seekret

Go library and command line to seek for secrets on various sources.

Command Line

Description

seekret inspects different sources (the files in a directory, or the commits of a git repository) to seek for secrets. It can be used to prevent secrets from being published in exposed locations.

Installing seekret

seekret can be directly installed by using go get.

go get github.com/apuigsech/seekret/cmd/seekret

The requirements for a successful installation are:

  • pkg-config
  • golang >= 1.6
  • libgit2 >= 2.23

Usage

General Options
NAME:
   seekret - seek for secrets on various sources.

USAGE:
   seekret [global options] command [command options] [arguments...]

VERSION:
   0.0.1

AUTHOR(S):
   Albert Puigsech Galicia <[email protected]>

COMMANDS:
   seek:
     git    seek for secrets on a git repository.
     dir    seek for secrets on a directory.

GLOBAL OPTIONS:
   --exception FILE, -x FILE    load exceptions from FILE.
   --rules PATH         PATH with rules. [$SEEKRET_RULES_PATH]
   --format value, -f value specify the output format. (default: "human")
   --known FILE, -k FILE  load known secrets from FILE.
   --workers value, -w value  number of workers used for the inspection (default: 4)
   --help, -h           show help
   --version, -v        print the version

-x, --exception FILE

Load exceptions from FILE. Content that meets an exception (see the Exceptions section below) is not reported as a secret.

--rules PATH

PATH with the rules to load. If the option is omitted, the value of the SEEKRET_RULES_PATH environment variable is used.

-f, --format value

Output format of the report (default: "human").

-k, --known FILE

Load known secrets from FILE.

-w, --workers value

Number of workers used for the inspection (default: 4).

Options for Git
NAME:
   seekret git - seek for secrets on a git repository.

USAGE:
   seekret git [command options] [arguments...]

CATEGORY:
   seek

OPTIONS:
   --count value, -c value  (default: 0)

-c, --count value

Number of commits to inspect, starting from the most recent one. The default, 0, inspects all commits.

Options for Dir
NAME:
   seekret dir - seek for secrets on a directory.

USAGE:
   seekret dir [command options] [arguments...]

CATEGORY:
   seek

OPTIONS:
   --recursive, -r
   --hidden

-r, --recursive

Also inspect the files in subdirectories.

--hidden

Also inspect hidden files and directories. This option has no short form; -h prints the help.

Examples

Scan all files from all commits in a local repo:

seekret git /path/to/repo

Scan all files from all commits in a remote repo:

seekret git http://github.com/apuigsech/seekret-exposed

Scan all files from the last commit in a local repo:

seekret git --count 1 /path/to/repo

Scan all files (including hidden) in a local folder:

seekret dir --recursive --hidden /path/to/dir

Hands-On

The repository seekret-secrets is prepared for testing seekret and can be used to perform the following hands-on examples:

  1. Inspect remote git repository:

    seekret --rules $GOPATH/src/github.com/apuigsech/seekret/rules/ git https://github.com/apuigsech/seekret-secrets.git
    
  2. Inspect local git repository:

    git clone https://github.com/apuigsech/seekret-secrets.git /tmp/seekret-secrets
    seekret --rules $GOPATH/src/github.com/apuigsech/seekret/rules/ git /tmp/seekret-secrets
    
  3. Inspect only the last 2 commits:

    seekret --rules $GOPATH/src/github.com/apuigsech/seekret/rules/ git -c 2 /tmp/seekret-secrets
    
  4. Inspect with exceptions:

    seekret --rules $GOPATH/src/github.com/apuigsech/seekret/rules/ -x /tmp/seekret-secrets/.exception_1 git /tmp/seekret-secrets
    

Library

Importing seekret Library

import seekret "github.com/apuigsech/seekret/lib"

Init Seekret context

s := seekret.NewSeekret()

Loading Rules

s.LoadRulesFromPath("/path/to/main/rules:/path/to/other/rules:/path/to/more/rules")
s.LoadRulesFromDir("/path/to/rules")
s.LoadRulesFromFile("/path/to/file.rule")

Loading Objects

dirOpts := map[string]interface{}{
  "hidden":    true,  // include hidden files
  "recursive": false, // do not descend into subdirectories
}
s.LoadObjects("dir", "/path/to/inspect", dirOpts)

gitOpts := map[string]interface{}{
  "count": 10, // inspect only the last 10 commits
}
s.LoadObjects("git", "/repo/to/inspect", gitOpts)

Loading Exceptions

s.LoadExceptionsFromFile("/path/to/exceptions/file")

Inspect

s.Inspect(5) // run the inspection with 5 workers

Get Inspect Results

secretsList := s.ListSecrets()

Rules

Secret identification is performed by using a set of rules specified in rules files. Those files, which use the '.rule' extension, are YAML documents with this format:

rulename:
  match: [regexp]
  unmatch:
    - [regexp]
    - [regexp]
    - ...

For a line of content to be reported as a secret, it must match the 'match' regexp and must not match ANY of the 'unmatch' regexps.

Exceptions

Exceptions determine conditions under which content should not be considered a secret. The exceptions are specified by using a YAML file that follows this format:

  ...
-
  rule: [rulename]
  object: [regexp]
  line: [linenumber]
  content: [regexp]
-
  ...

The conditions are optional, so it is not necessary to specify them all, but for content to be deemed an exception it must meet all the specified conditions.

The conditions mean:

rule: the name of the rule that produced the finding.

object: a regexp that must match the object name (usually the file name).

line: the line number within the object.

content: a regexp that must match the content of the line.
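The following is an added example written for this page, not code from the seekret project: a self-contained Go program that implements the rule semantics of the Rules section (match, and none of unmatch) and the exception semantics of this section (every condition that is set must hold) over constructed sample files. The rules are written as Go literals standing in for a .rule file rather than parsed with a YAML library, and the rule patterns, file contents and exception are invented for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule mirrors one .rule entry: a line is a secret when it matches Match and none of Unmatch.
type Rule struct {
	Name    string
	Match   *regexp.Regexp
	Unmatch []*regexp.Regexp
}

// Exception mirrors one exceptions-file entry; unset conditions are ignored, set ones must all hold.
type Exception struct {
	Rule    string         // "" = any rule
	Object  *regexp.Regexp // nil = any object name
	Line    int            // 0 = any line
	Content *regexp.Regexp // nil = any content
}

// Object is an inspectable item: a name (usually a file path) and its contents.
type Object struct{ Name, Content string }

// Finding is one detected secret; Exception marks hits covered by an exception.
type Finding struct {
	Object, Rule, Line string
	Nline              int
	Exception          bool
}

// Matches applies the rule semantics: comply with match, with none of unmatch.
func (r Rule) Matches(line string) bool {
	if !r.Match.MatchString(line) {
		return false
	}
	for _, u := range r.Unmatch {
		if u.MatchString(line) {
			return false
		}
	}
	return true
}

// Applies reports whether e covers f: every condition that is set must hold.
func (e Exception) Applies(f Finding) bool {
	return (e.Rule == "" || e.Rule == f.Rule) &&
		(e.Object == nil || e.Object.MatchString(f.Object)) &&
		(e.Line == 0 || e.Line == f.Nline) &&
		(e.Content == nil || e.Content.MatchString(f.Line))
}

// Inspect checks every line of every object against every rule. Findings an exception
// covers are flagged rather than dropped, so a report can still show what was silenced.
func Inspect(objects []Object, rules []Rule, excs []Exception) []Finding {
	var out []Finding
	for _, o := range objects {
		for n, line := range strings.Split(o.Content, "\n") {
			for _, r := range rules {
				if !r.Matches(line) {
					continue
				}
				f := Finding{Object: o.Name, Rule: r.Name, Line: line, Nline: n + 1}
				for _, e := range excs {
					f.Exception = f.Exception || e.Applies(f)
				}
				out = append(out, f)
			}
		}
	}
	return out
}

// Constructed sample rules (Go literals standing in for a .rule file). The unmatch
// pattern of "password" lets environment-variable references and <placeholders> through.
var sampleRules = []Rule{
	{Name: "password", Match: regexp.MustCompile(`(?i)password\s*[=:]\s*\S+`),
		Unmatch: []*regexp.Regexp{regexp.MustCompile(`(?i)password\s*[=:]\s*(\$\{?\w+\}?|<[^>]+>)`)}},
	{Name: "rsa_private_key", Match: regexp.MustCompile(`-----BEGIN RSA PRIVATE KEY-----`)},
}

// Constructed sample files (contents invented for the example).
var sampleObjects = []Object{
	{"config/app.conf", "password = f00b4rb4z\ndb_password = ${DB_PASSWORD}\nhost = db.internal"},
	{".ssh/id_rsa", "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----"},
	{"test/fixtures.txt", "password = dummy123"},
}

// The password rule is allowed in test fixtures; the object regexp is anchored on purpose.
var sampleExceptions = []Exception{{Rule: "password", Object: regexp.MustCompile(`^test/`)}}

func main() {
	for _, f := range Inspect(sampleObjects, sampleRules, sampleExceptions) {
		fmt.Printf("%s:%d [%s] %s exception=%v\n", f.Object, f.Nline, f.Rule, f.Line, f.Exception)
	}
}
```

Running it reports three findings: the literal password in config/app.conf, the private key in .ssh/id_rsa, and the fixture password, the last one flagged exception=true, which is the effect of -x on the command line. The ${DB_PASSWORD} line satisfies the match regexp but is discarded by the unmatch regexp. Note that the exception's object regexp is anchored with ^: an unanchored test/ would also silence a path such as src/latest/secrets.txt, which is the kind of over-broad exception that quietly turns a secret scanner off.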

seekret's People

Contributors

alain-hoang, apuigsech

seekret's Issues

Error During Installation

I want to thank you for the great work and I believe this tool is very useful, however I got some errors during installation. See below.

inspect.go:27: x.Buffer undefined (type *bufio.Scanner has no field or method Buffer)
inspect.go:28: x.Buffer undefined (type *bufio.Scanner has no field or method Buffer)

Line numbers not correct

When using this in git-seekret if there is a violation on any line besides line 1 of a file, it will always report the line number for the violation as on line 1.

Not working as expected on directories?

$ seekret --rules ${GOPATH}/src/github.com/apuigsech/seekret/rules dir --recursive . ; echo $?
0
$ rgrep -- '-----BEGIN RSA PRIVATE KEY-----' .
./.ssh/id_rsa:-----BEGIN RSA PRIVATE KEY-----
$ go version
go version go1.7.1 linux/amd64

What am I doing wrong?

Could not "go get" on Fedora

Hi,

This looked like an interesting project, but I seem to be unable to compile the binary. Possibly this is a Fedora-specific problem due to either missing config or a missing dependency? I'm using Fedora 23.

I've run:

$ sudo dnf -y install libgit2
$ go get github.com/apuigsech/seekret/cmd/seekret

And receive the following error:

# github.com/libgit2/git2go
could not determine kind of name for C.GIT_CONFIG_LEVEL_PROGRAMDATA
could not determine kind of name for C.git_config_find_programdata

Compiled binaries to download

In order to use this in a scriptable way that does not require the installation of Go, it would be useful to have compiled binaries to download.
Could use something like goxc

Staged files check can miss secrets

When staging a file that contains no secrets, either with or after one that does, seekret suddenly shows that it found no secrets at all.

Consider the following when files are staged one after the other:

$ more password_test
password = f00b4rb4z

$ more no_secrets_test
This file has no secrets at all.

$ git s
## Initial commit on master
?? no_secrets_test
?? password_test

$ git add password_test
$ seekret --rules ~/.git-secrets/rules/ git . --staged
password_test
        1: [password.password] password = f00b4rb4z %!s(bool=false)

$ git add no_secrets_test
$ seekret --rules ~/.git-secrets/rules/ git . --staged

$ git s
## Initial commit on master
A  no_secrets_test
A  password_test

The same happens when the files are staged at the same time:

$ git s
## Initial commit on master
?? no_secrets_test
?? password_test

$ git add no_secrets_test password_test
$ seekret --rules ~/.git-secrets/rules/ git . --staged

$ git s
## Initial commit on master
A  no_secrets_test
A  password_test

If we take two files, both with secrets but violating different rules, it only shows one violation, but for both files. Notice that it shows the cred_test violation for password_test instead of its true violation.

$ more cred_test
cred = "plum"

$ more password_test
password = f00b4rb4z

$ git add cred_test password_test
$ seekret --rules ~/.git-secrets/rules/ git . --staged
cred_test
        1: [password.cred] cred = "plum" %!s(bool=false)
password_test
        1: [password.cred] cred = "plum" %!s(bool=false)

$ git s
## Initial commit on master
A  cred_test
A  password_test
?? no_secrets_test

Windows Executable

Awesome work!

Could you please provide a Windows executable for Windows users? I have tried compiling it into an .exe, but it requires many dependencies, which is why I was not able to compile it into an .exe.

Could you please provide an official .exe by WindowsCrossCompiling? I would like to include this in PentestBox.

Thanks!

type *bufio.Scanner has no field or method Buffer

root@kali:/taylor# go get github.com/apuigsech/seekret/cmd/seekret

github.com/apuigsech/seekret/lib

src/github.com/apuigsech/seekret/lib/inspect.go:27: x.Buffer undefined (type *bufio.Scanner has no field or method Buffer)
src/github.com/apuigsech/seekret/lib/inspect.go:28: x.Buffer undefined (type *bufio.Scanner has no field or method Buffer)
