From a8db88002357520159e32217d186214347c3b26f Mon Sep 17 00:00:00 2001 From: secureCodeBoxBot Date: Tue, 23 Nov 2021 09:30:46 +0000 Subject: [PATCH 01/30] Upgrading gitleaks from v7.6.1 to v8.0.0 Signed-off-by: secureCodeBoxBot --- scanners/gitleaks/Chart.yaml | 5 +---- scanners/gitleaks/README.md | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/scanners/gitleaks/Chart.yaml b/scanners/gitleaks/Chart.yaml index 309af18ce1..ca5b3d82a4 100644 --- a/scanners/gitleaks/Chart.yaml +++ b/scanners/gitleaks/Chart.yaml @@ -5,16 +5,13 @@ apiVersion: v2 name: gitleaks description: A Helm chart for the gitleaks repository scanner that integrates with the secureCodeBox. - type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: v3.1.0-alpha1 -appVersion: "v7.6.1" +appVersion: "v8.0.0" kubeVersion: ">=v1.11.0-0" - annotations: versionApi: https://api.github.com/repos/zricethezav/gitleaks/releases/latest - keywords: - security - gitleaks diff --git a/scanners/gitleaks/README.md b/scanners/gitleaks/README.md index 89fcca6a03..c8e0382763 100644 --- a/scanners/gitleaks/README.md +++ b/scanners/gitleaks/README.md @@ -3,7 +3,7 @@ title: "Gitleaks" category: "scanner" type: "Repository" state: "released" -appVersion: "v7.6.1" +appVersion: "v8.0.0" usecase: "Find potential secrets in repositories" --- From 42fdbb657b5ebe33e0fdd9610f82553f6f9ed68d Mon Sep 17 00:00:00 2001 From: malexmave Date: Tue, 11 Jan 2022 07:34:58 +0000 Subject: [PATCH 02/30] Updating Helm Docs Signed-off-by: GitHub Actions --- scanners/gitleaks/docs/README.DockerHub-Parser.md | 2 +- scanners/gitleaks/docs/README.DockerHub-Scanner.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scanners/gitleaks/docs/README.DockerHub-Parser.md b/scanners/gitleaks/docs/README.DockerHub-Parser.md index 5a7da09532..f167354168 100644 --- a/scanners/gitleaks/docs/README.DockerHub-Parser.md 
+++ b/scanners/gitleaks/docs/README.DockerHub-Parser.md @@ -42,7 +42,7 @@ You can find resources to help you get started on our [documentation website](ht ## Supported Tags - `latest` (represents the latest stable release build) -- tagged releases, e.g. `v7.6.1` +- tagged releases, e.g. `v8.0.0` ## How to use this image This `parser` image is intended to work in combination with the corresponding security scanner docker image to parse the `findings` results. For more information details please take a look at the documentation page: https://docs.securecodebox.io/docs/scanners/gitleaks. diff --git a/scanners/gitleaks/docs/README.DockerHub-Scanner.md b/scanners/gitleaks/docs/README.DockerHub-Scanner.md index 62c99bafda..222194eb59 100644 --- a/scanners/gitleaks/docs/README.DockerHub-Scanner.md +++ b/scanners/gitleaks/docs/README.DockerHub-Scanner.md @@ -42,7 +42,7 @@ You can find resources to help you get started on our [documentation website](ht ## Supported Tags - `latest` (represents the latest stable release build) -- tagged releases, e.g. `v7.6.1` +- tagged releases, e.g. `v8.0.0` ## How to use this image This `scanner` image is intended to work in combination with the corresponding `parser` image to parse the scanner `findings` to generic secureCodeBox results. For more information details please take a look at the [project page][scb-docs] or [documentation page][https://docs.securecodebox.io/docs/scanners/gitleaks]. From a7296dcaef571b9f1858069511f6678c1a6541ef Mon Sep 17 00:00:00 2001 From: Max Maass Date: Tue, 11 Jan 2022 08:44:55 +0100 Subject: [PATCH 03/30] Bump gitleaks to v8.2.7 Signed-off-by: Max Maass --- scanners/gitleaks/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scanners/gitleaks/Chart.yaml b/scanners/gitleaks/Chart.yaml index ca5b3d82a4..bfccd73b27 100644 --- a/scanners/gitleaks/Chart.yaml +++ b/scanners/gitleaks/Chart.yaml 
@@ -8,7 +8,7 @@ description: A Helm chart for the gitleaks repository scanner that integrates wi
 type: application
 # version - gets automatically set to the secureCodeBox release version when the helm charts gets published
 version: v3.1.0-alpha1
-appVersion: "v8.0.0"
+appVersion: "v8.2.7"
 kubeVersion: ">=v1.11.0-0"
 annotations:
 versionApi: https://api.github.com/repos/zricethezav/gitleaks/releases/latest
From 531d4bb6cc1189621d15b785afe34c877d4933a6 Mon Sep 17 00:00:00 2001
From: Max Maass
Date: Thu, 20 Jan 2022 15:55:02 +0100
Subject: [PATCH 04/30] Update gitleaks parser and tests
Signed-off-by: Max Maass
---
 .../__testFiles__/test-report-small.json | 29 +-
 .../parser/__testFiles__/test-report.json | 163 ++++-----
 scanners/gitleaks/parser/parser.js | 29 +-
 scanners/gitleaks/parser/parser.test.js | 340 +++++++-----------
 4 files changed, 228 insertions(+), 333 deletions(-)
diff --git a/scanners/gitleaks/parser/__testFiles__/test-report-small.json b/scanners/gitleaks/parser/__testFiles__/test-report-small.json
index cecf8f2cf3..732dc4180b 100644
--- a/scanners/gitleaks/parser/__testFiles__/test-report-small.json
+++ b/scanners/gitleaks/parser/__testFiles__/test-report-small.json
@@ -1,17 +1,20 @@
 [
 {
- "line": " - aws --profile default configure set aws_access_key_id \"AKIAS2QBEJFO232FJDO\"",
- "lineNumber": 67,
- "offender": "AKIAS2QBEJFO232FJDO",
- "commit": "2a42fc73f76e3fd9d015d0a98030037a8972e3d1",
- "repo": "web-app",
- "rule": "AWS Manager ID",
- "commitMessage": "ci trials\n",
- "author": "Max Mustermann",
- "email": "max.mustermann@host.de",
- "file": ".gitlab-ci.yml",
- "date": "2019-12-11T12:45:48+01:00",
- "tags": "key, AWS",
- "operation": "addition"
+ "Description": "PKCS8 private key",
+ "StartLine": 167,
+ "EndLine": 167,
+ "StartColumn": 22,
+ "EndColumn": 48,
+ "Match": "-----BEGIN PRIVATE KEY-----",
+ "Secret": "-----BEGIN PRIVATE KEY-----",
+ "File": "scanners/gitleaks/parser/parser.test.js",
+ "Commit": "604ca16251cd6e528328605420890f2d55a5464d",
+ "Entropy": 0,
+ "Author": "Commit Author",
+ "Email": "committer@some-domain.tld",
+ "Date": "2020-10-15T11:35:39Z",
+ "Message": "feature/gitleaks-scanner",
+ "Tags": [],
+ "RuleID": "PKCS8-PK"
 }
 ]
diff --git a/scanners/gitleaks/parser/__testFiles__/test-report.json b/scanners/gitleaks/parser/__testFiles__/test-report.json
index 4b2bde7eee..dfcfdc6f4f 100644
--- a/scanners/gitleaks/parser/__testFiles__/test-report.json
+++ b/scanners/gitleaks/parser/__testFiles__/test-report.json
@@ -1,107 +1,74 @@ [ { - "line": " - aws --profile default configure set aws_access_key_id \"AKIAS2QBEJFO232FJDO\"", - "lineNumber": 67, - "offender": "AKIAS2QBEJFO232FJDO", - "commit": "2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "repo": "web-app", - "rule": "AWS Manager ID", - "commitMessage": "ci trials\n", - "author": "Max Mustermann", - "email": "max.mustermann@host.de", - "file": ".gitlab-ci.yml", - "date": "2019-12-11T12:45:48+01:00", - "tags": "key, AWS", - "operation": "addition" + "Description": "Generic API Key", + "StartLine": 51, + "EndLine": 51, + "StartColumn": 11, + "EndColumn": 45, + "Match": "Key: \"aGVsbG8taS1hbS1hLXRlc3Qta2V5\"", + "Secret": "aGVsbG8taS1hbS1hLXRlc3Qta2V5", + "File": "hooks/persistence-azure-monitor/hook/hook.test.js", + "Commit": "20202220306db37c13792bc672e57b0598ab680c", + "Entropy": 4.1375375, + "Author": "Commit Author", + "Email": "committer@some-domain.tld", + "Date": "2022-01-06T15:19:51Z", + "Message": "Use a base64-encoded key for testing", + "Tags": [], + "RuleID": "generic-api-key" }, { - "line": " - aws --profile default configure set aws_secret_access_key \"IccA5EboL5foAY3uUyG+zh5OA3rWdpL4C1ePuUOv\"", - "lineNumber": 68, - "offender": "aws_secret_access_key \"IccA5EboL5foAY3uUyG+zh5OA3rWdpL4C1ePuUOv\"", - "commit": "2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "repo": "paul-web", - "rule": "AWS Secret Key", - "commitMessage": "ci trials\n", - "author": "Max Mustermann", - "email": "max.mustermann@host.de", - "file": ".gitlab-ci.yml", - "date": "2019-12-11T12:45:48+01:00", - "tags": "key, AWS", - "operation": "addition" + "Description": "PKCS8 private key", + "StartLine": 1, + "EndLine": 1, + "StartColumn": 1, + "EndColumn": 27, + "Match": "-----BEGIN PRIVATE KEY-----", + "Secret": "-----BEGIN PRIVATE KEY-----", + "File": "demo-targets/unsafe-https/container/site.key", + "Commit": "e064eb8bd2094287fdeb64474798a8fd53e77bd3", + "Entropy": 0, + "Author": "Commit Author", + "Email": "committer@some-domain.tld", + 
"Date": "2021-09-06T13:53:58Z", + "Message": "Added the corresponding dockerfile to the 'unsafe-https' demo-target.", + "Tags": ["PrivateKey"], + "RuleID": "PKCS8-PK" }, { - "line":" password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "lineNumber":33, - "offender":"password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "commit":"eaf6864262dbbcbf19c972cd961121b340b9968f", - "repo":"multi-juicer", - "rule":"Generic credentials", - "commitMessage":"Add metrics to balancer\n", - "author":"Max Mustermann", - "email":"max.mustermann@host.de", - "file":"helm/multi-juicer/values.yaml", - "date":"2020-02-18T22:28:53+01:00", - "tags":"key, Generic", - "operation":"addition" + "Description": "Slack token", + "StartLine": 164, + "EndLine": 164, + "StartColumn": 293, + "EndColumn": 297, + "Match": "xoxb-", + "Secret": "xoxb-", + "File": "hooks/notification/README.md", + "Commit": "ae9e923125a0409025316a970fa16e0271e1734a", + "Entropy": 0, + "Author": "Commit Author", + "Email": "committer@some-domain.tld", + "Date": "2021-07-02T12:25:00Z", + "Message": "Updating Helm Docs", + "Tags": [], + "RuleID": "slack-access-token" }, { - "line":" \"password\": \"dRzCT4pwBDxfjfeRel23mMlKQ8sX\"", - "lineNumber":19, - "offender":"password\": \"dRzCT4pwBDxfjfeRel23mMlKQ8sX", - "commit":"eaf6864262dbbcbf19c972cd961121b340b9968f", - "repo":"multi-juicer", - "rule":"Generic credentials", - "commitMessage":"Add metrics to balancer\n", - "author":"Max Mustermann", - "email":"max.mustermann@host.de", - "file":"juice-balancer/config/config.json", - "date":"2020-02-18T22:28:53+01:00", - "tags":"key, Generic", - "operation":"addition" - }, - { - "line":"N/A", - "lineNumber":-1, - "offender":"Filename/path offender: .env", - "commit":"88cf8694d4202bb7361f6779588f566e8eae2ff2", - "repo":"secureCodeBox-v2", - "rule":"File names with potential keys and credentials", - "commitMessage":"minor change\n", - "author":"Max Mustermann", - "email":"max.mustermann@host.de", - "file":".env", - 
"date":"2019-01-16T19:18:54+01:00", - "tags":"key, FileName", - "operation":"addition" - }, - { - "line":" facebook_api_key: sj20gj2ß0kofepo2ṕf02", - "lineNumber":30, - "offender":"sj20gj2ß0kofepo2ṕf02", - "commit":"eaf6864262dbbcbf19c972cd961121b340b9968f", - "repo":"madeuprepo", - "rule":"Facebook Secret Key", - "commitMessage":"Adds secret\n", - "author":"Max Mustermann", - "email":"max.mustermann@host.de", - "file":".env", - "date":"2019-01-16T19:18:54+01:00", - "tags":"key, Facebook", - "operation":"addition" - }, - { - "line":" -----BEGIN PRIVATE KEY-----", - "lineNumber":1, - "offender":"-----BEGIN PRIVATE KEY-----", - "commit":"2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "repo":"madeuprepo", - "rule":"Asymmetric Private Key", - "commitMessage":"Adds secret\n", - "author":"Max Mustermann", - "email":"max.mustermann@host.de", - "file":"key.pem", - "date":"2019-01-16T19:18:54+01:00", - "tags":"key, PrivateKey", - "operation":"addition" + "Description": "Generic API Key", + "StartLine": 37, + "EndLine": 37, + "StartColumn": 10, + "EndColumn": 47, + "Match": "api_key = 'eor898q1luuq8054e0e5r9s3jh'", + "Secret": "eor898q1luuq8054e0e5r9s3jh", + "File": "scanners/zap-extended/scanner/scbzapv2/__main__.py", + "Commit": "549b29afa8644c6385c385bed3327e6131557ecb", + "Entropy": 3.8731406, + "Author": "Commit Author", + "Email": "committer@some-domain.tld", + "Date": "2021-05-02T17:17:57Z", + "Message": "Introduces a complete new implementation of the ZAP-Extended scantype based on a more simple sidecar pattern.", + "Tags": [], + "RuleID": "generic-api-key" } -] +] \ No newline at end of file diff --git a/scanners/gitleaks/parser/parser.js b/scanners/gitleaks/parser/parser.js index 521b128b01..c990887681 100644 --- a/scanners/gitleaks/parser/parser.js +++ b/scanners/gitleaks/parser/parser.js 
@@ -17,29 +17,29 @@ async function parse (fileContent, scan) {
 let severity = 'LOW';
- if (containsTag(finding.tags, HIGH_TAGS)) {
+ if (containsTag(finding.Tags, HIGH_TAGS)) {
 severity = 'HIGH'
- } else if (containsTag(finding.tags, MEDIUM_TAGS)) {
+ } else if (containsTag(finding.Tags, MEDIUM_TAGS)) {
 severity = 'MEDIUM'
 }
 return {
- name: finding.rule,
- description: 'The name of the rule which triggered the finding: ' + finding.rule,
+ name: finding.RuleID,
+ description: 'The name of the rule which triggered the finding: ' + finding.RuleID,
 osi_layer: 'APPLICATION',
 severity: severity,
 category: 'Potential Secret',
 attributes: {
- commit: commitUrl + finding.commit,
- repo: finding.repo,
- offender: finding.offender,
- author: finding.author,
- email: finding.email,
- date: finding.date,
- file: finding.file,
- line_number: finding.lineNumber,
- tags: finding.tags.split(',').map(tag => tag.trim()),
- line: finding.line
+ commit: commitUrl + finding.Commit,
+ description: finding.Description,
+ offender: finding.Secret,
+ author: finding.Author,
+ email: finding.Email,
+ date: finding.Date,
+ file: finding.File,
+ line_number: finding.StartLine,
+ tags: finding.Tags,
+ line: finding.Match
 }
 }
 });
@@ -50,6 +50,7 @@ async function parse (fileContent, scan) {
 }
 }
+// FIXME: Update this function to use init container data
 function prepareCommitUrl (scan) {
 if (!scan) {
 return '';
diff --git a/scanners/gitleaks/parser/parser.test.js b/scanners/gitleaks/parser/parser.test.js
index 81ee9180f4..3c05d45f61 100644
--- a/scanners/gitleaks/parser/parser.test.js
+++ b/scanners/gitleaks/parser/parser.test.js
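Review bot: The `attributes` block rewritten here still emits `line_number: finding.StartLine` and ignores `EndLine`/`StartColumn`/`EndColumn`, yet the inline snapshots in the parser.test.js hunks of this same commit expect `start_line: "51:11"` / `end_line: "51:45"` style strings and no `line_number`, so these tests cannot pass against this parser unless a later patch in the series changes it; either emit `start_line: finding.StartLine + ':' + finding.StartColumn, end_line: finding.EndLine + ':' + finding.EndColumn` here or regenerate the snapshots. `containsTag` is defined outside the hunk and previously received a comma-separated string, while it now receives the `Tags` array the v8 fixtures show (`[]`, `["PrivateKey"]`); presumably it copes with arrays, but confirm, and pass `finding.Tags || []` so a finding without the field does not throw. Both `name` and the top-level `description` are built from `RuleID` while the human-readable `Description` is tucked into `attributes`; a short note such as `// RuleID is the stable rule identifier, Description the human-readable rule name` would document the choice. `offender` and `line` copy the raw secret value into the stored finding, as the old code already did, which is worth a comment on whether downstream persistence is expected to receive it unredacted. The map callback inside `parse` starts before the hunk.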
@@ -47,169 +47,97 @@ test("should properly parse gitleaks json file", async () => { const findings = await parse(JSON.parse(jsonContent)); await expect(validateParser(findings)).resolves.toBeUndefined(); expect(findings).toMatchInlineSnapshot(` - Array [ - Object { - "attributes": Object { - "author": "Max Mustermann", - "commit": "2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "date": "2019-12-11T12:45:48+01:00", - "email": "max.mustermann@host.de", - "file": ".gitlab-ci.yml", - "line": " - aws --profile default configure set aws_access_key_id \\"AKIAS2QBEJFO232FJDO\\"", - "line_number": 67, - "offender": "AKIAS2QBEJFO232FJDO", - "repo": "web-app", - "tags": Array [ - "key", - "AWS", - ], - }, - "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: AWS Manager ID", - "name": "AWS Manager ID", - "osi_layer": "APPLICATION", - "severity": "HIGH", - }, - Object { - "attributes": Object { - "author": "Max Mustermann", - "commit": "2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "date": "2019-12-11T12:45:48+01:00", - "email": "max.mustermann@host.de", - "file": ".gitlab-ci.yml", - "line": " - aws --profile default configure set aws_secret_access_key \\"IccA5EboL5foAY3uUyG+zh5OA3rWdpL4C1ePuUOv\\"", - "line_number": 68, - "offender": "aws_secret_access_key \\"IccA5EboL5foAY3uUyG+zh5OA3rWdpL4C1ePuUOv\\"", - "repo": "paul-web", - "tags": Array [ - "key", - "AWS", - ], - }, - "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: AWS Secret Key", - "name": "AWS Secret Key", - "osi_layer": "APPLICATION", - "severity": "HIGH", - }, - Object { - "attributes": Object { - "author": "Max Mustermann", - "commit": "eaf6864262dbbcbf19c972cd961121b340b9968f", - "date": "2020-02-18T22:28:53+01:00", - "email": "max.mustermann@host.de", - "file": "helm/multi-juicer/values.yaml", - "line": " password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "line_number": 33, - "offender": "password: 
ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "repo": "multi-juicer", - "tags": Array [ - "key", - "Generic", - ], - }, - "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: Generic credentials", - "name": "Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - }, - Object { - "attributes": Object { - "author": "Max Mustermann", - "commit": "eaf6864262dbbcbf19c972cd961121b340b9968f", - "date": "2020-02-18T22:28:53+01:00", - "email": "max.mustermann@host.de", - "file": "juice-balancer/config/config.json", - "line": " \\"password\\": \\"dRzCT4pwBDxfjfeRel23mMlKQ8sX\\"", - "line_number": 19, - "offender": "password\\": \\"dRzCT4pwBDxfjfeRel23mMlKQ8sX", - "repo": "multi-juicer", - "tags": Array [ - "key", - "Generic", - ], - }, - "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: Generic credentials", - "name": "Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - }, - Object { - "attributes": Object { - "author": "Max Mustermann", - "commit": "88cf8694d4202bb7361f6779588f566e8eae2ff2", - "date": "2019-01-16T19:18:54+01:00", - "email": "max.mustermann@host.de", - "file": ".env", - "line": "N/A", - "line_number": -1, - "offender": "Filename/path offender: .env", - "repo": "secureCodeBox-v2", - "tags": Array [ - "key", - "FileName", - ], - }, - "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: File names with potential keys and credentials", - "name": "File names with potential keys and credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - }, - Object { - "attributes": Object { - "author": "Max Mustermann", - "commit": "eaf6864262dbbcbf19c972cd961121b340b9968f", - "date": "2019-01-16T19:18:54+01:00", - "email": "max.mustermann@host.de", - "file": ".env", - "line": " facebook_api_key: sj20gj2ß0kofepo2ṕf02", - "line_number": 30, - "offender": "sj20gj2ß0kofepo2ṕf02", - "repo": 
"madeuprepo", - "tags": Array [ - "key", - "Facebook", - ], - }, - "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: Facebook Secret Key", - "name": "Facebook Secret Key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - }, - Object { - "attributes": Object { - "author": "Max Mustermann", - "commit": "2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "date": "2019-01-16T19:18:54+01:00", - "email": "max.mustermann@host.de", - "file": "key.pem", - "line": " -----BEGIN PRIVATE KEY-----", - "line_number": 1, - "offender": "-----BEGIN PRIVATE KEY-----", - "repo": "madeuprepo", - "tags": Array [ - "key", - "PrivateKey", - ], - }, - "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: Asymmetric Private Key", - "name": "Asymmetric Private Key", - "osi_layer": "APPLICATION", - "severity": "HIGH", - }, - ] - `); +Array [ + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "20202220306db37c13792bc672e57b0598ab680c", + "date": "2022-01-06T15:19:51Z", + "description": "Generic API Key", + "email": "committer@some-domain.tld", + "end_line": "51:45", + "file": "hooks/persistence-azure-monitor/hook/hook.test.js", + "line": "Key: \\"aGVsbG8taS1hbS1hLXRlc3Qta2V5\\"", + "offender": "aGVsbG8taS1hbS1hLXRlc3Qta2V5", + "start_line": "51:11", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: generic-api-key", + "name": "generic-api-key", + "osi_layer": "APPLICATION", + "severity": "LOW", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "e064eb8bd2094287fdeb64474798a8fd53e77bd3", + "date": "2021-09-06T13:53:58Z", + "description": "PKCS8 private key", + "email": "committer@some-domain.tld", + "end_line": "1:27", + "file": "demo-targets/unsafe-https/container/site.key", + "line": "-----BEGIN PRIVATE KEY-----", + "offender": "-----BEGIN PRIVATE KEY-----", + 
"start_line": "1:1", + "tags": Array [ + "PrivateKey", + ], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "HIGH", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "ae9e923125a0409025316a970fa16e0271e1734a", + "date": "2021-07-02T12:25:00Z", + "description": "Slack token", + "email": "committer@some-domain.tld", + "end_line": "164:297", + "file": "hooks/notification/README.md", + "line": "xoxb-", + "offender": "xoxb-", + "start_line": "164:293", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: slack-access-token", + "name": "slack-access-token", + "osi_layer": "APPLICATION", + "severity": "LOW", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "549b29afa8644c6385c385bed3327e6131557ecb", + "date": "2021-05-02T17:17:57Z", + "description": "Generic API Key", + "email": "committer@some-domain.tld", + "end_line": "37:47", + "file": "scanners/zap-extended/scanner/scbzapv2/__main__.py", + "line": "api_key = 'eor898q1luuq8054e0e5r9s3jh'", + "offender": "eor898q1luuq8054e0e5r9s3jh", + "start_line": "37:10", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: generic-api-key", + "name": "generic-api-key", + "osi_layer": "APPLICATION", + "severity": "LOW", + }, +] +`); }); test("should properly construct commit URL if present with -r option", async () => { const scan = { spec: { - scanType: "gitleaks", + scanType: "gitleaks", parameters: [ "-r", "https://github.com/iteratec/multi-juicer", 
@@ -229,31 +157,29 @@ test("should properly construct commit URL if present with -r option", async () await expect(validateParser(findings)).resolves.toBeUndefined(); expect(findings).toMatchInlineSnapshot(` - Array [ - Object { - "attributes": Object { - "author": "Max Mustermann", - "commit": "https://github.com/iteratec/multi-juicer/commit/2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "date": "2019-12-11T12:45:48+01:00", - "email": "max.mustermann@host.de", - "file": ".gitlab-ci.yml", - "line": " - aws --profile default configure set aws_access_key_id \\"AKIAS2QBEJFO232FJDO\\"", - "line_number": 67, - "offender": "AKIAS2QBEJFO232FJDO", - "repo": "web-app", - "tags": Array [ - "key", - "AWS", - ], - }, - "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: AWS Manager ID", - "name": "AWS Manager ID", - "osi_layer": "APPLICATION", - "severity": "HIGH", - }, - ] - `); +Array [ + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "https://github.com/iteratec/multi-juicer/commit/604ca16251cd6e528328605420890f2d55a5464d", + "date": "2020-10-15T11:35:39Z", + "description": "PKCS8 private key", + "email": "committer@some-domain.tld", + "end_line": "167:48", + "file": "scanners/gitleaks/parser/parser.test.js", + "line": "-----BEGIN PRIVATE KEY-----", + "offender": "-----BEGIN PRIVATE KEY-----", + "start_line": "167:22", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "LOW", + }, +] +`); }); test("should properly construct commit URL if present with --repo option", async () => { 
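Review bot: The new snapshot records the `PKCS8-PK` private-key finding with `"severity": "LOW"`, because severity is derived solely from gitleaks' `Tags` and the updated test-report-small.json fixture carries `"Tags": []` for it; in the first snapshot the same rule is HIGH only because that fixture entry happens to be tagged `PrivateKey`. Four of the five findings in the new fixtures have empty tags, which suggests v8's bundled rules rarely set them, so in practice nearly every secret, private keys included, would be reported at LOW. If that is not intended, the parser should fall back to `RuleID`/`Description` for classification (e.g. mapping `PKCS8-PK` and the other private-key rules to HIGH) rather than relying on tags, and this snapshot and the one in the `--repo` hunk below should then expect HIGH. The test body continues outside the hunk.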
@@ -279,29 +205,27 @@ test("should properly construct commit URL if present with --repo option", async const findings = await parse(JSON.parse(jsonContent), scan); await expect(validateParser(findings)).resolves.toBeUndefined(); expect(findings).toMatchInlineSnapshot(` - Array [ - Object { - "attributes": Object { - "author": "Max Mustermann", - "commit": "https://github.com/iteratec/multi-juicer/commit/2a42fc73f76e3fd9d015d0a98030037a8972e3d1", - "date": "2019-12-11T12:45:48+01:00", - "email": "max.mustermann@host.de", - "file": ".gitlab-ci.yml", - "line": " - aws --profile default configure set aws_access_key_id \\"AKIAS2QBEJFO232FJDO\\"", - "line_number": 67, - "offender": "AKIAS2QBEJFO232FJDO", - "repo": "web-app", - "tags": Array [ - "key", - "AWS", - ], - }, - "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: AWS Manager ID", - "name": "AWS Manager ID", - "osi_layer": "APPLICATION", - "severity": "HIGH", - }, - ] - `); +Array [ + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "https://github.com/iteratec/multi-juicer/commit/604ca16251cd6e528328605420890f2d55a5464d", + "date": "2020-10-15T11:35:39Z", + "description": "PKCS8 private key", + "email": "committer@some-domain.tld", + "end_line": "167:48", + "file": "scanners/gitleaks/parser/parser.test.js", + "line": "-----BEGIN PRIVATE KEY-----", + "offender": "-----BEGIN PRIVATE KEY-----", + "start_line": "167:22", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "LOW", + }, +] +`); }); From ed441adfb75d78064908e2812e54eacf244abc78 Mon Sep 17 00:00:00 2001 From: Max Maass Date: Thu, 20 Jan 2022 15:55:16 +0100 Subject: [PATCH 05/30] Switch to official docker image 
Signed-off-by: Max Maass
---
 scanners/gitleaks/scanner/Dockerfile | 11 -----------
 scanners/gitleaks/scanner/wrapper.sh | 10 ----------
 scanners/gitleaks/templates/gitleaks-scan-type.yaml | 6 ++++--
 scanners/gitleaks/values.yaml | 2 +-
 4 files changed, 5 insertions(+), 24 deletions(-)
 delete mode 100644 scanners/gitleaks/scanner/Dockerfile
 delete mode 100644 scanners/gitleaks/scanner/wrapper.sh
diff --git a/scanners/gitleaks/scanner/Dockerfile b/scanners/gitleaks/scanner/Dockerfile
deleted file mode 100644
index 733670ca14..0000000000
--- a/scanners/gitleaks/scanner/Dockerfile
+++ /dev/null
@@ -1,11 +0,0 @@
-# SPDX-FileCopyrightText: 2021 iteratec GmbH
-#
-# SPDX-License-Identifier: Apache-2.0
-
-ARG scannerVersion=latest
-FROM zricethezav/gitleaks:${scannerVersion}
-USER root
-COPY wrapper.sh /wrapper.sh
-RUN chmod o+x ./wrapper.sh
-USER gitleaks
-ENTRYPOINT ["./wrapper.sh" ]
diff --git a/scanners/gitleaks/scanner/wrapper.sh b/scanners/gitleaks/scanner/wrapper.sh
deleted file mode 100644
index 7b63464395..0000000000
--- a/scanners/gitleaks/scanner/wrapper.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/sh
-# SPDX-FileCopyrightText: 2021 iteratec GmbH
-#
-# SPDX-License-Identifier: Apache-2.0
-
-# Gitleaks Entrypoint Script to avoid problems gitleaks exiting with a non zero exit code
-# This would cause the kubernetes job to fail no matter what
-echo '[]' > /home/securecodebox/report.json # If no leaks found the file is not created
-gitleaks $@
-exit 0
diff --git a/scanners/gitleaks/templates/gitleaks-scan-type.yaml b/scanners/gitleaks/templates/gitleaks-scan-type.yaml
index bcbc465a0d..badf185a60 100644
--- a/scanners/gitleaks/templates/gitleaks-scan-type.yaml
+++ b/scanners/gitleaks/templates/gitleaks-scan-type.yaml
@@ -31,13 +31,15 @@ spec:
 image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.scanner.image.pullPolicy }}
 command:
- - "sh"
- - "/wrapper.sh"
+ - "gitleaks"
 - "--verbose"
 - "--format"
 - "json"
 - "--report"
 - "/home/securecodebox/report.json"
+ - "--exit-code"
+ - "0"
+ - "detect"
 resources:
 {{- toYaml .Values.scanner.resources | nindent 16 }}
 securityContext:
diff --git a/scanners/gitleaks/values.yaml b/scanners/gitleaks/values.yaml
index d2c7f198f2..8e17ca86b7 100644
--- a/scanners/gitleaks/values.yaml
+++ b/scanners/gitleaks/values.yaml
@@ -29,7 +29,7 @@ parser:
 scanner:
 image:
 # scanner.image.repository -- Container Image to run the scan
- repository: docker.io/securecodebox/scanner-gitleaks
+ repository: docker.io/zricethezav/gitleaks
 # scanner.image.tag -- defaults to the charts appVersion
 tag: null
 # -- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
From 0ef3a6f56a36714cddf85cb75f9dc8a3ede2f3d5 Mon Sep 17 00:00:00 2001
From: Max Maass
Date: Thu, 20 Jan 2022 15:57:02 +0100
Subject: [PATCH 06/30] Remove default cascading rules
Signed-off-by: Max Maass
---
 .../gitleaks-scan-github-private.yaml | 34 -------------------
 .../gitleaks-scan-github-public.yaml | 34 -------------------
 .../gitleaks-scan-gitlab-private.yaml | 33 ------------------
 .../gitleaks-scan-gitlab-public.yaml | 34 -------------------
 4 files changed, 135 deletions(-)
 delete mode 100644 scanners/gitleaks/cascading-rules/gitleaks-scan-github-private.yaml
 delete mode 100644 scanners/gitleaks/cascading-rules/gitleaks-scan-github-public.yaml
 delete mode 100644 scanners/gitleaks/cascading-rules/gitleaks-scan-gitlab-private.yaml
 delete mode 100644 scanners/gitleaks/cascading-rules/gitleaks-scan-gitlab-public.yaml
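Review bot: The `--format json` and `--report /home/securecodebox/report.json` arguments are carried over from the v7 wrapper invocation, but the image this chart now runs (values.yaml below switches to `docker.io/zricethezav/gitleaks`, appVersion v8.2.7) has a different CLI; as far as I recall v8 spells these `--report-format` and `--report-path`, so verify against the v8 `detect --help`, because an unknown flag makes the container exit before `--exit-code 0` can take effect. The deleted wrapper.sh also pre-seeded `/home/securecodebox/report.json` with `[]` because, per its comment, gitleaks does not create the file when no leaks are found; unless v8 is confirmed to write an empty report on its own, the parser will now receive a missing file on clean repositories, so either verify that or keep the pre-seed (an init container would do). `detect` scans a local path rather than cloning an URL, which is presumably why the `-r`-based cascading rules are dropped in the following patch; a comment above `command:` such as `# gitleaks v8 only scans a local checkout: the repository must be cloned/mounted into the working directory (see the parser FIXME)` would make the new contract visible. The container spec continues outside the hunk.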
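Review bot: Moving `scanner.image.repository` to the upstream `docker.io/zricethezav/gitleaks` means the chart now pulls a third-party image by a mutable tag (`tag: null` resolves to the chart's appVersion); the comment on `repository` should say so and point operators at pinning, e.g. `# scanner.image.repository -- Container Image to run the scan (upstream gitleaks image; set scanner.image.tag to a fixed release for reproducible pulls)`. Whether the `repository:tag` template can take an `@sha256:` digest is not visible here; if it cannot, supporting one would be the stronger supply-chain control.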
diff --git a/scanners/gitleaks/cascading-rules/gitleaks-scan-github-private.yaml b/scanners/gitleaks/cascading-rules/gitleaks-scan-github-private.yaml deleted file mode 100644 index f574f772d0..0000000000 --- a/scanners/gitleaks/cascading-rules/gitleaks-scan-github-private.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# SPDX-FileCopyrightText: 2021 iteratec GmbH -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: "cascading.securecodebox.io/v1" -kind: CascadingRule -metadata: - name: "gitleaks-github-scan-private" - labels: - securecodebox.io/invasive: non-invasive - securecodebox.io/intensive: medium -spec: - matches: - anyOf: - - name: "GitHub Repo" - attributes: - visibility: private - scanSpec: - scanType: "gitleaks" - parameters: - - "-r" - - "{{{attributes.web_url}}}" - #Provide an access token - - "--access-token" - - "$(GITHUB_TOKEN)" - - "--config" - - "/home/config_all.toml" - env: - - name: GITHUB_TOKEN - valueFrom: - secretKeyRef: - name: github-access-token - key: token - diff --git a/scanners/gitleaks/cascading-rules/gitleaks-scan-github-public.yaml b/scanners/gitleaks/cascading-rules/gitleaks-scan-github-public.yaml deleted file mode 100644 index c3fdad5a55..0000000000 --- a/scanners/gitleaks/cascading-rules/gitleaks-scan-github-public.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# SPDX-FileCopyrightText: 2021 iteratec GmbH -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: "cascading.securecodebox.io/v1" -kind: CascadingRule -metadata: - name: "gitleaks-github-scan-public" - labels: - securecodebox.io/invasive: non-invasive - securecodebox.io/intensive: medium -spec: - matches: - anyOf: - - name: "GitHub Repo" - attributes: - visibility: public - scanSpec: - scanType: "gitleaks" - parameters: - - "-r" - - "{{{attributes.web_url}}}" - - "--config" - - "/home/config_all.toml" - #Provide an access token - - "--access-token" - - "$(GITHUB_TOKEN)" - env: - - name: GITHUB_TOKEN - valueFrom: - secretKeyRef: - name: github-access-token - key: token - 
diff --git a/scanners/gitleaks/cascading-rules/gitleaks-scan-gitlab-private.yaml b/scanners/gitleaks/cascading-rules/gitleaks-scan-gitlab-private.yaml deleted file mode 100644 index bb74e4b388..0000000000 --- a/scanners/gitleaks/cascading-rules/gitleaks-scan-gitlab-private.yaml +++ /dev/null @@ -1,33 +0,0 @@ -# SPDX-FileCopyrightText: 2021 iteratec GmbH -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: "cascading.securecodebox.io/v1" -kind: CascadingRule -metadata: - name: "gitleaks-gitlab-scan-private" - labels: - securecodebox.io/invasive: non-invasive - securecodebox.io/intensive: medium -spec: - matches: - anyOf: - - name: "GitLab Repo" - attributes: - visibility: private - scanSpec: - scanType: "gitleaks" - parameters: - - "-r" - - "{{{attributes.web_url}}}" - - "--config" - - "/home/config_all.toml" - #Provide an access token - - "--access-token" - - "$(GITLAB_TOKEN)" - env: - - name: GITLAB_TOKEN - valueFrom: - secretKeyRef: - name: gitlab-access-token - key: token diff --git a/scanners/gitleaks/cascading-rules/gitleaks-scan-gitlab-public.yaml b/scanners/gitleaks/cascading-rules/gitleaks-scan-gitlab-public.yaml deleted file mode 100644 index a385fef8dd..0000000000 --- a/scanners/gitleaks/cascading-rules/gitleaks-scan-gitlab-public.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# SPDX-FileCopyrightText: 2021 iteratec GmbH -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: "cascading.securecodebox.io/v1" -kind: CascadingRule -metadata: - name: "gitleaks-gitlab-scan-public" - labels: - securecodebox.io/invasive: non-invasive - securecodebox.io/intensive: medium -spec: - matches: - anyOf: - - name: "GitLab Repo" - attributes: - visibility: public - scanSpec: - scanType: "gitleaks" - parameters: - - "-r" - - "{{{attributes.web_url}}}" - - "--config" - - "/home/config_all.toml" - #Provide an access token - - "--access-token" - - "$(GITLAB_TOKEN)" - env: - - name: GITLAB_TOKEN - valueFrom: - secretKeyRef: - name: gitlab-access-token - key: token - 
From 2b823054a5f094b29ad03b815a6c48cc8091656a Mon Sep 17 00:00:00 2001 From: Max Maass Date: Thu, 20 Jan 2022 15:58:36 +0100 Subject: [PATCH 07/30] Remove default config files Signed-off-by: Max Maass --- .../templates/gitleaks-scan-type.yaml | 421 ------------------ 1 file changed, 421 deletions(-) diff --git a/scanners/gitleaks/templates/gitleaks-scan-type.yaml b/scanners/gitleaks/templates/gitleaks-scan-type.yaml index badf185a60..efa9a1361a 100644 --- a/scanners/gitleaks/templates/gitleaks-scan-type.yaml +++ b/scanners/gitleaks/templates/gitleaks-scan-type.yaml 
@@ -53,424 +53,3 @@ spec: {{- end }} volumes: {{- toYaml .Values.scanner.extraVolumes | nindent 12 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: gitleaks-config -data: - config_all.toml: |- - title = "gitleaks config" - [[rules]] - description = "JWT Token Format" - regex = '''eyJ[a-zA-Z0-9\-_]{17,}\.[a-zA-Z0-9\-_]{20,}\.[a-zA-Z0-9\-_]{20,}''' - tags = ["key", "JWT"] - - #TODO need a matcher for other typical hash-types - [[rules]] - description = "32 char hash (e.g. MD5 Checksum used for zah payment gateway, or zah-keys)" - regex = '''=[a-f0-9]{32}[^a-f0-9]''' - tags = ["key", "Hash", "Generic"] - - [[rules]] - description = "Format of Artifactory access keys" - regex = '''[^a-zA-Z0-9]AKC[a-zA-Z0-9]{70}[^a-zA-Z0-9]''' - tags = ["key", "Artifactory"] - - [[rules]] - description = "Generic credentials" - regex = '''(?i)(dbpasswd|api_key|apikey|secret|key|password|passwort|key|token|secret|guid|pw|auth)(.{0,20})?[^\S\r\n]?[:=][^\S\r\n]?["']?([0-9a-zA-Z-_\/+!{}\/=]{6,80})''' - tags = ["key", "Generic"] - [[rules.Entropies]] - Min = "3.8" - Max = "8.0" - Group = "3" - [rules.allowlist] - regexes = [ - - # *** generic whitelist *** - # excludes ${...} format - '''[:=]\s?\"?\'?\${.*?}''', - # excludes $... format - '''[:=]\s?\$[a-zA-z0-9_\-]+''', - # for parameter replacement, url, ... 
- '''(env.DOCKER_PASSWORT|credentials\[)''', - '''https://packages.instana.io/Instana.gpg''', - '''key=sonar\.(webhooks|forceAuthentication)''', - '''key=https:\/\/(openresty\.org|packages\.grafana)''', - '''(key=file:\/\/\/etc\/pki\/rpm-gpg|KEY: \"\$ARTIFACTORY_OPS)''', - '''(token|TOKEN)\s?=\s?(conn\.assume_role|\(\[a-zA-Z0-9)''', - '''(key|KEY)=(\/tmp\/helm\/\$VENDO_PROJECT|\$\(_get_key|\"?\/app(-security)?\/secret-service-volume\/tls\.key|\"\$EXTERNAL_CERTIFICATE)''', - '''(password|PASSWORD)\s?=\s?(getpass\.getpass|\$\(_get_key)''', - # Ignore JWT - they have an own rule with own whitelist - '''eyJ[a-zA-Z0-9\-_]{17,}\.[a-zA-Z0-9\-_]{20,}\.[a-zA-Z0-9\-_]{20,}''', - # Ignore AWS Manager ID rules - they have an own rule with own whitelist - '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}''', - # Ignore AWS Secret rules - they have an own rule with own whitelist - '''(?i)aws(.{0,20})?(?-i)['\"]?[0-9a-zA-Z\/+]{40}['\"]?''', - # Ignore Slack - '''xox[baprs]-([0-9a-zA-Z]{10,48})''', - # Ignore mailchimp - '''(?i)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]''' - ] - #files = [ - # '''\.java$''' - #] - - [[rules]] - description = "AWS Manager ID" - regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}[\"\s]''' - tags = ["key", "AWS"] - - [[rules]] - description = "AWS cred file info" - regex = '''(?i)(aws_access_key_id|aws_secret_access_key)(.{0,20})?=.[0-9a-zA-Z\/+]{20,40}''' - tags = ["key", "AWS"] - - [[rules]] - description = "AWS Secret Key" - regex = '''(?i)aws(.{0,20})?[=:\s](?-i)['\"]?[0-9a-zA-Z\/+]{40}['\"]?''' - tags = ["key", "AWS"] - - [[rules]] - description = "AWS MWS key" - regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}''' - tags = ["key", "AWS", "MWS"] - - - [[rules]] - description = "Asymmetric Private Key" - regex = '''-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----''' - tags = ["key", "PrivateKey"] - [rules.allowlist] - paths = 
['''vagrant/\.vagrant\/machines\/default\/virtualbox'''] - description = "SSH key used to connect to local development machine" - - [[rules]] - description = "Facebook Secret Key" - regex = '''(?i)(facebook|fb)(.{0,20})?[=:\s](?-i)['\"][0-9a-f]{32}['\"]''' - tags = ["key", "Facebook"] - - [[rules]] - description = "Facebook Client ID" - regex = '''(?i)(facebook|fb)(.{0,20})?[=:\s]['\"][0-9]{13,17}['\"]''' - tags = ["key", "Facebook"] - - [[rules]] - description = "Twitter Secret Key" - regex = '''(?i)twitter(.{0,20})?[=:\s]['\"][0-9a-z]{35,44}['\"]''' - tags = ["key", "Twitter"] - - [[rules]] - description = "Twitter Client ID" - regex = '''(?i)twitter(.{0,20})?[=:\s]['\"][0-9a-z]{18,25}['\"]''' - tags = ["client", "Twitter"] - - [[rules]] - description = "Github" - regex = '''(?i)github(.{0,20})?[=:\s](?-i)['\"][0-9a-zA-Z]{35,40}['\"]''' - tags = ["key", "Github"] - - [[rules]] - description = "LinkedIn Client ID" - regex = '''(?i)linkedin(.{0,20})?[=:\s](?-i)['\"][0-9a-z]{12}['\"]''' - tags = ["client", "LinkedIn"] - - [[rules]] - description = "LinkedIn Secret Key" - regex = '''(?i)linkedin(.{0,20})?[=:\s]['\"][0-9a-z]{16}['\"]''' - tags = ["secret", "LinkedIn"] - - [[rules]] - description = "Slack" - regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?''' - tags = ["key", "Slack"] - - [[rules]] - description = "Google API key" - regex = '''AIza[0-9A-Za-z\\-_]{35}''' - tags = ["key", "Google"] - - - [[rules]] - description = "Heroku API key" - regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]''' - tags = ["key", "Heroku"] - - [[rules]] - description = "MailChimp API key" - regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]''' - tags = ["key", "Mailchimp"] - - [[rules]] - description = "Mailgun API key" - regex = '''(?i)(mailgun|mg)(.{0,20})?[=:\s]['"][0-9a-z]{32}['"]''' - tags = ["key", "Mailgun"] - - [[rules]] - description = "PayPal Braintree access token" - regex = 
'''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}''' - tags = ["key", "Paypal"] - - [[rules]] - description = "Picatic API key" - regex = '''sk_live_[0-9a-z]{32}''' - tags = ["key", "Picatic"] - - [[rules]] - description = "Slack Webhook" - regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}''' - tags = ["key", "Slack"] - - #TODO Optimize - [[rules]] - description = "Teams Webhook" - regex = '''https://outlook.office.com/webhook/.{1,120}''' - tags = ["key", "Teams"] - - #TODO Optimize - [[rules]] - description = "Jenkins Webhook" - regex = '''https://.{6,100}/generic-webhook-trigger/invoke''' - tags = ["key", "Jenkins"] - - [[rules]] - description = "Stripe API key" - regex = '''(?i)stripe(.{0,20})?[=:\s]['\"][sk|rk]_live_[0-9a-zA-Z]{24}''' - tags = ["key", "Stripe"] - - [[rules]] - description = "Square access token" - regex = '''sq0atp-[0-9A-Za-z\-_]{22}''' - tags = ["key", "Square"] - - [[rules]] - description = "Square OAuth secret" - regex = '''sq0csp-[0-9A-Za-z\\-_]{43}''' - tags = ["key", "Square"] - - [[rules]] - description = "Twilio API key" - regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]''' - tags = ["key", "Twilio"] - - [[rules]] - description = "File names with potential keys and credentials" - file = '''(?i)(id_rsa|id_dsa|id_ed25519|id_ecdsa|passwd|pgpass|pem|key|shadow - |npmrc_auth|s3cfg|dockercfg|wp-config\.php|htpasswd|env|git-credentials|tugboat|netrc|_netrc|ftpconfig - |remote-sync\.json|sftp\.json|sftp-config\.json|webservers\.xml|logins\.json|dbeaver-data-sources\.xml - |sshd_config|sh_history|history|bash_history|dhcpd\.conf|connections\.xml|pgpass|secret_token\.rb - |credentials\.xml|robomongo\.json|terraform\.tfvars)''' - tags = ["key", "FileName"] - - [[rules]] - description = "File extension with potential keys and credentials" - file = '''(?i)\.(pem|ppk|bashrc|pkcs12|p12|pfx|asc|ovpn|cscfg|rdp|mdf|sdf|sqlite|sqlite3|bek - 
|tpm|fve|jks|psafe3|keychain|pcap|gnucash|kwallet|tblk|s3cfg|kdbx|sqldumb|htpasswd|dockercfg)''' - tags = ["key", "FileExtension"] - - [allowlist] - description = "Whitelisted files" - files = [ - '''^.*gitleaks(config)?.*\.toml$''', - '''(.*?)(jpg|gif|doc|pdf|jepg|png|bin|yarn\.lock|svg)$''', - '''(go\.mod|go\.sum)$''', - '''(swagger-ui.*)(js|css|map)$''', - '''package-lock\.json''' - ] - paths = ["node_modules"] - - config_no_generics.toml: |- - title = "gitleaks config" - [[rules]] - description = "JWT Token Format" - regex = '''eyJ[a-zA-Z0-9\-_]{17,}\.[a-zA-Z0-9\-_]{20,}\.[a-zA-Z0-9\-_]{20,}''' - tags = ["key", "JWT"] - - [[rules]] - description = "Format of Artifactory access keys" - regex = '''[^a-zA-Z0-9]AKC[a-zA-Z0-9]{70}[^a-zA-Z0-9]''' - tags = ["key", "Artifactory"] - - [[rules]] - description = "AWS Manager ID" - regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}[\"\s]''' - tags = ["key", "AWS"] - - [[rules]] - description = "AWS cred file info" - regex = '''(?i)(aws_access_key_id|aws_secret_access_key)(.{0,20})?=.[0-9a-zA-Z\/+]{20,40}''' - tags = ["key", "AWS"] - - [[rules]] - description = "AWS Secret Key" - regex = '''(?i)aws(.{0,20})?[=:\s](?-i)['\"]?[0-9a-zA-Z\/+]{40}['\"]?''' - tags = ["key", "AWS"] - - [[rules]] - description = "AWS MWS key" - regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}''' - tags = ["key", "AWS", "MWS"] - - - [[rules]] - description = "Asymmetric Private Key" - regex = '''-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----''' - tags = ["key", "PrivateKey"] - [rules.allowlist] - paths = ['''vagrant/\.vagrant\/machines\/default\/virtualbox'''] - description = "SSH key used to connect to local development machine" - - [[rules]] - description = "Facebook Secret Key" - regex = '''(?i)(facebook|fb)(.{0,20})?[=:\s](?-i)['\"][0-9a-f]{32}['\"]''' - tags = ["key", "Facebook"] - - [[rules]] - description = "Facebook Client ID" - regex = 
'''(?i)(facebook|fb)(.{0,20})?[=:\s]['\"][0-9]{13,17}['\"]''' - tags = ["key", "Facebook"] - - [[rules]] - description = "Twitter Secret Key" - regex = '''(?i)twitter(.{0,20})?[=:\s]['\"][0-9a-z]{35,44}['\"]''' - tags = ["key", "Twitter"] - - [[rules]] - description = "Twitter Client ID" - regex = '''(?i)twitter(.{0,20})?[=:\s]['\"][0-9a-z]{18,25}['\"]''' - tags = ["client", "Twitter"] - - [[rules]] - description = "Github" - regex = '''(?i)github(.{0,20})?[=:\s](?-i)['\"][0-9a-zA-Z]{35,40}['\"]''' - tags = ["key", "Github"] - - [[rules]] - description = "LinkedIn Client ID" - regex = '''(?i)linkedin(.{0,20})?[=:\s](?-i)['\"][0-9a-z]{12}['\"]''' - tags = ["client", "LinkedIn"] - - [[rules]] - description = "LinkedIn Secret Key" - regex = '''(?i)linkedin(.{0,20})?[=:\s]['\"][0-9a-z]{16}['\"]''' - tags = ["secret", "LinkedIn"] - - [[rules]] - description = "Slack" - regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?''' - tags = ["key", "Slack"] - - [[rules]] - description = "Google API key" - regex = '''AIza[0-9A-Za-z\\-_]{35}''' - tags = ["key", "Google"] - - - [[rules]] - description = "Heroku API key" - regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]''' - tags = ["key", "Heroku"] - - [[rules]] - description = "MailChimp API key" - regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]''' - tags = ["key", "Mailchimp"] - - [[rules]] - description = "Mailgun API key" - regex = '''(?i)(mailgun|mg)(.{0,20})?[=:\s]['"][0-9a-z]{32}['"]''' - tags = ["key", "Mailgun"] - - [[rules]] - description = "PayPal Braintree access token" - regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}''' - tags = ["key", "Paypal"] - - [[rules]] - description = "Picatic API key" - regex = '''sk_live_[0-9a-z]{32}''' - tags = ["key", "Picatic"] - - [[rules]] - description = "Slack Webhook" - regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}''' - tags = ["key", "Slack"] - - #TODO Optimize - 
[[rules]] - description = "Teams Webhook" - regex = '''https://outlook.office.com/webhook/.{1,120}''' - tags = ["key", "Teams"] - - #TODO Optimize - [[rules]] - description = "Jenkins Webhook" - regex = '''https://.{6,100}/generic-webhook-trigger/invoke''' - tags = ["key", "Jenkins"] - - [[rules]] - description = "Stripe API key" - regex = '''(?i)stripe(.{0,20})?[=:\s]['\"][sk|rk]_live_[0-9a-zA-Z]{24}''' - tags = ["key", "Stripe"] - - [[rules]] - description = "Square access token" - regex = '''sq0atp-[0-9A-Za-z\-_]{22}''' - tags = ["key", "Square"] - - [[rules]] - description = "Square OAuth secret" - regex = '''sq0csp-[0-9A-Za-z\\-_]{43}''' - tags = ["key", "Square"] - - [[rules]] - description = "Twilio API key" - regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]''' - tags = ["key", "Twilio"] - - [allowlist] - description = "Whitelisted files" - files = [ - '''^.*gitleaks(config)?.*\.toml$''', - '''(.*?)(jpg|gif|doc|pdf|jepg|png|bin|yarn\.lock|svg)$''', - '''(go\.mod|go\.sum)$''', - '''(swagger-ui.*)(js|css|map)$''', - '''package-lock\.json''' - ] - paths = ["node_modules"] - - config_filenames_only.toml: |- - title = "gitleaks config" - - [[rules]] - description = "File names with potential keys and credentials" - file = '''(?i)(id_rsa|id_dsa|id_ed25519|id_ecdsa|passwd|pgpass|pem|key|shadow - |npmrc_auth|s3cfg|dockercfg|wp-config\.php|htpasswd|env|git-credentials|tugboat|netrc|_netrc|ftpconfig - |remote-sync\.json|sftp\.json|sftp-config\.json|webservers\.xml|logins\.json|dbeaver-data-sources\.xml - |sshd_config|sh_history|history|bash_history|dhcpd\.conf|connections\.xml|pgpass|secret_token\.rb - |credentials\.xml|robomongo\.json|terraform\.tfvars)''' - tags = ["key", "FileName"] - - [[rules]] - description = "File extension with potential keys and credentials" - file = '''(?i)\.(pem|ppk|bashrc|pkcs12|p12|pfx|asc|ovpn|cscfg|rdp|mdf|sdf|sqlite|sqlite3|bek - |tpm|fve|jks|psafe3|keychain|pcap|gnucash|kwallet|tblk|s3cfg|kdbx|sqldumb|htpasswd|dockercfg)''' - 
tags = ["key", "FileExtension"] - - - - [allowlist] - description = "Whitelisted files" - files = [ - '''^.*gitleaks(config)?.*\.toml$''', - '''(.*?)(jpg|gif|doc|pdf|jepg|png|bin|yarn\.lock|svg)$''', - '''(go\.mod|go\.sum)$''', - '''(swagger-ui.*)(js|css|map)$''', - '''package-lock\.json''' - ] - paths = ["node_modules"] - - - - From 888af2394d5fa55c424103e1086eb8be32e934d4 Mon Sep 17 00:00:00 2001 From: malexmave Date: Thu, 20 Jan 2022 15:12:18 +0000 Subject: [PATCH 08/30] Updating Helm Docs Signed-off-by: GitHub Actions --- scanners/gitleaks/README.md | 4 ++-- scanners/gitleaks/docs/README.ArtifactHub.md | 2 +- scanners/gitleaks/docs/README.DockerHub-Parser.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scanners/gitleaks/README.md b/scanners/gitleaks/README.md index c8e0382763..b6f52e7540 100644 --- a/scanners/gitleaks/README.md +++ b/scanners/gitleaks/README.md @@ -3,7 +3,7 @@ title: "Gitleaks" category: "scanner" type: "Repository" state: "released" -appVersion: "v8.0.0" +appVersion: "v8.2.7" usecase: "Find potential secrets in repositories" --- 
@@ -178,7 +178,7 @@ For more information on how to use cascades take a look at | scanner.extraVolumeMounts | list | `[{"mountPath":"/home/","name":"gitleaks-config"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scanner.extraVolumes | list | `[{"configMap":{"name":"gitleaks-config"},"name":"gitleaks-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| scanner.image.repository | string | `"docker.io/securecodebox/scanner-gitleaks"` | Container Image to run the scan | +| scanner.image.repository | string | `"docker.io/zricethezav/gitleaks"` | Container Image to run the scan | | scanner.image.tag | string | `nil` | defaults to the charts appVersion | | scanner.nameAppend | string | `nil` | append a string to the default scantype name. | | scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | diff --git a/scanners/gitleaks/docs/README.ArtifactHub.md b/scanners/gitleaks/docs/README.ArtifactHub.md index 6f7fea6fc8..81cf7822b3 100644 --- a/scanners/gitleaks/docs/README.ArtifactHub.md +++ b/scanners/gitleaks/docs/README.ArtifactHub.md 
@@ -183,7 +183,7 @@ For more information on how to use cascades take a look at | scanner.extraVolumeMounts | list | `[{"mountPath":"/home/","name":"gitleaks-config"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scanner.extraVolumes | list | `[{"configMap":{"name":"gitleaks-config"},"name":"gitleaks-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| scanner.image.repository | string | `"docker.io/securecodebox/scanner-gitleaks"` | Container Image to run the scan | +| scanner.image.repository | string | `"docker.io/zricethezav/gitleaks"` | Container Image to run the scan | | scanner.image.tag | string | `nil` | defaults to the charts appVersion | | scanner.nameAppend | string | `nil` | append a string to the default scantype name. | | scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | diff --git a/scanners/gitleaks/docs/README.DockerHub-Parser.md b/scanners/gitleaks/docs/README.DockerHub-Parser.md index f167354168..1a9dc5ccdf 100644 --- a/scanners/gitleaks/docs/README.DockerHub-Parser.md +++ b/scanners/gitleaks/docs/README.DockerHub-Parser.md 
@@ -42,7 +42,7 @@ You can find resources to help you get started on our [documentation website](ht ## Supported Tags - `latest` (represents the latest stable release build) -- tagged releases, e.g. `v8.0.0` +- tagged releases, e.g. `v8.2.7` ## How to use this image This `parser` image is intended to work in combination with the corresponding security scanner docker image to parse the `findings` results. For more information details please take a look at the documentation page: https://docs.securecodebox.io/docs/scanners/gitleaks. From 799d4e77ae3e8848911c7561d96f6e5b1523ff27 Mon Sep 17 00:00:00 2001 From: Max Maass Date: Thu, 20 Jan 2022 16:18:14 +0100 Subject: [PATCH 09/30] Update jest snapshots for unit tests Signed-off-by: Max Maass --- scanners/gitleaks/parser/parser.test.js | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/scanners/gitleaks/parser/parser.test.js b/scanners/gitleaks/parser/parser.test.js index 3c05d45f61..a99cb4143a 100644 --- a/scanners/gitleaks/parser/parser.test.js +++ b/scanners/gitleaks/parser/parser.test.js @@ -55,11 +55,10 @@ Array [ "date": "2022-01-06T15:19:51Z", "description": "Generic API Key", "email": "committer@some-domain.tld", - "end_line": "51:45", "file": "hooks/persistence-azure-monitor/hook/hook.test.js", "line": "Key: \\"aGVsbG8taS1hbS1hLXRlc3Qta2V5\\"", + "line_number": 51, "offender": "aGVsbG8taS1hbS1hLXRlc3Qta2V5", - "start_line": "51:11", "tags": Array [], }, "category": "Potential Secret", @@ -75,11 +74,10 @@ Array [ "date": "2021-09-06T13:53:58Z", "description": "PKCS8 private key", "email": "committer@some-domain.tld", - "end_line": "1:27", "file": "demo-targets/unsafe-https/container/site.key", "line": "-----BEGIN PRIVATE KEY-----", + "line_number": 1, "offender": "-----BEGIN PRIVATE KEY-----", - "start_line": "1:1", "tags": Array [ "PrivateKey", ], 
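Review bot: The updated snapshots keep only `line_number` where the previous ones carried `start_line`/`end_line` with column offsets (`"51:11"` and `"51:45"` in the first hunk), so a finding no longer records where inside the line the offender sits. If the v8 report still exposes column positions, mapping them into an additional attribute would preserve that precision for consumers that highlight the exact secret; the parser change that produces `line_number` is not part of this hunk, so this may already be a deliberate trade-off. The same drop applies to the hunks at `@@ -75`, `@@ -97`, `@@ -117`, `@@ -165` and `@@ -213`.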
@@ -97,11 +95,10 @@ Array [ "date": "2021-07-02T12:25:00Z", "description": "Slack token", "email": "committer@some-domain.tld", - "end_line": "164:297", "file": "hooks/notification/README.md", "line": "xoxb-", + "line_number": 164, "offender": "xoxb-", - "start_line": "164:293", "tags": Array [], }, "category": "Potential Secret", @@ -117,11 +114,10 @@ Array [ "date": "2021-05-02T17:17:57Z", "description": "Generic API Key", "email": "committer@some-domain.tld", - "end_line": "37:47", "file": "scanners/zap-extended/scanner/scbzapv2/__main__.py", "line": "api_key = 'eor898q1luuq8054e0e5r9s3jh'", + "line_number": 37, "offender": "eor898q1luuq8054e0e5r9s3jh", - "start_line": "37:10", "tags": Array [], }, "category": "Potential Secret", @@ -165,11 +161,10 @@ Array [ "date": "2020-10-15T11:35:39Z", "description": "PKCS8 private key", "email": "committer@some-domain.tld", - "end_line": "167:48", "file": "scanners/gitleaks/parser/parser.test.js", "line": "-----BEGIN PRIVATE KEY-----", + "line_number": 167, "offender": "-----BEGIN PRIVATE KEY-----", - "start_line": "167:22", "tags": Array [], }, "category": "Potential Secret", @@ -213,11 +208,10 @@ Array [ "date": "2020-10-15T11:35:39Z", "description": "PKCS8 private key", "email": "committer@some-domain.tld", - "end_line": "167:48", "file": "scanners/gitleaks/parser/parser.test.js", "line": "-----BEGIN PRIVATE KEY-----", + "line_number": 167, "offender": "-----BEGIN PRIVATE KEY-----", - "start_line": "167:22", "tags": Array [], }, "category": "Potential Secret", From 9717a01533f226ed3f0ba5da2745ee5a879ec202 Mon Sep 17 00:00:00 2001 From: Max Maass Date: Thu, 20 Jan 2022 16:25:36 +0100 Subject: [PATCH 10/30] Remove configmap volumes from values.yaml Signed-off-by: Max Maass --- scanners/gitleaks/values.yaml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/scanners/gitleaks/values.yaml b/scanners/gitleaks/values.yaml index 8e17ca86b7..b1c136f6f1 100644 --- a/scanners/gitleaks/values.yaml 
+++ b/scanners/gitleaks/values.yaml @@ -60,15 +60,10 @@ scanner: env: [] # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) - extraVolumes: - - name: "gitleaks-config" - configMap: - name: "gitleaks-config" + extraVolumes: [] # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) - extraVolumeMounts: - - name: "gitleaks-config" - mountPath: "/home/" + extraVolumeMounts: [] # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] From 4c7424c2883180bc6a67e4e3d42d73c9a182a775 Mon Sep 17 00:00:00 2001 From: malexmave Date: Thu, 20 Jan 2022 15:26:06 +0000 Subject: [PATCH 11/30] Updating Helm Docs Signed-off-by: GitHub Actions --- scanners/gitleaks/README.md | 4 ++-- scanners/gitleaks/docs/README.ArtifactHub.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scanners/gitleaks/README.md b/scanners/gitleaks/README.md index b6f52e7540..77ce832a3b 100644 --- a/scanners/gitleaks/README.md +++ b/scanners/gitleaks/README.md 
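Review bot: With `extraVolumes` and `extraVolumeMounts` now defaulting to `[]`, no gitleaks config is mounted into the scan job any more, so a scan that passes no `--config` presumably runs on gitleaks' built-in rules, and nothing in values.yaml tells chart users how to bring their own rule set. A short comment above `extraVolumes` would close that gap, e.g. `# To scan with a custom gitleaks config, mount it here (with a matching extraVolumeMounts entry) and pass "--config <mounted path>" in the scan parameters`. Scan definitions or cascading rules that still pass `--config /home/config_all.toml` (as the GitLab cascading rules deleted earlier in this series did) would no longer find that file, which is worth stating in the chart's upgrade notes.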
@@ -175,8 +175,8 @@ For more information on how to use cascades take a look at | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scanner.extraVolumeMounts | list | `[{"mountPath":"/home/","name":"gitleaks-config"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scanner.extraVolumes | list | `[{"configMap":{"name":"gitleaks-config"},"name":"gitleaks-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | scanner.image.repository | string | `"docker.io/zricethezav/gitleaks"` | Container Image to run the scan | | scanner.image.tag | string | `nil` | defaults to the charts appVersion | 
diff --git a/scanners/gitleaks/docs/README.ArtifactHub.md b/scanners/gitleaks/docs/README.ArtifactHub.md
index 81cf7822b3..dcd7cc0ee8 100644
--- a/scanners/gitleaks/docs/README.ArtifactHub.md
+++ b/scanners/gitleaks/docs/README.ArtifactHub.md
@@ -180,8 +180,8 @@ For more information on how to use cascades take a look at | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scanner.extraVolumeMounts | list | `[{"mountPath":"/home/","name":"gitleaks-config"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scanner.extraVolumes | list | `[{"configMap":{"name":"gitleaks-config"},"name":"gitleaks-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | scanner.image.repository | string | `"docker.io/zricethezav/gitleaks"` | Container Image to run the scan | | scanner.image.tag | string | `nil` | defaults to the charts appVersion | 
From d11f29e246104e1b1a19fba732023428b34ca28f Mon Sep 17 00:00:00 2001 From: Max Maass Date: Fri, 21 Jan 2022 11:40:03 +0100 Subject: [PATCH 12/30] Remove flag for custom scanner image for gitleaks Signed-off-by: Max Maass --- scanners/gitleaks/Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/scanners/gitleaks/Makefile b/scanners/gitleaks/Makefile index 48ce7e2b39..5a8e684fc9 100644 --- a/scanners/gitleaks/Makefile +++ b/scanners/gitleaks/Makefile @@ -7,7 +7,6 @@ include_guard = set scanner = gitleaks -custom_scanner = set include ../../scanners.mk From d86c7d687aa5cb61ad8e39f08e83beb72cb29b10 Mon Sep 17 00:00:00 2001 From: Max Maass Date: Mon, 24 Jan 2022 09:18:35 +0100 Subject: [PATCH 13/30] Remove inferrence of git repo URL for commit Signed-off-by: Max Maass --- scanners/gitleaks/parser/package-lock.json | 15 ---- scanners/gitleaks/parser/package.json | 6 +- scanners/gitleaks/parser/parser.js | 36 +-------- scanners/gitleaks/parser/parser.test.js | 94 ---------------------- 4 files changed, 4 insertions(+), 147 deletions(-) diff --git a/scanners/gitleaks/parser/package-lock.json b/scanners/gitleaks/parser/package-lock.json index f24e6f808d..a2ac44e3f4 100644 --- a/scanners/gitleaks/parser/package-lock.json +++ b/scanners/gitleaks/parser/package-lock.json @@ -8,22 +8,7 @@ "name": "@securecodebox/parser-gitleaks", "version": "1.0.0", "license": "Apache-2.0", - "dependencies": { - "arg": "^5.0.0" - }, "devDependencies": {} - }, - "node_modules/arg": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/arg/-/arg-5.0.0.tgz", - "integrity": "sha512-4P8Zm2H+BRS+c/xX1LrHw0qKpEhdlZjLCgWy+d78T9vqa2Z2SiD2wMrYuWIAFy5IZUD7nnNXroRttz+0RzlrzQ==" - } - }, - "dependencies": { - "arg": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/arg/-/arg-5.0.0.tgz", - "integrity": "sha512-4P8Zm2H+BRS+c/xX1LrHw0qKpEhdlZjLCgWy+d78T9vqa2Z2SiD2wMrYuWIAFy5IZUD7nnNXroRttz+0RzlrzQ==" } } } 
diff --git a/scanners/gitleaks/parser/package.json b/scanners/gitleaks/parser/package.json index cbd20df804..1e962db784 100644 --- a/scanners/gitleaks/parser/package.json +++ b/scanners/gitleaks/parser/package.json @@ -6,9 +6,5 @@ "scripts": {}, "keywords": [], "author": "iteratec GmbH", - "license": "Apache-2.0", - "dependencies": { - "arg": "^5.0.0" - }, - "devDependencies": {} + "license": "Apache-2.0" } diff --git a/scanners/gitleaks/parser/parser.js b/scanners/gitleaks/parser/parser.js index c990887681..87ac431cb6 100644 --- a/scanners/gitleaks/parser/parser.js +++ b/scanners/gitleaks/parser/parser.js @@ -2,16 +2,11 @@ // // SPDX-License-Identifier: Apache-2.0 -const arg = require("arg"); - -const HIGH_TAGS = ['JWT', 'Artifactory', 'AWS', 'PrivateKey']; -const MEDIUM_TAGS = ['Hash', 'Facebook', 'Twitter', 'Github', 'LinkedIn', 'Slack', 'Google', 'Heroku', - 'Mailchimp', 'Mailgun', 'Paypal', 'Picatic', 'Teams', 'Jenkins', 'Stripe', 'Square', 'Twilio']; +const HIGH_TAGS = ["HIGH"]; +const MEDIUM_TAGS = ["MEDIUM"]; async function parse (fileContent, scan) { - const commitUrl = prepareCommitUrl(scan) - if (fileContent) { return fileContent.map(finding => { @@ -30,7 +25,7 @@ async function parse (fileContent, scan) { severity: severity, category: 'Potential Secret', attributes: { - commit: commitUrl + finding.Commit, + commit: finding.Commit, description: finding.Description, offender: finding.Secret, author: finding.Author, 
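Review bot: `HIGH_TAGS = ["HIGH"]` and `MEDIUM_TAGS = ["MEDIUM"]` move the severity source from a fixed list of known rule names to tags the rule author attaches to each rule, but nothing in the file explains that contract, and `containsTag` further down (`tag.includes(longTag)`) is a case-sensitive substring match, so a `high` tag would not map while any tag merely containing `HIGH` would. A comment next to the constants would make the expectation explicit, e.g. `// Severity comes from the rule's tags in the gitleaks config: "HIGH" / "MEDIUM" (case-sensitive substring match in containsTag); findings with no matching tag appear to fall through to LOW`, the last part being what the removed snapshot with `"tags": Array []` and `"severity": "LOW"` shows. This severity change is also unrelated to the commit's stated purpose (removing the repo URL inference) and would be easier to review as its own commit; if `scan` is no longer read anywhere in `parse` after `prepareCommitUrl` is gone, the parameter could be documented as kept for interface compatibility. The body of `parse` continues outside the hunk.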
@@ -50,31 +45,6 @@ async function parse (fileContent, scan) { } } -// FIXME: Update this function to use init container data -function prepareCommitUrl (scan) { - if (!scan) { - return ''; - } - - const args = arg( - { - '-r': String, - '--repo': '-r' - }, - { permissive: true, argv: scan.spec.parameters } - ); - - const repositoryUrl = args['-r']; - - if (!repositoryUrl) { - return ''; - } - - return repositoryUrl.endsWith('/') ? - repositoryUrl + 'commit/' - : repositoryUrl + '/commit/' -} - function containsTag (tag, tags) { let result = tags.filter(longTag => tag.includes(longTag)); return result.length > 0; diff --git a/scanners/gitleaks/parser/parser.test.js b/scanners/gitleaks/parser/parser.test.js index a99cb4143a..0c0051d545 100644 --- a/scanners/gitleaks/parser/parser.test.js +++ b/scanners/gitleaks/parser/parser.test.js 
@@ -129,97 +129,3 @@ Array [ ] `); }); - -test("should properly construct commit URL if present with -r option", async () => { - const scan = { - spec: { - scanType: "gitleaks", - parameters: [ - "-r", - "https://github.com/iteratec/multi-juicer", - "--config", - "/home/config_all.toml", - ], - }, - }; - - const jsonContent = await readFile( - __dirname + "/__testFiles__/test-report-small.json", - { - encoding: "utf8", - } - ); - const findings = await parse(JSON.parse(jsonContent), scan); - await expect(validateParser(findings)).resolves.toBeUndefined(); - - expect(findings).toMatchInlineSnapshot(` -Array [ - Object { - "attributes": Object { - "author": "Commit Author", - "commit": "https://github.com/iteratec/multi-juicer/commit/604ca16251cd6e528328605420890f2d55a5464d", - "date": "2020-10-15T11:35:39Z", - "description": "PKCS8 private key", - "email": "committer@some-domain.tld", - "file": "scanners/gitleaks/parser/parser.test.js", - "line": "-----BEGIN PRIVATE KEY-----", - "line_number": 167, - "offender": "-----BEGIN PRIVATE KEY-----", - "tags": Array [], - }, - "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "name": "PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "LOW", - }, -] -`); -}); - -test("should properly construct commit URL if present with --repo option", async () => { - const scan = { - spec: { - scanType: "gitleaks", - parameters: [ - "--repo", - "https://github.com/iteratec/multi-juicer/", - "--config", - "/home/config_all.toml", - ], - }, - }; - - const jsonContent = await readFile( - __dirname + "/__testFiles__/test-report-small.json", - { - encoding: "utf8", - } - ); - - const findings = await parse(JSON.parse(jsonContent), scan); - await expect(validateParser(findings)).resolves.toBeUndefined(); - expect(findings).toMatchInlineSnapshot(` -Array [ - Object { - "attributes": Object { - "author": "Commit Author", - "commit": 
"https://github.com/iteratec/multi-juicer/commit/604ca16251cd6e528328605420890f2d55a5464d", - "date": "2020-10-15T11:35:39Z", - "description": "PKCS8 private key", - "email": "committer@some-domain.tld", - "file": "scanners/gitleaks/parser/parser.test.js", - "line": "-----BEGIN PRIVATE KEY-----", - "line_number": 167, - "offender": "-----BEGIN PRIVATE KEY-----", - "tags": Array [], - }, - "category": "Potential Secret", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "name": "PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "LOW", - }, -] -`); -}); From 1020a6520656922355d84eb6f3560650e40c722e Mon Sep 17 00:00:00 2001 From: Max Maass Date: Mon, 24 Jan 2022 09:24:50 +0100 Subject: [PATCH 14/30] Define more general severity tags Signed-off-by: Max Maass --- .../__testFiles__/test-report-small.json | 20 ----- .../__testFiles__/test-report-tags.json | 56 +++++++++++++ ....license => test-report-tags.json.license} | 0 scanners/gitleaks/parser/parser.js | 8 +- scanners/gitleaks/parser/parser.test.js | 83 ++++++++++++++++++- 5 files changed, 140 insertions(+), 27 deletions(-) delete mode 100644 scanners/gitleaks/parser/__testFiles__/test-report-small.json create mode 100644 scanners/gitleaks/parser/__testFiles__/test-report-tags.json rename scanners/gitleaks/parser/__testFiles__/{test-report-small.json.license => test-report-tags.json.license} (100%) diff --git a/scanners/gitleaks/parser/__testFiles__/test-report-small.json b/scanners/gitleaks/parser/__testFiles__/test-report-small.json deleted file mode 100644 index 732dc4180b..0000000000 --- a/scanners/gitleaks/parser/__testFiles__/test-report-small.json +++ /dev/null 
@@ -1,20 +0,0 @@ -[ - { - "Description": "PKCS8 private key", - "StartLine": 167, - "EndLine": 167, - "StartColumn": 22, - "EndColumn": 48, - "Match": "-----BEGIN PRIVATE KEY-----", - "Secret": "-----BEGIN PRIVATE KEY-----", - "File": "scanners/gitleaks/parser/parser.test.js", - "Commit": "604ca16251cd6e528328605420890f2d55a5464d", - "Entropy": 0, - "Author": "Commit Author", - "Email": "committer@some-domain.tld", - "Date": "2020-10-15T11:35:39Z", - "Message": "feature/gitleaks-scanner", - "Tags": [], - "RuleID": "PKCS8-PK" - } -] diff --git a/scanners/gitleaks/parser/__testFiles__/test-report-tags.json b/scanners/gitleaks/parser/__testFiles__/test-report-tags.json new file mode 100644 index 0000000000..d03b19b01c --- /dev/null +++ b/scanners/gitleaks/parser/__testFiles__/test-report-tags.json 
@@ -0,0 +1,56 @@ +[ + { + "Description": "PKCS8 private key", + "StartLine": 167, + "EndLine": 167, + "StartColumn": 22, + "EndColumn": 48, + "Match": "-----BEGIN PRIVATE KEY-----", + "Secret": "-----BEGIN PRIVATE KEY-----", + "File": "scanners/gitleaks/parser/parser.test.js", + "Commit": "604ca16251cd6e528328605420890f2d55a5464d", + "Entropy": 0, + "Author": "Commit Author", + "Email": "committer@some-domain.tld", + "Date": "2020-10-15T11:35:39Z", + "Message": "feature/gitleaks-scanner", + "Tags": ["HIGH"], + "RuleID": "PKCS8-PK" + }, + { + "Description": "PKCS8 private key", + "StartLine": 167, + "EndLine": 167, + "StartColumn": 22, + "EndColumn": 48, + "Match": "-----BEGIN PRIVATE KEY-----", + "Secret": "-----BEGIN PRIVATE KEY-----", + "File": "scanners/gitleaks/parser/parser.test.js", + "Commit": "604ca16251cd6e528328605420890f2d55a5464d", + "Entropy": 0, + "Author": "Commit Author", + "Email": "committer@some-domain.tld", + "Date": "2020-10-15T11:35:39Z", + "Message": "feature/gitleaks-scanner", + "Tags": [], + "RuleID": "PKCS8-PK" + }, + { + "Description": "PKCS8 private key", + "StartLine": 167, + "EndLine": 167, + "StartColumn": 22, + "EndColumn": 48, + "Match": "-----BEGIN PRIVATE KEY-----", + "Secret": "-----BEGIN PRIVATE KEY-----", + "File": "scanners/gitleaks/parser/parser.test.js", + "Commit": "604ca16251cd6e528328605420890f2d55a5464d", + "Entropy": 0, + "Author": "Commit Author", + "Email": "committer@some-domain.tld", + "Date": "2020-10-15T11:35:39Z", + "Message": "feature/gitleaks-scanner", + "Tags": ["LOW"], + "RuleID": "PKCS8-PK" + } +] diff --git a/scanners/gitleaks/parser/__testFiles__/test-report-small.json.license b/scanners/gitleaks/parser/__testFiles__/test-report-tags.json.license similarity index 100% rename from scanners/gitleaks/parser/__testFiles__/test-report-small.json.license rename to scanners/gitleaks/parser/__testFiles__/test-report-tags.json.license 
diff --git a/scanners/gitleaks/parser/parser.js b/scanners/gitleaks/parser/parser.js
index 87ac431cb6..5800cbb953 100644
--- a/scanners/gitleaks/parser/parser.js
+++ b/scanners/gitleaks/parser/parser.js
@@ -3,19 +3,19 @@
 // SPDX-License-Identifier: Apache-2.0
 const HIGH_TAGS = ["HIGH"];
-const MEDIUM_TAGS = ["MEDIUM"];
+const LOW_TAGS = ["LOW"];
 async function parse (fileContent, scan) {
 if (fileContent) {
 return fileContent.map(finding => {
- let severity = 'LOW';
+ let severity = 'MEDIUM';
 if (containsTag(finding.Tags, HIGH_TAGS)) {
 severity = 'HIGH'
- } else if (containsTag(finding.Tags, MEDIUM_TAGS)) {
- severity = 'MEDIUM'
+ } else if (containsTag(finding.Tags, LOW_TAGS)) {
+ severity = 'LOW'
 }
 return {
diff --git a/scanners/gitleaks/parser/parser.test.js b/scanners/gitleaks/parser/parser.test.js
index 0c0051d545..5d473a602b 100644
--- a/scanners/gitleaks/parser/parser.test.js
+++ b/scanners/gitleaks/parser/parser.test.js
@@ -65,7 +65,7 @@ Array [
 "description": "The name of the rule which triggered the finding: generic-api-key",
 "name": "generic-api-key",
 "osi_layer": "APPLICATION",
- "severity": "LOW",
+ "severity": "MEDIUM",
 },
 Object {
 "attributes": Object {
@@ -86,7 +86,7 @@ Array [
 "description": "The name of the rule which triggered the finding: PKCS8-PK",
 "name": "PKCS8-PK",
 "osi_layer": "APPLICATION",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 },
 Object {
 "attributes": Object {
@@ -105,7 +105,7 @@ Array [
 "description": "The name of the rule which triggered the finding: slack-access-token",
 "name": "slack-access-token",
 "osi_layer": "APPLICATION",
- "severity": "LOW",
+ "severity": "MEDIUM",
 },
 Object {
 "attributes": Object {
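Review bot: Severity now defaults to MEDIUM and only moves when a rule carries exactly the tag `HIGH` or `LOW`; `containsTag` (defined below this hunk) matches with `Array.prototype.includes`, so the comparison is exact and case-sensitive and a user config with `tags = ["high"]` or `["High"]` silently stays at MEDIUM. Normalising once at the top of the map callback, `const tags = (finding.Tags || []).map(t => String(t).toUpperCase());`, and matching against that would make the contract forgiving and also guard a report entry without a `Tags` array, which as written would throw inside `containsTag`. Either way the convention — add `tags = ["HIGH"]` or `["LOW"]` to your own rules; the built-in rules carry no tags and so land at MEDIUM, as the updated snapshots show — belongs in a comment next to `HIGH_TAGS`/`LOW_TAGS` and in the scanner README. The body of `parse` continues outside the hunk.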
@@ -124,6 +124,83 @@ Array [ "description": "The name of the rule which triggered the finding: generic-api-key", "name": "generic-api-key", "osi_layer": "APPLICATION", + "severity": "MEDIUM", + }, +] +`); +}); + +test("should define severity based on tags in result file", async () => { + const jsonContent = await readFile( + __dirname + "/__testFiles__/test-report-tags.json", + { + encoding: "utf8", + } + ); + const findings = await parse(JSON.parse(jsonContent)); + await expect(validateParser(findings)).resolves.toBeUndefined(); + + expect(findings).toMatchInlineSnapshot(` +Array [ + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "604ca16251cd6e528328605420890f2d55a5464d", + "date": "2020-10-15T11:35:39Z", + "description": "PKCS8 private key", + "email": "committer@some-domain.tld", + "file": "scanners/gitleaks/parser/parser.test.js", + "line": "-----BEGIN PRIVATE KEY-----", + "line_number": 167, + "offender": "-----BEGIN PRIVATE KEY-----", + "tags": Array [ + "HIGH", + ], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "HIGH", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "604ca16251cd6e528328605420890f2d55a5464d", + "date": "2020-10-15T11:35:39Z", + "description": "PKCS8 private key", + "email": "committer@some-domain.tld", + "file": "scanners/gitleaks/parser/parser.test.js", + "line": "-----BEGIN PRIVATE KEY-----", + "line_number": 167, + "offender": "-----BEGIN PRIVATE KEY-----", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "604ca16251cd6e528328605420890f2d55a5464d", + "date": "2020-10-15T11:35:39Z", + "description": 
"PKCS8 private key",
+ "email": "committer@some-domain.tld",
+ "file": "scanners/gitleaks/parser/parser.test.js",
+ "line": "-----BEGIN PRIVATE KEY-----",
+ "line_number": 167,
+ "offender": "-----BEGIN PRIVATE KEY-----",
+ "tags": Array [
+ "LOW",
+ ],
+ },
+ "category": "Potential Secret",
+ "description": "The name of the rule which triggered the finding: PKCS8-PK",
+ "name": "PKCS8-PK",
+ "osi_layer": "APPLICATION",
 "severity": "LOW",
 },
 ]
From 01942badac5aa380966df52d78bb87b07e729a41 Mon Sep 17 00:00:00 2001
From: Max Maass
Date: Tue, 25 Jan 2022 10:14:41 +0100
Subject: [PATCH 15/30] Fix parameterization of gitleaks scantype
Signed-off-by: Max Maass
---
 scanners/gitleaks/templates/gitleaks-scan-type.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scanners/gitleaks/templates/gitleaks-scan-type.yaml b/scanners/gitleaks/templates/gitleaks-scan-type.yaml
index efa9a1361a..ba9de43477 100644
--- a/scanners/gitleaks/templates/gitleaks-scan-type.yaml
+++ b/scanners/gitleaks/templates/gitleaks-scan-type.yaml
@@ -33,9 +33,9 @@ spec:
 command:
 - "gitleaks"
 - "--verbose"
- - "--format"
+ - "--report-format"
 - "json"
- - "--report"
+ - "--report-path"
 - "/home/securecodebox/report.json"
 - "--exit-code"
 - "0"
From 8225fffc8487cb1263698a32819af6c41371c55f Mon Sep 17 00:00:00 2001
From: Max Maass
Date: Tue, 25 Jan 2022 10:21:06 +0100
Subject: [PATCH 16/30] Fix gitleaks parser dockerfile
Signed-off-by: Max Maass
---
 scanners/gitleaks/parser/Dockerfile | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/scanners/gitleaks/parser/Dockerfile b/scanners/gitleaks/parser/Dockerfile
index e087d6a7ac..2f0dbd1de8 100644
--- a/scanners/gitleaks/parser/Dockerfile
+++ b/scanners/gitleaks/parser/Dockerfile
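Review bot: The command keeps `- "--verbose"` next to the corrected report flags; as far as I recall gitleaks v8 prints every finding, including the matched secret, to stdout when verbose is on, which here is the scan pod's log stream and whatever aggregation collects it — a second copy of each secret outside the report file that nothing in this chart needs. Dropping the `--verbose` entry (the parser reads only `/home/securecodebox/report.json`), or adding `- "--redact"` so printed findings are masked, keeps secrets in the one place they have to be; please confirm the exact v8 flag behaviour, since the renamed `--format`/`--report` flags show how easily the v7 assumptions survived the upgrade. A short comment above `command:` stating which flags the parser depends on would also make the next flag rename safer. The `command` list sits inside a `spec` that continues outside the hunk.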
@@ -2,15 +2,18 @@
 #
 # SPDX-License-Identifier: Apache-2.0
+# Commented out the dependency management as there are no dependencies in the
+# parser at the moment. Add the commented-out parts of the Dockerfile again
+# if the parser starts needing packages once again.
 ARG namespace
 ARG baseImageTag
-FROM node:16-alpine as build
-RUN mkdir -p /home/app
-WORKDIR /home/app
-COPY package.json package-lock.json ./
-RUN npm ci --production
+# FROM node:16-alpine as build
+# RUN mkdir -p /home/app
+# WORKDIR /home/app
+# COPY package.json package-lock.json ./
+# RUN npm ci --production
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
+# COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
 COPY --chown=app:app ./parser.js ./parser.js
From cf3833cf14498a4c2f5c3bc8028be240cb68939c Mon Sep 17 00:00:00 2001
From: Max Maass
Date: Tue, 25 Jan 2022 10:22:16 +0100
Subject: [PATCH 17/30] Update examples
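Review bot: The disabled build stage is kept as six commented-out instructions (`# FROM node:16-alpine as build` through `# COPY --from=build ...`), which is dead code the next reader has to evaluate on every change; the explanatory comment is the valuable part, and the stage itself is one `git log` away. I would keep a single line, `# No npm dependencies at the moment; see git history for the multi-stage "npm ci" build if the parser needs packages again.`, and delete the commented instructions, together with the now-unused `package-lock.json` that nothing in this image consumes. Visible in the context, not introduced here: the runtime base resolves to `parser-sdk-nodejs:latest` whenever `baseImageTag` is not passed, so reproducible parser images depend on every build path setting it.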
Signed-off-by: Max Maass --- .../examples/multi-juicer/findings.json | 302 ---- .../gitleaks/examples/multi-juicer/scan.yaml | 15 - .../examples/private-repository/README.md | 13 +- .../examples/private-repository/scan.yaml | 45 +- .../examples/provide-own-rules/README.md | 2 +- .../examples/provide-own-rules/scan.yaml | 47 + .../{multi-juicer => secureCodeBox}/README.md | 2 +- .../examples/secureCodeBox/findings.json | 1472 +++++++++++++++++ .../findings.json.license | 0 .../gitleaks/examples/secureCodeBox/scan.yaml | 38 + 10 files changed, 1607 insertions(+), 329 deletions(-) delete mode 100644 scanners/gitleaks/examples/multi-juicer/findings.json delete mode 100644 scanners/gitleaks/examples/multi-juicer/scan.yaml rename scanners/gitleaks/examples/{multi-juicer => secureCodeBox}/README.md (54%) create mode 100644 scanners/gitleaks/examples/secureCodeBox/findings.json rename scanners/gitleaks/examples/{multi-juicer => secureCodeBox}/findings.json.license (100%) create mode 100644 scanners/gitleaks/examples/secureCodeBox/scan.yaml diff --git a/scanners/gitleaks/examples/multi-juicer/findings.json b/scanners/gitleaks/examples/multi-juicer/findings.json deleted file mode 100644 index c9b35b099f..0000000000 --- a/scanners/gitleaks/examples/multi-juicer/findings.json +++ /dev/null 
@@ -1,302 +0,0 @@ -[ - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "194d89fb02c9bb6fd2ff1fcf42018d7e6dbaeae2", - "repo": "multi-juicer", - "offender": "key: metricsBasicAuthPassword", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-03-04T20:11:39+01:00", - "file": "helm/multi-juicer/templates/juice-balancer-deployment.yaml", - "line_number": 59, - "tags": [ - "key", - "Generic" - ], - "line": " key: metricsBasicAuthPassword" - }, - "id": "efaf1b50-3f7b-447d-92ea-7172c697f09c" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "194d89fb02c9bb6fd2ff1fcf42018d7e6dbaeae2", - "repo": "multi-juicer", - "offender": "key: metricsBasicAuthPassword", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-03-04T20:11:39+01:00", - "file": "helm/multi-juicer/templates/juice-balancer-servicemonitor.yaml", - "line_number": 20, - "tags": [ - "key", - "Generic" - ], - "line": " key: metricsBasicAuthPassword" - }, - "id": "43622169-a94f-4396-bb66-1ac020cdfb5b" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "194d89fb02c9bb6fd2ff1fcf42018d7e6dbaeae2", - "repo": "multi-juicer", - "offender": "password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-03-04T20:11:39+01:00", - "file": "helm/multi-juicer/values.yaml", - "line_number": 48, - "tags": 
[ - "key", - "Generic" - ], - "line": " password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy" - }, - "id": "ece59401-d900-4de9-bda7-30b336c6833d" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "194d89fb02c9bb6fd2ff1fcf42018d7e6dbaeae2", - "repo": "multi-juicer", - "offender": "password\": \"ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-03-04T20:11:39+01:00", - "file": "juice-balancer/config/config.json", - "line_number": 19, - "tags": [ - "key", - "Generic" - ], - "line": " \"password\": \"ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy\"" - }, - "id": "40d61a77-6fc1-48c3-9f73-7f772b54c749" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "4702700c71c422a6371accc5085466476dad5b3e", - "repo": "multi-juicer", - "offender": "Password: \"glaucoma-coupling-usurious-crayfish-dugout-acuity", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-29T11:24:21-05:00", - "file": "guides/monitoring-setup/prometheus-operator-config.yaml", - "line_number": 6, - "tags": [ - "key", - "Generic" - ], - "line": " adminPassword: \"glaucoma-coupling-usurious-crayfish-dugout-acuity\"" - }, - "id": "ddaca655-7f27-45ec-897f-67aa0d22cd44" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "d97c6ad68b246f4966fa496893246b19a695e781", - "repo": "multi-juicer", - "offender": "key: metricsBasicAuthPassword", - 
"author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-28T17:37:24-05:00", - "file": "helm/multi-juicer/templates/juice-balancer-deployment.yaml", - "line_number": 59, - "tags": [ - "key", - "Generic" - ], - "line": " key: metricsBasicAuthPassword" - }, - "id": "c33cd638-f8b0-4b5e-b859-b167dffe5c12" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "d97c6ad68b246f4966fa496893246b19a695e781", - "repo": "multi-juicer", - "offender": "key: metricsBasicAuthPassword", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-28T17:37:24-05:00", - "file": "helm/multi-juicer/templates/juice-balancer-servicemonitor.yaml", - "line_number": 20, - "tags": [ - "key", - "Generic" - ], - "line": " key: metricsBasicAuthPassword" - }, - "id": "45e843b3-c453-41b5-8e63-928bdf58e745" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "d97c6ad68b246f4966fa496893246b19a695e781", - "repo": "multi-juicer", - "offender": "password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-28T17:37:24-05:00", - "file": "helm/multi-juicer/values.yaml", - "line_number": 37, - "tags": [ - "key", - "Generic" - ], - "line": " password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy" - }, - "id": "186534f6-276e-4e50-b893-f8a95a2d0915" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": 
"d97c6ad68b246f4966fa496893246b19a695e781", - "repo": "multi-juicer", - "offender": "password\": \"ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-28T17:37:24-05:00", - "file": "juice-balancer/config/config.json", - "line_number": 19, - "tags": [ - "key", - "Generic" - ], - "line": " \"password\": \"ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy\"" - }, - "id": "99d860f7-2124-414d-83fe-634de61921af" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "eaf6864262dbbcbf19c972cd961121b340b9968f", - "repo": "multi-juicer", - "offender": "key: metricsBasicAuthPassword", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-18T22:28:53+01:00", - "file": "helm/multi-juicer/templates/juice-balancer-deployment.yaml", - "line_number": 59, - "tags": [ - "key", - "Generic" - ], - "line": " key: metricsBasicAuthPassword" - }, - "id": "9552da68-56c8-4599-a458-a10f28fb7f48" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "eaf6864262dbbcbf19c972cd961121b340b9968f", - "repo": "multi-juicer", - "offender": "key: metricsBasicAuthPassword", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-18T22:28:53+01:00", - "file": "helm/multi-juicer/templates/juice-balancer-servicemonitor.yaml", - "line_number": 20, - "tags": [ - "key", - "Generic" - ], - "line": " key: metricsBasicAuthPassword" - }, - "id": "cdb540bd-c558-43a8-a4f0-cb0d05ece5ba" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: 
Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "eaf6864262dbbcbf19c972cd961121b340b9968f", - "repo": "multi-juicer", - "offender": "password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-18T22:28:53+01:00", - "file": "helm/multi-juicer/values.yaml", - "line_number": 33, - "tags": [ - "key", - "Generic" - ], - "line": " password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy" - }, - "id": "e185c0d3-b060-4ae3-b292-82b89beb6a48" - }, - { - "name": "Generic credentials", - "description": "The name of the rule which triggered the finding: Generic credentials", - "osi_layer": "APPLICATION", - "severity": "LOW", - "category": "Potential Secret", - "attributes": { - "commit": "eaf6864262dbbcbf19c972cd961121b340b9968f", - "repo": "multi-juicer", - "offender": "password\": \"ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-02-18T22:28:53+01:00", - "file": "juice-balancer/config/config.json", - "line_number": 19, - "tags": [ - "key", - "Generic" - ], - "line": " \"password\": \"ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy\"" - }, - "id": "0a48dd0c-d860-4d5d-b946-5e32f4a14f7f" - } -] - diff --git a/scanners/gitleaks/examples/multi-juicer/scan.yaml b/scanners/gitleaks/examples/multi-juicer/scan.yaml deleted file mode 100644 index ae4b2a4e32..0000000000 --- a/scanners/gitleaks/examples/multi-juicer/scan.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# SPDX-FileCopyrightText: 2021 iteratec GmbH -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: "execution.securecodebox.io/v1" -kind: Scan -metadata: - name: "scan-multi-juicer-example" -spec: - scanType: "gitleaks" - parameters: - - "-r" - - "https://github.com/iteratec/multi-juicer" - - "--config" - - "/home/config_all.toml" 
diff --git a/scanners/gitleaks/examples/private-repository/README.md b/scanners/gitleaks/examples/private-repository/README.md index 592c822f3d..ed59f20823 100644 --- a/scanners/gitleaks/examples/private-repository/README.md +++ b/scanners/gitleaks/examples/private-repository/README.md @@ -4,4 +4,15 @@ SPDX-FileCopyrightText: 2021 iteratec GmbH SPDX-License-Identifier: Apache-2.0 --> -Another example for how to scan a private GitLab repository: +In some cases, you may have to authenticate to clone a repository. +For this, you can place your relevant access token in a Kubernetes secret: + +```bash +# Don't forget the leading whitespace in the command to avoid +# having your GitHub access token in your shell history! + echo -n 'gh_abcdef...' > github-token.txt # use -n to avoid trailing line break +kubectl create secret generic github-access-token --from-file=token=github-token.txt +rm github-token.txt +``` + +Then, you can use this token to perform an authenticated HTTPS clone, like in the following example. \ No newline at end of file diff --git a/scanners/gitleaks/examples/private-repository/scan.yaml b/scanners/gitleaks/examples/private-repository/scan.yaml index cd36f474e7..12d7b5bf4c 100644 --- a/scanners/gitleaks/examples/private-repository/scan.yaml +++ b/scanners/gitleaks/examples/private-repository/scan.yaml 
@@ -5,15 +5,42 @@ apiVersion: "execution.securecodebox.io/v1" kind: Scan metadata: - name: "scan-private-repository-example" + name: "authenticated-clone.example" spec: scanType: "gitleaks" + # Define a volume and mount it at /repo in the scan container + volumes: + - name: repo + emptyDir: {} + volumeMounts: + - name: repo + mountPath: "/repo/" + # Define an init container to run the git clone for us + initContainers: + - name: "git-clone" + image: bitnami/git + # Specify that the "repo" volume should also be mounted on the + # initContainer + volumeMounts: + - name: repo + mountPath: "/repo/" + # Clone to /repo in the init container + command: + - git + - clone + # Add access token to the URL for authenticated HTTPS clone + - "https://$(GITHUB_TOKEN)@github.com/yourOrg/yourRepo" + - /repo/ + # Pull the access token into an env variable + env: + - name: GITHUB_TOKEN + valueFrom: + secretKeyRef: + name: github-access-token + key: token parameters: - - "-r" - - "https://gitlab.yourcompany.com/group/project" - - "--access-token" - - "" - - "--config" - - "/home/config_filenames_only.toml" - - "--commit-since" - - "2020-04-20" + # Run Gitleaks in "detect" mode + - "detect" + # Point it at the location of the repository + - "--source" + - "/repo/" \ No newline at end of file diff --git a/scanners/gitleaks/examples/provide-own-rules/README.md b/scanners/gitleaks/examples/provide-own-rules/README.md index 99f7c089ef..f3b11607ab 100644 --- a/scanners/gitleaks/examples/provide-own-rules/README.md +++ b/scanners/gitleaks/examples/provide-own-rules/README.md @@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0 --> If you don't want to use our predefined rule files you can easily provide your own -gitleaks rules config file. Therefore create a configMap from your rules file. +gitleaks rules config file. To do this, create a `configMap` from your rules file: ```bash kubectl create configmap --from-file /path/to/my/gitleaks-config.toml gitleaks-config 
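Review bot: Embedding the token in the clone URL, `- "https://$(GITHUB_TOKEN)@github.com/yourOrg/yourRepo"`, writes it into `/repo/.git/config` as the origin URL on the `emptyDir` volume that the gitleaks container then mounts, and git prints the URL in its clone error output, so the credential lands in pod logs on any failed clone. Passing the credential out of band keeps both the repository metadata and the logs clean; one portable way is git's `http.extraHeader` with a basic-auth header, as shown below, where the secret then holds the base64 of `x-access-token:<token>` rather than the bare token (I have not verified this against bitnami/git's git version, so please test). The example should also pin `image: bitnami/git` to a tag or digest so a silently upgraded init container cannot change what handles the token, and a comment above `command:` should say that `$(VAR)` expansion is done by Kubernetes, not a shell. The `Scan` spec ends with the `parameters` list, which is fully inside the hunk.

```yaml
      command:
        - git
        - -c
        # Credential travels in a header, not in the URL that git persists to .git/config
        - "http.extraHeader=AUTHORIZATION: basic $(GITHUB_BASIC_AUTH)"
        - clone
        - "https://github.com/yourOrg/yourRepo"
        - /repo/
      env:
        - name: GITHUB_BASIC_AUTH
          valueFrom:
            secretKeyRef:
              name: github-access-token
              key: token
      # … unchanged: volumeMounts, parameters …
```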
diff --git a/scanners/gitleaks/examples/provide-own-rules/scan.yaml b/scanners/gitleaks/examples/provide-own-rules/scan.yaml index 8a5098c3b8..ba426558f4 100644 --- a/scanners/gitleaks/examples/provide-own-rules/scan.yaml +++ b/scanners/gitleaks/examples/provide-own-rules/scan.yaml @@ -20,3 +20,50 @@ spec: volumeMounts: - name: "gitleaks-config" mountPath: "/config/" + +# SPDX-FileCopyrightText: 2021 iteratec GmbH +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: "execution.securecodebox.io/v1" +kind: Scan +metadata: + name: "scan-scb-with-own-rules" +spec: + scanType: "gitleaks" + # Define a volume and mount it at /repo in the scan container + volumes: + - name: "repo" + emptyDir: {} + - name: "gitleaks-config" + configMap: + name: "gitleaks-config" + volumeMounts: + - name: "repo" + mountPath: "/repo/" + - name: "gitleaks-config" + mountPath: "/config/" + # Define an init container to run the git clone for us + initContainers: + - name: "git-clone" + image: bitnami/git + # Specify that the "repo" volume should also be mounted on the + # initContainer + volumeMounts: + - name: "repo" + mountPath: "/repo/" + # Clone to /repo in the init container + command: + - git + - clone + - "https://github.com/secureCodeBox/secureCodeBox" + - /repo/ + parameters: + # Run Gitleaks in "detect" mode + - "detect" + # Point it at the location of the repository + - "--source" + - "/repo/" + # Point it at your own config file + - "--config" + - "/config/gitleaks-config.toml" \ No newline at end of file diff --git a/scanners/gitleaks/examples/multi-juicer/README.md b/scanners/gitleaks/examples/secureCodeBox/README.md similarity index 54% rename from scanners/gitleaks/examples/multi-juicer/README.md rename to scanners/gitleaks/examples/secureCodeBox/README.md index 9a15c8b665..1a8e7f12ff 100644 --- a/scanners/gitleaks/examples/multi-juicer/README.md +++ b/scanners/gitleaks/examples/secureCodeBox/README.md 
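Review bot: The hunk appends a second complete `Scan` document after the existing one — its three context lines appear to be the tail of the old document's `volumeMounts` — without a `---` separator, so the file now carries two top-level `apiVersion`, `kind`, `metadata` and `spec` keys; a strict YAML loader rejects the duplicate keys and a lenient one silently keeps one document, and either way `kubectl apply -f` will not produce the scan the README describes. Either replace the old document or insert `---` immediately before the new `# SPDX-FileCopyrightText: 2021 iteratec GmbH` header. As in the private-repository example, `image: bitnami/git` should be pinned to a tag or digest so the example is reproducible, and the file now ends without a trailing newline.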
@@ -4,4 +4,4 @@ SPDX-FileCopyrightText: 2021 iteratec GmbH SPDX-License-Identifier: Apache-2.0 --> -An Example for scanning all history of the multi juicer project on GitHub: +An Example for scanning all history of the secureCodeBox project on GitHub: diff --git a/scanners/gitleaks/examples/secureCodeBox/findings.json b/scanners/gitleaks/examples/secureCodeBox/findings.json new file mode 100644 index 0000000000..8d32bbb4db --- /dev/null +++ b/scanners/gitleaks/examples/secureCodeBox/findings.json 
@@ -0,0 +1,1472 @@ +[ + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", + "line_number": 26, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "2d0ad3e4-4c15-4de3-931d-59cb245c7531", + "parsed_at": "2022-01-25T08:49:25.025Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", + "line_number": 27, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "8ddac4b1-9922-454b-ab2f-3d5db62947a4", + "parsed_at": "2022-01-25T08:49:25.025Z" + }, + { + "name": "slack-access-token", + "description": "The name of the rule which triggered the finding: slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "Slack token", + "offender": "xoxb-", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", + "line_number": 44, + "tags": [], + "line": "xoxb-" + }, + "id": 
"23efcf9b-31a0-4da6-a913-c2782841141f", + "parsed_at": "2022-01-25T08:49:25.025Z" + }, + { + "name": "slack-access-token", + "description": "The name of the rule which triggered the finding: slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "Slack token", + "offender": "xoxb-", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", + "line_number": 45, + "tags": [], + "line": "xoxb-" + }, + "id": "15c5fea4-fe79-46e6-b140-c831ae3ed3c3", + "parsed_at": "2022-01-25T08:49:25.025Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "Generic API Key", + "offender": "eor898q1luuq8054e0e5r9s3jh", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", + "line_number": 62, + "tags": [], + "line": "api_key = 'eor898q1luuq8054e0e5r9s3jh'" + }, + "id": "b965eed9-f5c5-4881-a3ea-3aaec44a3e33", + "parsed_at": "2022-01-25T08:49:25.025Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": "scanners/gitleaks/parser/__testFiles__/test-report-small.json", + "line_number": 8, 
+ "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "da57e9b5-fca5-42e5-96ef-f5773cdbcf67", + "parsed_at": "2022-01-25T08:49:25.025Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": "scanners/gitleaks/parser/__testFiles__/test-report-small.json", + "line_number": 9, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "a81a13dd-5c10-4382-9bd4-08a0e4a39366", + "parsed_at": "2022-01-25T08:49:25.025Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": "scanners/gitleaks/parser/parser.test.js", + "line_number": 80, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "ed7e95de-4b8d-4c0d-9dfb-1cf6ad1f91f2", + "parsed_at": "2022-01-25T08:49:25.025Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": 
"scanners/gitleaks/parser/parser.test.js", + "line_number": 81, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "ae67aab4-889e-44c6-a3c0-78b4af9e0e54", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "slack-access-token", + "description": "The name of the rule which triggered the finding: slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "Slack token", + "offender": "xoxb-", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": "scanners/gitleaks/parser/parser.test.js", + "line_number": 102, + "tags": [], + "line": "xoxb-" + }, + "id": "3a3f7133-16a7-4971-b068-183fa71aefa1", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "slack-access-token", + "description": "The name of the rule which triggered the finding: slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "Slack token", + "offender": "xoxb-", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": "scanners/gitleaks/parser/parser.test.js", + "line_number": 103, + "tags": [], + "line": "xoxb-" + }, + "id": "1a5e8b76-8506-4fd6-8674-b41dd91ca731", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "Generic API Key", + "offender": "eor898q1luuq8054e0e5r9s3jh", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": 
"scanners/gitleaks/parser/parser.test.js", + "line_number": 122, + "tags": [], + "line": "api_key = 'eor898q1luuq8054e0e5r9s3jh'" + }, + "id": "af93e3ed-5627-4933-aa0c-abfd85c73c8c", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": "scanners/gitleaks/parser/parser.test.js", + "line_number": 170, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "3ba8bd3a-fedc-44ea-9bb9-c3db5bef2e10", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": "scanners/gitleaks/parser/parser.test.js", + "line_number": 171, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "7a87a951-14d4-4f3a-a1df-a51ad1bb144c", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + 
"date": "2022-01-20T14:55:02Z", + "file": "scanners/gitleaks/parser/parser.test.js", + "line_number": 218, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "0f8bc2be-41d6-4a67-8061-cc322e3c0864", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-20T14:55:02Z", + "file": "scanners/gitleaks/parser/parser.test.js", + "line_number": 219, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "5b1765a3-e0c8-4fd6-8cd9-63e2a9b5ca61", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "20202220306db37c13792bc672e57b0598ab680c", + "description": "Generic API Key", + "offender": "aGVsbG8taS1hbS1hLXRlc3Qta2V5", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-06T15:19:51Z", + "file": "hooks/persistence-azure-monitor/hook/hook.test.js", + "line_number": 51, + "tags": [], + "line": "Key: \"aGVsbG8taS1hbS1hLXRlc3Qta2V5\"" + }, + "id": "9c68074e-6612-45b0-9510-59918ad740a0", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "20202220306db37c13792bc672e57b0598ab680c", + "description": "Generic API Key", + "offender": 
"aGVsbG8taS1hbS1hLXRlc3Qta2V5", + "author": "Max Maass", + "email": "max.maass@iteratec.com", + "date": "2022-01-06T15:19:51Z", + "file": "hooks/persistence-azure-monitor/hook/hook.test.js", + "line_number": 81, + "tags": [], + "line": "Key: \"aGVsbG8taS1hbS1hLXRlc3Qta2V5\"" + }, + "id": "9561d49b-d06c-4546-9a34-77e8c1c2f53e", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "e064eb8bd2094287fdeb64474798a8fd53e77bd3", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Ilyes Ben Dlala", + "email": "ilyes.bendlala@iteratec.com", + "date": "2021-09-06T13:53:58Z", + "file": "demo-targets/unsafe-https/container/site.key", + "line_number": 1, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "ce0ae13d-7a3a-43e2-9372-e4855a395354", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "e4034cda3427e9782c3f91192fd628b84ba0b267", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Ilyes Ben Dlala", + "email": "ilyes.bendlala@iteratec.com", + "date": "2021-09-01T11:59:54Z", + "file": "scanners/gitleaks/parser/parser.test.js", + "line_number": 196, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "b3054da2-60a3-44a5-9aed-0b8a160e7a5f", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": 
"e4034cda3427e9782c3f91192fd628b84ba0b267", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Ilyes Ben Dlala", + "email": "ilyes.bendlala@iteratec.com", + "date": "2021-09-01T11:59:54Z", + "file": "scanners/gitleaks/parser/parser.test.js", + "line_number": 198, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "47358808-7fdf-4e25-9a9c-71373225ab38", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "slack-access-token", + "description": "The name of the rule which triggered the finding: slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "ae9e923125a0409025316a970fa16e0271e1734a", + "description": "Slack token", + "offender": "xoxb-", + "author": "twwd", + "email": "twwd@users.noreply.github.com", + "date": "2021-07-02T12:25:00Z", + "file": "hooks/notification/README.md", + "line_number": 164, + "tags": [], + "line": "xoxb-" + }, + "id": "17b20ad5-4d4f-4cc7-bcb7-5ff26b8caa24", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "slack-access-token", + "description": "The name of the rule which triggered the finding: slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "ae9e923125a0409025316a970fa16e0271e1734a", + "description": "Slack token", + "offender": "xoxb-", + "author": "twwd", + "email": "twwd@users.noreply.github.com", + "date": "2021-07-02T12:25:00Z", + "file": "hooks/notification/README.md", + "line_number": 178, + "tags": [], + "line": "xoxb-" + }, + "id": "465955c6-798a-4b39-af34-1751266cb8bb", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "RSA-PK", + "description": "The name of the rule which triggered the finding: RSA-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "0d90fb830431bb51b2b19544a82bcffd354a9566", + 
"description": "RSA private key", + "offender": "-----BEGIN RSA PRIVATE KEY-----", + "author": "Johannes Zahn", + "email": "johannes.zahn@iteratec.com", + "date": "2021-07-02T09:54:14Z", + "file": "scanners/ncrack/parser/parser.test.js", + "line_number": 145, + "tags": [], + "line": "-----BEGIN RSA PRIVATE KEY-----" + }, + "id": "7cfb7fe9-eac5-40f7-9e05-26a7f5536c74", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "slack-access-token", + "description": "The name of the rule which triggered the finding: slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "5a80e9c80b286f76f6c751c9f60ec172c06f2470", + "description": "Slack token", + "offender": "xoxb-", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-06-26T09:33:58Z", + "file": "hooks/notification/docs/README.ArtifactHub.md", + "line_number": 187, + "tags": [], + "line": "xoxb-" + }, + "id": "2fb1fb3a-7221-4d8d-9a13-b324f2631a12", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "slack-access-token", + "description": "The name of the rule which triggered the finding: slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "5a80e9c80b286f76f6c751c9f60ec172c06f2470", + "description": "Slack token", + "offender": "xoxb-", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-06-26T09:33:58Z", + "file": "hooks/notification/docs/README.ArtifactHub.md", + "line_number": 201, + "tags": [], + "line": "xoxb-" + }, + "id": "181ac2a9-f570-432b-9a01-906f0a20f1e0", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "slack-access-token", + "description": "The name of the rule which triggered the finding: slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": 
"50dce9aa1bc1e07bc870506edb6fbb3a4ace98e0", + "description": "Slack token", + "offender": "xoxb-", + "author": "Yannik Fuhrmeister", + "email": "12710254+fuhrmeistery@users.noreply.github.com", + "date": "2021-06-01T19:14:53Z", + "file": "hooks/notification-hook/README.md", + "line_number": 117, + "tags": [], + "line": "xoxb-" + }, + "id": "dcbd49ef-1b65-419a-9126-e8498480b951", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "slack-access-token", + "description": "The name of the rule which triggered the finding: slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "50dce9aa1bc1e07bc870506edb6fbb3a4ace98e0", + "description": "Slack token", + "offender": "xoxb-", + "author": "Yannik Fuhrmeister", + "email": "12710254+fuhrmeistery@users.noreply.github.com", + "date": "2021-06-01T19:14:53Z", + "file": "hooks/notification-hook/README.md", + "line_number": 131, + "tags": [], + "line": "xoxb-" + }, + "id": "9c4d7c09-5e7b-40d9-ab7e-d1aa82f18d3f", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "slack-access-token", + "description": "The name of the rule which triggered the finding: slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "50dce9aa1bc1e07bc870506edb6fbb3a4ace98e0", + "description": "Slack token", + "offender": "xoxb-", + "author": "Yannik Fuhrmeister", + "email": "12710254+fuhrmeistery@users.noreply.github.com", + "date": "2021-06-01T19:14:53Z", + "file": "hooks/notification-hook/README.md.gotmpl", + "line_number": 122, + "tags": [], + "line": "xoxb-" + }, + "id": "edec2d01-986a-4329-a503-00d9e993cad2", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "slack-access-token", + "description": "The name of the rule which triggered the finding: slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + 
"attributes": { + "commit": "50dce9aa1bc1e07bc870506edb6fbb3a4ace98e0", + "description": "Slack token", + "offender": "xoxb-", + "author": "Yannik Fuhrmeister", + "email": "12710254+fuhrmeistery@users.noreply.github.com", + "date": "2021-06-01T19:14:53Z", + "file": "hooks/notification-hook/README.md.gotmpl", + "line_number": 136, + "tags": [], + "line": "xoxb-" + }, + "id": "cfc7f9ef-31a3-40e7-9f74-25203efc74f0", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "549b29afa8644c6385c385bed3327e6131557ecb", + "description": "Generic API Key", + "offender": "eor898q1luuq8054e0e5r9s3jh", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-05-02T17:17:57Z", + "file": "scanners/zap-extended/scanner/scbzapv2/__main__.py", + "line_number": 37, + "tags": [], + "line": "api_key = 'eor898q1luuq8054e0e5r9s3jh'" + }, + "id": "bd4e48e7-d6a7-4531-ae7a-d34fcc0a0de9", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "74e0a0a85be803c0181ae87c63d0b81c7cfe30be", + "description": "Generic API Key", + "offender": "eor898q1luuq8054e0e5r9s3jh", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-30T18:49:54Z", + "file": "scanners/zap-extended/scanner/tests/test_integration_zap_local.py", + "line_number": 66, + "tags": [], + "line": "apiKey = 'eor898q1luuq8054e0e5r9s3jh'" + }, + "id": "f86d3776-c78c-4ee5-ad37-2a00fcd65239", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which 
triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "62c308c61a2baf9ebdc9b103a126e8651b95f734", + "description": "Generic API Key", + "offender": "eor898q1luuq8054e0e5r9s3jh", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-30T11:13:41Z", + "file": "scanners/zap-extended/scanner/tests/test_integration_docker_local.py", + "line_number": 75, + "tags": [], + "line": "apiKey = 'eor898q1luuq8054e0e5r9s3jh'" + }, + "id": "5d468e1b-fb10-40d6-919e-ce8dea839a37", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "f2a06b914bf9c9c9d35731cb3ffb40fc875a7bfe", + "description": "Generic API Key", + "offender": "eor898q1luuq8054e0e5r9s3jh", + "author": "Yannik Fuhrmeister", + "email": "12710254+fuhrmeistery@users.noreply.github.com", + "date": "2021-04-26T08:02:22Z", + "file": "scanners/zap-extended/scanner/tests/integration_test_zap_local.py", + "line_number": 23, + "tags": [], + "line": "apiKey = 'eor898q1luuq8054e0e5r9s3jh'" + }, + "id": "009fed28-3bb2-4029-8e08-bff8edc140de", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "d5eec9676af4d7943aba59a79d81c7032f0bee00", + "description": "Generic API Key", + "offender": "basic-auth-password-1", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-17T12:56:00Z", + "file": "scanners/zap-extended/scanner/tests/mocks/configs/context-with-overlay-secrets/3_zap-extended-scan-config.yaml", 
+ "line_number": 38, + "tags": [], + "line": "password: \"basic-auth-password-1\"" + }, + "id": "317f6dfb-715a-42b8-9a7c-50e6e945c16d", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "d5eec9676af4d7943aba59a79d81c7032f0bee00", + "description": "Generic API Key", + "offender": "basic-auth-password-2", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-17T12:56:00Z", + "file": "scanners/zap-extended/scanner/tests/mocks/configs/context-with-overlay-secrets/3_zap-extended-scan-config.yaml", + "line_number": 41, + "tags": [], + "line": "password: \"basic-auth-password-2\"" + }, + "id": "e889c16d-3bfe-4210-954e-596def7e8289", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "d5eec9676af4d7943aba59a79d81c7032f0bee00", + "description": "Generic API Key", + "offender": "basic-auth-password-1", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-17T12:56:00Z", + "file": "scanners/zap-extended/scanner/tests/mocks/configs/context-with-overlay-secrets/4_zap-extended-scan-config-secret.yaml", + "line_number": 11, + "tags": [], + "line": "password: \"basic-auth-password-1\"" + }, + "id": "579cf733-ec84-4354-8fa3-505e3a173002", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": 
"d5eec9676af4d7943aba59a79d81c7032f0bee00", + "description": "Generic API Key", + "offender": "basic-auth-password-2", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-17T12:56:00Z", + "file": "scanners/zap-extended/scanner/tests/mocks/configs/context-with-overlay-secrets/4_zap-extended-scan-config-secret.yaml", + "line_number": 14, + "tags": [], + "line": "password: \"basic-auth-password-2\"" + }, + "id": "94ae7432-fb52-41c1-9313-04ba1c29bdcc", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "d5eec9676af4d7943aba59a79d81c7032f0bee00", + "description": "Generic API Key", + "offender": "basic-auth-password-1", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-17T12:56:00Z", + "file": "scanners/zap-extended/scanner/tests/mocks/configs/context-with-overlay/2_zap-extended-scan-config.yaml", + "line_number": 106, + "tags": [], + "line": "password: \"basic-auth-password-1\"" + }, + "id": "ec78d1f1-1866-4d93-a358-6b35700b390d", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "d5eec9676af4d7943aba59a79d81c7032f0bee00", + "description": "Generic API Key", + "offender": "basic-auth-password-2", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-17T12:56:00Z", + "file": "scanners/zap-extended/scanner/tests/mocks/configs/context-with-overlay/2_zap-extended-scan-config.yaml", + "line_number": 109, + "tags": [], + "line": "password: \"basic-auth-password-2\"" + }, + "id": 
"1829a91e-71b3-4506-8b0d-cf3affbff65e", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-1", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/examples/scan-overlay-secrets/3_zap-extended-scan-config.yaml", + "line_number": 38, + "tags": [], + "line": "password: \"basic-auth-password-1\"" + }, + "id": "438d1ecd-663f-4847-a7d9-fc4be12a5de9", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-2", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/examples/scan-overlay-secrets/3_zap-extended-scan-config.yaml", + "line_number": 41, + "tags": [], + "line": "password: \"basic-auth-password-2\"" + }, + "id": "3ff98cc8-2311-4154-a751-e423b0da3828", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-1", + "author": "Robert Seedorff", + "email": 
"Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/examples/scan-overlay-secrets/4_zap-extended-scan-config-secret.yaml", + "line_number": 11, + "tags": [], + "line": "password: \"basic-auth-password-1\"" + }, + "id": "54053722-5af6-4cb0-8e09-8782d769d622", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-2", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/examples/scan-overlay-secrets/4_zap-extended-scan-config-secret.yaml", + "line_number": 14, + "tags": [], + "line": "password: \"basic-auth-password-2\"" + }, + "id": "3ef7844f-d5da-441f-b874-1aa5a260ba59", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-1", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/examples/scan-overlay/scantype/2_zap-extended-scan-config.yaml", + "line_number": 106, + "tags": [], + "line": "password: \"basic-auth-password-1\"" + }, + "id": "a130f30f-996e-4d02-b6c2-3f018faf68fa", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + 
"osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-2", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/examples/scan-overlay/scantype/2_zap-extended-scan-config.yaml", + "line_number": 109, + "tags": [], + "line": "password: \"basic-auth-password-2\"" + }, + "id": "725784df-f0a0-479e-971f-c0c37846209c", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "eor898q1luuq8054e0e5r9s3jh", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/test_zap_local.py", + "line_number": 16, + "tags": [], + "line": "apiKey='eor898q1luuq8054e0e5r9s3jh'" + }, + "id": "8b8e6787-fbcc-4941-bea4-4bfcad7db1c8", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-1", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/examples/scan-overlay-secrets/3_zap-extended-scan-config.yaml", + "line_number": 38, + "tags": [], + "line": "password: 
\"basic-auth-password-1\"" + }, + "id": "2e4f75d1-d551-4f2e-83ba-b99f8d6f287e", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-2", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/examples/scan-overlay-secrets/3_zap-extended-scan-config.yaml", + "line_number": 41, + "tags": [], + "line": "password: \"basic-auth-password-2\"" + }, + "id": "50f5add3-829b-46c3-981c-a70eda4c7f1f", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-1", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/examples/scan-overlay-secrets/4_zap-extended-scan-config-secret.yaml", + "line_number": 11, + "tags": [], + "line": "password: \"basic-auth-password-1\"" + }, + "id": "5e95eb3a-f02c-414c-9869-a83008873443", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API 
Key", + "offender": "basic-auth-password-2", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/examples/scan-overlay-secrets/4_zap-extended-scan-config-secret.yaml", + "line_number": 14, + "tags": [], + "line": "password: \"basic-auth-password-2\"" + }, + "id": "341891d3-d125-4939-85e6-c53402ad2699", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-1", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/examples/scan-overlay/scantype/2_zap-extended-scan-config.yaml", + "line_number": 106, + "tags": [], + "line": "password: \"basic-auth-password-1\"" + }, + "id": "5431975e-669b-487a-8ada-38cdcae44e6b", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-2", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/examples/scan-overlay/scantype/2_zap-extended-scan-config.yaml", + "line_number": 109, + "tags": [], + "line": "password: \"basic-auth-password-2\"" + }, + "id": "01eea82b-2b94-4366-b47f-5c758227cc8b", + "parsed_at": 
"2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-1", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/scan-overlay-secrets/3_zap-extended-scan-config.yaml", + "line_number": 38, + "tags": [], + "line": "password: \"basic-auth-password-1\"" + }, + "id": "0311938c-bf77-46da-9dc9-5b5e81c368ba", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-2", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/scan-overlay-secrets/3_zap-extended-scan-config.yaml", + "line_number": 41, + "tags": [], + "line": "password: \"basic-auth-password-2\"" + }, + "id": "04f4caaa-938c-4e0c-9baf-690e7a5d7ff7", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-1", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + 
"date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/scan-overlay-secrets/4_zap-extended-scan-config-secret.yaml", + "line_number": 11, + "tags": [], + "line": "password: \"basic-auth-password-1\"" + }, + "id": "7629c261-fca1-4b72-be49-33807b7fb4a1", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-2", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/scan-overlay-secrets/4_zap-extended-scan-config-secret.yaml", + "line_number": 14, + "tags": [], + "line": "password: \"basic-auth-password-2\"" + }, + "id": "72244b86-ac10-409e-9621-0d4e9194774f", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-1", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/scan-overlay/scantype/2_zap-extended-scan-config.yaml", + "line_number": 106, + "tags": [], + "line": "password: \"basic-auth-password-1\"" + }, + "id": "b8484e60-bd02-43c6-bbe8-11f2cadbd707", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: 
generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", + "description": "Generic API Key", + "offender": "basic-auth-password-2", + "author": "Robert Seedorff", + "email": "Robert.Seedorff@iteratec.com", + "date": "2021-04-10T09:55:52Z", + "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/scan-overlay/scantype/2_zap-extended-scan-config.yaml", + "line_number": 109, + "tags": [], + "line": "password: \"basic-auth-password-2\"" + }, + "id": "9dd50aab-a7d8-4016-95f9-9cae96c38232", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "RSA-PK", + "description": "The name of the rule which triggered the finding: RSA-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "85b730b7dfc7a84c7f4d3494768de79b2bf86d3a", + "description": "RSA private key", + "offender": "-----BEGIN RSA PRIVATE KEY-----", + "author": "Paul", + "email": "paul.schmelzer@iteratec.com", + "date": "2020-12-01T16:06:11Z", + "file": "scanners/ncrack/parser/parser.test.js", + "line_number": 120, + "tags": [], + "line": "-----BEGIN RSA PRIVATE KEY-----" + }, + "id": "c4e11c22-2ef2-4510-a289-97a5b40a0298", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "generic-api-key", + "description": "The name of the rule which triggered the finding: generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "135f19274fea68c8fc07b46965b63a19092d451f", + "description": "Generic API Key", + "offender": "ca267cf37a368b8ae02a184164b196a25fca77de", + "author": "Jannik Hollenbach", + "email": "jannik.hollenbach@iteratec.com", + "date": "2020-11-12T18:11:23Z", + "file": "hooks/persistence-defectdojo/src/main/resources/application.yaml", + "line_number": 10, + "tags": [], + "line": "key: 
\"ca267cf37a368b8ae02a184164b196a25fca77de\"" + }, + "id": "49b38367-bebc-43ae-9218-ebdc6e05322f", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "5adab93cd6d7ba0420a12f3c16bdf36818c1f24f", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "SebieF", + "email": "sebastian.franz@iteratec.com", + "date": "2020-10-16T12:47:24Z", + "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", + "line_number": 93, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "bf3e3817-59b1-408c-b3ae-2c9be4d13f05", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "5adab93cd6d7ba0420a12f3c16bdf36818c1f24f", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "SebieF", + "email": "sebastian.franz@iteratec.com", + "date": "2020-10-16T12:47:24Z", + "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", + "line_number": 95, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "a3966d6c-5e80-4159-b70f-8f75150dacda", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "5adab93cd6d7ba0420a12f3c16bdf36818c1f24f", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "SebieF", + "email": "sebastian.franz@iteratec.com", + "date": "2020-10-16T12:47:24Z", + "file": 
"scanners/gitleaks/parser/parser.test.js", + "line_number": 167, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "31e5dd8a-4260-4eb3-8db3-b607f41f048a", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "5adab93cd6d7ba0420a12f3c16bdf36818c1f24f", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "SebieF", + "email": "sebastian.franz@iteratec.com", + "date": "2020-10-16T12:47:24Z", + "file": "scanners/gitleaks/parser/parser.test.js", + "line_number": 169, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "8ba955a5-e33e-4d52-aaee-2725d578c9c3", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "604ca16251cd6e528328605420890f2d55a5464d", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Paul", + "email": "paul.schmelzer@iteratec.com", + "date": "2020-10-15T11:35:39Z", + "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", + "line_number": 93, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "ef8cbbdb-a322-4a08-995e-e0f9231d87d2", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "604ca16251cd6e528328605420890f2d55a5464d", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Paul", + "email": "paul.schmelzer@iteratec.com", 
+ "date": "2020-10-15T11:35:39Z", + "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", + "line_number": 95, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "7b41793b-0932-4850-85f7-883a2f1b5195", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "604ca16251cd6e528328605420890f2d55a5464d", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Paul", + "email": "paul.schmelzer@iteratec.com", + "date": "2020-10-15T11:35:39Z", + "file": "scanners/gitleaks/parser/parser.test.js", + "line_number": 167, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "f5d9613f-b53a-4476-93f4-a15ee324930f", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "604ca16251cd6e528328605420890f2d55a5464d", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "Paul", + "email": "paul.schmelzer@iteratec.com", + "date": "2020-10-15T11:35:39Z", + "file": "scanners/gitleaks/parser/parser.test.js", + "line_number": 169, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "f1307218-368c-45ec-bba1-ba89dccf6c05", + "parsed_at": "2022-01-25T08:49:25.026Z" + }, + { + "name": "PKCS8-PK", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + "category": "Potential Secret", + "attributes": { + "commit": "893f84ba706b48814b048f0ee69c04c8fcff9e6d", + "description": "PKCS8 private key", + "offender": "-----BEGIN PRIVATE KEY-----", + "author": "J12934", 
+ "email": "13718901+J12934@users.noreply.github.com", + "date": "2020-01-20T10:09:06Z", + "file": "demo/unsafe-https/site.key", + "line_number": 1, + "tags": [], + "line": "-----BEGIN PRIVATE KEY-----" + }, + "id": "cb629f0c-3e1d-43fe-ac05-763049c2cd1d", + "parsed_at": "2022-01-25T08:49:25.026Z" + } +] diff --git a/scanners/gitleaks/examples/multi-juicer/findings.json.license b/scanners/gitleaks/examples/secureCodeBox/findings.json.license similarity index 100% rename from scanners/gitleaks/examples/multi-juicer/findings.json.license rename to scanners/gitleaks/examples/secureCodeBox/findings.json.license diff --git a/scanners/gitleaks/examples/secureCodeBox/scan.yaml b/scanners/gitleaks/examples/secureCodeBox/scan.yaml new file mode 100644 index 0000000000..af3172bc7a --- /dev/null +++ b/scanners/gitleaks/examples/secureCodeBox/scan.yaml @@ -0,0 +1,38 @@ +# SPDX-FileCopyrightText: 2021 iteratec GmbH +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: "execution.securecodebox.io/v1" +kind: Scan +metadata: + name: "scan-scb-example" +spec: + scanType: "gitleaks" + # Define a volume and mount it at /repo in the scan container + volumes: + - name: repo + emptyDir: {} + volumeMounts: + - name: repo + mountPath: "/repo/" + # Define an init container to run the git clone for us + initContainers: + - name: "git-clone" + image: bitnami/git + # Specify that the "repo" volume should also be mounted on the + # initContainer + volumeMounts: + - name: repo + mountPath: "/repo/" + # Clone to /repo in the init container + command: + - git + - clone + - "https://github.com/secureCodeBox/secureCodeBox" + - /repo/ + parameters: + # Run Gitleaks in "detect" mode + - "detect" + # Point it at the location of the repository + - "--source" + - "/repo/" \ No newline at end of file From 7dc4f0343c3eaadc40275aeff279155d882ffbc3 Mon Sep 17 00:00:00 2001 From: Max Maass Date: Tue, 25 Jan 2022 12:31:18 +0100 Subject: [PATCH 18/30] Update and enable integration tests for gitleaks 
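Review bot: The init container in the new scan.yaml uses `image: bitnami/git` with no tag or digest, so each run pulls whatever the default tag currently resolves to, and this container is the one that populates the `/repo/` volume the scanner then reads; pin it, e.g. `image: "bitnami/git:<PINNED_TAG>"` or an `@sha256:<DIGEST>` reference (placeholders). The same unpinned `"image": "bitnami/git"` is used by the integration test's `initContainers` in patches 18 and 19. The file also ends without a trailing newline (`\ No newline at end of file`), as do gitleaks.test.js in patch 18 and parser.test.js in patch 21; adding the newline keeps the last line out of future diffs.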
Signed-off-by: Max Maass --- scanners/gitleaks/Makefile | 7 ++++ .../integration-tests/gitleaks.test.js | 41 ++++++++++++++----- 2 files changed, 37 insertions(+), 11 deletions(-) diff --git a/scanners/gitleaks/Makefile b/scanners/gitleaks/Makefile index 5a8e684fc9..c33d5bec59 100644 --- a/scanners/gitleaks/Makefile +++ b/scanners/gitleaks/Makefile @@ -10,3 +10,10 @@ scanner = gitleaks include ../../scanners.mk +integration-tests: + @echo ".: 🩺 Starting integration test in kind namespace 'integration-tests'." + kubectl -n integration-tests delete scans --all + cd ../../tests/integration/ && npm ci + cd ../../scanners/${scanner} + npx --yes --package jest@$(JEST_VERSION) jest --verbose --ci --colors --coverage --passWithNoTests ${scanner}/integration-tests + diff --git a/scanners/gitleaks/integration-tests/gitleaks.test.js b/scanners/gitleaks/integration-tests/gitleaks.test.js index 86da618019..ad6d3f9b85 100644 --- a/scanners/gitleaks/integration-tests/gitleaks.test.js +++ b/scanners/gitleaks/integration-tests/gitleaks.test.js 
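Review bot: The recipe line `cd ../../scanners/${scanner}` in the new `integration-tests` target has no effect, because make runs each recipe line in its own shell, so the following `npx … jest` line still starts from the directory make was invoked in. Either drop the line or chain it onto the `npx` line with `&&`, as the preceding `cd ../../tests/integration/ && npm ci` line already does. The trailing `${scanner}/integration-tests` argument is presumably a jest path pattern rather than a path relative to that `cd`, which would explain why the target still works; a one-line comment above the `npx` line stating that would spare the next reader the same question.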
@@ -7,28 +7,47 @@ const { scan } = require("../../../tests/integration/helpers"); jest.retryTimes(3); test( - "gitleaks should find 1 credential in the testfiles", + "Gitleaks should find 16 secrets in a specific commit", async () => { const { categories, severities, count } = await scan( "gitleaks-dummy-scan", "gitleaks", [ - "-r", - "https://github.com/secureCodeBox/secureCodeBox", - "--commit=ec0fe179ccf178b56fcd51d1730448bc64bb9ab5", - "--config-path", - "/home/config_all.toml", + "detect", + "--source", + "/repo/", + "--log-opts=a7296dcaef571b9f1858069511f6678c1a6541ef..531d4bb6cc1189621d15b785afe34c877d4933a6" ], - 90 + 90, + // volumes + [{ + "name": "test-dir", + "emptyDir": {} + }], + // volumeMounts + [{ + "mountPath": "/repo/", + "name": "test-dir" + }], + // initContainers + [{ + "name": "init-git", + "image": "bitnami/git", + "command": ["git", "clone", "https://github.com/secureCodeBox/secureCodeBox", "/repo/"], + "volumeMounts": [{ + "mountPath": "/repo/", + "name": "test-dir" + }] + }] ); - expect(count).toBe(1); + expect(count).toBe(16); expect(categories).toEqual({ - "Potential Secret": 1, + "Potential Secret": 16, }); expect(severities).toEqual({ - high: 1, + medium: 16 }); }, 3 * 60 * 1000 -); +); \ No newline at end of file From a674a178e0b7eb2975718e31ac2fb80f4f39f110 Mon Sep 17 00:00:00 2001 From: Max Maass Date: Tue, 25 Jan 2022 13:30:04 +0100 Subject: [PATCH 19/30] Remove internet access from integration tests Signed-off-by: Max Maass --- .../integration-tests/gitleaks.test.js | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/scanners/gitleaks/integration-tests/gitleaks.test.js b/scanners/gitleaks/integration-tests/gitleaks.test.js index ad6d3f9b85..8d03378fa9 100644 --- a/scanners/gitleaks/integration-tests/gitleaks.test.js +++ b/scanners/gitleaks/integration-tests/gitleaks.test.js 
@@ -4,7 +4,7 @@ const { scan } = require("../../../tests/integration/helpers"); -jest.retryTimes(3); +jest.retryTimes(0); test( "Gitleaks should find 16 secrets in a specific commit", @@ -15,8 +15,7 @@ test( [ "detect", "--source", - "/repo/", - "--log-opts=a7296dcaef571b9f1858069511f6678c1a6541ef..531d4bb6cc1189621d15b785afe34c877d4933a6" + "/repo/" ], 90, // volumes @@ -33,7 +32,16 @@ test( [{ "name": "init-git", "image": "bitnami/git", - "command": ["git", "clone", "https://github.com/secureCodeBox/secureCodeBox", "/repo/"], + "command": ["bash", + "-c", + // Bash script to create a git repo with a demo file + `cd /repo && \\ + git init && \\ + echo '-----BEGIN PRIVATE KEY-----' > secret.pem && \\ + git config --global user.name test && \\ + git config --global user.email user@example.com && \\ + git add secret.pem && \\ + git commit -m test`], "volumeMounts": [{ "mountPath": "/repo/", "name": "test-dir" @@ -41,12 +49,12 @@ test( }] ); - expect(count).toBe(16); + expect(count).toBe(1); expect(categories).toEqual({ - "Potential Secret": 16, + "Potential Secret": 1, }); expect(severities).toEqual({ - medium: 16 + medium: 1 }); }, 3 * 60 * 1000 From 0cc2972be1adb472e3b18f00e61ac5c5aae8972c Mon Sep 17 00:00:00 2001 From: Max Maass Date: Tue, 25 Jan 2022 14:19:44 +0100 Subject: [PATCH 20/30] Fix name for integration test case Signed-off-by: Max Maass --- scanners/gitleaks/integration-tests/gitleaks.test.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scanners/gitleaks/integration-tests/gitleaks.test.js b/scanners/gitleaks/integration-tests/gitleaks.test.js index 8d03378fa9..28fc037850 100644 --- a/scanners/gitleaks/integration-tests/gitleaks.test.js +++ b/scanners/gitleaks/integration-tests/gitleaks.test.js 
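Review bot: In the init container's `bash -c` script in the `@@ -33,7 +32,16 @@` hunk, every line ends in `&& \\`, but bash already continues a command list after a trailing `&&`, so the escaped backslashes add nothing and make the template literal harder to read; `cd /repo && \n git init && \n …` without the `\\` behaves identically. The `git config --global user.name test` and `user.email` lines exist only so `git commit` succeeds inside the throwaway container, which the comment above the script (`// Bash script to create a git repo with a demo file`) could say, e.g. `// identity is required for git commit; the container is discarded afterwards`. The enclosing `test(` call starts and ends outside this hunk.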
@@ -7,7 +7,7 @@ const { scan } = require("../../../tests/integration/helpers"); jest.retryTimes(0); test( - "Gitleaks should find 16 secrets in a specific commit", + "Gitleaks should find one secret in a demo target", async () => { const { categories, severities, count } = await scan( "gitleaks-dummy-scan", From 6ce565f5788aa3f2cdc83bf070448e8ffce1e6be Mon Sep 17 00:00:00 2001 From: Max Maass Date: Tue, 25 Jan 2022 14:22:08 +0100 Subject: [PATCH 21/30] Let parser construct repo URLs from annotation Before Gitleaks 8.0, the parser used to construct a direct URL to each detected commit based on the parameter used to clone the repo. Since it can no longer clone repos, this is no longer feasible. However, this commit adds the capability to pull the repo information from a scan annotation and use that. It does not actually enforce that the provided repository URL matches the one that was cloned in the init container - it blindly trusts whatever data it is given. Signed-off-by: Max Maass --- scanners/gitleaks/parser/parser.js | 18 +- scanners/gitleaks/parser/parser.test.js | 286 +++++++++++++++++++++--- 2 files changed, 267 insertions(+), 37 deletions(-) diff --git a/scanners/gitleaks/parser/parser.js b/scanners/gitleaks/parser/parser.js index 5800cbb953..0d3693ae78 100644 --- a/scanners/gitleaks/parser/parser.js +++ b/scanners/gitleaks/parser/parser.js @@ -5,9 +5,13 @@ const HIGH_TAGS = ["HIGH"]; const LOW_TAGS = ["LOW"]; +const repoUrlAnnotationKey = "metadata.securecodebox.io/git-repo-url" + async function parse (fileContent, scan) { if (fileContent) { + const commitUrlBase = prepareCommitUrl(scan); + return fileContent.map(finding => { let severity = 'MEDIUM'; @@ -25,7 +29,7 @@ async function parse (fileContent, scan) { severity: severity, category: 'Potential Secret', attributes: { - commit: finding.Commit, + commit: commitUrlBase + finding.Commit, description: finding.Description, offender: finding.Secret, author: finding.Author, 
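Review bot: The new `const repoUrlAnnotationKey = "metadata.securecodebox.io/git-repo-url"` line in parser.js has no terminating semicolon while the neighbouring declarations (`const LOW_TAGS = ["LOW"];`) do; write it as `const repoUrlAnnotationKey = "metadata.securecodebox.io/git-repo-url";` for consistency. In the second hunk, `commit: commitUrlBase + finding.Commit` yields `…/commit/undefined` if a report entry ever lacks `Commit`; if that shape is possible in gitleaks 8 output, `commit: finding.Commit ? commitUrlBase + finding.Commit : finding.Commit` keeps the attribute honest. The body of `parse` continues outside both hunks.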
@@ -50,4 +54,16 @@ function containsTag (tag, tags) { return result.length > 0; } +function prepareCommitUrl (scan) { + if (!scan || !scan.metadata.annotations || !scan.metadata.annotations[repoUrlAnnotationKey]) { + return ''; + } + + var repositoryUrl = scan.metadata.annotations[repoUrlAnnotationKey]; + + return repositoryUrl.endsWith('/') ? + repositoryUrl + 'commit/' + : repositoryUrl + '/commit/' +} + module.exports.parse = parse; diff --git a/scanners/gitleaks/parser/parser.test.js b/scanners/gitleaks/parser/parser.test.js index 5d473a602b..5172011580 100644 --- a/scanners/gitleaks/parser/parser.test.js +++ b/scanners/gitleaks/parser/parser.test.js 
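Review bot: `prepareCommitUrl` dereferences `scan.metadata.annotations` after checking only `!scan`, so a scan object without a `metadata` field makes `parse` throw a TypeError instead of falling back to the bare commit hash; the guard should also cover `scan.metadata`. The annotation value is then spliced unchecked into every finding's `commit` attribute — the commit message itself says the parser "blindly trusts whatever data it is given" — so, if only web URLs are expected there, parsing it with the `URL` global and accepting only `http:`/`https:` keeps arbitrary strings out of what downstream hooks render as a link. The rewrite below does both, uses `const` instead of `var` to match the declarations at the top of the file, and adds the missing semicolon on the return.

```javascript
function prepareCommitUrl (scan) {
  const annotations = scan && scan.metadata && scan.metadata.annotations;
  const repositoryUrl = annotations && annotations[repoUrlAnnotationKey];
  if (!repositoryUrl) {
    return '';
  }

  // The annotation is caller-supplied and ends up as a link in every finding,
  // so accept only http(s) URLs and fall back to the bare commit hash otherwise.
  let parsed;
  try {
    parsed = new URL(repositoryUrl);
  } catch (err) {
    return '';
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return '';
  }

  return repositoryUrl.endsWith('/')
    ? repositoryUrl + 'commit/'
    : repositoryUrl + '/commit/';
}
```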
@@ -46,12 +46,196 @@ test("should properly parse gitleaks json file", async () => { ); const findings = await parse(JSON.parse(jsonContent)); await expect(validateParser(findings)).resolves.toBeUndefined(); + expect(findings).toMatchInlineSnapshot(` + Array [ + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "20202220306db37c13792bc672e57b0598ab680c", + "date": "2022-01-06T15:19:51Z", + "description": "Generic API Key", + "email": "committer@some-domain.tld", + "file": "hooks/persistence-azure-monitor/hook/hook.test.js", + "line": "Key: \\"aGVsbG8taS1hbS1hLXRlc3Qta2V5\\"", + "line_number": 51, + "offender": "aGVsbG8taS1hbS1hLXRlc3Qta2V5", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: generic-api-key", + "name": "generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "e064eb8bd2094287fdeb64474798a8fd53e77bd3", + "date": "2021-09-06T13:53:58Z", + "description": "PKCS8 private key", + "email": "committer@some-domain.tld", + "file": "demo-targets/unsafe-https/container/site.key", + "line": "-----BEGIN PRIVATE KEY-----", + "line_number": 1, + "offender": "-----BEGIN PRIVATE KEY-----", + "tags": Array [ + "PrivateKey", + ], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "ae9e923125a0409025316a970fa16e0271e1734a", + "date": "2021-07-02T12:25:00Z", + "description": "Slack token", + "email": "committer@some-domain.tld", + "file": "hooks/notification/README.md", + "line": "xoxb-", + "line_number": 164, + "offender": "xoxb-", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the 
finding: slack-access-token", + "name": "slack-access-token", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "549b29afa8644c6385c385bed3327e6131557ecb", + "date": "2021-05-02T17:17:57Z", + "description": "Generic API Key", + "email": "committer@some-domain.tld", + "file": "scanners/zap-extended/scanner/scbzapv2/__main__.py", + "line": "api_key = 'eor898q1luuq8054e0e5r9s3jh'", + "line_number": 37, + "offender": "eor898q1luuq8054e0e5r9s3jh", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: generic-api-key", + "name": "generic-api-key", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + }, + ] + `); +}); + +test("should define severity based on tags in result file", async () => { + const jsonContent = await readFile( + __dirname + "/__testFiles__/test-report-tags.json", + { + encoding: "utf8", + } + ); + const findings = await parse(JSON.parse(jsonContent)); + await expect(validateParser(findings)).resolves.toBeUndefined(); + + expect(findings).toMatchInlineSnapshot(` + Array [ + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "604ca16251cd6e528328605420890f2d55a5464d", + "date": "2020-10-15T11:35:39Z", + "description": "PKCS8 private key", + "email": "committer@some-domain.tld", + "file": "scanners/gitleaks/parser/parser.test.js", + "line": "-----BEGIN PRIVATE KEY-----", + "line_number": 167, + "offender": "-----BEGIN PRIVATE KEY-----", + "tags": Array [ + "HIGH", + ], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "HIGH", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "604ca16251cd6e528328605420890f2d55a5464d", + "date": "2020-10-15T11:35:39Z", + "description": "PKCS8 private key", + "email": 
"committer@some-domain.tld", + "file": "scanners/gitleaks/parser/parser.test.js", + "line": "-----BEGIN PRIVATE KEY-----", + "line_number": 167, + "offender": "-----BEGIN PRIVATE KEY-----", + "tags": Array [], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "MEDIUM", + }, + Object { + "attributes": Object { + "author": "Commit Author", + "commit": "604ca16251cd6e528328605420890f2d55a5464d", + "date": "2020-10-15T11:35:39Z", + "description": "PKCS8 private key", + "email": "committer@some-domain.tld", + "file": "scanners/gitleaks/parser/parser.test.js", + "line": "-----BEGIN PRIVATE KEY-----", + "line_number": 167, + "offender": "-----BEGIN PRIVATE KEY-----", + "tags": Array [ + "LOW", + ], + }, + "category": "Potential Secret", + "description": "The name of the rule which triggered the finding: PKCS8-PK", + "name": "PKCS8-PK", + "osi_layer": "APPLICATION", + "severity": "LOW", + }, + ] + `); +}); + +test("should properly construct commit URL if given in scan annotation without trailing slash", async () => { + const scan = { + spec: { + scanType: "gitleaks", + parameters: ["detect"], + }, + metadata: { + annotations: { + "metadata.securecodebox.io/git-repo-url": + "https://github.com/secureCodeBox/secureCodeBox", + }, + }, + }; + + const jsonContent = await readFile( + __dirname + "/__testFiles__/test-report.json", + { + encoding: "utf8", + } + ); + const findings = await parse(JSON.parse(jsonContent), scan); + await expect(validateParser(findings)).resolves.toBeUndefined(); + expect(findings).toMatchInlineSnapshot(` Array [ Object { "attributes": Object { "author": "Commit Author", - "commit": "20202220306db37c13792bc672e57b0598ab680c", + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/20202220306db37c13792bc672e57b0598ab680c", "date": "2022-01-06T15:19:51Z", "description": "Generic API Key", "email": 
"committer@some-domain.tld", @@ -70,7 +254,7 @@ Array [ Object { "attributes": Object { "author": "Commit Author", - "commit": "e064eb8bd2094287fdeb64474798a8fd53e77bd3", + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/e064eb8bd2094287fdeb64474798a8fd53e77bd3", "date": "2021-09-06T13:53:58Z", "description": "PKCS8 private key", "email": "committer@some-domain.tld", @@ -91,7 +275,7 @@ Array [ Object { "attributes": Object { "author": "Commit Author", - "commit": "ae9e923125a0409025316a970fa16e0271e1734a", + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/ae9e923125a0409025316a970fa16e0271e1734a", "date": "2021-07-02T12:25:00Z", "description": "Slack token", "email": "committer@some-domain.tld", @@ -110,7 +294,7 @@ Array [ Object { "attributes": Object { "author": "Commit Author", - "commit": "549b29afa8644c6385c385bed3327e6131557ecb", + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/549b29afa8644c6385c385bed3327e6131557ecb", "date": "2021-05-02T17:17:57Z", "description": "Generic API Key", "email": "committer@some-domain.tld", @@ -130,14 +314,27 @@ Array [ `); }); -test("should define severity based on tags in result file", async () => { +test("should properly construct commit URL if given in scan annotation with trailing slash", async () => { + const scan = { + spec: { + scanType: "gitleaks", + parameters: ["detect"], + }, + metadata: { + annotations: { + "metadata.securecodebox.io/git-repo-url": + "https://github.com/secureCodeBox/secureCodeBox/", + }, + }, + }; + const jsonContent = await readFile( - __dirname + "/__testFiles__/test-report-tags.json", + __dirname + "/__testFiles__/test-report.json", { encoding: "utf8", } ); - const findings = await parse(JSON.parse(jsonContent)); + const findings = await parse(JSON.parse(jsonContent), scan); await expect(validateParser(findings)).resolves.toBeUndefined(); expect(findings).toMatchInlineSnapshot(` 
@@ -145,64 +342,81 @@ Array [
 Object {
 "attributes": Object {
 "author": "Commit Author",
- "commit": "604ca16251cd6e528328605420890f2d55a5464d",
- "date": "2020-10-15T11:35:39Z",
+ "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/20202220306db37c13792bc672e57b0598ab680c",
+ "date": "2022-01-06T15:19:51Z",
+ "description": "Generic API Key",
+ "email": "committer@some-domain.tld",
+ "file": "hooks/persistence-azure-monitor/hook/hook.test.js",
+ "line": "Key: \\"aGVsbG8taS1hbS1hLXRlc3Qta2V5\\"",
+ "line_number": 51,
+ "offender": "aGVsbG8taS1hbS1hLXRlc3Qta2V5",
+ "tags": Array [],
+ },
+ "category": "Potential Secret",
+ "description": "The name of the rule which triggered the finding: generic-api-key",
+ "name": "generic-api-key",
+ "osi_layer": "APPLICATION",
+ "severity": "MEDIUM",
+ },
+ Object {
+ "attributes": Object {
+ "author": "Commit Author",
+ "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/e064eb8bd2094287fdeb64474798a8fd53e77bd3",
+ "date": "2021-09-06T13:53:58Z",
 "description": "PKCS8 private key",
 "email": "committer@some-domain.tld",
- "file": "scanners/gitleaks/parser/parser.test.js",
+ "file": "demo-targets/unsafe-https/container/site.key",
 "line": "-----BEGIN PRIVATE KEY-----",
- "line_number": 167,
+ "line_number": 1,
 "offender": "-----BEGIN PRIVATE KEY-----",
 "tags": Array [
- "HIGH",
+ "PrivateKey",
 ],
 },
 "category": "Potential Secret",
 "description": "The name of the rule which triggered the finding: PKCS8-PK",
 "name": "PKCS8-PK",
 "osi_layer": "APPLICATION",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 },
 Object {
 "attributes": Object {
 "author": "Commit Author",
- "commit": "604ca16251cd6e528328605420890f2d55a5464d",
- "date": "2020-10-15T11:35:39Z",
- "description": "PKCS8 private key",
+ "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/ae9e923125a0409025316a970fa16e0271e1734a",
+ "date": "2021-07-02T12:25:00Z",
+ "description": "Slack token",
 "email": "committer@some-domain.tld",
- "file": "scanners/gitleaks/parser/parser.test.js",
- "line": "-----BEGIN PRIVATE KEY-----",
- "line_number": 167,
- "offender": "-----BEGIN PRIVATE KEY-----",
+ "file": "hooks/notification/README.md",
+ "line": "xoxb-",
+ "line_number": 164,
+ "offender": "xoxb-",
 "tags": Array [],
 },
 "category": "Potential Secret",
- "description": "The name of the rule which triggered the finding: PKCS8-PK",
- "name": "PKCS8-PK",
+ "description": "The name of the rule which triggered the finding: slack-access-token",
+ "name": "slack-access-token",
 "osi_layer": "APPLICATION",
 "severity": "MEDIUM",
 },
 Object {
 "attributes": Object {
 "author": "Commit Author",
- "commit": "604ca16251cd6e528328605420890f2d55a5464d",
- "date": "2020-10-15T11:35:39Z",
- "description": "PKCS8 private key",
+ "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/549b29afa8644c6385c385bed3327e6131557ecb",
+ "date": "2021-05-02T17:17:57Z",
+ "description": "Generic API Key",
 "email": "committer@some-domain.tld",
- "file": "scanners/gitleaks/parser/parser.test.js",
- "line": "-----BEGIN PRIVATE KEY-----",
- "line_number": 167,
- "offender": "-----BEGIN PRIVATE KEY-----",
- "tags": Array [
- "LOW",
- ],
+ "file": "scanners/zap-extended/scanner/scbzapv2/__main__.py",
+ "line": "api_key = 'eor898q1luuq8054e0e5r9s3jh'",
+ "line_number": 37,
+ "offender": "eor898q1luuq8054e0e5r9s3jh",
+ "tags": Array [],
 },
 "category": "Potential Secret",
- "description": "The name of the rule which triggered the finding: PKCS8-PK",
- "name": "PKCS8-PK",
+ "description": "The name of the rule which triggered the finding: generic-api-key",
+ "name": "generic-api-key",
 "osi_layer": "APPLICATION",
- "severity": "LOW",
+ "severity": "MEDIUM",
 },
 ]
 `);
-});
+});
\ No newline at end of file
From 2c15090f0aecfd234b10e02f518b075723cd849c Mon Sep 17 00:00:00 2001
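Review bot: The rewritten last test ends with `+});` followed by `\ No newline at end of file`, so the commit drops the trailing newline the file previously had; restore it so the next edit to the final line does not show up as a spurious change to `});`. The 80-line inline snapshot here is byte-for-byte the one expected by the "without trailing slash" test above, which makes it hard to see from the diff what the trailing-slash variant proves; a one-line comment above the `expect`, `// Same findings as the no-trailing-slash case: the parser must normalise the slash before appending /commit/<sha>`, would state the intent. The old side of this hunk held the tag-based severity expectations (`HIGH`/`LOW`); they appear to have moved into the earlier hunk of this file, but confirm nothing was lost since that hunk starts outside this view.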
From: Max Maass Date: Tue, 25 Jan 2022 14:25:59 +0100 Subject: [PATCH 22/30] Rename repo URL annotation This improves consistency with the scope limiter annotations, which use descriptors of a similar form. Signed-off-by: Max Maass
--- scanners/gitleaks/parser/parser.js | 2 +- scanners/gitleaks/parser/parser.test.js | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/scanners/gitleaks/parser/parser.js b/scanners/gitleaks/parser/parser.js
index 0d3693ae78..95e1e5df5a 100644
--- a/scanners/gitleaks/parser/parser.js
+++ b/scanners/gitleaks/parser/parser.js
@@ -5,7 +5,7 @@ const HIGH_TAGS = ["HIGH"];
 const LOW_TAGS = ["LOW"];
-const repoUrlAnnotationKey = "metadata.securecodebox.io/git-repo-url"
+const repoUrlAnnotationKey = "metadata.scan.securecodebox.io/git-repo-url"
 async function parse (fileContent, scan) {
diff --git a/scanners/gitleaks/parser/parser.test.js b/scanners/gitleaks/parser/parser.test.js
index 5172011580..07e353742c 100644
--- a/scanners/gitleaks/parser/parser.test.js
+++ b/scanners/gitleaks/parser/parser.test.js
@@ -215,7 +215,7 @@ test("should properly construct commit URL if given in scan annotation without t
 },
 metadata: {
 annotations: {
- "metadata.securecodebox.io/git-repo-url":
+ "metadata.scan.securecodebox.io/git-repo-url":
 "https://github.com/secureCodeBox/secureCodeBox",
 },
 },
@@ -322,7 +322,7 @@ test("should properly construct commit URL if given in scan annotation with trai
 },
 metadata: {
 annotations: {
- "metadata.securecodebox.io/git-repo-url":
+ "metadata.scan.securecodebox.io/git-repo-url":
 "https://github.com/secureCodeBox/secureCodeBox/",
 },
 },
From c44b705f1f03ca92620c28c9d5b8002074535970 Mon Sep 17 00:00:00 2001
From: Max Maass Date: Tue, 25 Jan 2022 14:35:39 +0100 Subject: [PATCH 23/30] Update examples to use new annotation
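Review bot: `const repoUrlAnnotationKey = "metadata.scan.securecodebox.io/git-repo-url"` is still missing the terminating semicolon that the neighbouring `const HIGH_TAGS = ["HIGH"];` and `const LOW_TAGS = ["LOW"];` carry; since the line is rewritten anyway, make it `const repoUrlAnnotationKey = "metadata.scan.securecodebox.io/git-repo-url";`. The rename also silently stops honouring the previous key: a Scan that still carries `metadata.securecodebox.io/git-repo-url` gets bare commit hashes again with no warning. If the old key only ever existed inside this patch series that is harmless; otherwise read both keys for one release (new one winning) or at least record the rename in the changelog. The `parse()` function that consumes the constant begins at the end of this hunk and continues outside it.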
Signed-off-by: Max Maass
--- .../examples/private-repository/scan.yaml | 2 + .../examples/provide-own-rules/scan.yaml | 4 +- .../examples/secureCodeBox/findings.json | 1451 +---------------- .../gitleaks/examples/secureCodeBox/scan.yaml | 2 + 4 files changed, 20 insertions(+), 1439 deletions(-)
diff --git a/scanners/gitleaks/examples/private-repository/scan.yaml b/scanners/gitleaks/examples/private-repository/scan.yaml
index 12d7b5bf4c..d01adf184f 100644
--- a/scanners/gitleaks/examples/private-repository/scan.yaml
+++ b/scanners/gitleaks/examples/private-repository/scan.yaml
@@ -6,6 +6,8 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "authenticated-clone.example"
+ annotations:
+ metadata.scan.securecodebox.io/git-repo-url: "https://github.com/yourOrg/yourRepo"
 spec:
 scanType: "gitleaks"
 # Define a volume and mount it at /repo in the scan container
diff --git a/scanners/gitleaks/examples/provide-own-rules/scan.yaml b/scanners/gitleaks/examples/provide-own-rules/scan.yaml
index ba426558f4..d2da767647 100644
--- a/scanners/gitleaks/examples/provide-own-rules/scan.yaml
+++ b/scanners/gitleaks/examples/provide-own-rules/scan.yaml
@@ -5,7 +5,9 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
- name: "scan-multi-juicer-with-own-rules"
+ name: "scan-scb-with-own-rules"
+ annotations:
+ metadata.scan.securecodebox.io/git-repo-url: "https://github.com/secureCodeBox/secureCodeBox"
 spec:
 scanType: "gitleaks"
 parameters:
diff --git a/scanners/gitleaks/examples/secureCodeBox/findings.json b/scanners/gitleaks/examples/secureCodeBox/findings.json
index 8d32bbb4db..a4fbdcbc57 100644
--- a/scanners/gitleaks/examples/secureCodeBox/findings.json
+++ b/scanners/gitleaks/examples/secureCodeBox/findings.json
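Review bot: The placeholder `https://github.com/yourOrg/yourRepo` added to private-repository/scan.yaml is not flagged as something the user must replace, while the rest of that example comments every step (`# Define a volume and mount it at /repo in the scan container`); add a comment above the annotation such as `# Replace with the URL of the repository cloned into /repo; the parser uses it to build the commit links in findings`. The provide-own-rules example gets the same annotation without any explanation and would benefit from the same comment. Judging by the parser tests in the earlier patch, the link is built purely from this value plus `/commit/<sha>` and nothing checks that it matches the repository actually scanned, so a stale or wrong value yields misleading links rather than an error; that is worth one sentence in the example.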
@@ -6,19 +6,19 @@
 "severity": "MEDIUM",
 "category": "Potential Secret",
 "attributes": {
- "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6",
+ "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/a674a178e0b7eb2975718e31ac2fb80f4f39f110",
 "description": "PKCS8 private key",
 "offender": "-----BEGIN PRIVATE KEY-----",
 "author": "Max Maass",
 "email": "max.maass@iteratec.com",
- "date": "2022-01-20T14:55:02Z",
- "file": "scanners/gitleaks/parser/__testFiles__/test-report.json",
- "line_number": 26,
+ "date": "2022-01-25T12:30:04Z",
+ "file": "scanners/gitleaks/integration-tests/gitleaks.test.js",
+ "line_number": 40,
 "tags": [],
 "line": "-----BEGIN PRIVATE KEY-----"
 },
- "id": "2d0ad3e4-4c15-4de3-931d-59cb245c7531",
- "parsed_at": "2022-01-25T08:49:25.025Z"
+ "id": "fd1914a4-5a3e-4656-a532-ab1a0f645515",
+ "parsed_at": "2022-01-25T13:31:05.257Z"
 },
 {
 "name": "PKCS8-PK",
@@ -27,1446 +27,21 @@ "severity": "MEDIUM", "category": "Potential Secret", "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", + "commit": "https://github.com/secureCodeBox/secureCodeBox/commit/1020a6520656922355d84eb6f3560650e40c722e", "description": "PKCS8 private key", "offender": "-----BEGIN PRIVATE KEY-----", "author": "Max Maass", "email": "max.maass@iteratec.com", - "date": "2022-01-20T14:55:02Z", - "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", - "line_number": 27, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "8ddac4b1-9922-454b-ab2f-3d5db62947a4", - "parsed_at": "2022-01-25T08:49:25.025Z" - }, - { - "name": "slack-access-token", - "description": "The name of the rule which triggered the finding: slack-access-token", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", - "description": "Slack token", - "offender": "xoxb-", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - "date": "2022-01-20T14:55:02Z", - "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", - "line_number": 44, - "tags": [], - "line": "xoxb-" - }, - "id": "23efcf9b-31a0-4da6-a913-c2782841141f", - "parsed_at": "2022-01-25T08:49:25.025Z" - }, - { - "name": "slack-access-token", - "description": "The name of the rule which triggered the finding: slack-access-token", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", - "description": "Slack token", - "offender": "xoxb-", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - "date": "2022-01-20T14:55:02Z", - "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", - "line_number": 45, - "tags": [], - "line": "xoxb-" - }, - "id": "15c5fea4-fe79-46e6-b140-c831ae3ed3c3", - "parsed_at": "2022-01-25T08:49:25.025Z" - }, - { - 
"name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", - "description": "Generic API Key", - "offender": "eor898q1luuq8054e0e5r9s3jh", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - "date": "2022-01-20T14:55:02Z", - "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", - "line_number": 62, - "tags": [], - "line": "api_key = 'eor898q1luuq8054e0e5r9s3jh'" - }, - "id": "b965eed9-f5c5-4881-a3ea-3aaec44a3e33", - "parsed_at": "2022-01-25T08:49:25.025Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - "date": "2022-01-20T14:55:02Z", - "file": "scanners/gitleaks/parser/__testFiles__/test-report-small.json", + "date": "2022-01-24T08:24:50Z", + "file": "scanners/gitleaks/parser/__testFiles__/test-report-tags.json", "line_number": 8, "tags": [], "line": "-----BEGIN PRIVATE KEY-----" }, - "id": "da57e9b5-fca5-42e5-96ef-f5773cdbcf67", - "parsed_at": "2022-01-25T08:49:25.025Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - "date": "2022-01-20T14:55:02Z", - "file": 
"scanners/gitleaks/parser/__testFiles__/test-report-small.json", - "line_number": 9, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "a81a13dd-5c10-4382-9bd4-08a0e4a39366", - "parsed_at": "2022-01-25T08:49:25.025Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - "date": "2022-01-20T14:55:02Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 80, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "ed7e95de-4b8d-4c0d-9dfb-1cf6ad1f91f2", - "parsed_at": "2022-01-25T08:49:25.025Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - "date": "2022-01-20T14:55:02Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 81, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "ae67aab4-889e-44c6-a3c0-78b4af9e0e54", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "slack-access-token", - "description": "The name of the rule which triggered the finding: slack-access-token", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", - "description": "Slack token", - "offender": "xoxb-", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - 
"date": "2022-01-20T14:55:02Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 102, - "tags": [], - "line": "xoxb-" - }, - "id": "3a3f7133-16a7-4971-b068-183fa71aefa1", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "slack-access-token", - "description": "The name of the rule which triggered the finding: slack-access-token", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", - "description": "Slack token", - "offender": "xoxb-", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - "date": "2022-01-20T14:55:02Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 103, - "tags": [], - "line": "xoxb-" - }, - "id": "1a5e8b76-8506-4fd6-8674-b41dd91ca731", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", - "description": "Generic API Key", - "offender": "eor898q1luuq8054e0e5r9s3jh", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - "date": "2022-01-20T14:55:02Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 122, - "tags": [], - "line": "api_key = 'eor898q1luuq8054e0e5r9s3jh'" - }, - "id": "af93e3ed-5627-4933-aa0c-abfd85c73c8c", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - 
"date": "2022-01-20T14:55:02Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 170, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "3ba8bd3a-fedc-44ea-9bb9-c3db5bef2e10", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - "date": "2022-01-20T14:55:02Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 171, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "7a87a951-14d4-4f3a-a1df-a51ad1bb144c", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - "date": "2022-01-20T14:55:02Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 218, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "0f8bc2be-41d6-4a67-8061-cc322e3c0864", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "531d4bb6cc1189621d15b785afe34c877d4933a6", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Max Maass", - "email": 
"max.maass@iteratec.com", - "date": "2022-01-20T14:55:02Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 219, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "5b1765a3-e0c8-4fd6-8cd9-63e2a9b5ca61", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "20202220306db37c13792bc672e57b0598ab680c", - "description": "Generic API Key", - "offender": "aGVsbG8taS1hbS1hLXRlc3Qta2V5", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - "date": "2022-01-06T15:19:51Z", - "file": "hooks/persistence-azure-monitor/hook/hook.test.js", - "line_number": 51, - "tags": [], - "line": "Key: \"aGVsbG8taS1hbS1hLXRlc3Qta2V5\"" - }, - "id": "9c68074e-6612-45b0-9510-59918ad740a0", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "20202220306db37c13792bc672e57b0598ab680c", - "description": "Generic API Key", - "offender": "aGVsbG8taS1hbS1hLXRlc3Qta2V5", - "author": "Max Maass", - "email": "max.maass@iteratec.com", - "date": "2022-01-06T15:19:51Z", - "file": "hooks/persistence-azure-monitor/hook/hook.test.js", - "line_number": 81, - "tags": [], - "line": "Key: \"aGVsbG8taS1hbS1hLXRlc3Qta2V5\"" - }, - "id": "9561d49b-d06c-4546-9a34-77e8c1c2f53e", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "e064eb8bd2094287fdeb64474798a8fd53e77bd3", - "description": "PKCS8 
private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Ilyes Ben Dlala", - "email": "ilyes.bendlala@iteratec.com", - "date": "2021-09-06T13:53:58Z", - "file": "demo-targets/unsafe-https/container/site.key", - "line_number": 1, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "ce0ae13d-7a3a-43e2-9372-e4855a395354", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "e4034cda3427e9782c3f91192fd628b84ba0b267", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Ilyes Ben Dlala", - "email": "ilyes.bendlala@iteratec.com", - "date": "2021-09-01T11:59:54Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 196, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "b3054da2-60a3-44a5-9aed-0b8a160e7a5f", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "e4034cda3427e9782c3f91192fd628b84ba0b267", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Ilyes Ben Dlala", - "email": "ilyes.bendlala@iteratec.com", - "date": "2021-09-01T11:59:54Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 198, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "47358808-7fdf-4e25-9a9c-71373225ab38", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "slack-access-token", - "description": "The name of the rule which triggered the finding: slack-access-token", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": 
{ - "commit": "ae9e923125a0409025316a970fa16e0271e1734a", - "description": "Slack token", - "offender": "xoxb-", - "author": "twwd", - "email": "twwd@users.noreply.github.com", - "date": "2021-07-02T12:25:00Z", - "file": "hooks/notification/README.md", - "line_number": 164, - "tags": [], - "line": "xoxb-" - }, - "id": "17b20ad5-4d4f-4cc7-bcb7-5ff26b8caa24", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "slack-access-token", - "description": "The name of the rule which triggered the finding: slack-access-token", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "ae9e923125a0409025316a970fa16e0271e1734a", - "description": "Slack token", - "offender": "xoxb-", - "author": "twwd", - "email": "twwd@users.noreply.github.com", - "date": "2021-07-02T12:25:00Z", - "file": "hooks/notification/README.md", - "line_number": 178, - "tags": [], - "line": "xoxb-" - }, - "id": "465955c6-798a-4b39-af34-1751266cb8bb", - "parsed_at": "2022-01-25T08:49:25.026Z" + "id": "9b767656-48a8-45b3-aabd-c0a788ddec03", + "parsed_at": "2022-01-25T13:31:05.257Z" }, { - "name": "RSA-PK", - "description": "The name of the rule which triggered the finding: RSA-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "0d90fb830431bb51b2b19544a82bcffd354a9566", - "description": "RSA private key", - "offender": "-----BEGIN RSA PRIVATE KEY-----", - "author": "Johannes Zahn", - "email": "johannes.zahn@iteratec.com", - "date": "2021-07-02T09:54:14Z", - "file": "scanners/ncrack/parser/parser.test.js", - "line_number": 145, - "tags": [], - "line": "-----BEGIN RSA PRIVATE KEY-----" - }, - "id": "7cfb7fe9-eac5-40f7-9e05-26a7f5536c74", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "slack-access-token", - "description": "The name of the rule which triggered the finding: slack-access-token", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - 
"category": "Potential Secret", - "attributes": { - "commit": "5a80e9c80b286f76f6c751c9f60ec172c06f2470", - "description": "Slack token", - "offender": "xoxb-", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-06-26T09:33:58Z", - "file": "hooks/notification/docs/README.ArtifactHub.md", - "line_number": 187, - "tags": [], - "line": "xoxb-" - }, - "id": "2fb1fb3a-7221-4d8d-9a13-b324f2631a12", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "slack-access-token", - "description": "The name of the rule which triggered the finding: slack-access-token", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "5a80e9c80b286f76f6c751c9f60ec172c06f2470", - "description": "Slack token", - "offender": "xoxb-", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-06-26T09:33:58Z", - "file": "hooks/notification/docs/README.ArtifactHub.md", - "line_number": 201, - "tags": [], - "line": "xoxb-" - }, - "id": "181ac2a9-f570-432b-9a01-906f0a20f1e0", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "slack-access-token", - "description": "The name of the rule which triggered the finding: slack-access-token", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "50dce9aa1bc1e07bc870506edb6fbb3a4ace98e0", - "description": "Slack token", - "offender": "xoxb-", - "author": "Yannik Fuhrmeister", - "email": "12710254+fuhrmeistery@users.noreply.github.com", - "date": "2021-06-01T19:14:53Z", - "file": "hooks/notification-hook/README.md", - "line_number": 117, - "tags": [], - "line": "xoxb-" - }, - "id": "dcbd49ef-1b65-419a-9126-e8498480b951", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "slack-access-token", - "description": "The name of the rule which triggered the finding: slack-access-token", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - 
"category": "Potential Secret", - "attributes": { - "commit": "50dce9aa1bc1e07bc870506edb6fbb3a4ace98e0", - "description": "Slack token", - "offender": "xoxb-", - "author": "Yannik Fuhrmeister", - "email": "12710254+fuhrmeistery@users.noreply.github.com", - "date": "2021-06-01T19:14:53Z", - "file": "hooks/notification-hook/README.md", - "line_number": 131, - "tags": [], - "line": "xoxb-" - }, - "id": "9c4d7c09-5e7b-40d9-ab7e-d1aa82f18d3f", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "slack-access-token", - "description": "The name of the rule which triggered the finding: slack-access-token", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "50dce9aa1bc1e07bc870506edb6fbb3a4ace98e0", - "description": "Slack token", - "offender": "xoxb-", - "author": "Yannik Fuhrmeister", - "email": "12710254+fuhrmeistery@users.noreply.github.com", - "date": "2021-06-01T19:14:53Z", - "file": "hooks/notification-hook/README.md.gotmpl", - "line_number": 122, - "tags": [], - "line": "xoxb-" - }, - "id": "edec2d01-986a-4329-a503-00d9e993cad2", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "slack-access-token", - "description": "The name of the rule which triggered the finding: slack-access-token", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "50dce9aa1bc1e07bc870506edb6fbb3a4ace98e0", - "description": "Slack token", - "offender": "xoxb-", - "author": "Yannik Fuhrmeister", - "email": "12710254+fuhrmeistery@users.noreply.github.com", - "date": "2021-06-01T19:14:53Z", - "file": "hooks/notification-hook/README.md.gotmpl", - "line_number": 136, - "tags": [], - "line": "xoxb-" - }, - "id": "cfc7f9ef-31a3-40e7-9f74-25203efc74f0", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - 
"severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "549b29afa8644c6385c385bed3327e6131557ecb", - "description": "Generic API Key", - "offender": "eor898q1luuq8054e0e5r9s3jh", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-05-02T17:17:57Z", - "file": "scanners/zap-extended/scanner/scbzapv2/__main__.py", - "line_number": 37, - "tags": [], - "line": "api_key = 'eor898q1luuq8054e0e5r9s3jh'" - }, - "id": "bd4e48e7-d6a7-4531-ae7a-d34fcc0a0de9", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "74e0a0a85be803c0181ae87c63d0b81c7cfe30be", - "description": "Generic API Key", - "offender": "eor898q1luuq8054e0e5r9s3jh", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-30T18:49:54Z", - "file": "scanners/zap-extended/scanner/tests/test_integration_zap_local.py", - "line_number": 66, - "tags": [], - "line": "apiKey = 'eor898q1luuq8054e0e5r9s3jh'" - }, - "id": "f86d3776-c78c-4ee5-ad37-2a00fcd65239", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "62c308c61a2baf9ebdc9b103a126e8651b95f734", - "description": "Generic API Key", - "offender": "eor898q1luuq8054e0e5r9s3jh", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-30T11:13:41Z", - "file": "scanners/zap-extended/scanner/tests/test_integration_docker_local.py", - "line_number": 75, - "tags": [], - "line": "apiKey = 'eor898q1luuq8054e0e5r9s3jh'" - }, - "id": "5d468e1b-fb10-40d6-919e-ce8dea839a37", - 
"parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "f2a06b914bf9c9c9d35731cb3ffb40fc875a7bfe", - "description": "Generic API Key", - "offender": "eor898q1luuq8054e0e5r9s3jh", - "author": "Yannik Fuhrmeister", - "email": "12710254+fuhrmeistery@users.noreply.github.com", - "date": "2021-04-26T08:02:22Z", - "file": "scanners/zap-extended/scanner/tests/integration_test_zap_local.py", - "line_number": 23, - "tags": [], - "line": "apiKey = 'eor898q1luuq8054e0e5r9s3jh'" - }, - "id": "009fed28-3bb2-4029-8e08-bff8edc140de", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "d5eec9676af4d7943aba59a79d81c7032f0bee00", - "description": "Generic API Key", - "offender": "basic-auth-password-1", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-17T12:56:00Z", - "file": "scanners/zap-extended/scanner/tests/mocks/configs/context-with-overlay-secrets/3_zap-extended-scan-config.yaml", - "line_number": 38, - "tags": [], - "line": "password: \"basic-auth-password-1\"" - }, - "id": "317f6dfb-715a-42b8-9a7c-50e6e945c16d", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "d5eec9676af4d7943aba59a79d81c7032f0bee00", - "description": "Generic API Key", - "offender": "basic-auth-password-2", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", 
- "date": "2021-04-17T12:56:00Z", - "file": "scanners/zap-extended/scanner/tests/mocks/configs/context-with-overlay-secrets/3_zap-extended-scan-config.yaml", - "line_number": 41, - "tags": [], - "line": "password: \"basic-auth-password-2\"" - }, - "id": "e889c16d-3bfe-4210-954e-596def7e8289", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "d5eec9676af4d7943aba59a79d81c7032f0bee00", - "description": "Generic API Key", - "offender": "basic-auth-password-1", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-17T12:56:00Z", - "file": "scanners/zap-extended/scanner/tests/mocks/configs/context-with-overlay-secrets/4_zap-extended-scan-config-secret.yaml", - "line_number": 11, - "tags": [], - "line": "password: \"basic-auth-password-1\"" - }, - "id": "579cf733-ec84-4354-8fa3-505e3a173002", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "d5eec9676af4d7943aba59a79d81c7032f0bee00", - "description": "Generic API Key", - "offender": "basic-auth-password-2", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-17T12:56:00Z", - "file": "scanners/zap-extended/scanner/tests/mocks/configs/context-with-overlay-secrets/4_zap-extended-scan-config-secret.yaml", - "line_number": 14, - "tags": [], - "line": "password: \"basic-auth-password-2\"" - }, - "id": "94ae7432-fb52-41c1-9313-04ba1c29bdcc", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: 
generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "d5eec9676af4d7943aba59a79d81c7032f0bee00", - "description": "Generic API Key", - "offender": "basic-auth-password-1", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-17T12:56:00Z", - "file": "scanners/zap-extended/scanner/tests/mocks/configs/context-with-overlay/2_zap-extended-scan-config.yaml", - "line_number": 106, - "tags": [], - "line": "password: \"basic-auth-password-1\"" - }, - "id": "ec78d1f1-1866-4d93-a358-6b35700b390d", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "d5eec9676af4d7943aba59a79d81c7032f0bee00", - "description": "Generic API Key", - "offender": "basic-auth-password-2", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-17T12:56:00Z", - "file": "scanners/zap-extended/scanner/tests/mocks/configs/context-with-overlay/2_zap-extended-scan-config.yaml", - "line_number": 109, - "tags": [], - "line": "password: \"basic-auth-password-2\"" - }, - "id": "1829a91e-71b3-4506-8b0d-cf3affbff65e", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-1", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/examples/scan-overlay-secrets/3_zap-extended-scan-config.yaml", - 
"line_number": 38, - "tags": [], - "line": "password: \"basic-auth-password-1\"" - }, - "id": "438d1ecd-663f-4847-a7d9-fc4be12a5de9", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-2", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/examples/scan-overlay-secrets/3_zap-extended-scan-config.yaml", - "line_number": 41, - "tags": [], - "line": "password: \"basic-auth-password-2\"" - }, - "id": "3ff98cc8-2311-4154-a751-e423b0da3828", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-1", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/examples/scan-overlay-secrets/4_zap-extended-scan-config-secret.yaml", - "line_number": 11, - "tags": [], - "line": "password: \"basic-auth-password-1\"" - }, - "id": "54053722-5af6-4cb0-8e09-8782d769d622", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic 
API Key", - "offender": "basic-auth-password-2", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/examples/scan-overlay-secrets/4_zap-extended-scan-config-secret.yaml", - "line_number": 14, - "tags": [], - "line": "password: \"basic-auth-password-2\"" - }, - "id": "3ef7844f-d5da-441f-b874-1aa5a260ba59", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-1", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/examples/scan-overlay/scantype/2_zap-extended-scan-config.yaml", - "line_number": 106, - "tags": [], - "line": "password: \"basic-auth-password-1\"" - }, - "id": "a130f30f-996e-4d02-b6c2-3f018faf68fa", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-2", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/examples/scan-overlay/scantype/2_zap-extended-scan-config.yaml", - "line_number": 109, - "tags": [], - "line": "password: \"basic-auth-password-2\"" - }, - "id": "725784df-f0a0-479e-971f-c0c37846209c", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - 
"description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "eor898q1luuq8054e0e5r9s3jh", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/test_zap_local.py", - "line_number": 16, - "tags": [], - "line": "apiKey='eor898q1luuq8054e0e5r9s3jh'" - }, - "id": "8b8e6787-fbcc-4941-bea4-4bfcad7db1c8", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-1", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/examples/scan-overlay-secrets/3_zap-extended-scan-config.yaml", - "line_number": 38, - "tags": [], - "line": "password: \"basic-auth-password-1\"" - }, - "id": "2e4f75d1-d551-4f2e-83ba-b99f8d6f287e", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-2", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": 
"scanners/zap-extended/scanner/tests/docker/tmp/configs/examples/scan-overlay-secrets/3_zap-extended-scan-config.yaml", - "line_number": 41, - "tags": [], - "line": "password: \"basic-auth-password-2\"" - }, - "id": "50f5add3-829b-46c3-981c-a70eda4c7f1f", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-1", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/examples/scan-overlay-secrets/4_zap-extended-scan-config-secret.yaml", - "line_number": 11, - "tags": [], - "line": "password: \"basic-auth-password-1\"" - }, - "id": "5e95eb3a-f02c-414c-9869-a83008873443", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-2", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/examples/scan-overlay-secrets/4_zap-extended-scan-config-secret.yaml", - "line_number": 14, - "tags": [], - "line": "password: \"basic-auth-password-2\"" - }, - "id": "341891d3-d125-4939-85e6-c53402ad2699", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - 
"osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-1", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/examples/scan-overlay/scantype/2_zap-extended-scan-config.yaml", - "line_number": 106, - "tags": [], - "line": "password: \"basic-auth-password-1\"" - }, - "id": "5431975e-669b-487a-8ada-38cdcae44e6b", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-2", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/examples/scan-overlay/scantype/2_zap-extended-scan-config.yaml", - "line_number": 109, - "tags": [], - "line": "password: \"basic-auth-password-2\"" - }, - "id": "01eea82b-2b94-4366-b47f-5c758227cc8b", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-1", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": 
"scanners/zap-extended/scanner/tests/docker/tmp/configs/scan-overlay-secrets/3_zap-extended-scan-config.yaml", - "line_number": 38, - "tags": [], - "line": "password: \"basic-auth-password-1\"" - }, - "id": "0311938c-bf77-46da-9dc9-5b5e81c368ba", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-2", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/scan-overlay-secrets/3_zap-extended-scan-config.yaml", - "line_number": 41, - "tags": [], - "line": "password: \"basic-auth-password-2\"" - }, - "id": "04f4caaa-938c-4e0c-9baf-690e7a5d7ff7", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-1", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/scan-overlay-secrets/4_zap-extended-scan-config-secret.yaml", - "line_number": 11, - "tags": [], - "line": "password: \"basic-auth-password-1\"" - }, - "id": "7629c261-fca1-4b72-be49-33807b7fb4a1", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": 
"MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-2", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/scan-overlay-secrets/4_zap-extended-scan-config-secret.yaml", - "line_number": 14, - "tags": [], - "line": "password: \"basic-auth-password-2\"" - }, - "id": "72244b86-ac10-409e-9621-0d4e9194774f", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-1", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/scan-overlay/scantype/2_zap-extended-scan-config.yaml", - "line_number": 106, - "tags": [], - "line": "password: \"basic-auth-password-1\"" - }, - "id": "b8484e60-bd02-43c6-bbe8-11f2cadbd707", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "8816678186c7ec2af5e2e3b162272c6ae9053edd", - "description": "Generic API Key", - "offender": "basic-auth-password-2", - "author": "Robert Seedorff", - "email": "Robert.Seedorff@iteratec.com", - "date": "2021-04-10T09:55:52Z", - "file": "scanners/zap-extended/scanner/tests/docker/tmp/configs/scan-overlay/scantype/2_zap-extended-scan-config.yaml", - "line_number": 109, - "tags": 
[], - "line": "password: \"basic-auth-password-2\"" - }, - "id": "9dd50aab-a7d8-4016-95f9-9cae96c38232", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "RSA-PK", - "description": "The name of the rule which triggered the finding: RSA-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "85b730b7dfc7a84c7f4d3494768de79b2bf86d3a", - "description": "RSA private key", - "offender": "-----BEGIN RSA PRIVATE KEY-----", - "author": "Paul", - "email": "paul.schmelzer@iteratec.com", - "date": "2020-12-01T16:06:11Z", - "file": "scanners/ncrack/parser/parser.test.js", - "line_number": 120, - "tags": [], - "line": "-----BEGIN RSA PRIVATE KEY-----" - }, - "id": "c4e11c22-2ef2-4510-a289-97a5b40a0298", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "generic-api-key", - "description": "The name of the rule which triggered the finding: generic-api-key", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "135f19274fea68c8fc07b46965b63a19092d451f", - "description": "Generic API Key", - "offender": "ca267cf37a368b8ae02a184164b196a25fca77de", - "author": "Jannik Hollenbach", - "email": "jannik.hollenbach@iteratec.com", - "date": "2020-11-12T18:11:23Z", - "file": "hooks/persistence-defectdojo/src/main/resources/application.yaml", - "line_number": 10, - "tags": [], - "line": "key: \"ca267cf37a368b8ae02a184164b196a25fca77de\"" - }, - "id": "49b38367-bebc-43ae-9218-ebdc6e05322f", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "5adab93cd6d7ba0420a12f3c16bdf36818c1f24f", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "SebieF", - "email": 
"sebastian.franz@iteratec.com", - "date": "2020-10-16T12:47:24Z", - "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", - "line_number": 93, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "bf3e3817-59b1-408c-b3ae-2c9be4d13f05", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "5adab93cd6d7ba0420a12f3c16bdf36818c1f24f", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "SebieF", - "email": "sebastian.franz@iteratec.com", - "date": "2020-10-16T12:47:24Z", - "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", - "line_number": 95, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "a3966d6c-5e80-4159-b70f-8f75150dacda", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "5adab93cd6d7ba0420a12f3c16bdf36818c1f24f", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "SebieF", - "email": "sebastian.franz@iteratec.com", - "date": "2020-10-16T12:47:24Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 167, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "31e5dd8a-4260-4eb3-8db3-b607f41f048a", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "5adab93cd6d7ba0420a12f3c16bdf36818c1f24f", - "description": "PKCS8 private key", - "offender": 
"-----BEGIN PRIVATE KEY-----", - "author": "SebieF", - "email": "sebastian.franz@iteratec.com", - "date": "2020-10-16T12:47:24Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 169, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "8ba955a5-e33e-4d52-aaee-2725d578c9c3", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "604ca16251cd6e528328605420890f2d55a5464d", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Paul", - "email": "paul.schmelzer@iteratec.com", - "date": "2020-10-15T11:35:39Z", - "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", - "line_number": 93, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "ef8cbbdb-a322-4a08-995e-e0f9231d87d2", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "604ca16251cd6e528328605420890f2d55a5464d", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Paul", - "email": "paul.schmelzer@iteratec.com", - "date": "2020-10-15T11:35:39Z", - "file": "scanners/gitleaks/parser/__testFiles__/test-report.json", - "line_number": 95, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "7b41793b-0932-4850-85f7-883a2f1b5195", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": 
"604ca16251cd6e528328605420890f2d55a5464d", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Paul", - "email": "paul.schmelzer@iteratec.com", - "date": "2020-10-15T11:35:39Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 167, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "f5d9613f-b53a-4476-93f4-a15ee324930f", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "604ca16251cd6e528328605420890f2d55a5464d", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "Paul", - "email": "paul.schmelzer@iteratec.com", - "date": "2020-10-15T11:35:39Z", - "file": "scanners/gitleaks/parser/parser.test.js", - "line_number": 169, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "f1307218-368c-45ec-bba1-ba89dccf6c05", - "parsed_at": "2022-01-25T08:49:25.026Z" - }, - { - "name": "PKCS8-PK", - "description": "The name of the rule which triggered the finding: PKCS8-PK", - "osi_layer": "APPLICATION", - "severity": "MEDIUM", - "category": "Potential Secret", - "attributes": { - "commit": "893f84ba706b48814b048f0ee69c04c8fcff9e6d", - "description": "PKCS8 private key", - "offender": "-----BEGIN PRIVATE KEY-----", - "author": "J12934", - "email": "13718901+J12934@users.noreply.github.com", - "date": "2020-01-20T10:09:06Z", - "file": "demo/unsafe-https/site.key", - "line_number": 1, - "tags": [], - "line": "-----BEGIN PRIVATE KEY-----" - }, - "id": "cb629f0c-3e1d-43fe-ac05-763049c2cd1d", - "parsed_at": "2022-01-25T08:49:25.026Z" + "note": "Results truncated for space reasons" } -] +] \ No newline at end of file 
diff --git a/scanners/gitleaks/examples/secureCodeBox/scan.yaml b/scanners/gitleaks/examples/secureCodeBox/scan.yaml
index af3172bc7a..1faa8ed7a7 100644
--- a/scanners/gitleaks/examples/secureCodeBox/scan.yaml
+++ b/scanners/gitleaks/examples/secureCodeBox/scan.yaml
@@ -6,6 +6,8 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "scan-scb-example"
+ annotations:
+ metadata.scan.securecodebox.io/git-repo-url: "https://github.com/secureCodeBox/secureCodeBox"
 spec:
 scanType: "gitleaks"
 # Define a volume and mount it at /repo in the scan container
From 296ed1ec5f3e65eb4da7dc0d9fafdf77609423ca Mon Sep 17 00:00:00 2001
From: Max Maass
Date: Tue, 25 Jan 2022 14:45:09 +0100
Subject: [PATCH 24/30] Update gitleaks docs
Signed-off-by: Max Maass
---
 scanners/gitleaks/.helm-docs.gotmpl | 138 ++++++------------
 scanners/gitleaks/docs/README.ArtifactHub.md | 138 ++++++------------
 .../gitleaks/docs/README.DockerHub-Hook.md | 86 +++++++++++
 3 files changed, 168 insertions(+), 194 deletions(-)
 create mode 100644 scanners/gitleaks/docs/README.DockerHub-Hook.md
diff --git a/scanners/gitleaks/.helm-docs.gotmpl b/scanners/gitleaks/.helm-docs.gotmpl
index 34ddb0fb9d..0d3e5db102 100644
--- a/scanners/gitleaks/.helm-docs.gotmpl
+++ b/scanners/gitleaks/.helm-docs.gotmpl
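Review bot: The new `metadata.scan.securecodebox.io/git-repo-url` annotation is a second copy of the repository location that the rest of this scan definition fetches into the `/repo` volume (that part of the document lies outside the hunk, presumably via the init container the docs in this series describe), and nothing in the file says the two must agree. Since the annotation is presumably what downstream consumers use to attribute findings to their source repository, editing the clone target without the annotation would silently label results with the wrong repository. A one-line comment above the annotation would make the coupling explicit, e.g. `# Keep in sync with the repository cloned into /repo below; findings are attributed to this URL`.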
@@ -36,108 +36,52 @@ To learn more about gitleaks visit . {{- define "extra.scannerConfigurationSection" -}} ## Scanner Configuration +For a complete overview of the configuration options, see the +[Gitleaks documentation](https://github.com/zricethezav/gitleaks#usage). -For a complete overview of the configuration options checkout the -[Gitleaks documentation](https://github.com/zricethezav/gitleaks/wiki/Options). - -The only mandatory parameters are: -- `-r`: The link to the repository you want to scan. -- `--access-token`: Only for non-public repositories. -- `--username` and `--password`: Only for non-public repositories. -- `--config-path`: The ruleset you want to use. - -#### Ruleset - -At this point we provide three rulesets which you can pass to the `--config-path` oprtion: - -- `/home/config_all.toml`: Includes every rule. -- `/home/config_filenames_only.toml`: Gitleaks scans only file names and extensions. -- `/home/config_no_generics.toml`: No generic rules like searching for the word *password*. With this option you won't -find something like **password = Ej2ifDk2jfeo2**, but it will reduce resulting false positives. - -If you like to provide your custom ruleset, you can create a configMap and mount it into -the scan. Checkout the examples for more information about providing your own gitleaks rules config. -{{- end }} - -{{- define "extra.chartConfigurationSection" -}} -**Do not** override the option `--report-format` or `--report`. It is already configured for automatic findings parsing. - -## Additional Chart Configurations -### secureCodeBox extended GitLeaks Features - -:::info -If you run gitleaks based on a scheduledScan (e.g. one scan per day) it would be enough to scan all git-commits since the last executed schedule. -Instead of scanning all commits in the complete git history every day it would save a lot of resources to scan only all commits of the last day. 
- -_Problem is: This is a feature and configuration option gitleaks is currently not supporting._ - -That's why we created an [issue](https://github.com/zricethezav/gitleaks/issues/497) and a [pull request](https://github.com/zricethezav/gitleaks/pull/498) for that. -If you like the idea, please vote for our issue and PR. - -If you already want to use our implementation (fork) of this feature you can use our [gitleaks forked docker image](https://hub.docker.com/r/securecodebox/gitleaks) instead of the gitleaks original image. -::: +Starting with version 8.0, gitleaks no longer supports cloning the repository directly. +Instead, you will have to use an init container to do so. +[We provide example scan definitions below](https://docs.securecodebox.io/docs/scanners/gitleaks/#examples) that you can build on. +### Scanning Specific Timeframes +When running gitleaks as a [scheduled scan](https://docs.securecodebox.io/docs/how-tos/automatically-repeating-scans), you may not want to go through the entire repository history every time. +Gitleaks allows you to limit the commits it will scan using the `--log-opts` parameter, which accepts all parameters supported by `git log -p`. 
+For example, if you want to scan only commits made in the last 7 days, on all branches of the repository, use the following parameters: ```yaml -# Corresponding HelmChart Configuration -scanner: - image: - # scanner.image.repository -- Container Image to run the scan - repository: docker.io/securecodebox/scanner-gitleaks - # scanner.image.tag -- defaults to the charts version - tag: v7.3.0 -``` - -#### Deployment with extended GitLeaks -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install gitleaks secureCodeBox/gitleaks \ - --set="scanner.image.repository=docker.io/securecodebox/scanner-gitleaks" \ - --set="scanner.image.tag=v7.3.0" -``` - -#### Additional (Fork) Scanner configuration options -```bash ---commit-since-duration= Scan commits more recent than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each - with optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'. ---commit-until-duration= Scan commits older than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with - optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'. -``` - -#### Other useful options are: - -- `--commit-since`: Scan commits more recent than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. -- `--commit-until`: Scan commits older than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. -- `--repo-config`: Load config from target repo. Config file must be ".gitleaks.toml" or "gitleaks.toml". - -#### Finding format - -It is not an easy task to classify the severity of the scans because we can't tell for sure if the finding is e.g. a real -or a testing password. 
Another issue is that the rate of false positives for generic rules can be very high. Therefore, -we tried to classify the severity of the finding by looking at the accuracy of the rule which detected it. Rules for AWS -secrets or Artifactory tokens are very precise, so they get a high severity. Generic rules on the other hand get a low -severity because the often produce false positives. - -**Please keep in mind that findings with a low severity can be actually -very critical.** - -#### Cascading Rules - -If you want to scan multiple repositories from GitHub or gitlab automatically at once, you should -take a look at the cascading rules which get triggered by the **git-repo-scanner**. -For more information on how to use **git-repo-scanner** checkout the -[Readme](https://github.com/secureCodeBox/secureCodeBox/tree/main/scanners/git-repo-scanner). - -For cascading scans on public GitHub repositories you don't need any credentials. For the gitlab -and private GitHub rules you need to provide an access token via environment. You could do that with -the following commands: - -```bash -kubectl create secret generic github-access-token --from-literal="token=" -kubectl create secret generic gitlab-access-token --from-literal="token=" +parameters: + # Run gitleaks in "detect" mode + - "detect" + # Point it at the location of the repository + - "--source" + - "/repo/" + # Only consider commits within the last 7 days, on all branches + - "--log-opts=--since=7days --all --full-history" ``` +Note that the parameters to `--log-opts` are not quoted separately due to the way the scanner is called inside secureCodeBox - adding extra quotes will break the scan! +It is important to remember to pass `--all --full-history` when using `--log-opts`, as otherwise only the default branch will be scanned (when not using `--log-opts`, gitleaks adds these parameters implicitly). 
+ +### Human-Friendly Commit URLs +Before gitleaks 8.0, the findings used to contain a direct link to the commit that contained the secret. +The base URL was pulled from the parameter given to gitleaks. +Since this is no longer possible, we cannot automatically infer which repository the commits belong to. +However, you can provide this information manually using a scan annotation called `metadata.scan.securecodebox.io/git-repo-url`. +See the examples below on how to use it. + +### Cascading Scans +Gitleaks works well in conjunction with [git-repo-scanner](https://docs.securecodebox.io/docs/scanners/git-repo-scanner) to enumerate Git repositories and scan them using cascading rules. +We do not ship default cascading rules for this purpose. +However, you can find instructions on running such cascading scans in [this article](https://docs.securecodebox.io/blog/2021/10/27/sast-scanning) - simply adapt it to use gitleaks instead of semgrep and you are good to go. + +### Providing Your Own Ruleset +SecureCodeBox used to ship a number of default rulesets. +We have stopped doing this, as the official ruleset of gitleaks is much more up-to-date and well-maintained. +However, if you still want to write and use your own rulesets, we [provide an example below](https://docs.securecodebox.io/docs/scanners/gitleaks#provide-own-rules). +The parser will set all found issues to `medium` severity by default. +To override the severity in your own rulesets, include the result tag "HIGH" or "LOW" in your gitleaks rule. +{{- end }} -For more information on how to use cascades take a look at -[Scanning Networks Example](https://docs.securecodebox.io/docs/how-tos/scanning-networks/) +{{- define "extra.chartConfigurationSection" -}} +**Do not** override the option `--report-format` or `--report-path`. It is already configured for automatic findings parsing. {{- end }} {{- define "extra.scannerLinksSection" -}} 
diff --git a/scanners/gitleaks/docs/README.ArtifactHub.md b/scanners/gitleaks/docs/README.ArtifactHub.md index dcd7cc0ee8..00c5fe59a1 100644 --- a/scanners/gitleaks/docs/README.ArtifactHub.md +++ b/scanners/gitleaks/docs/README.ArtifactHub.md 
@@ -57,110 +57,54 @@ helm upgrade --install gitleaks secureCodeBox/gitleaks ``` ## Scanner Configuration +For a complete overview of the configuration options, see the +[Gitleaks documentation](https://github.com/zricethezav/gitleaks#usage). -For a complete overview of the configuration options checkout the -[Gitleaks documentation](https://github.com/zricethezav/gitleaks/wiki/Options). - -The only mandatory parameters are: -- `-r`: The link to the repository you want to scan. -- `--access-token`: Only for non-public repositories. -- `--username` and `--password`: Only for non-public repositories. -- `--config-path`: The ruleset you want to use. - -#### Ruleset - -At this point we provide three rulesets which you can pass to the `--config-path` oprtion: - -- `/home/config_all.toml`: Includes every rule. -- `/home/config_filenames_only.toml`: Gitleaks scans only file names and extensions. -- `/home/config_no_generics.toml`: No generic rules like searching for the word *password*. With this option you won't -find something like **password = Ej2ifDk2jfeo2**, but it will reduce resulting false positives. - -If you like to provide your custom ruleset, you can create a configMap and mount it into -the scan. Checkout the examples for more information about providing your own gitleaks rules config. - -## Requirements - -Kubernetes: `>=v1.11.0-0` - -**Do not** override the option `--report-format` or `--report`. It is already configured for automatic findings parsing. - -## Additional Chart Configurations -### secureCodeBox extended GitLeaks Features - -:::info -If you run gitleaks based on a scheduledScan (e.g. one scan per day) it would be enough to scan all git-commits since the last executed schedule. -Instead of scanning all commits in the complete git history every day it would save a lot of resources to scan only all commits of the last day. 
- -_Problem is: This is a feature and configuration option gitleaks is currently not supporting._ - -That's why we created an [issue](https://github.com/zricethezav/gitleaks/issues/497) and a [pull request](https://github.com/zricethezav/gitleaks/pull/498) for that. -If you like the idea, please vote for our issue and PR. - -If you already want to use our implementation (fork) of this feature you can use our [gitleaks forked docker image](https://hub.docker.com/r/securecodebox/gitleaks) instead of the gitleaks original image. -::: +Starting with version 8.0, gitleaks no longer supports cloning the repository directly. +Instead, you will have to use an init container to do so. +[We provide example scan definitions below](https://docs.securecodebox.io/docs/scanners/gitleaks/#examples) that you can build on. +### Scanning Specific Timeframes +When running gitleaks as a [scheduled scan](https://docs.securecodebox.io/docs/how-tos/automatically-repeating-scans), you may not want to go through the entire repository history every time. +Gitleaks allows you to limit the commits it will scan using the `--log-opts` parameter, which accepts all parameters supported by `git log -p`. 
+For example, if you want to scan only commits made in the last 7 days, on all branches of the repository, use the following parameters: ```yaml -# Corresponding HelmChart Configuration -scanner: - image: - # scanner.image.repository -- Container Image to run the scan - repository: docker.io/securecodebox/scanner-gitleaks - # scanner.image.tag -- defaults to the charts version - tag: v7.3.0 +parameters: + # Run gitleaks in "detect" mode + - "detect" + # Point it at the location of the repository + - "--source" + - "/repo/" + # Only consider commits within the last 7 days, on all branches + - "--log-opts=--since=7days --all --full-history" ``` +Note that the parameters to `--log-opts` are not quoted separately due to the way the scanner is called inside secureCodeBox - adding extra quotes will break the scan! +It is important to remember to pass `--all --full-history` when using `--log-opts`, as otherwise only the default branch will be scanned (when not using `--log-opts`, gitleaks adds these parameters implicitly). + +### Human-Friendly Commit URLs +Before gitleaks 8.0, the findings used to contain a direct link to the commit that contained the secret. +The base URL was pulled from the parameter given to gitleaks. +Since this is no longer possible, we cannot automatically infer which repository the commits belong to. +However, you can provide this information manually using a scan annotation called `metadata.scan.securecodebox.io/git-repo-url`. +See the examples below on how to use it. + +### Cascading Scans +Gitleaks works well in conjunction with [git-repo-scanner](https://docs.securecodebox.io/docs/scanners/git-repo-scanner) to enumerate Git repositories and scan them using cascading rules. +We do not ship default cascading rules for this purpose. 
+However, you can find instructions on running such cascading scans in [this article](https://docs.securecodebox.io/blog/2021/10/27/sast-scanning) - simply adapt it to use gitleaks instead of semgrep and you are good to go. + +### Providing Your Own Ruleset +SecureCodeBox used to ship a number of default rulesets. +We have stopped doing this, as the official ruleset of gitleaks is much more up-to-date and well-maintained. +However, if you still want to write and use your own rulesets, we [provide an example below](https://docs.securecodebox.io/docs/scanners/gitleaks#provide-own-rules). +The parser will set all found issues to `medium` severity by default. +To override the severity in your own rulesets, include the result tag "HIGH" or "LOW" in your gitleaks rule. -#### Deployment with extended GitLeaks -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install gitleaks secureCodeBox/gitleaks \ - --set="scanner.image.repository=docker.io/securecodebox/scanner-gitleaks" \ - --set="scanner.image.tag=v7.3.0" -``` - -#### Additional (Fork) Scanner configuration options -```bash ---commit-since-duration= Scan commits more recent than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each - with optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'. ---commit-until-duration= Scan commits older than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with - optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'. -``` - -#### Other useful options are: - -- `--commit-since`: Scan commits more recent than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. 
-- `--commit-until`: Scan commits older than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. -- `--repo-config`: Load config from target repo. Config file must be ".gitleaks.toml" or "gitleaks.toml". - -#### Finding format - -It is not an easy task to classify the severity of the scans because we can't tell for sure if the finding is e.g. a real -or a testing password. Another issue is that the rate of false positives for generic rules can be very high. Therefore, -we tried to classify the severity of the finding by looking at the accuracy of the rule which detected it. Rules for AWS -secrets or Artifactory tokens are very precise, so they get a high severity. Generic rules on the other hand get a low -severity because the often produce false positives. - -**Please keep in mind that findings with a low severity can be actually -very critical.** - -#### Cascading Rules - -If you want to scan multiple repositories from GitHub or gitlab automatically at once, you should -take a look at the cascading rules which get triggered by the **git-repo-scanner**. -For more information on how to use **git-repo-scanner** checkout the -[Readme](https://github.com/secureCodeBox/secureCodeBox/tree/main/scanners/git-repo-scanner). - -For cascading scans on public GitHub repositories you don't need any credentials. For the gitlab -and private GitHub rules you need to provide an access token via environment. You could do that with -the following commands: +## Requirements -```bash -kubectl create secret generic github-access-token --from-literal="token=" -kubectl create secret generic gitlab-access-token --from-literal="token=" -``` +Kubernetes: `>=v1.11.0-0` -For more information on how to use cascades take a look at -[Scanning Networks Example](https://docs.securecodebox.io/docs/how-tos/scanning-networks/) +**Do not** override the option `--report-format` or `--report-path`. It is already configured for automatic findings parsing. ## Values 
diff --git a/scanners/gitleaks/docs/README.DockerHub-Hook.md b/scanners/gitleaks/docs/README.DockerHub-Hook.md new file mode 100644 index 0000000000..2147991ec8 --- /dev/null +++ b/scanners/gitleaks/docs/README.DockerHub-Hook.md @@ -0,0 +1,86 @@ + + + +

+ License Apache-2.0 + GitHub release (latest SemVer) + OWASP Incubator Project + Artifact HUB + GitHub Repo stars + Twitter Follower +

+ +## What is OWASP secureCodeBox? + +

+ secureCodeBox Logo +

+ +_[OWASP secureCodeBox][scb-github]_ is an automated and scalable open source solution that can be used to integrate various *security vulnerability scanners* with a simple and lightweight interface. The _secureCodeBox_ mission is to support *DevSecOps* Teams to make it easy to automate security vulnerability testing in different scenarios. + +With the _secureCodeBox_ we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues. + +The secureCodeBox project is running on [Kubernetes](https://kubernetes.io/). To install it you need [Helm](https://helm.sh), a package manager for Kubernetes. It is also possible to start the different integrated security vulnerability scanners based on a docker infrastructure. + +### Quickstart with secureCodeBox on kubernetes + +You can find resources to help you get started on our [documentation website](https://docs.securecodebox.io) including instruction on how to [install the secureCodeBox project](https://docs.securecodebox.io/docs/getting-started/installation) and guides to help you [run your first scans](https://docs.securecodebox.io/docs/getting-started/first-scans) with it. + +## Supported Tags +- `latest` (represents the latest stable release build) +- tagged releases, e.g. `v8.2.7` + +## How to use this image +This `hook` image is intended to work in combination with other `parser` images to read or manipulate `findings` results. For more information details please take a look at the [project page][scb-docs] or [documentation page][https://docs.securecodebox.io/docs/scanners/gitleaks]. + +```bash +docker pull securecodebox/hook-gitleaks +``` + +## What is Gitleaks? +Gitleaks is a free and open source tool for finding secrets in git repositories. 
+These secrets could be passwords, API keys, tokens, private keys or suspicious file names or +file extensions like *id_rsa*, *.pem*, *htpasswd*. Furthermore, gitleaks can scan your whole repository's history +with all commits up to the initial one. + +To learn more about gitleaks visit . + +## Community + +You are welcome, please join us on... 👋 + +- [GitHub][scb-github] +- [Slack][scb-slack] +- [Twitter][scb-twitter] + +secureCodeBox is an official [OWASP][scb-owasp] project. + +## License +[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) + +As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained). + +As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within. + +[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox +[scb-docs]: https://docs.securecodebox.io/ +[scb-site]: https://www.securecodebox.io/ +[scb-github]: https://github.com/secureCodeBox/ +[scb-twitter]: https://twitter.com/secureCodeBox +[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU +[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE + From e055ccc0afb4595a75286b8100da0ba2b48f0d20 Mon Sep 17 00:00:00 2001 From: malexmave Date: Tue, 25 Jan 2022 13:45:53 +0000 Subject: [PATCH 25/30] Updating Helm Docs Signed-off-by: GitHub Actions --- scanners/gitleaks/README.md | 138 +++++++++++------------------------- 1 file changed, 41 insertions(+), 97 deletions(-) diff --git a/scanners/gitleaks/README.md b/scanners/gitleaks/README.md index 77ce832a3b..85c093b9a4 100644 
--- a/scanners/gitleaks/README.md +++ b/scanners/gitleaks/README.md 
@@ -52,110 +52,54 @@ helm upgrade --install gitleaks secureCodeBox/gitleaks ``` ## Scanner Configuration +For a complete overview of the configuration options, see the +[Gitleaks documentation](https://github.com/zricethezav/gitleaks#usage). -For a complete overview of the configuration options checkout the -[Gitleaks documentation](https://github.com/zricethezav/gitleaks/wiki/Options). - -The only mandatory parameters are: -- `-r`: The link to the repository you want to scan. -- `--access-token`: Only for non-public repositories. -- `--username` and `--password`: Only for non-public repositories. -- `--config-path`: The ruleset you want to use. - -#### Ruleset - -At this point we provide three rulesets which you can pass to the `--config-path` oprtion: - -- `/home/config_all.toml`: Includes every rule. -- `/home/config_filenames_only.toml`: Gitleaks scans only file names and extensions. -- `/home/config_no_generics.toml`: No generic rules like searching for the word *password*. With this option you won't -find something like **password = Ej2ifDk2jfeo2**, but it will reduce resulting false positives. - -If you like to provide your custom ruleset, you can create a configMap and mount it into -the scan. Checkout the examples for more information about providing your own gitleaks rules config. - -## Requirements - -Kubernetes: `>=v1.11.0-0` - -**Do not** override the option `--report-format` or `--report`. It is already configured for automatic findings parsing. - -## Additional Chart Configurations -### secureCodeBox extended GitLeaks Features - -:::info -If you run gitleaks based on a scheduledScan (e.g. one scan per day) it would be enough to scan all git-commits since the last executed schedule. -Instead of scanning all commits in the complete git history every day it would save a lot of resources to scan only all commits of the last day. 
- -_Problem is: This is a feature and configuration option gitleaks is currently not supporting._ - -That's why we created an [issue](https://github.com/zricethezav/gitleaks/issues/497) and a [pull request](https://github.com/zricethezav/gitleaks/pull/498) for that. -If you like the idea, please vote for our issue and PR. - -If you already want to use our implementation (fork) of this feature you can use our [gitleaks forked docker image](https://hub.docker.com/r/securecodebox/gitleaks) instead of the gitleaks original image. -::: +Starting with version 8.0, gitleaks no longer supports cloning the repository directly. +Instead, you will have to use an init container to do so. +[We provide example scan definitions below](https://docs.securecodebox.io/docs/scanners/gitleaks/#examples) that you can build on. +### Scanning Specific Timeframes +When running gitleaks as a [scheduled scan](https://docs.securecodebox.io/docs/how-tos/automatically-repeating-scans), you may not want to go through the entire repository history every time. +Gitleaks allows you to limit the commits it will scan using the `--log-opts` parameter, which accepts all parameters supported by `git log -p`. 
+For example, if you want to scan only commits made in the last 7 days, on all branches of the repository, use the following parameters: ```yaml -# Corresponding HelmChart Configuration -scanner: - image: - # scanner.image.repository -- Container Image to run the scan - repository: docker.io/securecodebox/scanner-gitleaks - # scanner.image.tag -- defaults to the charts version - tag: v7.3.0 +parameters: + # Run gitleaks in "detect" mode + - "detect" + # Point it at the location of the repository + - "--source" + - "/repo/" + # Only consider commits within the last 7 days, on all branches + - "--log-opts=--since=7days --all --full-history" ``` +Note that the parameters to `--log-opts` are not quoted separately due to the way the scanner is called inside secureCodeBox - adding extra quotes will break the scan! +It is important to remember to pass `--all --full-history` when using `--log-opts`, as otherwise only the default branch will be scanned (when not using `--log-opts`, gitleaks adds these parameters implicitly). + +### Human-Friendly Commit URLs +Before gitleaks 8.0, the findings used to contain a direct link to the commit that contained the secret. +The base URL was pulled from the parameter given to gitleaks. +Since this is no longer possible, we cannot automatically infer which repository the commits belong to. +However, you can provide this information manually using a scan annotation called `metadata.scan.securecodebox.io/git-repo-url`. +See the examples below on how to use it. + +### Cascading Scans +Gitleaks works well in conjunction with [git-repo-scanner](https://docs.securecodebox.io/docs/scanners/git-repo-scanner) to enumerate Git repositories and scan them using cascading rules. +We do not ship default cascading rules for this purpose. 
+However, you can find instructions on running such cascading scans in [this article](https://docs.securecodebox.io/blog/2021/10/27/sast-scanning) - simply adapt it to use gitleaks instead of semgrep and you are good to go. + +### Providing Your Own Ruleset +SecureCodeBox used to ship a number of default rulesets. +We have stopped doing this, as the official ruleset of gitleaks is much more up-to-date and well-maintained. +However, if you still want to write and use your own rulesets, we [provide an example below](https://docs.securecodebox.io/docs/scanners/gitleaks#provide-own-rules). +The parser will set all found issues to `medium` severity by default. +To override the severity in your own rulesets, include the result tag "HIGH" or "LOW" in your gitleaks rule. -#### Deployment with extended GitLeaks -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install gitleaks secureCodeBox/gitleaks \ - --set="scanner.image.repository=docker.io/securecodebox/scanner-gitleaks" \ - --set="scanner.image.tag=v7.3.0" -``` - -#### Additional (Fork) Scanner configuration options -```bash ---commit-since-duration= Scan commits more recent than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each - with optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'. ---commit-until-duration= Scan commits older than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with - optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'. -``` - -#### Other useful options are: - -- `--commit-since`: Scan commits more recent than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. 
-- `--commit-until`: Scan commits older than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. -- `--repo-config`: Load config from target repo. Config file must be ".gitleaks.toml" or "gitleaks.toml". - -#### Finding format - -It is not an easy task to classify the severity of the scans because we can't tell for sure if the finding is e.g. a real -or a testing password. Another issue is that the rate of false positives for generic rules can be very high. Therefore, -we tried to classify the severity of the finding by looking at the accuracy of the rule which detected it. Rules for AWS -secrets or Artifactory tokens are very precise, so they get a high severity. Generic rules on the other hand get a low -severity because the often produce false positives. - -**Please keep in mind that findings with a low severity can be actually -very critical.** - -#### Cascading Rules - -If you want to scan multiple repositories from GitHub or gitlab automatically at once, you should -take a look at the cascading rules which get triggered by the **git-repo-scanner**. -For more information on how to use **git-repo-scanner** checkout the -[Readme](https://github.com/secureCodeBox/secureCodeBox/tree/main/scanners/git-repo-scanner). - -For cascading scans on public GitHub repositories you don't need any credentials. For the gitlab -and private GitHub rules you need to provide an access token via environment. You could do that with -the following commands: +## Requirements -```bash -kubectl create secret generic github-access-token --from-literal="token=" -kubectl create secret generic gitlab-access-token --from-literal="token=" -``` +Kubernetes: `>=v1.11.0-0` -For more information on how to use cascades take a look at -[Scanning Networks Example](https://docs.securecodebox.io/docs/how-tos/scanning-networks/) +**Do not** override the option `--report-format` or `--report-path`. It is already configured for automatic findings parsing. ## Values 
From 7cd4e8a1282572da57ae533ecb6f5f4b582f13f4 Mon Sep 17 00:00:00 2001
From: Max Maass
Date: Tue, 25 Jan 2022 14:46:26 +0100
Subject: [PATCH 26/30] Add empty commit to restart CI
Signed-off-by: Max Maass
From ffc40e7cd22f10ef6606b14bbfb5bc4f23947290 Mon Sep 17 00:00:00 2001
From: Max Maass
Date: Tue, 25 Jan 2022 14:55:46 +0100
Subject: [PATCH 27/30] SCB-Bot: Re-enable version check for gitleaks
Signed-off-by: Max Maass
---
 .github/workflows/scb-bot.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scb-bot.yaml b/.github/workflows/scb-bot.yaml
index 5d9d357a13..482127c513 100644
--- a/.github/workflows/scb-bot.yaml
+++ b/.github/workflows/scb-bot.yaml
@@ -11,7 +11,7 @@ jobs:
 - amass
 - angularjs-csti-scanner
 - cmseek
-# - gitleaks
+- gitleaks
 - kube-hunter
 - kubeaudit
 - ncrack
From 1e13785e169044056ec95930d3bf28855946e593 Mon Sep 17 00:00:00 2001
From: Max Maass
Date: Fri, 25 Feb 2022 09:10:15 +0100
Subject: [PATCH 28/30] Run git clone with --mirror in examples
The git clone should use the --mirror option to ensure the full repository is cloned. Otherwise the data may be incomplete. See https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/
Signed-off-by: Max Maass
---
 scanners/gitleaks/examples/private-repository/scan.yaml | 3 +++
 scanners/gitleaks/examples/provide-own-rules/scan.yaml | 3 +++
 scanners/gitleaks/examples/secureCodeBox/scan.yaml | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/scanners/gitleaks/examples/private-repository/scan.yaml b/scanners/gitleaks/examples/private-repository/scan.yaml
index d01adf184f..a81a539a3d 100644
--- a/scanners/gitleaks/examples/private-repository/scan.yaml
+++ b/scanners/gitleaks/examples/private-repository/scan.yaml
@@ -30,6 +30,9 @@ spec:
 command:
 - git
 - clone
+ # Use the --mirror clone to get the complete repository, otherwise findings may be
+ # incomplete. See https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/
+ - "--mirror"
 # Add access token to the URL for authenticated HTTPS clone
 - "https://$(GITHUB_TOKEN)@github.com/yourOrg/yourRepo"
 - /repo/
diff --git a/scanners/gitleaks/examples/provide-own-rules/scan.yaml b/scanners/gitleaks/examples/provide-own-rules/scan.yaml
index d2da767647..db53b48f72 100644
--- a/scanners/gitleaks/examples/provide-own-rules/scan.yaml
+++ b/scanners/gitleaks/examples/provide-own-rules/scan.yaml
@@ -58,6 +58,9 @@ spec:
 command:
 - git
 - clone
+ # Use the --mirror clone to get the complete repository, otherwise findings may be
+ # incomplete. See https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/
+ - "--mirror"
 - "https://github.com/secureCodeBox/secureCodeBox"
 - /repo/
 parameters:
diff --git a/scanners/gitleaks/examples/secureCodeBox/scan.yaml b/scanners/gitleaks/examples/secureCodeBox/scan.yaml
index 1faa8ed7a7..9b5ea5be9c 100644
--- a/scanners/gitleaks/examples/secureCodeBox/scan.yaml
+++ b/scanners/gitleaks/examples/secureCodeBox/scan.yaml
@@ -30,6 +30,9 @@ spec:
 command:
 - git
 - clone
+ # Use the --mirror clone to get the complete repository, otherwise findings may be
+ # incomplete. See https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/
+ - "--mirror"
 - "https://github.com/secureCodeBox/secureCodeBox"
 - /repo/
 parameters:
From 39d54cb59b7d544ec8a03c6ba3bc4ba754b362d5 Mon Sep 17 00:00:00 2001
From: Max Maass
Date: Fri, 25 Feb 2022 11:15:00 +0100
Subject: [PATCH 29/30] Upgrade gitleaks to 8.3.0
Signed-off-by: Max Maass
---
 scanners/gitleaks/Chart.yaml | 2 +-
 scanners/gitleaks/README.md | 2 +-
 scanners/gitleaks/docs/README.DockerHub-Parser.md | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/scanners/gitleaks/Chart.yaml b/scanners/gitleaks/Chart.yaml
index 6b15d33e3c..d835245945 100644
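Review bot: `--mirror` implies `--bare`, so after this init step `/repo/` holds only git's object store and refs with no checked-out files; the default gitleaks history scan still works on that, but anyone adapting the example to gitleaks' `--no-git` file-system mode would be walking git's internal files (config, packed refs, objects) rather than source files. The added comment could state this, e.g. `# Note: --mirror implies --bare, so /repo/ has no working tree; do not combine with gitleaks' --no-git mode.` The same applies to the provide-own-rules and secureCodeBox example hunks later in this commit, which add the identical three lines. A mirror clone also fetches every ref the server advertises, so clone time and disk usage of the init container can grow noticeably on large repositories, which may deserve a sentence in the README alongside the examples. The initContainer `command` list these lines belong to starts before the hunk.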
--- a/scanners/gitleaks/Chart.yaml +++ b/scanners/gitleaks/Chart.yaml @@ -8,7 +8,7 @@ description: A Helm chart for the gitleaks repository scanner that integrates wi type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: v3.1.0-alpha1 -appVersion: "v8.2.7" +appVersion: "v8.3.0" kubeVersion: ">=v1.11.0-0" annotations: versionApi: https://api.github.com/repos/zricethezav/gitleaks/releases/latest diff --git a/scanners/gitleaks/README.md b/scanners/gitleaks/README.md index 65c4226fa8..8fc17aaf3f 100644 --- a/scanners/gitleaks/README.md +++ b/scanners/gitleaks/README.md @@ -3,7 +3,7 @@ title: "Gitleaks" category: "scanner" type: "Repository" state: "released" -appVersion: "v8.2.7" +appVersion: "v8.3.0" usecase: "Find potential secrets in repositories" --- diff --git a/scanners/gitleaks/docs/README.DockerHub-Parser.md b/scanners/gitleaks/docs/README.DockerHub-Parser.md index 3a91be4be2..1945aaa7b1 100644 --- a/scanners/gitleaks/docs/README.DockerHub-Parser.md +++ b/scanners/gitleaks/docs/README.DockerHub-Parser.md @@ -42,7 +42,7 @@ You can find resources to help you get started on our [documentation website](ht ## Supported Tags - `latest` (represents the latest stable release build) -- tagged releases, e.g. `v8.2.7` +- tagged releases, e.g. `v8.3.0` ## How to use this image This `parser` image is intended to work in combination with the corresponding security scanner docker image to parse the `findings` results. For more information details please take a look at the documentation page: https://docs.securecodebox.io/docs/scanners/gitleaks. From ee5222045b002d10fcc36a7d851575d66c4b7295 Mon Sep 17 00:00:00 2001 From: Max Maass Date: Thu, 10 Mar 2022 13:18:13 +0100 Subject: [PATCH 30/30] Make example-scan name style consistent Signed-off-by: Max Maass --- scanners/gitleaks/examples/private-repository/scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/scanners/gitleaks/examples/private-repository/scan.yaml b/scanners/gitleaks/examples/private-repository/scan.yaml
index 344f0cc0bb..a9297dd40f 100644
--- a/scanners/gitleaks/examples/private-repository/scan.yaml
+++ b/scanners/gitleaks/examples/private-repository/scan.yaml
@@ -5,7 +5,7 @@
 apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
- name: "authenticated-clone.example"
+ name: "authenticated-clone-example"
 annotations:
 metadata.scan.securecodebox.io/git-repo-url: "https://github.com/yourOrg/yourRepo"
 spec: