/scanners/gitleaks/scanner/Dockerfile b/scanners/gitleaks/scanner/Dockerfile
deleted file mode 100644
index 33411090db..0000000000
--- a/scanners/gitleaks/scanner/Dockerfile
+++ /dev/null
@@ -1,11 +0,0 @@
-# SPDX-FileCopyrightText: the secureCodeBox authors
-#
-# SPDX-License-Identifier: Apache-2.0
-
-ARG scannerVersion=latest
-FROM zricethezav/gitleaks:${scannerVersion}
-USER root
-COPY wrapper.sh /wrapper.sh
-RUN chmod o+x ./wrapper.sh
-USER gitleaks
-ENTRYPOINT ["./wrapper.sh" ]
diff --git a/scanners/gitleaks/scanner/wrapper.sh b/scanners/gitleaks/scanner/wrapper.sh
deleted file mode 100644
index 041c16a3c3..0000000000
--- a/scanners/gitleaks/scanner/wrapper.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/sh
-# SPDX-FileCopyrightText: the secureCodeBox authors
-#
-# SPDX-License-Identifier: Apache-2.0
-
-# Gitleaks Entrypoint Script to avoid problems gitleaks exiting with a non zero exit code
-# This would cause the kubernetes job to fail no matter what
-echo '[]' > /home/securecodebox/report.json # If no leaks found the file is not created
-gitleaks $@
-exit 0
diff --git a/scanners/gitleaks/templates/gitleaks-scan-type.yaml b/scanners/gitleaks/templates/gitleaks-scan-type.yaml
index 8d7425a54c..680f0f98ef 100644
--- a/scanners/gitleaks/templates/gitleaks-scan-type.yaml
+++ b/scanners/gitleaks/templates/gitleaks-scan-type.yaml
@@ -31,13 +31,15 @@ spec:
 image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.scanner.image.pullPolicy }}
 command:
- - "sh"
- - "/wrapper.sh"
+ - "gitleaks"
 - "--verbose"
- - "--format"
+ - "--report-format"
 - "json"
- - "--report"
+ - "--report-path"
 - "/home/securecodebox/report.json"
+ - "--exit-code"
+ - "0"
+ - "detect"
 resources:
 {{- toYaml .Values.scanner.resources | nindent 16 }}
 securityContext:
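Review bot: Removing `wrapper.sh` also removes its `echo '[]' > /home/securecodebox/report.json` fallback, whose own comment says the report is not created when no leaks are found; unless the gitleaks version this chart pins is known to write an empty JSON array on zero findings, the parser is now handed a missing file on every clean repository, so either confirm that for the pinned version or keep a pre-create step (an init container, or `sh -c 'echo "[]" > /home/securecodebox/report.json && exec gitleaks …'`). Separately, `--verbose` makes gitleaks print every finding, secret value included, to stdout, so each leaked credential is duplicated into pod logs and any log pipeline reading them; the JSON report already carries the secret for the parser, so drop `--verbose` rather than adding `--redact`, which as far as I recall also redacts the report the parser depends on. `--exit-code 0` is the right replacement for the old unconditional `exit 0`: findings no longer fail the job while genuine errors still do.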
@@ -51,424 +53,3 @@ spec:
{{- end }}
volumes:
{{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: gitleaks-config
-data:
- config_all.toml: |-
- title = "gitleaks config"
- [[rules]]
- description = "JWT Token Format"
- regex = '''eyJ[a-zA-Z0-9\-_]{17,}\.[a-zA-Z0-9\-_]{20,}\.[a-zA-Z0-9\-_]{20,}'''
- tags = ["key", "JWT"]
-
- #TODO need a matcher for other typical hash-types
- [[rules]]
- description = "32 char hash (e.g. MD5 Checksum used for zah payment gateway, or zah-keys)"
- regex = '''=[a-f0-9]{32}[^a-f0-9]'''
- tags = ["key", "Hash", "Generic"]
-
- [[rules]]
- description = "Format of Artifactory access keys"
- regex = '''[^a-zA-Z0-9]AKC[a-zA-Z0-9]{70}[^a-zA-Z0-9]'''
- tags = ["key", "Artifactory"]
-
- [[rules]]
- description = "Generic credentials"
- regex = '''(?i)(dbpasswd|api_key|apikey|secret|key|password|passwort|key|token|secret|guid|pw|auth)(.{0,20})?[^\S\r\n]?[:=][^\S\r\n]?["']?([0-9a-zA-Z-_\/+!{}\/=]{6,80})'''
- tags = ["key", "Generic"]
- [[rules.Entropies]]
- Min = "3.8"
- Max = "8.0"
- Group = "3"
- [rules.allowlist]
- regexes = [
-
- # *** generic whitelist ***
- # excludes ${...} format
- '''[:=]\s?\"?\'?\${.*?}''',
- # excludes $... format
- '''[:=]\s?\$[a-zA-z0-9_\-]+''',
- # for parameter replacement, url, ...
- '''(env.DOCKER_PASSWORT|credentials\[)''',
- '''https://packages.instana.io/Instana.gpg''',
- '''key=sonar\.(webhooks|forceAuthentication)''',
- '''key=https:\/\/(openresty\.org|packages\.grafana)''',
- '''(key=file:\/\/\/etc\/pki\/rpm-gpg|KEY: \"\$ARTIFACTORY_OPS)''',
- '''(token|TOKEN)\s?=\s?(conn\.assume_role|\(\[a-zA-Z0-9)''',
- '''(key|KEY)=(\/tmp\/helm\/\$VENDO_PROJECT|\$\(_get_key|\"?\/app(-security)?\/secret-service-volume\/tls\.key|\"\$EXTERNAL_CERTIFICATE)''',
- '''(password|PASSWORD)\s?=\s?(getpass\.getpass|\$\(_get_key)''',
- # Ignore JWT - they have an own rule with own whitelist
- '''eyJ[a-zA-Z0-9\-_]{17,}\.[a-zA-Z0-9\-_]{20,}\.[a-zA-Z0-9\-_]{20,}''',
- # Ignore AWS Manager ID rules - they have an own rule with own whitelist
- '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}''',
- # Ignore AWS Secret rules - they have an own rule with own whitelist
- '''(?i)aws(.{0,20})?(?-i)['\"]?[0-9a-zA-Z\/+]{40}['\"]?''',
- # Ignore Slack
- '''xox[baprs]-([0-9a-zA-Z]{10,48})''',
- # Ignore mailchimp
- '''(?i)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
- ]
- #files = [
- # '''\.java$'''
- #]
-
- [[rules]]
- description = "AWS Manager ID"
- regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}[\"\s]'''
- tags = ["key", "AWS"]
-
- [[rules]]
- description = "AWS cred file info"
- regex = '''(?i)(aws_access_key_id|aws_secret_access_key)(.{0,20})?=.[0-9a-zA-Z\/+]{20,40}'''
- tags = ["key", "AWS"]
-
- [[rules]]
- description = "AWS Secret Key"
- regex = '''(?i)aws(.{0,20})?[=:\s](?-i)['\"]?[0-9a-zA-Z\/+]{40}['\"]?'''
- tags = ["key", "AWS"]
-
- [[rules]]
- description = "AWS MWS key"
- regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
- tags = ["key", "AWS", "MWS"]
-
-
- [[rules]]
- description = "Asymmetric Private Key"
- regex = '''-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----'''
- tags = ["key", "PrivateKey"]
- [rules.allowlist]
- paths = ['''vagrant/\.vagrant\/machines\/default\/virtualbox''']
- description = "SSH key used to connect to local development machine"
-
- [[rules]]
- description = "Facebook Secret Key"
- regex = '''(?i)(facebook|fb)(.{0,20})?[=:\s](?-i)['\"][0-9a-f]{32}['\"]'''
- tags = ["key", "Facebook"]
-
- [[rules]]
- description = "Facebook Client ID"
- regex = '''(?i)(facebook|fb)(.{0,20})?[=:\s]['\"][0-9]{13,17}['\"]'''
- tags = ["key", "Facebook"]
-
- [[rules]]
- description = "Twitter Secret Key"
- regex = '''(?i)twitter(.{0,20})?[=:\s]['\"][0-9a-z]{35,44}['\"]'''
- tags = ["key", "Twitter"]
-
- [[rules]]
- description = "Twitter Client ID"
- regex = '''(?i)twitter(.{0,20})?[=:\s]['\"][0-9a-z]{18,25}['\"]'''
- tags = ["client", "Twitter"]
-
- [[rules]]
- description = "Github"
- regex = '''(?i)github(.{0,20})?[=:\s](?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
- tags = ["key", "Github"]
-
- [[rules]]
- description = "LinkedIn Client ID"
- regex = '''(?i)linkedin(.{0,20})?[=:\s](?-i)['\"][0-9a-z]{12}['\"]'''
- tags = ["client", "LinkedIn"]
-
- [[rules]]
- description = "LinkedIn Secret Key"
- regex = '''(?i)linkedin(.{0,20})?[=:\s]['\"][0-9a-z]{16}['\"]'''
- tags = ["secret", "LinkedIn"]
-
- [[rules]]
- description = "Slack"
- regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
- tags = ["key", "Slack"]
-
- [[rules]]
- description = "Google API key"
- regex = '''AIza[0-9A-Za-z\\-_]{35}'''
- tags = ["key", "Google"]
-
-
- [[rules]]
- description = "Heroku API key"
- regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
- tags = ["key", "Heroku"]
-
- [[rules]]
- description = "MailChimp API key"
- regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
- tags = ["key", "Mailchimp"]
-
- [[rules]]
- description = "Mailgun API key"
- regex = '''(?i)(mailgun|mg)(.{0,20})?[=:\s]['"][0-9a-z]{32}['"]'''
- tags = ["key", "Mailgun"]
-
- [[rules]]
- description = "PayPal Braintree access token"
- regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
- tags = ["key", "Paypal"]
-
- [[rules]]
- description = "Picatic API key"
- regex = '''sk_live_[0-9a-z]{32}'''
- tags = ["key", "Picatic"]
-
- [[rules]]
- description = "Slack Webhook"
- regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
- tags = ["key", "Slack"]
-
- #TODO Optimize
- [[rules]]
- description = "Teams Webhook"
- regex = '''https://outlook.office.com/webhook/.{1,120}'''
- tags = ["key", "Teams"]
-
- #TODO Optimize
- [[rules]]
- description = "Jenkins Webhook"
- regex = '''https://.{6,100}/generic-webhook-trigger/invoke'''
- tags = ["key", "Jenkins"]
-
- [[rules]]
- description = "Stripe API key"
- regex = '''(?i)stripe(.{0,20})?[=:\s]['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
- tags = ["key", "Stripe"]
-
- [[rules]]
- description = "Square access token"
- regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
- tags = ["key", "Square"]
-
- [[rules]]
- description = "Square OAuth secret"
- regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
- tags = ["key", "Square"]
-
- [[rules]]
- description = "Twilio API key"
- regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
- tags = ["key", "Twilio"]
-
- [[rules]]
- description = "File names with potential keys and credentials"
- file = '''(?i)(id_rsa|id_dsa|id_ed25519|id_ecdsa|passwd|pgpass|pem|key|shadow
- |npmrc_auth|s3cfg|dockercfg|wp-config\.php|htpasswd|env|git-credentials|tugboat|netrc|_netrc|ftpconfig
- |remote-sync\.json|sftp\.json|sftp-config\.json|webservers\.xml|logins\.json|dbeaver-data-sources\.xml
- |sshd_config|sh_history|history|bash_history|dhcpd\.conf|connections\.xml|pgpass|secret_token\.rb
- |credentials\.xml|robomongo\.json|terraform\.tfvars)'''
- tags = ["key", "FileName"]
-
- [[rules]]
- description = "File extension with potential keys and credentials"
- file = '''(?i)\.(pem|ppk|bashrc|pkcs12|p12|pfx|asc|ovpn|cscfg|rdp|mdf|sdf|sqlite|sqlite3|bek
- |tpm|fve|jks|psafe3|keychain|pcap|gnucash|kwallet|tblk|s3cfg|kdbx|sqldumb|htpasswd|dockercfg)'''
- tags = ["key", "FileExtension"]
-
- [allowlist]
- description = "Whitelisted files"
- files = [
- '''^.*gitleaks(config)?.*\.toml$''',
- '''(.*?)(jpg|gif|doc|pdf|jepg|png|bin|yarn\.lock|svg)$''',
- '''(go\.mod|go\.sum)$''',
- '''(swagger-ui.*)(js|css|map)$''',
- '''package-lock\.json'''
- ]
- paths = ["node_modules"]
-
- config_no_generics.toml: |-
- title = "gitleaks config"
- [[rules]]
- description = "JWT Token Format"
- regex = '''eyJ[a-zA-Z0-9\-_]{17,}\.[a-zA-Z0-9\-_]{20,}\.[a-zA-Z0-9\-_]{20,}'''
- tags = ["key", "JWT"]
-
- [[rules]]
- description = "Format of Artifactory access keys"
- regex = '''[^a-zA-Z0-9]AKC[a-zA-Z0-9]{70}[^a-zA-Z0-9]'''
- tags = ["key", "Artifactory"]
-
- [[rules]]
- description = "AWS Manager ID"
- regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}[\"\s]'''
- tags = ["key", "AWS"]
-
- [[rules]]
- description = "AWS cred file info"
- regex = '''(?i)(aws_access_key_id|aws_secret_access_key)(.{0,20})?=.[0-9a-zA-Z\/+]{20,40}'''
- tags = ["key", "AWS"]
-
- [[rules]]
- description = "AWS Secret Key"
- regex = '''(?i)aws(.{0,20})?[=:\s](?-i)['\"]?[0-9a-zA-Z\/+]{40}['\"]?'''
- tags = ["key", "AWS"]
-
- [[rules]]
- description = "AWS MWS key"
- regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
- tags = ["key", "AWS", "MWS"]
-
-
- [[rules]]
- description = "Asymmetric Private Key"
- regex = '''-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----'''
- tags = ["key", "PrivateKey"]
- [rules.allowlist]
- paths = ['''vagrant/\.vagrant\/machines\/default\/virtualbox''']
- description = "SSH key used to connect to local development machine"
-
- [[rules]]
- description = "Facebook Secret Key"
- regex = '''(?i)(facebook|fb)(.{0,20})?[=:\s](?-i)['\"][0-9a-f]{32}['\"]'''
- tags = ["key", "Facebook"]
-
- [[rules]]
- description = "Facebook Client ID"
- regex = '''(?i)(facebook|fb)(.{0,20})?[=:\s]['\"][0-9]{13,17}['\"]'''
- tags = ["key", "Facebook"]
-
- [[rules]]
- description = "Twitter Secret Key"
- regex = '''(?i)twitter(.{0,20})?[=:\s]['\"][0-9a-z]{35,44}['\"]'''
- tags = ["key", "Twitter"]
-
- [[rules]]
- description = "Twitter Client ID"
- regex = '''(?i)twitter(.{0,20})?[=:\s]['\"][0-9a-z]{18,25}['\"]'''
- tags = ["client", "Twitter"]
-
- [[rules]]
- description = "Github"
- regex = '''(?i)github(.{0,20})?[=:\s](?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
- tags = ["key", "Github"]
-
- [[rules]]
- description = "LinkedIn Client ID"
- regex = '''(?i)linkedin(.{0,20})?[=:\s](?-i)['\"][0-9a-z]{12}['\"]'''
- tags = ["client", "LinkedIn"]
-
- [[rules]]
- description = "LinkedIn Secret Key"
- regex = '''(?i)linkedin(.{0,20})?[=:\s]['\"][0-9a-z]{16}['\"]'''
- tags = ["secret", "LinkedIn"]
-
- [[rules]]
- description = "Slack"
- regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
- tags = ["key", "Slack"]
-
- [[rules]]
- description = "Google API key"
- regex = '''AIza[0-9A-Za-z\\-_]{35}'''
- tags = ["key", "Google"]
-
-
- [[rules]]
- description = "Heroku API key"
- regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
- tags = ["key", "Heroku"]
-
- [[rules]]
- description = "MailChimp API key"
- regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
- tags = ["key", "Mailchimp"]
-
- [[rules]]
- description = "Mailgun API key"
- regex = '''(?i)(mailgun|mg)(.{0,20})?[=:\s]['"][0-9a-z]{32}['"]'''
- tags = ["key", "Mailgun"]
-
- [[rules]]
- description = "PayPal Braintree access token"
- regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
- tags = ["key", "Paypal"]
-
- [[rules]]
- description = "Picatic API key"
- regex = '''sk_live_[0-9a-z]{32}'''
- tags = ["key", "Picatic"]
-
- [[rules]]
- description = "Slack Webhook"
- regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
- tags = ["key", "Slack"]
-
- #TODO Optimize
- [[rules]]
- description = "Teams Webhook"
- regex = '''https://outlook.office.com/webhook/.{1,120}'''
- tags = ["key", "Teams"]
-
- #TODO Optimize
- [[rules]]
- description = "Jenkins Webhook"
- regex = '''https://.{6,100}/generic-webhook-trigger/invoke'''
- tags = ["key", "Jenkins"]
-
- [[rules]]
- description = "Stripe API key"
- regex = '''(?i)stripe(.{0,20})?[=:\s]['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
- tags = ["key", "Stripe"]
-
- [[rules]]
- description = "Square access token"
- regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
- tags = ["key", "Square"]
-
- [[rules]]
- description = "Square OAuth secret"
- regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
- tags = ["key", "Square"]
-
- [[rules]]
- description = "Twilio API key"
- regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
- tags = ["key", "Twilio"]
-
- [allowlist]
- description = "Whitelisted files"
- files = [
- '''^.*gitleaks(config)?.*\.toml$''',
- '''(.*?)(jpg|gif|doc|pdf|jepg|png|bin|yarn\.lock|svg)$''',
- '''(go\.mod|go\.sum)$''',
- '''(swagger-ui.*)(js|css|map)$''',
- '''package-lock\.json'''
- ]
- paths = ["node_modules"]
-
- config_filenames_only.toml: |-
- title = "gitleaks config"
-
- [[rules]]
- description = "File names with potential keys and credentials"
- file = '''(?i)(id_rsa|id_dsa|id_ed25519|id_ecdsa|passwd|pgpass|pem|key|shadow
- |npmrc_auth|s3cfg|dockercfg|wp-config\.php|htpasswd|env|git-credentials|tugboat|netrc|_netrc|ftpconfig
- |remote-sync\.json|sftp\.json|sftp-config\.json|webservers\.xml|logins\.json|dbeaver-data-sources\.xml
- |sshd_config|sh_history|history|bash_history|dhcpd\.conf|connections\.xml|pgpass|secret_token\.rb
- |credentials\.xml|robomongo\.json|terraform\.tfvars)'''
- tags = ["key", "FileName"]
-
- [[rules]]
- description = "File extension with potential keys and credentials"
- file = '''(?i)\.(pem|ppk|bashrc|pkcs12|p12|pfx|asc|ovpn|cscfg|rdp|mdf|sdf|sqlite|sqlite3|bek
- |tpm|fve|jks|psafe3|keychain|pcap|gnucash|kwallet|tblk|s3cfg|kdbx|sqldumb|htpasswd|dockercfg)'''
- tags = ["key", "FileExtension"]
-
-
-
- [allowlist]
- description = "Whitelisted files"
- files = [
- '''^.*gitleaks(config)?.*\.toml$''',
- '''(.*?)(jpg|gif|doc|pdf|jepg|png|bin|yarn\.lock|svg)$''',
- '''(go\.mod|go\.sum)$''',
- '''(swagger-ui.*)(js|css|map)$''',
- '''package-lock\.json'''
- ]
- paths = ["node_modules"]
-
-
-
-
diff --git a/scanners/gitleaks/values.yaml b/scanners/gitleaks/values.yaml
index d069ae7339..f21dad0768 100644
--- a/scanners/gitleaks/values.yaml
+++ b/scanners/gitleaks/values.yaml
@@ -29,7 +29,7 @@ parser:
scanner:
image:
# scanner.image.repository -- Container Image to run the scan
- repository: docker.io/securecodebox/scanner-gitleaks
+ repository: docker.io/zricethezav/gitleaks
# scanner.image.tag -- defaults to the charts appVersion
tag: null
# -- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
@@ -60,15 +60,10 @@ scanner:
env: []
# scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
- extraVolumes:
- - name: "gitleaks-config"
- configMap:
- name: "gitleaks-config"
+ extraVolumes: []
# scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
- extraVolumeMounts:
- - name: "gitleaks-config"
- mountPath: "/home/"
+ extraVolumeMounts: []
# scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
extraContainers: []
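Review bot: With `repository: docker.io/zricethezav/gitleaks` the scan now runs an image this repository no longer builds, so `tag: null` falling back to `.Chart.AppVersion` is the only thing pinning which upstream release the Job executes; the `# scanner.image.tag -- defaults to the charts appVersion` comment should add that the tag must be one upstream actually publishes (upstream tags may carry a `v` prefix — confirm against the chart's appVersion), and a digest pin is worth considering if the image template supports it. The deleted Dockerfile's explicit `USER gitleaks` is gone with it, so the non-root guarantee now rests on the upstream image and on the scanType's securityContext, which lies outside this hunk. The second values.yaml hunk (`extraVolumes: []`) continues past the end of this view.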