security


Constants

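const (
	// BaiscAuthenticationPattern is the common pattern for a basic-authentication
	// URL (scheme://user:password@host). The identifier misspells "Basic" but is
	// kept as-is so existing callers keep compiling. The password is captured in
	// the `secret` group; `[^{}[:space:]]` rejects braces and whitespace,
	// presumably so templated placeholders such as {{password}} are skipped —
	// confirm against the scanner's false-positive handling.
	BaiscAuthenticationPattern string = "://[^{}[:space:]]+:(?P<secret>[^{}[:space:]]+)@"
	// Base64Pattern matches a base64 blob with standard '=' padding, captured in
	// the `secret` group. It is unanchored and needs only four base64 characters
	// to match, so ordinary words qualify; callers presumably pair it with an
	// entropy check (see Entropy / PerCharThreshold) to weed those out.
	// The raw string literal is already an untyped string constant, so no
	// string(...) conversion is needed.
	Base64Pattern string = `(?P<secret>(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4}))`
	// ConnectionString is the pattern for connection strings (ftp, database, ...):
	// an optional scheme, a user name, a password (PasswordPattern, which supplies
	// the `secret` group), a host and an optional port.
	// The scheme class is written `+.-` so that every character is literal; the
	// former `+-.` formed a range that also admitted ',' in a scheme, which no
	// URL scheme allows. The overall match is unchanged because the scheme group
	// is optional and the pattern is unanchored.
	// The trailing `]?` is an optional literal ']' outside any class; it looks
	// like a leftover but is kept because dropping it would alter what the rule
	// matches — TODO confirm intent.
	ConnectionString string = "(?P<scheme>[a-z0-9+.-]{3,30}://)?[0-9a-z-]{3,30}:" + PasswordPattern + "@(?P<host>[0-9a-z-.]{1,50})(?::(?P<port>[0-9]{1,5}))?]?"
	// PasswordExcludePattern is the pattern to be excluded from the password
	// pattern. It is currently empty; see the FIXME on PasswordPattern.
	PasswordExcludePattern string = ""
	// PasswordPattern matches a password of 6 to 45 characters drawn from the
	// listed class and captures it in the `secret` group.
	// FIXME: exclude variables, no support to negative lookahead and lookbehind in golang re2
	PasswordPattern string = `(?P<secret>[a-zA-Z0-9!?$)(.=<>\/%@#*&{}_^+-]{6,45})`
	// PasswordPrefixPattern is the token used to recognize passwords
	// (pass, passwd, password, pwd, pswd, psword, secret, ...).
	PasswordPrefixPattern string = "(?:(?:pass(?:w(?:or)?d)?)|(?:p(?:s)?w(?:r)?d)|secret)"
	// SecretKeyPrefixPattern is the token used to recognize secrets
	// (aws, access, api, app, application, private, sensitive, secret).
	SecretKeyPrefixPattern string = "(?:(?:a(?:ws|ccess|p(?:i|p(?:lication)?)))|private|se(?:nsitive|cret))"
	// SeverityBlocker is the blocker severity.
	SeverityBlocker Severity = "BLOCKER"
	// SeverityCritical is the critical severity.
	SeverityCritical Severity = "CRITICAL"
	// SeverityInfo is the info severity.
	SeverityInfo Severity = "INFO"
	// SeverityMajor is the major severity.
	SeverityMajor Severity = "MAJOR"
	// SeverityMinor is the minor severity.
	SeverityMinor Severity = "MINOR"
)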
const (
	// IsPositive string is secret.
	// IsPositive..IsVariable are consecutive int values starting at 0; they are
	// presumably the classifications returned by IsFalsePositive — confirm against
	// that function's body.
	IsPositive int = iota
	// IsFile string is a path
	IsFile
	// IsFunction string is function
	IsFunction
	// IsPlaceholder string is placeholder
	IsPlaceholder
	// IsVariable string is variable
	IsVariable
	// PerCharThreshold entropy per character threshold.
	// Declared inside the iota block but given an explicit value, so it is the
	// untyped constant 3 rather than the next iota value (5).
	PerCharThreshold = 3
)
// Base64Characters lists every character that can appear in standard base64
// output: the 64 alphabet characters followed by the '=' padding byte.
const Base64Characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

Variables

// SupportedLanguages is the list of supported languages, named by file
// extension ("go", "groovy", "java", "js", "py").
var SupportedLanguages = []string{"go", "groovy", "java", "js", "py"}

Functions

func IsFalsePositive

func IsFalsePositive(filePath string, line string, secret string) int

IsFalsePositive checks whether secret is a false positive.

func IsSupportedLanguage

func IsSupportedLanguage(language string) bool

IsSupportedLanguage checks whether the given language extension is supported.

func ShannonEntropy

func ShannonEntropy(data string) (entropy float64)

ShannonEntropy calculates the Shannon entropy of data.

func ShannonEntropyBase64

func ShannonEntropyBase64(data string) (entropy float64)

ShannonEntropyBase64 calculates the Shannon entropy of a base64-encoded string.

Types

type AllowList

// AllowList is a list of items the scanner should not report on.
type AllowList struct {
	// Commits lists commits to skip — presumably commit hashes; confirm against the scanner.
	Commits     []string
	// Description is free text explaining why these entries are allowed.
	Description string
	// Files, Paths and Regexes are compiled patterns; how a match on each
	// suppresses a finding is decided in the scanner, not visible here.
	Files       []*regexp.Regexp
	Paths       []*regexp.Regexp
	Regexes     []*regexp.Regexp
}

AllowList list of allowed items

type Entropy

// Entropy holds the entropy bounds applied to a captured match.
type Entropy struct {
	// MinThreshold and MaxThreshold bound the accepted entropy value.
	MinThreshold float64
	MaxThreshold float64
	// Group is presumably the index of the regexp capture group whose text is
	// measured — TODO confirm against the scanner.
	Group        int
}

Entropy data struct

type IsFalsePositiveFunc

// IsFalsePositiveFunc is the signature of a false-positive check: given the
// file, the line and the candidate secret, it returns an int classification
// (the package-level IsFalsePositive has this shape).
type IsFalsePositiveFunc func(file string, line string, secret string) int

IsFalsePositiveFunc function to check false positive secrets

type Leak

// Leak is one reported finding.
type Leak struct {
	File        string   `json:"file"`
	// Line and Offender carry the `json:"-"` tag, so the raw source line and the
	// matched secret are never serialized into JSON reports — only file, line
	// number, rule, severity, tags and remediation are emitted.
	Line        string   `json:"-"`
	LineNumber  int      `json:"line_number"`
	Offender    string   `json:"-"`
	// Remediation and Tags are omitted from the JSON when empty.
	Remediation string   `json:"remediation,omitempty"`
	Rule        string   `json:"rule"`
	Severity    Severity `json:"severity"`
	Tags        []string `json:"tags,omitempty"`
}

Leak data struct

type Options

// Options are the scanner options; currently only an allow list.
type Options struct {
	AllowList AllowList
}

Options scanner options

type RegexScanner

// RegexScanner applies a set of regexp Rules to commit content.
type RegexScanner struct {
	// Logger is the project's logging interface (logging.Interface).
	Logger  logging.Interface
	// Options holds the allow list consulted while scanning.
	Options Options
	// Rules is the list of rules evaluated by SatisfyRules.
	Rules   []Rule
}

RegexScanner data struct

func NewRegexScanner

func NewRegexScanner(logger logging.Interface, options *config.Options) *RegexScanner

NewRegexScanner creates a new regular expression scanner.

func (*RegexScanner) AddAllowedFiles

func (scanner *RegexScanner) AddAllowedFiles(files *regexp.Regexp)

AddAllowedFiles adds a file pattern to the allow list.

func (*RegexScanner) SatisfyRules

func (scanner *RegexScanner) SatisfyRules(commit *object.Commit, filePath string, content string) (leaks []Leak)

SatisfyRules checks the content against all security rules.

func (*RegexScanner) Scan

func (scanner *RegexScanner) Scan(commit *object.Commit) (leaks []Leak, err error)

Scan scans a commit for leaks.

type Rule

// Rule describes one detection rule.
type Rule struct {
	// AllowList is a per-rule allow list, in addition to the scanner-wide one.
	AllowList   AllowList
	Description string
	// Entropies are the entropy bounds applied to the rule's matches.
	Entropies   []Entropy
	// File and Path presumably restrict which files the rule applies to; Regexp
	// is the pattern matched against content — confirm in SatisfyRules.
	File        *regexp.Regexp
	Path        *regexp.Regexp
	Regexp      *regexp.Regexp
	// Severity is one of the Severity* constants.
	Severity    Severity
	Tags        []string
}

Rule data struct

func NewRule

func NewRule(description string, file string, pattern string, severity string, tags []string) *Rule

type Scanner

// Scanner is the interface implemented by RegexScanner: it accepts extra
// allowed-file patterns and scans a git commit for leaks.
type Scanner interface {
	AddAllowedFiles(files *regexp.Regexp)
	Scan(commit *object.Commit) (leaks []Leak, err error)
}

Scanner scanner interface

type Severity

// Severity is the severity of a rule. Known values are the Severity*
// constants: BLOCKER, CRITICAL, INFO, MAJOR and MINOR.
type Severity string

Severity rule severity

type VerifiedScanner

// VerifiedScanner is implemented by scanners that can confirm whether a
// candidate secret is real; what Verify checks is not visible here.
type VerifiedScanner interface {
	Verify() bool
}

VerifiedScanner verifies a secret.
