
Supporting passwords

Open professor opened this issue 6 years ago • 2 comments

I noticed that on a recent leak, a couple of fields would not have been caught by cred-alert. At the time, we were not using cred-alert. We are now, and it would be nice to catch these situations.

ivyrepo_passwd: "snipped"
docker_password: snipped

professor avatar Mar 13 '18 15:03 professor

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this GitHub issue will be updated when the story is started.

cf-gitbot avatar Mar 13 '18 15:03 cf-gitbot

I was wondering about this same thing.

The underlying question: what exactly constitutes a credential?

I scanned my .ssh directory, and it recognized PEM keys. I scanned my .aws/credentials and it found those easily.

What if I have a password in a Terraform file? For example:

my_rds_password = "abc"

Are these types of credentials supposed to get caught?

ghost avatar Aug 15 '18 03:08 ghost
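
The following is an added example, not part of the thread and not cred-alert's own code or rules: one way a scanner could flag the assignment-style fields quoted above by key name while skipping values that are only references. The suffix list, the reference syntaxes treated as non-secrets, and the names `ScanAssignments` and `Finding` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// assignRe matches `key = value` or `key: value` where the key name ENDS in a
// password-like suffix, so `password_policy` does not match (assumed suffixes).
var assignRe = regexp.MustCompile(
	`(?i)^\s*["']?([a-z0-9_.-]*(?:passwd|password|secret|token))["']?\s*[:=]\s*(.+?)\s*$`)

// placeholderRe matches values that are references rather than literals:
// ${...} interpolation, $VAR, ((var)) templates, var.x, <angle> placeholders.
var placeholderRe = regexp.MustCompile(`^(\$\{.*\}|\$\w+|\(\(.*\)\)|var\.[\w.]+|<.*>)$`)

// Finding records where a literal was assigned; the value itself is never kept.
type Finding struct {
	Line int
	Key  string
}

// ScanAssignments reports lines assigning a literal value to a password-like key.
func ScanAssignments(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		if m := assignRe.FindStringSubmatch(line); m != nil {
			val := strings.Trim(m[2], `"',`)
			if val != "" && !placeholderRe.MatchString(val) {
				out = append(out, Finding{Line: i + 1, Key: m[1]})
			}
		}
	}
	return out
}

// sample is constructed input: the three snippets from the thread plus three
// constructed lines that should NOT be reported.
const sample = `ivyrepo_passwd: "snipped"
docker_password: snipped
my_rds_password = "abc"
db_password = "${var.db_password}"
password_policy = "strict"
admin_password: ((admin_password))`

func main() {
	for _, f := range ScanAssignments(sample) {
		fmt.Printf("line %d: literal value assigned to %s\n", f.Line, f.Key)
	}
}
```

Key-name matching of this kind trades recall for noise: it reports any literal, including dummy or test values, so in practice it is usually paired with an allowlist or an entropy threshold.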