diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..d12c1c1
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,6 @@
+# This is not a secrets file but must be in the root directory.
+# 2010
+*.txt -crlf
+
+# 2020
+*.txt text eol=lf
\ No newline at end of file
diff --git a/.leaky-meta/,gitignore b/.leaky-meta/,gitignore
new file mode 100644
index 0000000..4027c18
--- /dev/null
+++ b/.leaky-meta/,gitignore
@@ -0,0 +1 @@
+*.toml
\ No newline at end of file
diff --git a/.leaky-meta/benchmark.py b/.leaky-meta/benchmark.py
index e567978..3852690 100644
--- a/.leaky-meta/benchmark.py
+++ b/.leaky-meta/benchmark.py
@@ -40,7 +40,7 @@ def get_secret_count_detectsecrets():
 def get_secret_count_gitleaks():
 finds = {}
- cmd = ['gitleaks', '--report=.leaky-meta/gitleaks.json', '--repo-path', '.']
+ cmd = ['gitleaks', '--config=.leaky-meta/gitleaks-config.toml', '--report=.leaky-meta/gitleaks.json', '--repo-path', '.']
 stdout, stderr = get_command_stdout(cmd)
 with open('gitleaks.json') as f:
 data = json.load(f)
diff --git a/.leaky-meta/benchmarking/DETECT-SECRETS.md b/.leaky-meta/benchmarking/DETECT-SECRETS.md
index 7eb9f07..9b5c13f 100644
--- a/.leaky-meta/benchmarking/DETECT-SECRETS.md
+++ b/.leaky-meta/benchmarking/DETECT-SECRETS.md
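Review bot: The two rules this file adds are not equivalent, and git lets a later matching line override an earlier one for the same attribute, so `*.txt -crlf` is dead on any git that understands `text`: `-crlf` is the deprecated spelling of `-text` (suppress all end-of-line conversion), whereas `*.txt text eol=lf` turns LF normalization on. If the old spelling is kept on purpose for very old clients, the comment should say so rather than just `# 2010`, e.g. `# 2010-era spelling (-crlf == -text) kept for old clients; on modern git the 'text eol=lf' line below overrides it`. Otherwise drop it so the file states a single policy.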
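Review bot: The new ignore file is named `,gitignore` (comma) instead of `.gitignore`, so git never reads it and the `*.toml` rule has no effect; it presumably exists to keep the `gitleaks-config.toml` that `install-test-tools.sh` downloads out of the corpus. Rename it to `.leaky-meta/.gitignore` unless the comma is intentional. Once it works, a fresh clone has no config until the installer has been run, so `benchmark.py` should check that `.leaky-meta/gitleaks-config.toml` exists before invoking gitleaks and fail with a message pointing at the installer rather than letting gitleaks error out.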
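Review bot: The new `--config=.leaky-meta/gitleaks-config.toml` argument is resolved relative to the current working directory, but `install-test-tools.sh` in this same commit saves the file as cwd-relative `gitleaks-config.toml` with no directory component, so the two only agree if the installer is run from `.leaky-meta/` and the benchmark from the repository root. Resolve the path from the script's own location instead, e.g. `cfg = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'gitleaks-config.toml')` (importing `os` if it is not already) and pass `'--config=' + cfg`. The same cwd dependence already exists between `--report=.leaky-meta/gitleaks.json` and `open('gitleaks.json')` on the following lines, which name different paths. `get_secret_count_gitleaks` continues past the end of the hunk.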
@@ -1,52 +1,52 @@ Tool: https://github.com/Yelp/detect-secrets Command Used: `detect-secrets scan` Files covered: 23/44 (52.27% coverage) -Total finds: 41/179 (22.91% coverage) +Total finds: 41/175 (23.43% coverage) False Positives: 0 File Name | Found/Total | False Positives | ---------------------------------------|----------------|-----------------| .mozilla/firefox/logins.json | 6/28 | 0 .bash_profile | 4/11 | 0 +.bashrc | 3/6 | 0 web/ruby/secrets.yml | 3/3 | 0 web/var/www/.env | 3/10 | 0 -.bashrc | 3/6 | 0 -ventrilo_srv.ini | 2/2 | 0 -cloud/heroku.json | 2/2 | 0 cloud/.credentials | 2/4 | 0 +cloud/heroku.json | 2/2 | 0 high-entropy-misc.txt | 2/2 | 0 -.remote-sync.json | 1/3 | 0 -sftp-config.json | 1/4 | 0 -.docker/.dockercfg | 1/6 | 0 +ventrilo_srv.ini | 2/2 | 0 +.docker/.dockercfg | 1/4 | 0 +.docker/config.json | 1/4 | 0 .ssh/id_rsa | 1/1 | 0 -web/var/www/public_html/config.php | 1/4 | 0 -misc-keys/putty-example.ppk | 1/2 | 0 cloud/.tugboat | 1/3 | 0 -.idea/WebServers.xml | 1/2 | 0 +db/mongoid.yml | 1/1 | 0 +misc-keys/cert-key.pem | 1/1 | 0 +misc-keys/putty-example.ppk | 1/2 | 0 hub | 1/2 | 0 -.vscode/sftp.json | 1/4 | 0 +web/var/www/public_html/config.php | 1/4 | 0 deployment-config.json | 1/4 | 0 -.docker/config.json | 1/6 | 0 -misc-keys/cert-key.pem | 1/1 | 0 -db/mongoid.yml | 1/1 | 0 -filezilla/recentservers.xml | 0/6 | 0 -web/var/www/public_html/.htpasswd | 0/1 | 0 +.remote-sync.json | 1/3 | 0 +.vscode/sftp.json | 1/4 | 0 +sftp-config.json | 1/4 | 0 +.idea/WebServers.xml | 1/2 | 0 +.ssh/id_rsa.pub | 0/1 | 0 cloud/.s3cfg | 0/3 | 0 -web/django/settings.py | 0/1 | 0 -.ftpconfig | 0/5 | 0 -.npmrc | 0/3 | 0 db/dump.sql | 0/10 | 0 etc/shadow | 0/1 | 0 -config | 0/4 | 0 -web/js/salesforce.js | 0/1 | 0 -web/var/www/public_html/wp-config.php | 0/12 | 0 -proftpdpasswd | 0/1 | 0 +filezilla/recentservers.xml | 0/6 | 0 filezilla/filezilla.xml | 0/3 | 0 -db/dbeaver-data-sources.xml | 0/1 | 0 -.netrc | 0/2 | 0 -.esmtprc | 0/3 | 0 -db/.pgpass | 0/1 | 0 
-db/robomongo.json | 0/7 | 0 +proftpdpasswd | 0/1 | 0 web/ruby/config/master.key | 0/1 | 0 +.npmrc | 0/3 | 0 +web/var/www/public_html/wp-config.php | 0/12 | 0 +web/var/www/public_html/.htpasswd | 0/1 | 0 .git-credentials | 0/1 | 0 -.ssh/id_rsa.pub | 0/1 | 0 +db/robomongo.json | 0/7 | 0 +web/js/salesforce.js | 0/1 | 0 +.netrc | 0/2 | 0 +config | 0/4 | 0 +db/.pgpass | 0/1 | 0 +db/dbeaver-data-sources.xml | 0/1 | 0 +.esmtprc | 0/3 | 0 +web/django/settings.py | 0/1 | 0 +.ftpconfig | 0/5 | 0 diff --git a/.leaky-meta/benchmarking/GITLEAKS.md b/.leaky-meta/benchmarking/GITLEAKS.md index 6a2b1df..0e34f19 100644 --- a/.leaky-meta/benchmarking/GITLEAKS.md +++ b/.leaky-meta/benchmarking/GITLEAKS.md 
@@ -1,52 +1,52 @@ Tool: https://github.com/zricethezav/gitleaks -Command Used: `gitleaks --report=.leaky-meta/gitleaks.json --repo-path .` -Files covered: 6/44 (13.64% coverage) -Total finds: 8/179 (4.47% coverage) -False Positives: 0 +Command Used: `gitleaks --config=.leaky-meta/gitleaks-config.toml --report=.leaky-meta/gitleaks.json --repo-path .` +Files covered: 40/44 (90.91% coverage) +Total finds: 127/175 (72.57% coverage) +False Positives: 17 File Name | Found/Total | False Positives | ---------------------------------------|----------------|-----------------| -.bash_profile | 2/11 | 0 -.bashrc | 2/6 | 0 -cloud/heroku.json | 1/2 | 0 +web/var/www/.env | 14/10 | 4 +web/var/www/public_html/wp-config.php | 14/12 | 2 +.mozilla/firefox/logins.json | 13/28 | 0 +.bash_profile | 12/11 | 1 +db/dump.sql | 10/10 | 0 +db/robomongo.json | 7/7 | 0 +.vscode/sftp.json | 7/4 | 3 +cloud/.credentials | 6/4 | 2 +web/var/www/public_html/config.php | 4/4 | 0 +.bashrc | 3/6 | 0 +config | 3/4 | 0 +db/dbeaver-data-sources.xml | 3/1 | 2 +.esmtprc | 3/3 | 0 +deployment-config.json | 3/4 | 0 +sftp-config.json | 3/4 | 0 +.idea/WebServers.xml | 3/2 | 1 +.docker/.dockercfg | 2/4 | 0 +.docker/config.json | 2/4 | 0 +cloud/heroku.json | 2/2 | 0 +filezilla/recentservers.xml | 2/6 | 0 +high-entropy-misc.txt | 2/2 | 0 +.git-credentials | 2/1 | 1 +web/js/salesforce.js | 2/1 | 1 +.netrc | 2/2 | 0 +hub | 2/2 | 0 +ventrilo_srv.ini | 2/2 | 0 +.ftpconfig | 2/5 | 0 +.remote-sync.json | 2/3 | 0 .ssh/id_rsa | 1/1 | 0 -misc-keys/cert-key.pem | 1/1 | 0 +.ssh/id_rsa.pub | 1/1 | 0 +cloud/.tugboat | 1/3 | 0 db/mongoid.yml | 1/1 | 0 -filezilla/recentservers.xml | 0/6 | 0 -ventrilo_srv.ini | 0/2 | 0 -web/var/www/public_html/.htpasswd | 0/1 | 0 -.remote-sync.json | 0/3 | 0 -sftp-config.json | 0/4 | 0 -.docker/.dockercfg | 0/6 | 0 +etc/shadow | 1/1 | 0 +filezilla/filezilla.xml | 1/3 | 0 +misc-keys/cert-key.pem | 1/1 | 0 +proftpdpasswd | 1/1 | 0 +web/ruby/config/master.key | 1/1 | 0 +.npmrc | 1/3 | 0 
+web/var/www/public_html/.htpasswd | 1/1 | 0 +db/.pgpass | 1/1 | 0 cloud/.s3cfg | 0/3 | 0 -web/django/settings.py | 0/1 | 0 -.ftpconfig | 0/5 | 0 -.npmrc | 0/3 | 0 -web/var/www/public_html/config.php | 0/4 | 0 -.mozilla/firefox/logins.json | 0/28 | 0 -web/ruby/secrets.yml | 0/3 | 0 -cloud/.credentials | 0/4 | 0 misc-keys/putty-example.ppk | 0/2 | 0 -db/dump.sql | 0/10 | 0 -etc/shadow | 0/1 | 0 -cloud/.tugboat | 0/3 | 0 -.idea/WebServers.xml | 0/2 | 0 -config | 0/4 | 0 -web/js/salesforce.js | 0/1 | 0 -hub | 0/2 | 0 -.vscode/sftp.json | 0/4 | 0 -web/var/www/public_html/wp-config.php | 0/12 | 0 -proftpdpasswd | 0/1 | 0 -filezilla/filezilla.xml | 0/3 | 0 -web/var/www/.env | 0/10 | 0 -db/dbeaver-data-sources.xml | 0/1 | 0 -.netrc | 0/2 | 0 -deployment-config.json | 0/4 | 0 -.docker/config.json | 0/6 | 0 -.esmtprc | 0/3 | 0 -db/.pgpass | 0/1 | 0 -db/robomongo.json | 0/7 | 0 -web/ruby/config/master.key | 0/1 | 0 -.git-credentials | 0/1 | 0 -.ssh/id_rsa.pub | 0/1 | 0 -high-entropy-misc.txt | 0/2 | 0 +web/ruby/secrets.yml | 0/3 | 0 +web/django/settings.py | 0/1 | 0 diff --git a/.leaky-meta/benchmarking/TRUFFLEHOG.md b/.leaky-meta/benchmarking/TRUFFLEHOG.md index e4c1975..c629425 100644 --- a/.leaky-meta/benchmarking/TRUFFLEHOG.md +++ b/.leaky-meta/benchmarking/TRUFFLEHOG.md @@ -1,7 +1,7 @@ Tool: https://github.com/dxa4481/truffleHog Command Used: `trufflehog --json --regex .` Files covered: 23/44 (52.27% coverage) -Total finds: 40/179 (22.35% coverage) +Total finds: 40/175 (22.86% coverage) False Positives: 43 File Name | Found/Total | False Positives | 
@@ -10,43 +10,43 @@ misc-keys/cert-key.pem | 25/1 | 24 misc-keys/putty-example.ppk | 21/2 | 19 db/dump.sql | 8/10 | 0 web/ruby/secrets.yml | 3/3 | 0 -filezilla/recentservers.xml | 2/6 | 0 -.docker/.dockercfg | 2/6 | 0 +.docker/.dockercfg | 2/4 | 0 +.docker/config.json | 2/4 | 0 .mozilla/firefox/logins.json | 2/28 | 0 cloud/.credentials | 2/4 | 0 cloud/.tugboat | 2/3 | 0 -.docker/config.json | 2/6 | 0 +filezilla/recentservers.xml | 2/6 | 0 high-entropy-misc.txt | 2/2 | 0 +.bash_profile | 1/11 | 0 +.bashrc | 1/6 | 0 +.ssh/id_rsa | 1/1 | 0 +.ssh/id_rsa.pub | 1/1 | 0 cloud/.s3cfg | 1/3 | 0 cloud/heroku.json | 1/2 | 0 -.ssh/id_rsa | 1/1 | 0 +db/mongoid.yml | 1/1 | 0 etc/shadow | 1/1 | 0 -hub | 1/2 | 0 proftpdpasswd | 1/1 | 0 -.bash_profile | 1/11 | 0 -web/var/www/.env | 1/10 | 0 web/ruby/config/master.key | 1/1 | 0 -db/mongoid.yml | 1/1 | 0 -.bashrc | 1/6 | 0 -.ssh/id_rsa.pub | 1/1 | 0 -ventrilo_srv.ini | 0/2 | 0 -web/var/www/public_html/.htpasswd | 0/1 | 0 -.remote-sync.json | 0/3 | 0 -sftp-config.json | 0/4 | 0 -web/django/settings.py | 0/1 | 0 -.ftpconfig | 0/5 | 0 +web/var/www/.env | 1/10 | 0 +hub | 1/2 | 0 +filezilla/filezilla.xml | 0/3 | 0 .npmrc | 0/3 | 0 -web/var/www/public_html/config.php | 0/4 | 0 -.idea/WebServers.xml | 0/2 | 0 -config | 0/4 | 0 -web/js/salesforce.js | 0/1 | 0 -.vscode/sftp.json | 0/4 | 0 web/var/www/public_html/wp-config.php | 0/12 | 0 -filezilla/filezilla.xml | 0/3 | 0 -db/dbeaver-data-sources.xml | 0/1 | 0 +web/var/www/public_html/.htpasswd | 0/1 | 0 +.git-credentials | 0/1 | 0 +db/robomongo.json | 0/7 | 0 +web/js/salesforce.js | 0/1 | 0 .netrc | 0/2 | 0 -deployment-config.json | 0/4 | 0 -.esmtprc | 0/3 | 0 +config | 0/4 | 0 db/.pgpass | 0/1 | 0 -db/robomongo.json | 0/7 | 0 -.git-credentials | 0/1 | 0 +ventrilo_srv.ini | 0/2 | 0 +web/var/www/public_html/config.php | 0/4 | 0 +db/dbeaver-data-sources.xml | 0/1 | 0 +.esmtprc | 0/3 | 0 +web/django/settings.py | 0/1 | 0 +deployment-config.json | 0/4 | 0 +.ftpconfig | 0/5 | 0 +.remote-sync.json 
| 0/3 | 0
+.vscode/sftp.json | 0/4 | 0
+sftp-config.json | 0/4 | 0
+.idea/WebServers.xml | 0/2 | 0
diff --git a/.leaky-meta/install-test-tools.sh b/.leaky-meta/install-test-tools.sh
index 4728844..1b23328 100644
--- a/.leaky-meta/install-test-tools.sh
+++ b/.leaky-meta/install-test-tools.sh
@@ -1,4 +1,5 @@
-#!/bin/bash
+#!/usr/bin/env bash
+
 if ! type "pip" > /dev/null
 then
 echo "Pip and Python are required for installing detect-secrets and truffleHog, but pip was not found!"
@@ -6,9 +7,11 @@ then
 fi
 mkdir -p ~/.local/bin
-if [ ! -f ~/.local/bin/gitleaks ]; then
- wget https://github.com/zricethezav/gitleaks/releases/download/v2.1.0/gitleaks-linux-amd64 -O ~/.local/bin/gitleaks
+if ! type "gitleaks" > /dev/null; then
+ latest=$(curl -s https://api.github.com/repos/zricethezav/gitleaks/releases/latest |grep "browser_download_url.*linux-amd64" |cut -d : -f 2,3 | tr -d '"')
+ wget $latest -O ~/.local/bin/gitleaks
 chmod +x ~/.local/bin/gitleaks
 fi
+wget https://raw.githubusercontent.com/zricethezav/gitleaks/master/examples/leaky-repo.toml -O gitleaks-config.toml
-pip install detect-secrets truffleHog
\ No newline at end of file
+pip install detect-secrets truffleHog
diff --git a/.leaky-meta/secrets.csv b/.leaky-meta/secrets.csv
index 8886c8f..d72a5c6 100644
--- a/.leaky-meta/secrets.csv
+++ b/.leaky-meta/secrets.csv
@@ -9,10 +9,12 @@
 .bash_profile,6,5
 .bashrc,3,3
-# Here the users and urls are informative, the auth is risk.
-.docker/.dockercfg,2,4
+# Here the users are informative, the auth is risk.
+# The URLs may be informative in rare cases, but will likely
+# just be docker hub in most cases.
+.docker/.dockercfg,2,2
 # Same as above
-.docker/config.json,2,4
+.docker/config.json,2,2
 # For all 4 firefox profiles:
 # Risk: encryptedUsername, encryptedPassword
diff --git a/cloud/.tugboat b/cloud/.tugboat
index cdd8531..6e1addb 100644
--- a/cloud/.tugboat
+++ b/cloud/.tugboat
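Review bot: The gitleaks download now follows an unpinned "latest" release and executes the binary with no integrity check, while the config is fetched from `master`; the figures in `benchmarking/GITLEAKS.md` are therefore tied to whatever version happened to be current, and a pinned tag plus a SHA-256 recorded in the repo would make them reproducible (the old line pinned v2.1.0 but also never verified the file). Independently, the new block is fragile: `latest` is empty when the unauthenticated GitHub API is unreachable or rate-limited, `$latest` is unquoted, a failed `wget` still leaves `chmod +x` to run on a missing or partial file, and the script has no `set -e` (visible from the first hunk) so none of this is fatal; quoting the variable also requires `tr -d '" '` because `cut` leaves a leading space. Note too that `type "gitleaks"` only succeeds if `~/.local/bin` is on PATH, otherwise the download repeats on every run, and `-O gitleaks-config.toml` lands in the cwd whereas `benchmark.py` in this commit looks for `.leaky-meta/gitleaks-config.toml`. The rewrite below adds the failure handling and writes the config next to the script; pinning is left as a reviewer-chosen tag.
```shell
if ! type "gitleaks" > /dev/null 2>&1; then
    # "latest" is unpinned: record the tag actually used whenever benchmarking/GITLEAKS.md is updated.
    latest=$(curl -fsS https://api.github.com/repos/zricethezav/gitleaks/releases/latest \
        | grep "browser_download_url.*linux-amd64" | cut -d : -f 2,3 | tr -d '" ')
    if [ -z "$latest" ]; then
        echo "Could not resolve the gitleaks download URL (GitHub API unreachable or rate-limited)" >&2
        exit 1
    fi
    wget "$latest" -O ~/.local/bin/gitleaks || { rm -f ~/.local/bin/gitleaks; exit 1; }
    chmod +x ~/.local/bin/gitleaks
fi
# Keep the config next to this script (.leaky-meta/), which is where benchmark.py looks
# for it when run from the repository root.
wget https://raw.githubusercontent.com/zricethezav/gitleaks/master/examples/leaky-repo.toml \
    -O "$(dirname "$0")/gitleaks-config.toml" || exit 1
# … unchanged: pip install …
```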
@@ -1,7 +1,7 @@
 ---
 authentication:
 client_key: 383c8164d4bdd95d8b1bfbf4f540d754 # Informative
- api_key: 3b6311afca5bd8aac647b316704e9c6d # Sensitive.
+ api_key: 3b6311afca5bd8aac647b316704e9c6d # Risk.
 ssh:
 ssh_user: admin # Informative
 ssh_key_path: "~/.ssh/deploy.pem"