owenrumney / Squealer

Licence: unlicense
Telling tales on you for leaking secrets!
Squealer

Squealer scans a local git repository for secrets that are being leaked deep within the commit history.

The built-in configuration has the following checks:

AWS

  • access key id
  • access secret key

Github

  • github token

Slack

  • slack token OAUTH
  • webhook url

Other

  • Asymmetric Private Key

Sometimes secrets get committed to our projects; generally we can invalidate them and move on. If squealer is telling tales about a secret that you are already aware of and have mitigated, you can use the exception rule found in the output to register it as ignored.

Installation

curl -s "https://raw.githubusercontent.com/owenrumney/squealer/main/scripts/install.sh" | bash

Usage

Squealer is intended to be run either locally or as part of a CI process.

./squealer --help
Telling tales on your secret leaking

Usage:
  squealer [flags]

Flags:
      --concise                Reduced output.
      --config-file string     Path to the config file with the rules.
      --debug                  Include debug output.
      --everything             Scan all commits.... everywhere.
      --from-hash string       The hash to work back to from the starting hash.
  -h, --help                   help for squealer
      --no-git                 Scan as a directory rather than a git history.
      --output-format string   The format that the output should come in (default, json, sarif.
      --redacted               Display the results redacted.
      --to-hash string         The most recent hash to start with.

Config File

rules:
- rule: (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
  description: Check for AWS Access Key Id
- rule: (?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]
  description: Check for AWS Secret Access Key
- rule: (?i)github[_\-\.]?token[\s:,="\]']+?(?-i)[0-9a-zA-Z]{35,40}
  description: Check for Github Token 
- rule: https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}
  description: Check for Slack webhook
- rule: xox[baprs]-([0-9a-zA-Z]{10,48})?
  description: Check for Slack token
- rule: '-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----'
  description: Check for Private Asymetric Key
ignore_paths:
- vendor
- node_modules
ignore_extensions:
- .zip
- .png
- .jpg
- .pdf
- .xls
- .doc
- .docx
exceptions:
- exception: release/update.go:D2IDetI6aidl58GE6dv5uAaWmXM=
  reason: This is a webhook that we got rid of - can be ignored in this file

Config breakdown

The config file is made up of the rules, ignore_paths, ignore_extensions and exceptions.

rules

Each rule defines the regular expression used to detect a secret and requires a description for posterity.

ignore_paths

Ignore paths are folders that you don't want to look in, generally vendor and the like.

ignore_extensions

Ignore extensions have the file types that won't be scanned. Binaries are automatically ignored.

exceptions

Exceptions are the entries that you've already handled and don't want to be reported any more.

Example Output

INFO[0000] Using a git scanner to process ../../tfsec/tfsec
INFO[0000] starting at hash 3bd04e7e17f2aad9e5f38826d88325798534a289

Content:      | access_key = "AKIAABCD12ABCDEF1ABC"
Filename:     | internal/app/tfsec/checks/aws044.go
Line No:      | 21
Secret Hash:  | bcE9jU2WV11OYs63eGHPZf1l9v8=
Commit:       | 4e68e1c5b3bc66982e4b7e6c5cc1c1642c87f83d
Committer:    | GitHub ([email protected])
Committed:    | 2020-10-21 21:59:22 +0100 +0100
Exclude rule: | internal/app/tfsec/checks/aws044.go:bcE9jU2WV11OYs63eGHPZf1l9v8=

Content:      | access_key = "AKIAABCD12ABCDEF1ABC"
Filename:     | docs-website/docs/aws/AWS044.md
Line No:      | 26
Secret Hash:  | bcE9jU2WV11OYs63eGHPZf1l9v8=
Commit:       | 8a7715f2cf5a2ac74a1e186792c476fd52ee1474
Committer:    | ¨Owen Rumney ([email protected])
Committed:    | 2021-01-24 19:04:27 +0000 +0000
Exclude rule: | docs-website/docs/aws/AWS044.md:bcE9jU2WV11OYs63eGHPZf1l9v8=

Processing:
  duration:     2.99s
  commits:      503
  commit files: 4095

transgressionMap:
  identified:   6
  ignored:      0
  reported:     2


INFO[0002] Exit code: 1

It's worth noting that these are known because they're examples in the documentation for tfsec; I can add them to the config.yaml as exclusions by using the Exclude rule.
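To show how the config rules and the Exclude rule fit together, here is an added Go example (not squealer's own code): it applies two of the README's regexes line by line, builds the path:hash exclude string for each match, and counts a match as ignored when that string is in the exceptions list. The hash derivation (base64 of SHA-1 over the matched text) and the sample file content are assumptions made for this example.

```go
package main

import (
	"crypto/sha1"
	"encoding/base64"
	"regexp"
	"strings"
)

// Two of the README's built-in rules, keyed by their description.
var Rules = map[string]*regexp.Regexp{
	"Check for AWS Access Key Id": regexp.MustCompile(`(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}`),
	"Check for Slack webhook":     regexp.MustCompile(`https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}`),
}

// Constructed sample input (not taken from any real repository).
const SamplePath = "internal/app/tfsec/checks/aws044.go"
const SampleBody = "access_key = \"AKIAABCD12ABCDEF1ABC\"\n" +
	"hook := \"https://hooks.slack.com/services/T12345678/B12345678/abcdefghijklmnopqrstuvwx\"\n" +
	"nothing secret on this line\n"

// SecretHash is an ASSUMPTION (base64 of SHA-1 over the match); the page does not say how squealer derives its Secret Hash.
func SecretHash(match string) string {
	sum := sha1.Sum([]byte(match))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Finding is one transgression; ExcludeRule is the path:hash string a user
// copies into the config's exceptions list to silence it.
type Finding struct {
	Description, Content, ExcludeRule string
}

// ScanFile runs every rule over each line; a match whose path:hash is in exceptions is counted as ignored, not reported.
func ScanFile(path, body string, exceptions map[string]bool) (reported []Finding, ignored int) {
	for _, line := range strings.Split(body, "\n") {
		for desc, re := range Rules {
			m := re.FindString(line)
			if m == "" {
				continue
			}
			if rule := path + ":" + SecretHash(m); exceptions[rule] {
				ignored++
			} else {
				reported = append(reported, Finding{desc, strings.TrimSpace(line), rule})
			}
		}
	}
	return reported, ignored
}
```

Registering the exclude string printed for a finding in the exceptions list moves that finding from reported to ignored on the next scan, which is the workflow the output above describes.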

Credits

Image by Derangedmisfit