Squealer scans a local git repository for secrets that are being leaked deep within the commit history.
The built-in configuration has the following checks;
AWS
- access key id
- access secret key
Github
- github token
Slack
- slack token OAUTH
- webhook url
Other
- Asymmetric Private Key
Sometimes we have secrets committed to our projects, generally we can invalidate them and move on. If squealer is telling tales about a secret that you are aware of and has been mitigated, you can use the exception
rule found in the output to register it as ignored.
curl -s "https://raw.githubusercontent.com/owenrumney/squealer/main/scripts/install.sh" | bash
Squealer is intended to be run either locally or as part of a CI process.
./squealer --help
Telling tales on your secret leaking
Usage:
squealer [flags]
Flags:
--concise Reduced output.
--config-file string Path to the config file with the rules.
--debug Include debug output.
--everything Scan all commits.... everywhere.
--from-hash string The hash to work back to from the starting hash.
-h, --help help for squealer
--no-git Scan as a directory rather than a git history.
--redacted Display the results redacted.
--to-hash string The most recent hash to start with.
rules:
- rule: (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
description: Check for AWS Access Key Id
- rule: (?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]
description: Check for AWS Secret Access Key
- rule: (?i)github[_\-\.]?token[\s:,="\]']+?(?-i)[0-9a-zA-Z]{35,40}
description: Check for Github Token
- rule: https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}
description: Check for Slack webhook
- rule: xox[baprs]-([0-9a-zA-Z]{10,48})?
description: Check for Slack token
- rule: '-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----'
description: Check for Private Asymetric Key
ignore_paths:
- vendor
- node_modules
ignore_extensions:
- .zip
- .png
- .jpg
- .pdf
- .xls
- .doc
- .docx
exceptions:
- exception: release/update.go:D2IDetI6aidl58GE6dv5uAaWmXM=
reason: This is a webhook that we got rid of - can be ignored in this file
The config file is made up of the rules
, ignore_prefixes
, ignore_extensions
and exceptions
.
Rules define the regular expression that is used to detect the secret. Requires a description for posterity.
Ignore paths are folders that you don't want to look ing - generally vendor
and the like.
Ignore extensions have the file types that won't be scanned. Binaries are automatically ignored.
Exceptions are the entries that you've already handled and don't want to be reported any more.
squealer /home/owen/go/src/github.com/owenrumney/go-github-pr-commenter
scanning /home/owen/go/src/github.com/owenrumney/go-github-pr-commenter
Process took 0.084771843
Processing:
commits: 25
commit files: 291
Transgressions:
identified: 0
ignored: 0
reported: 0