SecretScanner
[Secret Scanner] some secrets that were not detected
- Type: CircleCI config file keys such as auth, username, password are not detected
  Example:
  ```yaml
  auth:
    username: circleclidockeruser
    password: circleclidockerpassword # context / project UI env-var reference
  ```
- API keys in OpenWeatherMap (must be shown as a warning)
  Example (highlighted text is not detected):
  ```
  url = "https://api.openweathermap.org/data/2.5/find?q=Palo+Alto&units=imperial&type=accurate&mode=json&APPID=ba3447bf3NOTREAL18414e1f995f68aeb6d"
  ```
- Variable names such as username, user, password and passwd are not detected
  Example:
  ```
  USER = 'realusername' PASSWORD = 'Realpassword@1234'
  usr = 'anotherrealluser' passwd = 'anotherrealpasswd'
  ```
- There is no username and password in this line, https://github.com/apache/jmeter/blob/efe50ca5b150cdbdb578886f8b4d98d3f1ea264f/xdocs/usermanual/curl.xml#L173, but I get a false positive scan result:
  ```json
  {
    "Image Layer ID": "",
    "Matched Rule ID": 118,
    "Matched Rule Name": "Username and password in URI",
    "Matched Part": "contents",
    "String to Match": "",
    "Signature to Match": "([\\w+]{1,24})(://)([^$\u003c]{1})([^\\s\";]{1,}):([^$\u003c]{1})([^\\s\";/]{1,})@[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,24}([^\\s]+)",
    "Severity": "high",
    "Severity Score": 7.53,
    "Starting Index of Match in Original Content": 9408,
    "Relative Starting Index of Match in Displayed Substring": 50,
    "Relative Ending Index of Match in Displayed Substring": 72,
    "Full File Name": "/deepfence/mnt/root/jmeter/xdocs/usermanual/curl.xml",
    "Matched Contents": "xy\u003c/b\u003e\u003csource\u003ecurl 'https://example.invalid/' -x '[31mhttps://aa:[email protected][0mvalid:8042'\u003c/source\u003e\u003c/p\u003e"
  }
  ```
- However, this line must be detected as there is a mention of passwd: https://github.com/apache/jmeter/blob/efe50ca5b150cdbdb578886f8b4d98d3f1ea264f/xdocs/usermanual/curl.xml#L174
  ```
  "https://example.invalid" -u 'user:passwd' --basic</source></p>
  ```
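To make the reported cases concrete, here is a small rule set run over the lines quoted in this issue. This is example code added for illustration, not SecretScanner's own engine: only the rule 118 signature is copied from the JSON above. The other three rules, their names and severities, the helper functions `scan` and `lines_hit_by`, and the sample text are assumptions; in the sample the proxy host of the curl `-x` line is a made-up host, since it is partly elided in the matched contents above.

```python
"""Small regex rule set for the credential shapes discussed in this issue.

Example code written for this page, not SecretScanner's engine. Only RULE_118
is copied from the scan output above; everything else is an assumption.
"""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str
    severity: str
    line_no: int
    fragment: str  # the credential-bearing text that matched


# Rule 118 exactly as printed in "Signature to Match" above (JSON escapes decoded).
RULE_118 = re.compile(
    r'([\w+]{1,24})(://)([^$<]{1})([^\s";]{1,}):([^$<]{1})([^\s";/]{1,})@'
    r'[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,24}([^\s]+)'
)

# (name, severity, regex). Names and severities are assumptions; the "warning"
# level follows the issue's request for OpenWeatherMap keys.
RULES = [
    ("Username and password in URI", "high", RULE_118),
    # A credential-looking key with an inline value. Covers YAML keys in a
    # CircleCI auth block (username:/password:) and code assignments such as
    # USER = '...' or passwd = '...'. Longest alternatives come first so that
    # "passwd" is not cut short by "pass".
    ("Credential key with inline value", "high", re.compile(
        r"""(?i)\b(username|user|usr|password|passwd|pass)\s*[:=]\s*['"]?([^'"\s#]+)""")),
    # An API key passed as a query-string parameter, e.g. OpenWeatherMap's APPID=.
    ("API key in query string", "warning", re.compile(
        r"(?i)[?&](appid|api_?key|access_token|token)=([A-Za-z0-9_\-]{16,})")),
    # curl basic-auth credentials: -u 'user:passwd' or --user user:passwd.
    ("curl basic-auth credential", "high", re.compile(
        r"""(?:-u|--user)\s+['"]?([^'"\s:]+):([^'"\s]+)""")),
]

# Constructed sample: the lines quoted in this issue, one per line. The proxy
# host in the curl -x line is made up because it is partly elided above.
SAMPLE = """\
auth:
  username: circleclidockeruser
  password: circleclidockerpassword
url = "https://api.openweathermap.org/data/2.5/find?q=Palo+Alto&units=imperial&type=accurate&mode=json&APPID=ba3447bf3NOTREAL18414e1f995f68aeb6d"
USER = 'realusername' PASSWORD = 'Realpassword@1234'
usr = 'anotherrealluser' passwd = 'anotherrealpasswd'
curl 'https://example.invalid/' -x 'https://aa:bb@proxy.example.invalid:8042'
"https://example.invalid" -u 'user:passwd' --basic
"""


def scan(text: str) -> list[Finding]:
    """Run every rule over every line and return all matches, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, severity, regex in RULES:
            for match in regex.finditer(line):
                findings.append(Finding(name, severity, line_no, match.group(0)))
    return findings


def lines_hit_by(findings: list[Finding], rule: str) -> list[int]:
    """Line numbers on which a given rule fired (one entry per match)."""
    return [f.line_no for f in findings if f.rule == rule]


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no:>2}  {f.severity:<7}  {f.rule:<34}  {f.fragment}")
```

Running it shows rule 118 firing only on the line whose proxy URL carries `user:pass@host`, the `-u 'user:passwd'` line being caught by the two added rules instead, the OpenWeatherMap `APPID=` value reported at warning level, and each of the `username`/`password`/`USER`/`usr`/`passwd` assignments reported once. A real scanner would also mask the value in its report rather than echoing the full fragment as this example does.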