Documentation ¶
Index ¶
- Constants
- Variables
- func IsFalsePositive(filePath string, line string, secret string) int
- func IsSupportedLanguage(language string) bool
- func ShannonEntropy(data string) (entropy float64)
- func ShannonEntropyBase64(data string) (entropy float64)
- type AllowList
- type Entropy
- type IsFalsePositiveFunc
- type Leak
- type Options
- type RegexScanner
- type Rule
- type Scanner
- type Severity
- type VerifiedScanner
Constants ¶
// Severity levels attached to a Leak.
const (
	// SeverityBlocker is the BLOCKER severity level.
	SeverityBlocker Severity = "BLOCKER"
	// SeverityCritical is the CRITICAL severity level.
	SeverityCritical Severity = "CRITICAL"
	// SeverityMajor is the MAJOR severity level.
	SeverityMajor Severity = "MAJOR"
	// SeverityMinor is the MINOR severity level.
	SeverityMinor Severity = "MINOR"
	// SeverityInfo is the INFO severity level.
	SeverityInfo Severity = "INFO"
)

// Regular-expression fragments shared by the secret-detection rules.
// They are written for Go's regexp package (RE2), which has no lookahead or
// lookbehind, so anything that must be excluded has to be filtered after the
// match rather than inside the pattern.
const (
	// BaiscAuthenticationPattern matches the "://user:password@" part of a
	// URL carrying basic-auth credentials and captures the password in the
	// named group "secret". Braces and whitespace are excluded from both the
	// user and the password; presumably so templated placeholders such as
	// "{{...}}" are not reported — confirm.
	BaiscAuthenticationPattern string = "://[^{}[:space:]]+:(?P<secret>[^{}[:space:]]+)@"

	// Base64Pattern captures, in the named group "secret", a run of base64
	// characters made of 4-character blocks with optional "=" / "==" padding.
	// The final alternation is mandatory, so the shortest match is 4 characters.
	Base64Pattern string = `(?P<secret>(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4}))`

	// PasswordExcludePattern is a pattern to be excluded from password matches.
	// It is currently empty, so nothing is excluded.
	PasswordExcludePattern string = ""

	// PasswordPattern captures a 6-45 character password candidate in the
	// named group "secret".
	// FIXME: exclude variables; no support for negative lookahead/lookbehind in Go's RE2.
	PasswordPattern string = `(?P<secret>[a-zA-Z0-9!?$)(.=<>\/%@#*&{}_^+-]{6,45})`

	// ConnectionString matches credentials embedded in a connection string
	// (ftp, database, ...): an optional named "scheme" group, a user name,
	// ":" followed by PasswordPattern, "@", a named "host" group and an
	// optional named "port" group.
	// NOTE(review): inside the scheme class, "+-." is parsed by RE2 as the
	// range '+'..'.' (which also admits ','); if a literal '-' was intended it
	// should be placed last in the class — confirm. The trailing "]?" matches
	// an optional literal ']' after the port; the host class does not admit
	// '[', so the intent of that suffix is unclear — confirm.
	ConnectionString string = "(?P<scheme>[a-z0-9+-.]{3,30}://)?[0-9a-z-]{3,30}:" + PasswordPattern + "@(?P<host>[0-9a-z-.]{1,50})(?::(?P<port>[0-9]{1,5}))?]?"

	// PasswordPrefixPattern matches the tokens used to recognise a password
	// (pass, passwd, password, pwd, pswd, secret, ...).
	PasswordPrefixPattern string = "(?:(?:pass(?:w(?:or)?d)?)|(?:p(?:s)?w(?:r)?d)|secret)"

	// SecretKeyPrefixPattern matches the tokens used to recognise a secret
	// key (aws, access, api, app, application, private, sensitive, secret).
	SecretKeyPrefixPattern string = "(?:(?:a(?:ws|ccess|p(?:i|p(?:lication)?)))|private|se(?:nsitive|cret))"
)
// Classification codes for a candidate string. IsFalsePositive returns an
// int, which by the look of its signature is one of these values — confirm.
const (
	// IsPositive means the string is a secret.
	IsPositive int = iota
	// IsFile means the string is a path.
	IsFile
	// IsFunction means the string is a function.
	IsFunction
	// IsPlaceholder means the string is a placeholder.
	IsPlaceholder
	// IsVariable means the string is a variable.
	IsVariable
)

// PerCharThreshold is the entropy-per-character threshold.
const PerCharThreshold = 3
// Base64Characters is the standard base64 alphabet (A-Z, a-z, 0-9, '+', '/')
// followed by the '=' padding character.
const Base64Characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
	"abcdefghijklmnopqrstuvwxyz" +
	"0123456789+/="
Variables ¶
// SupportedLanguages is the list of supported languages; presumably the
// list consulted by IsSupportedLanguage — confirm.
var SupportedLanguages = []string{"go", "groovy", "java", "js", "py"}
Functions ¶
func IsFalsePositive ¶
IsFalsePositive checks whether a secret is a false positive.
func IsSupportedLanguage ¶
IsSupportedLanguage checks whether the extension is supported.
func ShannonEntropy ¶
ShannonEntropy calculates the Shannon entropy of data.
func ShannonEntropyBase64 ¶
ShannonEntropyBase64 calculates the Shannon entropy of data.
Types ¶
type AllowList ¶
// AllowList holds the items that a rule or scanner must not report.
type AllowList struct {
	// Commits is a list of commit identifiers — presumably hashes; confirm.
	Commits []string
	// Description is free text describing the allow list.
	Description string
	// Files holds compiled patterns for file names.
	Files []*regexp.Regexp
	// Paths holds compiled patterns for paths.
	Paths []*regexp.Regexp
	// Regexes holds compiled patterns for allowed content.
	Regexes []*regexp.Regexp
}
AllowList is a list of allowed items.
type IsFalsePositiveFunc ¶
IsFalsePositiveFunc is a function that checks whether a secret is a false positive.
type Leak ¶
// Leak is the data struct describing one finding.
type Leak struct {
	// File is the path of the file the finding belongs to.
	File string `json:"file"`
	// Line is the offending line; the "-" tag keeps it out of JSON output.
	Line string `json:"-"`
	// LineNumber is the line number of the finding.
	LineNumber int `json:"line_number"`
	// Offender is the matched text; the "-" tag keeps it out of JSON output,
	// presumably so the secret itself is never serialised — confirm.
	Offender string `json:"-"`
	// Remediation is optional advice; omitted from JSON when empty.
	Remediation string `json:"remediation,omitempty"`
	// Rule is the name of the rule that produced the finding.
	Rule string `json:"rule"`
	// Severity is the severity level of the finding.
	Severity Severity `json:"severity"`
	// Tags are optional labels; omitted from JSON when empty.
	Tags []string `json:"tags,omitempty"`
}
Leak is the data struct for a leak.
type RegexScanner ¶
RegexScanner is the data struct for the regular-expression scanner.
func NewRegexScanner ¶
func NewRegexScanner(logger logging.Interface, options *config.Options) *RegexScanner
NewRegexScanner creates a new regular-expression scanner.
func (*RegexScanner) AddAllowedFiles ¶
func (scanner *RegexScanner) AddAllowedFiles(files *regexp.Regexp)
AddAllowedFiles adds a file pattern to the allowed list.
func (*RegexScanner) SatisfyRules ¶
func (scanner *RegexScanner) SatisfyRules(commit *object.Commit, filePath string, content string) (leaks []Leak)
SatisfyRules checks the content against all security rules.
type Rule ¶
// Rule is the data struct for one security rule.
type Rule struct {
	// AllowList holds the items this rule must not report.
	AllowList AllowList
	// Description is free text describing the rule.
	Description string
	// Entropies holds the entropy constraints of the rule.
	Entropies []Entropy
	// File is a compiled pattern for file names.
	File *regexp.Regexp
	// Path is a compiled pattern for paths.
	Path *regexp.Regexp
	// Regexp is the compiled pattern matched against content.
	Regexp *regexp.Regexp
	// Severity is the severity assigned to findings of this rule.
	Severity Severity
	// Tags are labels attached to findings of this rule.
	Tags []string
}
Rule is the data struct for a rule.
type Scanner ¶
// Scanner is implemented by every scanner that can inspect a commit.
type Scanner interface {
	// AddAllowedFiles adds a file pattern to the scanner's allowed list.
	AddAllowedFiles(files *regexp.Regexp)
	// Scan inspects commit and returns the leaks it finds.
	Scan(commit *object.Commit) (leaks []Leak, err error)
}
Scanner is the scanner interface.
type VerifiedScanner ¶
// VerifiedScanner is implemented by scanners that can verify a secret.
type VerifiedScanner interface {
	// Verify reports whether the secret is verified.
	Verify() bool
}
VerifiedScanner verifies a secret.