sast-scan icon indicating copy to clipboard operation
sast-scan copied to clipboard

Published 20 hours ago verified publisher icon ShiftLeftSecurity

credscan not detecting anything

Open crazy-matt opened this issue 4 years ago • 7 comments

Hi,

I tested all combinations of configuration possible and I can't make credscan working. How I tested? Injecting a file containing:

username='administrator'
email='[email protected]'

and using this workflow https://github.com/crazy-matt/pre-commit-manager/blob/main/.github/workflows/security_scanner.yml

which triggers a job working with the proper gitleaks action and a second one with your action.

While the first job fails reporting 2 findings, the second one run successfully outputing a table with 0 findings. The NG json file has his findings node empty too.

I run your action by overriding the credscan settings in .sastscanrc because I noticed that not doing so does not run credscan at all. I don't see the Secrets row in the Summary table at all when removing the scan_tools_args_map config from .sastscanrc

crazy-matt avatar Sep 19 '21 01:09 crazy-matt

@crazy-matt Let's setup an example repo to test and see what is going on. I remember excluding simple username and emails since these are usually not considered as secrets in a typical enterprise.

prabhu avatar Sep 20 '21 15:09 prabhu

It depends on the context actually. With GDPR, we should be able to scan them because some devs might be tempted pushing Personal Identifiable Information to do some mock testing

crazy-matt avatar Sep 20 '21 17:09 crazy-matt

Could you add a new rule similar to this one for capturing username and email. You can reduce the entropy to capture broad values.

https://github.com/ShiftLeftSecurity/sast-scan/blob/master/tools_config/credscan-config.toml#L175

prabhu avatar Sep 20 '21 19:09 prabhu

Isn't the rule below enough to do the job without entropy?

https://github.com/crazy-matt/pre-commit-manager/blob/feat%2Ftf-hooks/.security/credscan-config.toml#L84

[[rules]]
    description = "Email"
    regex = '''[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}'''
    tags = ["email"]
    [rules.allowlist]
        description = "ignore gitconfig emails"
        regexes = [
            '''[a-zA-Z0-9._%+-][email protected]''',
            '''[email protected]''',
            '''[email protected]''',
            '''(.*)Copyright(.*)''',
        ]

crazy-matt avatar Sep 20 '21 19:09 crazy-matt

I tried again with my rule (https://github.com/crazy-matt/pre-commit-manager/blob/6a8d586ecf4ec288ebbf935de0e793d7f9dafa4b/.security/credscan-config.toml#L84)

  • yours (https://github.com/crazy-matt/pre-commit-manager/blob/6a8d586ecf4ec288ebbf935de0e793d7f9dafa4b/.security/credscan-config.toml#L100) slightly modified, but I'm not sure this one can handle this kind of leak.

And as you can see on the workflow below, the gitleaks action detects while credscan doesn't see anything: https://github.com/crazy-matt/pre-commit-manager/runs/3657105592?check_suite_focus=true

crazy-matt avatar Sep 20 '21 22:09 crazy-matt

can you set the env variable SCAN_DEBUG_MODE to debug. Let's see what file is passed to gitleaks via scan.

prabhu avatar Sep 21 '21 11:09 prabhu

@crazy-matt How about we invoke both credscan and credscan-git automatically? That would cover both existing and upcoming changes right?

prabhu avatar Sep 25 '21 10:09 prabhu