-
-
Notifications
You must be signed in to change notification settings - Fork 158
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add trufflehog for secret detection #150
base: devel
Are you sure you want to change the base?
Conversation
… file could be avoided
…not present in trufflehog like s3 buckets.
Hi @hugo-syn , thank you so much for improving cariddi! Appreciated :)
|
Hi, @edoardottt I've fixed the merge conflicts, I've updated some packages. For the PR I understand, don't hesitate if you have questions or remarks regarding my code :) |
If possible (there could be issues with deps) revert back go.mod to using |
The trufflehog package requires go 1.22.0:
I can bump the golang version in the different CI files if you want |
And I've checked it looks good with go 1.22.0 |
Hi @hugo-syn,
the go build action is failing:
https://github.com/edoardottt/cariddi/actions/runs/8754239537/job/24025715013?pr=150#step:6:8 I think this is caused by github actions, they must be set to the correct go version too (all of them: go, linting...). |
I've change the golang version in the workflows to 1.22.0 the build pipeline is ok now but there are errors with the golang-ci |
I've seen. See if locally everything is okay with
Can you quantify this? I'd like to comprehend how much this will be slower. cc @hugo-syn . Let me know if you need assistance :) |
Hi @edoardottt Unfortunately I didn't manage to fix the CI there are new errors with code that I did not modify :/
It's difficult to say but since it runs all the secret detection of trufflhog the secret search will take more time but it will find lots of new secrets |
Ok, so don't worry about golangci-lint errors. I'll fix them.
Ok, I'll merge in devel and perform some tests. For now it's okay so, wait for my PR review :) |
Do not hesitate if you have any questions ! :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @hugo-syn !
- Requesting some changes
- Left some thoughts, let me know yours.
I'm here if you have any doubt or need assistance :)
Rua: flags.Rua, | ||
Proxy: flags.Proxy, | ||
SecretsFlag: flags.Secrets, | ||
SecretExtensionFilter: strings.Split(flags.SecretExtensionFilter, ","), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Better to perform this in another part, maybe in pkg/input/flags.go
. Consider that it may be necessary to trim spaces too (TrimSpace() function).
@@ -69,3 +71,25 @@ func intensiveOk(target string, urlInput string, debug bool) bool { | |||
|
|||
return root == target | |||
} | |||
|
|||
// Return the extension of an URL | |||
func GetFileExtensionFromUrl(rawUrl string) (string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need some tests for this function since it's an important one. You can use the ones you find in this repo as example.
Try to insert as many test cases as possible (use double dots, query parameters, fragment, invalid URL...).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
where do you want to do tests ?
@@ -120,6 +122,8 @@ func ScanFlag() Input { | |||
secretsPtr := flag.Bool("s", false, "Hunt for secrets.") | |||
secretsFilePtr := flag.String("sf", "", "Use an external file (txt, one per line)"+ | |||
" to use custom regexes for secrets hunting.") | |||
secretsExtensionFilterPtr := flag.String("secret-extension-filter", "", "Comma"+ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we have a shorter name for this? Like sef
... do you like it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah sure !
@@ -163,6 +167,7 @@ func ScanFlag() Input { | |||
*proxyPtr, | |||
*secretsPtr, | |||
*secretsFilePtr, | |||
*secretsExtensionFilterPtr, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Modify the README.md file according to the modifications made. In particular the new flag provided.
|
||
wgScanners.Wait() | ||
|
||
// keep legacy code, the original list contains secrets that are not present in trufflehog like s3 buckets. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not fully understanding this. I guess now the code performs both trufflehog and cariddi secrets detections right? Maybe we should find a solution for this.
A simple solution could be move the S3 regexes to info
of the cariddi engine and run only the trufflehog engine for the secrets. But I'm open to suggestions if you have them.
Also, we have to take in mind that the user can input a file with custom regexes, I don't know if trufflehog can do this. If not, maybe we could leave the custom cariddi engine for the custom secrets.
Let me know your thoughts on this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes I did not know so I kept both way.
I don't know if you can add custom regexes with trufflehog when used ad a library. I think you should keep both.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PR review adjustments @hugo-syn
|
||
require ( | ||
github.com/fatih/color v1.17.0 | ||
github.com/gocolly/colly v1.2.0 | ||
github.com/trufflesecurity/trufflehog/v3 v3.73.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm leaving this comment here but it's not related to this line specifically.
The goreleaser CI is giving these errors:
Error: ../../../go/pkg/mod/github.com/trufflesecurity/trufflehog/[email protected]/pkg/gitparse/gitparse.go:200:18: cannot use defaultMaxDiffSize (untyped int constant 2147483648) as int value in struct literal (overflows)
Error: ../../../go/pkg/mod/github.com/trufflesecurity/trufflehog/[email protected]/pkg/gitparse/gitparse.go:201:18: cannot use defaultMaxCommitSize (untyped int constant 2147[48](https://github.com/edoardottt/cariddi/actions/runs/9128423415/job/25100742967?pr=150#step:4:49)3648) as int value in struct literal (overflows)
Do you have any clue about what they mean?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no clue on this I'm not used to this
Hi @edoardottt I'm not used to dev practices what should I do ? feel free to rewrite what I did to fit your way :) |
Hi @hugo-syn . I don't have write access to your fork + this PR is huge + it seems it was created a while ago and since this would be a big improvement I'll proceed in this way: |
Oh ok I thought there would be a mechanism so that you could modify the code directly. Sounds good to me. Do not hesitate if you have any question |
Hi,
I've discovered your tool via secator it's very nice thanks for your work !
In this PR I'm adding 2 things, the first big improvement is the use of trufflehog for secret detection. Trufflehog can detect a looot of credentials, the complete list can be found here. This change make the tool slower for secret detection but improve the secret detection.
I've also add a command line option to ignore some url for secret scaning. For example scaning png files for secrets can be avoided: