Find secrets and passwords in container images and file systems

Overview


What are Secrets?

Secrets are any kind of sensitive or private data that grants authorized users access to critical IT infrastructure (accounts, devices, networks, cloud services), applications, storage, databases and other critical data of an organization. Passwords, AWS access key IDs, AWS secret access keys and Google OAuth keys are all examples of secrets. Secrets must be kept strictly private. However, attackers can sometimes obtain them easily because of flawed security policies or inadvertent developer mistakes: developers use default secrets, or leave hard-coded passwords, API keys, encryption keys, SSH keys and tokens in container images, especially during rapid development and deployment cycles in a CI/CD pipeline; users sometimes store passwords in plain text. Leakage of secrets to unauthorized parties puts your organization and infrastructure at serious security risk.

Deepfence SecretScanner helps users scan their container images or local directories on hosts and outputs a JSON file with details of all the secrets found.

Check out our blog for more details.

Command line options

Running as a container

$ docker run -it --name=deepfence-secretscanner -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker deepfenceio/secretscanning:latest

Usage of /home/deepfence/src/SecretScanner/SecretScanner:
  -config-path string
    	Searches for config.yaml from given directory. If not set, tries to find it from SecretScanner binary's and current directory
  -debug-level string
    	Debug levels are one of FATAL, ERROR, IMPORTANT, WARN, INFO, DEBUG. Only levels higher than the debug-level are displayed (default "ERROR")
  -image-name string
    	Name of the image along with tag to scan for secrets
  -local string
    	Specify local directory (absolute path) which to scan. Scans only given directory recursively.
  -max-multi-match uint
    	Maximum number of matches of same pattern in one file. This is used only when multi-match option is enabled. (default 3)
  -maximum-file-size uint
    	Maximum file size to process in KB (default 256)
  -multi-match
    	Output multiple matches of same pattern in one file. By default, only one match of a pattern is output for a file for better performance
  -temp-directory string
    	Directory to process and store repositories/matches (default "/tmp/Deepfence/SecretScanning")
  -threads int
    	Number of concurrent threads (default number of logical CPUs)

Running on host

$ ./SecretScanner

Usage of ./SecretScanner:
  -config-path string
    	Searches for config.yaml from given directory. If not set, tries to find it from SecretScanner binary's and current directory
  -debug-level string
    	Debug levels are one of FATAL, ERROR, IMPORTANT, WARN, INFO, DEBUG. Only levels higher than the debug-level are displayed (default "ERROR")
  -image-name string
    	Name of the image along with tag to scan for secrets
  -local string
    	Specify local directory (absolute path) which to scan. Scans only given directory recursively.
  -max-multi-match uint
    	Maximum number of matches of same pattern in one file. This is used only when multi-match option is enabled. (default 3)
  -maximum-file-size uint
    	Maximum file size to process in KB (default 256)
  -multi-match
    	Output multiple matches of same pattern in one file. By default, only one match of a pattern is output for a file for better performance
  -temp-directory string
    	Directory to process and store repositories/matches (default "/tmp/Deepfence/SecretScanning")
  -threads int
    	Number of concurrent threads (default number of logical CPUs)

Quickly Try Using Docker

Install Docker and run SecretScanner on a container image using the following instructions. Note that mounting /var/run/docker.sock gives the scanner container full control of the host's Docker daemon, which is equivalent to root on the host, so run these commands only on a host where you accept that.

  • Build SecretScanner:

docker build --rm=true --tag=deepfenceio/secretscanning:latest -f Dockerfile .

  • Or, pull the latest build from docker hub by doing:

docker pull deepfenceio/secretscanning

  • Pull a container image for scanning:

docker pull node:8.11

  • Run SecretScanner:
    • Scan a container image:

      docker run -it --name=deepfence-secretscanner -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker deepfenceio/secretscanning:latest -image-name node:8.11
      
    • Scan a local directory:

      docker run -it --name=deepfence-secretscanner -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker deepfenceio/secretscanning:latest -local /home/deepfence/src/SecretScanner/test
      

SecretScanner also writes JSON files with details of all the secrets found to its current working directory. For the container commands above that directory is /home/deepfence/output inside the container, so bind-mount a host directory onto it (for example, add -v $(pwd):/home/deepfence/output) if the results are to survive the container. The commands also give the container a fixed name, deepfence-secretscanner; remove it with docker rm, or add --rm to the docker run command, before starting a second scan.
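A consumer for the JSON that the commands above produce, as an added example rather than SecretScanner's own code: it reads the output, ignores matches whose path or matched text contains a chosen substring (vendored test keys in a package cache, placeholder values), counts findings by severity and fails the build when any remaining match scores at or above a threshold. The record fields (Full File Name, Matched Rule Name, Severity, Severity Score, Matched Contents) are the ones quoted in the issues further down this page; that the file is a top-level JSON array of such records, the function names Triage and Redact, the threshold of 8.0, the ignore list and the sample records are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"os"
	"sort"
	"strings"
)

// Finding declares the per-secret fields quoted in the issues on this page;
// encoding/json ignores any other fields present in the file.
type Finding struct {
	RuleName string  `json:"Matched Rule Name"`
	Severity string  `json:"Severity"`
	Score    float64 `json:"Severity Score"`
	File     string  `json:"Full File Name"`
	Contents string  `json:"Matched Contents"`
}

// Summary is what a CI step needs: counts per severity, the affected files,
// and the findings that block the build, highest score first.
type Summary struct {
	BySeverity map[string]int
	Files      []string
	Blocking   []Finding
}

// Triage parses the scanner's JSON (assumed to be a top-level array of
// records), drops matches whose path or matched text contains any ignore
// substring, and marks every remaining match scoring >= minScore as blocking.
func Triage(raw []byte, minScore float64, ignore []string) (Summary, error) {
	var findings []Finding
	if err := json.Unmarshal(raw, &findings); err != nil {
		return Summary{}, fmt.Errorf("parse scanner output: %w", err)
	}
	s := Summary{BySeverity: map[string]int{}}
	seen := map[string]bool{}
	for _, f := range findings {
		if ignored(f, ignore) {
			continue
		}
		s.BySeverity[strings.ToLower(f.Severity)]++
		if !seen[f.File] {
			seen[f.File] = true
			s.Files = append(s.Files, f.File)
		}
		if f.Score >= minScore {
			s.Blocking = append(s.Blocking, f)
		}
	}
	sort.Strings(s.Files)
	sort.SliceStable(s.Blocking, func(i, j int) bool { return s.Blocking[i].Score > s.Blocking[j].Score })
	return s, nil
}

// ignored reports whether the file path or the matched text carries one of
// the ignore substrings (case sensitive).
func ignored(f Finding, ignore []string) bool {
	for _, sub := range ignore {
		if strings.Contains(f.File, sub) || strings.Contains(f.Contents, sub) {
			return true
		}
	}
	return false
}

// Redact keeps the first and last four characters of a match so it can be
// located in the file without copying the secret itself into the CI log.
func Redact(s string) string {
	if len(s) <= 8 {
		return strings.Repeat("*", len(s))
	}
	return s[:4] + strings.Repeat("*", len(s)-8) + s[len(s)-4:]
}

// sampleOutput is constructed for this example: the paths and rule names follow
// the records quoted in the issues on this page, the secret values are fake.
const sampleOutput = `[
 {"Matched Rule Name": "Generic credentials", "Severity": "high", "Severity Score": 10, "Full File Name": "app/config/settings.py", "Matched Contents": "DB_PASSWORD = \"s3cr3t-pr0d-passw0rd\""},
 {"Matched Rule Name": "Contains a private key", "Severity": "medium", "Severity Score": 5.08, "Full File Name": "home/app/.ssh/id_rsa", "Matched Contents": "-----BEGIN RSA PRIVATE KEY-----"},
 {"Matched Rule Name": "Contains a private key", "Severity": "medium", "Severity Score": 5.08, "Full File Name": "usr/local/share/.cache/yarn/v6/npm-proxy-agent-5.0.0/node_modules/proxy-agent/test/ssl-cert-snakeoil.key", "Matched Contents": "-----BEGIN RSA PRIVATE KEY-----"},
 {"Matched Rule Name": "Generic credentials", "Severity": "high", "Severity Score": 10, "Full File Name": "etc/app/db.json", "Matched Contents": "\"rootMariaPwd\": \"MYSQL_ROOT_PASSWORD_EXAMPLE\""}
]`

func main() {
	// "/.cache/yarn/" drops vendored test keys in a package cache, "_EXAMPLE"
	// drops placeholder values: the two false positives reported on this page.
	s, err := Triage([]byte(sampleOutput), 8.0, []string{"/.cache/yarn/", "_EXAMPLE"})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("by severity: %v\nfiles: %v\n", s.BySeverity, s.Files)
	for _, f := range s.Blocking {
		fmt.Printf("BLOCK %s [%s, %s] %s\n", f.File, f.RuleName, f.Severity, Redact(f.Contents))
	}
	if len(s.Blocking) > 0 {
		os.Exit(1) // fail the pipeline on any unignored high-scoring match
	}
}
```

To run it against a real scan, replace the embedded sampleOutput with the bytes of the JSON file the scanner wrote into the mounted output directory (os.ReadFile), and let the non-zero exit status fail the CI job; Redact keeps the matched text recognisable in the job log without echoing the secret into yet another place it would have to be scrubbed from.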

Build Instructions

  1. Install Docker
  2. Install Hyperscan
  3. Install Go for your platform (version 1.14)
  4. Install the Go modules, if needed: gohs, yaml.v3 and color
  5. go get github.com/deepfence/SecretScanner will download and build SecretScanner automatically in the $GOPATH/bin or $HOME/go/bin directory. Or, clone this repository and run go build -v -i to build the executable in the current directory.
  6. Edit the config.yaml file as needed and run the secret scanner with the appropriate config file directory.

For reference, the Install file has commands to build on an Ubuntu system.

Instructions to Run on Local Host

./SecretScanner --help

./SecretScanner -config-path /path/to/config.yaml/dir -local test

./SecretScanner -config-path /path/to/config.yaml/dir -image-name node:8.11

Sample Secrets Json Output

[image: sample secrets JSON output]

Credits

We have built upon the configuration file from the shhgit project.

Disclaimer

This tool is not meant to be used for hacking. Please use it only for legitimate purposes like detecting secrets on the infrastructure you own, not on others' infrastructure. DEEPFENCE shall not be liable for loss of profit, loss of business, other financial loss, or any other loss or damage which may be caused, directly or indirectly, by the inadequacy of SecretScanner for any purpose or use thereof or by any defect or deficiency therein.

Comments
  • Crashed when scanning big sized image.

    Hi, I used this tool to scan an image whose size is 26.83GB, then I received a fatal error:

    scanImage: Could not save container image: exit status 1. Check if the image name is correct.
    main: error while scanning image: exit status 1
    panic: Fatal error....

    goroutine 1 [running]:
    github.com/deepfence/SecretScanner/core.(*Logger).Log(0x4000800f5b, 0x5, {0x1094c61, 0x24}, {0xc00045dee8, 0x1, 0x1})
    	/home/deepfence/src/SecretScanner/core/log.go:68 +0x25e
    github.com/deepfence/SecretScanner/core.(*Logger).Fatal(...)
    	/home/deepfence/src/SecretScanner/core/log.go:73
    main.runOnce()
    	/home/deepfence/src/SecretScanner/main.go:108 +0x145
    main.main()
    	/home/deepfence/src/SecretScanner/main.go:148 +0x114

    opened by JackTien 11
  • Remove baseDir from IsSkippableDir

    • I would expect that if "{sep}var{sep}lib{sep}docker" is included in blacklisted_paths that the contents of /var/lib/docker will not be scanned
    • However, when scanning docker images, baseDir = /tmp/Deepfence/SecretScanning/df_<image_name><imagetag>/ExtractedFiles which means that /var/lib/docker is not skipped
    • Removing baseDir from the IsSkippableDir check also allows for matching multiple directories with one pattern
      • If this is seen as undesirable then we could always use strings.HasPrefix

    Love the software and am keen to use it in CI pipelines but need to be able to effectively ignore directories to control false positives 🙂

    opened by j0nnyr0berts 4
  • can't install from repo

    I'm getting this error:

    output/output.go:11:2: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /go/src/github.com/deepfence/SecretScanner/agent-plugins-grpc/go.mod: no such file or directory
    
    opened by dcu 3
  • Skip matches containing strings using blacklisted_strings

    Hi,

    I'm running the SecretScanner in local mode using the docker image: docker run --rm -v /tmp/vulnerable_repo:/target -v /tmp/test_sec:/artifacts deepfenceio/deepfence_secret_scanner -config-path /artifacts -debug-level DEBUG -multi-match -maximum-file-size 512 -max-multi-match 5 -json-filename report.json -output-path /artifacts -local /target

    The tool works perfectly, and it detects all the repository secrets.

    But in some cases the target repositories may contain files with meta attributes. For example:

    {
        "mariadb": {
            "host": "MARIADB_HOST",
            "port": "MARIADB_PORT",
            "rootMariaPwd": "MYSQL_ROOT_PASSWORD_EXAMPLE"
        }
    }
    

    I'm trying to whitelist all the matches containing the string _EXAMPLE, with no success:

    # Secret Scanner Configuration File
    
    blacklisted_extensions: []
    blacklisted_paths: []
    blacklisted_strings:
    - _EXAMPLE
    
    signatures:
    - name: Generic credentials
      part: contents
      regex: (?i)(?:'|"){0,1}(?:[a-z0-9\-_.]{0,25})(?:key|api|apikey|token|secret|client|pass|pwd|passwd|password|auth|cred|authentication)(?:[0-9a-z\-_\s.]{0,20})(?:'|"){0,1}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=){0,5}([0-9a-z\-_\.=:@!]{8,512})['|\"|\n|\r|\s]
      regextype: 'large'
      severity: high
      severityscore: 10
    

    Is there something wrong with my configuration, or is it a SecretScanner bug?

    opened by j0k2r 3
  • Docker build fails on MacOS Catalina 10.15.7

    Building the docker image fails when trying to compile hyperscan:

    $ docker build --rm=true --tag=deepfenceio/secretscanning:latest -f Dockerfile .
    
    [snip]
    
    #6 341.4 [ 54%] Building CXX object CMakeFiles/hs_compile.dir/src/nfagraph/ng_literal_decorated.cpp.o
    #6 341.6 [ 54%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/nfa/truffle.c.o
    #6 343.6 [ 54%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/som/som_runtime.c.o
    #6 343.9 [ 54%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/som/som_stream.c.o
    #6 344.3 [ 54%] Building CXX object CMakeFiles/hs_compile.dir/src/nfagraph/ng_mcclellan.cpp.o
    #6 345.9 [ 54%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/nfa/sheng.c.o
    #6 346.6 [ 54%] Building CXX object CMakeFiles/hs_compile.dir/src/nfagraph/ng_limex.cpp.o
    #6 347.0 [ 54%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/rose/block.c.o
    #6 347.5 [ 55%] Building CXX object CMakeFiles/hs_compile.dir/src/nfagraph/ng_limex_accel.cpp.o
    #6 348.8 [ 55%] Building CXX object CMakeFiles/hs_compile.dir/src/nfagraph/ng_misc_opt.cpp.o
    #6 350.8 [ 55%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/nfa/shufti.c.o
    #6 350.8 [ 55%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/rose/catchup.c.o
    #6 353.6 [ 55%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/nfa/tamarama.c.o
    #6 389.1 c++: internal compiler error: Killed (program cc1plus)
    #6 389.1 Please submit a full bug report,
    #6 389.1 with preprocessed source if appropriate.
    #6 389.1 See <file:///usr/share/doc/gcc-7/README.Bugs> for instructions.
    #6 389.1 CMakeFiles/hs_compile.dir/build.make:1536: recipe for target 'CMakeFiles/hs_compile.dir/src/nfagraph/ng_mcclellan.cpp.o' failed
    #6 389.1 make[2]: *** [CMakeFiles/hs_compile.dir/src/nfagraph/ng_mcclellan.cpp.o] Error 4
    #6 389.1 make[2]: *** Waiting for unfinished jobs....
    #6 389.2 [ 56%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/rose/init.c.o
    #6 392.1 [ 56%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/nfa/truffle.c.o
    #6 392.3 [ 57%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/som/som_runtime.c.o
    #6 392.3 [ 57%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/som/som_stream.c.o
    #6 392.3 [ 57%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/rose/stream.c.o
    #6 393.0 [ 57%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/rose/match.c.o
    #6 394.3 CMakeFiles/Makefile2:512: recipe for target 'CMakeFiles/hs_compile.dir/all' failed
    #6 394.3 make[1]: *** [CMakeFiles/hs_compile.dir/all] Error 2
    #6 394.3 [ 57%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/rose/block.c.o
    #6 394.8 [ 57%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/rose/catchup.c.o
    #6 395.1 [ 57%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/rose/init.c.o
    #6 398.7 [ 57%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/rose/program_runtime.c.o
    #6 398.9 [ 57%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/util/multibit.c.o
    #6 399.9 [ 57%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/rose/stream.c.o
    #6 400.1 [ 58%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/rose/match.c.o
    #6 400.2 [ 58%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/rose/program_runtime.c.o
    #6 403.2 [ 58%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/util/multibit.c.o
    #6 404.2 [ 58%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/util/simd_utils.c.o
    #6 406.8 [ 58%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/util/state_compress.c.o
    #6 408.1 [ 58%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/database.c.o
    #6 408.1 [ 58%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/util/simd_utils.c.o
    #6 408.4 [ 59%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/util/state_compress.c.o
    #6 411.4 [ 59%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/database.c.o
    #6 421.1 [ 59%] Built target hs_exec_shared_corei7
    #6 421.3 [ 59%] Built target hs_exec_shared_core2
    #6 421.3 make: *** [all] Error 2
    #6 421.3 Makefile:129: recipe for target 'all' failed
    ------
    executor failed running [/bin/sh -c mkdir -p /usr/local/include/ &&     cd /usr/local/include/ &&     git clone https://github.com/intel/hyperscan.git &&     mkdir /usr/local/include/hs &&     cd /usr/local/include/hs &&     export MAKEFLAGS=-j$(nproc) &&     cmake -DBUILD_STATIC_AND_SHARED=1 /usr/local/include/hyperscan &&     echo "/usr/local/lib" | tee --append /etc/ld.so.conf.d/usrlocal.conf &&     cd /usr/local/include/hs && make && make install]: exit code: 2
    

    I'm relatively new to docker, so if you can provide the steps to grab any log files you might be interested in, I'm happy to do so. Pulling the docker image from docker hub appears to work fine, and is a valid workaround.

    opened by BlakeBLuther 3
  • Blacklisted problem

    Hi, I saw blacklisted_paths in config.yaml. I use a customized content pattern, but the result does not skip the blacklisted_paths path. Does blacklisted_paths work in scan image mode?

    opened by Ethonwu 2
  • --json-file is invalid flag

    See:

    Initializing....
    flag provided but not defined: -json-file
    Usage of /home/deepfence/usr/SecretScanner:
      -config-path string
            Searches for config.yaml from given directory. If not set, tries to find it from SecretScanner binary's and current directory
      -container-id string
            Id of existing container ID
      -container-ns string
            Namespace of existing container to scan, empty for docker runtime
      -debug-level string
            Debug levels are one of FATAL, ERROR, IMPORTANT, WARN, INFO, DEBUG. Only levels higher than the debug-level are displayed (default "ERROR")
      -host-mount-path string
            If scanning the host, specify the host mount path for path exclusions to work correctly.
      -http-port string
      -image-name string
            Name of the image along with tag to scan for secrets
      -json-filename string
            Output json file name. If not set, it will automatically create a filename based on image or dir name
      -local string
            Specify local directory (absolute path) which to scan. Scans only given directory recursively.
      -max-multi-match uint
            Maximum number of matches of same pattern in one file. This is used only when multi-match option is enabled. (default 3)
      -max-secrets uint
            Maximum number of secrets to find in one container image or file system. (default 1000)
      -maximum-file-size uint
            Maximum file size to process in KB (default 256)
      -multi-match
            Output multiple matches of same pattern in one file. By default, only one match of a pattern is output for a file for better performance
      -output-path string
            Output directory where json file will be stored. If not set, it will output to current directory (default ".")
      -socket-path string
            The gRPC server unix socket path
      -temp-directory string
            Directory to process and store repositories/matches (default "/tmp")
      -threads int
            Number of concurrent threads (default number of logical CPUs)
    

    The correct one (printed by the binary as well): --json-filename

    opened by ch-e-mistry 1
  • Allow for merging multiple config files and absolute path specification.

    This PR allows for multiple config paths to be specified, and adds the --merge-configs flag. When multiple paths are specified, and the merge is enabled, it joins the configs together, layering each config on top of the default config.

    Additionally it adds the ability to specify the full path to a config file, not just the directory containing a config file. This means you can do --config-path some/path/nonstandard.yaml

    Closes #71

    opened by jmhobbs 1
  • Fix blacklisted_paths can not work on scan image feature

    Hi, I tried to use blacklisted_paths to ignore some directories when using image scan, but it does not work.

    In the IsSkippableDir function, the path var is compared with the skippablePathIndicator var read from blacklisted_paths. I printed path and found a path problem.

    For example: if I want to ignore the /bin path, the code compares the two strings using HasPrefix. But in the image scan feature, the path looks like this: /tmp/Deepfence/SecretScanning/df_demoimage4/ExtractedFiles/<layer_id>/bin. This is the reason blacklisted_paths does not work. So I used TrimPrefix to make the path look like this: original /tmp/Deepfence/SecretScanning/df_demoimage4/ExtractedFiles/<layer_id>/bin, after TrimPrefix /bin. It then works in the IsSkippableDir function and successfully ignores blacklisted_paths in image scan.

    opened by Ethonwu 1
  • Process gets killed when scanning

    The secret scanner process running inside the agent gets Killed on VM 143.198.68.242. Process log:

          "Full File Name": "/fenced/mnt/host/var/snap/docker/common/var-lib-docker/overlay2/5043b3ac304141297e67251e1ce08efd890a2e0b738a4fdc0087daee3d95ca9c/diff/var/log/dpkg.log",
          "Matched Contents": ".log"
        }
    
    Killed
    

    top:

       PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND                                                                                                                       
    1375878 root      20   0 1404896  40476  22884 D  19.3   1.0   0:13.14 SecretScanner  
    

    The memory % and CPU usage do not grow with time. The issue has been reproduced only on this VM.

    opened by saurabh2253 1
  • Error creating temp folder.

    [email protected]:~# SecretScanner -image-name worker1
    Initializing....
    Scanning image worker1 for secrets...
    scanImage: Could save container image failed to save image: invalid output path: directory "/tmp/Deepfence/SecretScanning/df_worker1" does not exist
    
    findSecretsInImage: failed to save image: invalid output path: directory "/tmp/Deepfence/SecretScanning/df_worker1" does not exist
    
    main: error while scanning image: failed to save image: invalid output path: directory "/tmp/Deepfence/SecretScanning/df_worker1" does not exist
    
    panic: Fatal error....
    
    goroutine 1 [running]:
    github.com/deepfence/SecretScanner/core.(*Logger).Log(0x7ffc1c756662, 0x5, {0x56cb7e, 0x24}, {0xc00033ff50, 0x1, 0x1})
    	/root/go/src/github.com/deepfence/SecretScanner/core/log.go:68 +0x25e
    github.com/deepfence/SecretScanner/core.(*Logger).Fatal(...)
    	/root/go/src/github.com/deepfence/SecretScanner/core/log.go:73
    main.main()
    	/root/go/src/github.com/deepfence/SecretScanner/main.go:139 +0x14c
    

    Ubuntu 20, go version go1.17.6 linux/amd64

    opened by random-robbie 1
  • CLI for SecretScanner

    Running make static creates a static binary in the current folder, which can be placed in /usr/bin. Sample commands:

    SecretScanner -local ~/.aws/ -quiet=false -config-path /home/ubuntu/SecretScanner/
    SecretScanner -quiet=false -image-name ubuntu/redis:latest -config-path /home/ubuntu/SecretScanner/
    SecretScanner -quiet=false -config-path /home/ubuntu/SecretScanner/ -container-id mystifying_newton
    
    
    opened by saurabh2253 0
  • Building as standalone gives issues regarding version

    $ go get github.com/deepfence/SecretScanner
    go: downloading github.com/deepfence/SecretScanner v1.1.2
    go: github.com/deepfence/SecretScanner upgrade => v1.1.2
    go get: github.com/deepfence/[email protected] requires github.com/deepfence/[email protected]: invalid version: unknown revision 000000000000

    What is the problem here? May I have the latest updated documentation, or can you fix the go.mod file?

    opened by wing-cheng 6
  • Github action and secretscanner match support for 140 secret types using SARIF file integration

    Idea: https://docs.github.com/en/[email protected]/code-security/secret-scanning/managing-alerts-from-secret-scanning. We need the same feature using our secretscanner. How to: SARIF support for secret scanning using a GitHub action.

    enhancement 
    opened by sangam14 0
  • How to exclude paths?

    I read the documentation and found that I can exclude certain paths by appending them to exclude_paths.

    Trying to evaluate this tool, I found the following false positive:

        {
          "Image Layer ID": "xxxxxxxxxxx",
          "Matched Rule ID": 135,
          "Matched Rule Name": "Contains a private key",
          "Matched Part": "contents",
          "String to Match": "",
          "Signature to Match": "-----BEGIN (EC|RSA|DSA|OPENSSH|PGP) PRIVATE KEY",
          "Severity": "medium",
          "Severity Score": 5.08,
          "Starting Index of Match in Original Content": 0,
          "Relative Starting Index of Match in Displayed Substring": 0,
          "Relative Ending Index of Match in Displayed Substring": 26,
          "Full File Name": "usr/local/share/.cache/yarn/v6/npm-proxy-agent-5.0.0-d31405c10d6e8431fde96cba7a0c027ce01d633b-integrity/node_modules/proxy-agent/test/ssl-cert-snakeoil.key",
          "Matched Contents": "-----BEGIN RSA PRIVATE KEY-----"
        },
    

    While there's a private key in the path, it's added to the container by the repo's dependencies. So in order to remove any detection of secrets in the usr/local/share/.cache path, I appended it to the exclude_paths list:

    Snippet:

    # Secret Scanner Configuration File
    
    blacklisted_strings: ["node_modules"] # skip matches containing any of these strings (case sensitive)
    blacklisted_extensions: [".exe", ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tiff", ".tif", ".psd", ".xcf", ".zip", ".tar.gz", ".ttf", ".lock", ".pem"]
    blacklisted_paths: ["{sep}var{sep}lib{sep}docker", "{sep}var{sep}lib{sep}containerd", "{sep}var{sep}lib{sep}containers", "{sep}var{sep}lib{sep}crio", "{sep}var{sep}run{sep}containers", "{sep}bin", "{sep}boot", "{sep}dev", "{sep}lib", "{sep}lib64", "{sep}media", "{sep}proc", "{sep}run", "{sep}sbin", "{sep}usr{sep}lib", "{sep}sys", "{sep}home{sep}kubernetes"]
    exclude_paths: ["{sep}var{sep}lib{sep}docker", "{sep}var{name_sep}lib{name_sep}docker","{sep}var{sep}lib{sep}containerd", "{sep}var{name_sep}lib{name_sep}containerd", "{sep}usr{sep}local{sep}share{sep}.cache"] # use {sep} for the OS' path seperator and {name_sep} for -  (i.e. / or \)
    
    signatures:
      - part:  'extension'
    

    And ran the command: docker run -it --rm --name=deepfence-secretscanner -v $(pwd):/home/deepfence/output -v /var/run/docker.sock:/var/run/docker.sock deepfenceio/deepfence_secret_scanner:latest -image-name <image>:latest --config-path secretscanner (where the config.yaml is saved in secretscanner directory).

    SecretScanner still detects this path and the false positive.

    PS: I tried using {name_sep} instead of {sep}, and tried adding the path to blacklisted_strings and blacklisted_paths. Nothing worked so far.

    opened by Chan9390 3
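The path-exclusion logic that the issues above turn on (the baseDir prefix in IsSkippableDir, the {sep} placeholders in blacklisted_paths and exclude_paths, blacklisted_extensions, and blacklisted_strings on matched text), written out as an added example in Go. It is not SecretScanner's own code, and whether the scanner applies exactly these rules is the question those issues ask, not something this example settles. It maps a path under the extraction directory back to its in-image path before comparing, matches blacklisted_paths on whole path components, checks extensions by suffix so multi-part ones like .tar.gz work, and treats {name_sep} as "-" as the config comment states. The type and function names, the config values, the extraction base directory and the sample paths are constructed for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ExclusionConfig holds the three list-valued keys from the config.yaml
// excerpts quoted in the issues above.
type ExclusionConfig struct {
	BlacklistedPaths      []string
	BlacklistedExtensions []string
	BlacklistedStrings    []string
}

const sep = string(filepath.Separator)

// expand replaces the placeholders used in config.yaml: {sep} is the OS path
// separator; {name_sep} is "-", the meaning the config comment on this page
// gives it (an assumption of this example).
func expand(p string) string {
	p = strings.ReplaceAll(p, "{sep}", sep)
	return strings.ReplaceAll(p, "{name_sep}", "-")
}

// imagePath maps a path under the scanner's extraction directory,
// <baseDir>/<layer_id>/..., back to the path the file has inside the image, so
// that a blacklist written against the image filesystem applies. Paths outside
// baseDir (a -local scan) come back unchanged apart from cleaning.
func imagePath(baseDir, p string) string {
	p = filepath.Clean(p)
	base := filepath.Clean(baseDir)
	if baseDir == "" || !strings.HasPrefix(p, base+sep) {
		return p
	}
	rel := strings.TrimPrefix(p, base+sep)
	i := strings.Index(rel, sep) // the first component is the layer id
	if i < 0 {
		return sep // the layer directory itself maps to the image root
	}
	return rel[i:]
}

// SkipDir reports whether a directory should be pruned from the walk. The
// comparison is done on the in-image path, which is the fix the PR above
// describes, and on a whole path component, so "{sep}bin" does not also
// prune /binaries.
func (c ExclusionConfig) SkipDir(baseDir, dir string) bool {
	p := imagePath(baseDir, dir)
	for _, raw := range c.BlacklistedPaths {
		b := filepath.Clean(expand(raw))
		if p == b || strings.HasPrefix(p, b+sep) {
			return true
		}
	}
	return false
}

// SkipFile reports whether a file is excluded by extension. HasSuffix rather
// than filepath.Ext, so multi-part extensions like ".tar.gz" work.
func (c ExclusionConfig) SkipFile(name string) bool {
	lower := strings.ToLower(name)
	for _, ext := range c.BlacklistedExtensions {
		if strings.HasSuffix(lower, strings.ToLower(ext)) {
			return true
		}
	}
	return false
}

// SkipMatch reports whether a regex match is dropped because the matched text
// contains a blacklisted string (case sensitive, as the config comment says).
func (c ExclusionConfig) SkipMatch(matched string) bool {
	for _, s := range c.BlacklistedStrings {
		if strings.Contains(matched, s) {
			return true
		}
	}
	return false
}

func main() {
	cfg := ExclusionConfig{
		BlacklistedPaths:      []string{"{sep}var{sep}lib{sep}docker", "{sep}bin", "{sep}usr{sep}local{sep}share{sep}.cache"},
		BlacklistedExtensions: []string{".png", ".tar.gz", ".pem"},
		BlacklistedStrings:    []string{"_EXAMPLE"},
	}
	// constructed paths: three under an extracted image layer, one on the host
	base := "/tmp/Deepfence/SecretScanning/df_demoimage4/ExtractedFiles"
	for _, d := range []string{
		base + "/0123abcd/bin",
		base + "/0123abcd/binaries",
		base + "/0123abcd/usr/local/share/.cache/yarn/v6",
		"/var/lib/docker/overlay2",
	} {
		fmt.Printf("%-80s skip=%v\n", d, cfg.SkipDir(base, d))
	}
	fmt.Println(cfg.SkipFile("bundle.tar.gz"), cfg.SkipMatch(`"rootMariaPwd": "MYSQL_ROOT_PASSWORD_EXAMPLE"`))
}
```

In the layout the issues describe, an image is extracted to <temp-directory>/df_<image_name><imagetag>/ExtractedFiles/<layer_id>/ and directories are compared with HasPrefix, which is why an entry written as {sep}bin never matched until the PR above trimmed the prefix; the component-boundary check here is an added refinement, not something the page reports the scanner doing.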
  • [feat]:Docker extension for SecretScanner

    Design and develop docker extension for SecretScanner with following features.

    • Ability to list all images present locally
    • Ability to run secret scan on selected image
    • Result in human readable table format instead of JSON
    • In-depth details of each scan result
    enhancement 
    opened by ibreakthecloud 0
  • feature-req: container runtime as a flag

    Passing a flag like -container-runtime or -cr at runtime would reduce the overall time taken to scan images when the underlying runtime is known to the user.

    enhancement good first issue 
    opened by ibreakthecloud 0
Releases(v1.1.4)
  • v1.1.4(Jan 5, 2023)

    What's Changed

    • Upgrade dependencies by @ramanan-ravi in https://github.com/deepfence/SecretScanner/pull/84

    Full Changelog: https://github.com/deepfence/SecretScanner/compare/v1.1.3...v1.1.4

  • v1.1.3(Nov 21, 2022)

    What's Changed

    • Docker public registry by @saurabh2253 in https://github.com/deepfence/SecretScanner/pull/80
    • --json-file is invalid flag by @ch-e-mistry in https://github.com/deepfence/SecretScanner/pull/82

    New Contributors

    • @ch-e-mistry made their first contribution in https://github.com/deepfence/SecretScanner/pull/82

    Full Changelog: https://github.com/deepfence/SecretScanner/compare/v1.1.2...v1.1.3

  • v1.1.2(Oct 27, 2022)

    What's Changed

    • update vessel to v0.8.1 by @gnmahanth in https://github.com/deepfence/SecretScanner/pull/78

    Full Changelog: https://github.com/deepfence/SecretScanner/compare/v1.1.1...v1.1.2

  • v1.1.1(Oct 19, 2022)

    What's Changed

    • adding proper exclude paths by @deviprasad303 in https://github.com/deepfence/SecretScanner/pull/74
    • update vessel to v0.8.0 and support crio by @gnmahanth in https://github.com/deepfence/SecretScanner/pull/76

    New Contributors

    • @gnmahanth made their first contribution in https://github.com/deepfence/SecretScanner/pull/76

    Full Changelog: https://github.com/deepfence/SecretScanner/compare/v1.0.9...v1.1.1

  • v1.0.9(Oct 17, 2022)

    What's Changed

    • adding proper exclude paths https://github.com/deepfence/SecretScanner/issues/38 by @deviprasad303 in https://github.com/deepfence/SecretScanner/pull/73
    • Allow for merging multiple config files and absolute path specification. by @jmhobbs in https://github.com/deepfence/SecretScanner/pull/75

    New Contributors

    • @deviprasad303 made their first contribution in https://github.com/deepfence/SecretScanner/pull/73
    • @jmhobbs made their first contribution in https://github.com/deepfence/SecretScanner/pull/75

    Full Changelog: https://github.com/deepfence/SecretScanner/compare/v1.0.8...v1.0.9

  • v1.0.8(Oct 14, 2022)

    What's Changed

    • (feat.) add option to run secretscanner as server in standalone mode by @ibreakthecloud in https://github.com/deepfence/SecretScanner/pull/67
    • Add SECURITY.md by @scovetta in https://github.com/deepfence/SecretScanner/pull/72

    New Contributors

    • @ibreakthecloud made their first contribution in https://github.com/deepfence/SecretScanner/pull/67
    • @scovetta made their first contribution in https://github.com/deepfence/SecretScanner/pull/72

    Full Changelog: https://github.com/deepfence/SecretScanner/compare/v1.0.7...v1.0.8

  • v1.0.7(Sep 16, 2022)

    What's Changed

    • Add .DS_Store to .gitignore by @its0x08 in https://github.com/deepfence/SecretScanner/pull/58
    • Change submodules urls from https:// to [email protected] by @noboruma in https://github.com/deepfence/SecretScanner/pull/61
    • Fresh product documentation by @ogarrett in https://github.com/deepfence/SecretScanner/pull/63
    • now scans are working fine deepfence/enterprise-roadmap#1611 by @mukuldeepfence in https://github.com/deepfence/SecretScanner/pull/65

    New Contributors

    • @its0x08 made their first contribution in https://github.com/deepfence/SecretScanner/pull/58
    • @ogarrett made their first contribution in https://github.com/deepfence/SecretScanner/pull/63

    Full Changelog: https://github.com/deepfence/SecretScanner/compare/v1.0.6...v1.0.7

  • v1.0.6(Apr 26, 2022)

  • v1.0.5(Apr 14, 2022)

  • v1.0.4(Apr 14, 2022)

    What's Changed

    • issue 44 by @mukuldeepfence in https://github.com/deepfence/SecretScanner/pull/54
    • changes related to fetcher service #55 by @shubhamjain32 in https://github.com/deepfence/SecretScanner/pull/56

    New Contributors

    • @shubhamjain32 made their first contribution in https://github.com/deepfence/SecretScanner/pull/56

    Full Changelog: https://github.com/deepfence/SecretScanner/compare/v1.0.3...v1.0.4

  • v1.0.3(Apr 9, 2022)

  • v1.0.2(Apr 9, 2022)

    What's Changed

    • Ignore management console port in the url if 443 by @ramanan-ravi in https://github.com/deepfence/SecretScanner/pull/51
    • Fix flag parsing error when quiet flag is set by @ramanan-ravi in https://github.com/deepfence/SecretScanner/pull/53

    Full Changelog: https://github.com/deepfence/SecretScanner/compare/v1.0.1...v1.0.2

  • v1.0.1(Apr 6, 2022)

    What's Changed

    • Fix blacklisted_paths can not work on scan image feature by @Ethonwu in https://github.com/deepfence/SecretScanner/pull/45
    • Skip Dir Fix for Host Scans by @saurabh2253 in https://github.com/deepfence/SecretScanner/pull/46
    • Concurrency Issue fix by @saurabh2253 in https://github.com/deepfence/SecretScanner/pull/47
    • Make es index name configurable by @ramanan-ravi in https://github.com/deepfence/SecretScanner/pull/50

    New Contributors

    • @Ethonwu made their first contribution in https://github.com/deepfence/SecretScanner/pull/45

    Full Changelog: https://github.com/deepfence/SecretScanner/compare/v1.0.0...v1.0.1

  • v1.0.0(Mar 29, 2022)

    What's Changed

    • Quick typo fix by @BlakeBLuther in https://github.com/deepfence/SecretScanner/pull/3
    • Readme fixes by @ArnabKalita in https://github.com/deepfence/SecretScanner/pull/4
    • Fixing behavior when there is no explicit output-dir parameter and minor docker-build related improvements by @dcaba in https://github.com/deepfence/SecretScanner/pull/7
    • Add Bitcoin core related files in https://github.com/deepfence/SecretScanner/pull/18
    • Add multi-stage image building by @noboruma in https://github.com/deepfence/SecretScanner/pull/21
    • Replace docker calls with vessel by @noboruma in https://github.com/deepfence/SecretScanner/pull/23
    • Add gRPC support by @noboruma in https://github.com/deepfence/SecretScanner/pull/22
    • Add default blacklisted paths by @ramanan-ravi in https://github.com/deepfence/SecretScanner/pull/27
    • Optimization by @ramanan-ravi in https://github.com/deepfence/SecretScanner/pull/28
    • Container Scan Changes by @saurabh2253 in https://github.com/deepfence/SecretScanner/pull/31
    • Registry Image Scanner Service by @saurabh2253 in https://github.com/deepfence/SecretScanner/pull/35
    • Set scans concurrency by @ramanan-ravi in https://github.com/deepfence/SecretScanner/pull/37
    • [Fixed] Crashed when scanning big sized image by @mukuldeepfence in https://github.com/deepfence/SecretScanner/pull/36
    • #355 Secrets Registry Scan Fix by @saurabh2253 in https://github.com/deepfence/SecretScanner/pull/41
    • Remove baseDir from IsSkippableDir by @j0nnyr0berts in https://github.com/deepfence/SecretScanner/pull/39
    • Vessel upgrade by @saurabh2253 in https://github.com/deepfence/SecretScanner/pull/42

    New Contributors

    • @BlakeBLuther made their first contribution in https://github.com/deepfence/SecretScanner/pull/3
    • @ArnabKalita made their first contribution in https://github.com/deepfence/SecretScanner/pull/4
    • @dcaba made their first contribution in https://github.com/deepfence/SecretScanner/pull/7
    • @noboruma made their first contribution in https://github.com/deepfence/SecretScanner/pull/21
    • @ramanan-ravi made their first contribution in https://github.com/deepfence/SecretScanner/pull/27
    • @saurabh2253 made their first contribution in https://github.com/deepfence/SecretScanner/pull/31
    • @mukuldeepfence made their first contribution in https://github.com/deepfence/SecretScanner/pull/36
    • @j0nnyr0berts made their first contribution in https://github.com/deepfence/SecretScanner/pull/39

    Full Changelog: https://github.com/deepfence/SecretScanner/commits/v1.0.0
