-
Notifications
You must be signed in to change notification settings - Fork 109
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
v1.1.0
- Loading branch information
Showing
30 changed files
with
488 additions
and
128 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| # Changelog | ||
| ## 1.1.0 | ||
| System/logic changes: | ||
| * Added system for automatically generating benchmarks | ||
| * Added results for gitrob | ||
| * Moved benchmarking, metadata, and source code into `.leaky-meta` folder | ||
| * Added CSV with data about secrets | ||
| * Categorized secrets into Risk and Informative. | ||
| * Added results from Gitrob, provided by [@evilpacket](https://github.com/evilpacket) | ||
|
|
||
| Changes to secrets: | ||
| * Added password to `sftp.json` secret | ||
| * Added pass to `filezilla/filezilla.xml` (was anonymous login) | ||
| * Added realistic value to `hub` file (was just "oauth_token") | ||
| * Set redis pass in `web/var/www/.env` | ||
| ## 1.0.0 | ||
| * Initial release version |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| ## .leaky-meta | ||
| This folder is for scripts/tools designed to assist with the management of this repo. It won't contain actual secrets/patterns (hopefully!) | ||
|
|
||
| ## Running benchmarks | ||
| To run these benchmarks, use `benchmark.sh`. Currently generates reports for these engines: | ||
| * TruffleHog | ||
| * Detect-secrets |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,143 @@ | ||
| # For py2 compat | ||
| from __future__ import division | ||
| import os | ||
| import csv | ||
| import json | ||
| import subprocess | ||
| from io import StringIO | ||
| from subprocess import PIPE | ||
|
|
||
| def get_secret_counts(): | ||
| ''' | ||
| A generator for secrets in default files. | ||
| :returns: filepath, risk_count, informative_count | ||
| ''' | ||
| raw_csv = None | ||
| with open('secrets.csv') as f: | ||
| raw_csv = [l for l in f.readlines() | ||
| if len(l.strip()) != 0 and not l.startswith('#')] | ||
| # Parse array to CSV | ||
| csv_reader = csv.reader(raw_csv, delimiter=',') | ||
| for row in csv_reader: | ||
| # Yield str, int, int. | ||
| yield [row[0], int(row[1]), int(row[2])] | ||
|
|
||
| def get_command_stdout(cmd, cwd='..'): | ||
| os.path.abspath(cwd) | ||
| p = subprocess.Popen(cmd, stdout=PIPE, stderr=PIPE, cwd=cwd) | ||
| stdout, stderr = p.communicate() | ||
| return stdout.decode('utf-8'), stderr.decode('utf-8') if stderr else None | ||
|
|
||
| def get_secret_count_detectsecrets(): | ||
| finds = {} | ||
| cmd = ['detect-secrets', 'scan'] | ||
| stdout, _ = get_command_stdout(cmd) | ||
| results = json.loads(stdout).get('results') | ||
| for key in results.keys(): | ||
| finds[key] = len(results.get(key)) | ||
|
|
||
| return cmd, finds | ||
|
|
||
| def get_secret_count_trufflehog(): | ||
| finds = {} | ||
| trufflehog_cmd = ['trufflehog', '--json', '--regex', '.'] | ||
| stdout, _ = get_command_stdout(trufflehog_cmd) | ||
| for line in stdout.split('\n'): | ||
| if len(line) == 0: | ||
| # Skip empty lines | ||
| continue | ||
| obj = json.loads(line) | ||
| finds[obj.get('path')] = len(obj.get('stringsFound')) | ||
|
|
||
| return trufflehog_cmd, finds | ||
|
|
||
| def build_markdown_rows(secrets_function, expected_counts): | ||
| dat = {} | ||
| cmd, secrets = secrets_function() | ||
| for row in expected_counts: | ||
| name = row[0] | ||
| expected = row[1] + row[2] | ||
| if not name in secrets: | ||
| dat[name] = {"name": name, "found": 0, "expected": expected, "false_positives" :0 } | ||
| continue | ||
|
|
||
| found = secrets[name] | ||
| # If found > expected, we have false positives. This will be negative or zero of there's no false positives. | ||
| false_positives = found - expected | ||
| # This will be zero or positive. | ||
| false_positives = max(false_positives, 0) | ||
| dat[name] = {"name": name, "found": found, "expected": expected, "false_positives" :false_positives } | ||
| return cmd, dat | ||
|
|
||
| def build_table_header(filename_cols): | ||
| template = "File Name{}| Found/Total | False Positives |\n{}|----------------|-----------------|\n" | ||
| # 9 = len("File Name") | ||
| return template.format(" " * (filename_cols - 9), "-" * filename_cols) | ||
|
|
||
| def build_md_table(secrets_function): | ||
| # {name}{padding}| {found}/{total} |{false positives} | ||
| print_template = "{}{}| {}/{} | {}\n" | ||
|
|
||
| expected_counts = [x for x in get_secret_counts()] | ||
| # Get the max length of a filename, so we can put a column seperator after it | ||
| sep_col = max([len(val[0]) for val in expected_counts]) + 2 | ||
| out = build_table_header(sep_col) | ||
| total_files = len(expected_counts) | ||
|
|
||
| cmd_used, md_rows = build_markdown_rows(secrets_function, expected_counts) | ||
| md_rows = sorted(md_rows.items(), key=lambda val: -val[1]['found']) | ||
| total_finds = 0 | ||
| total_expected = 0 | ||
| total_false_positives = 0 | ||
| files_covered = 0 | ||
| for dat in md_rows: | ||
| obj = dat[1] | ||
| name = obj.get('name') | ||
| found = obj.get('found') | ||
| expected = obj.get('expected') | ||
| false_positives = obj.get('false_positives') | ||
|
|
||
| # Determine right padding for name column | ||
| right_padding = sep_col - len(name) | ||
| right_padding_str = (" " * right_padding) | ||
|
|
||
| # For metrics we exclude false positives. | ||
| total_finds += found - false_positives | ||
| total_expected += expected | ||
| total_false_positives += false_positives | ||
| if found != 0: | ||
| files_covered += 1 | ||
|
|
||
| out += print_template.format(name, right_padding_str, found, expected, false_positives) | ||
| return cmd_used, total_files, files_covered, total_finds, total_expected, total_false_positives, out | ||
|
|
||
| def build_md(secrets_function, tool_url): | ||
| header_fmt = 'Tool: {} ' \ | ||
| '\nCommand Used: `{}` ' \ | ||
| '\nFiles covered: {}/{} ({}% coverage) ' \ | ||
| '\nTotal finds: {}/{} ' \ | ||
| '\nFalse Positives: {} ' \ | ||
| '\n\n{}' | ||
|
|
||
| cmd, total_files, files_covered, total_finds, \ | ||
| total_expected, false_positives, table = build_md_table(secrets_function) | ||
| # Convert cmd to a string | ||
| cmd = ' '.join(cmd) | ||
|
|
||
| # Get a % coverage value | ||
| file_coverage = (files_covered / total_files) * 100 | ||
| # Sanity! | ||
| file_coverage = round(file_coverage, 2) | ||
| out = header_fmt.format(tool_url, cmd, | ||
| files_covered, total_files, file_coverage, | ||
| total_finds, total_expected, false_positives, table) | ||
| return out | ||
|
|
||
| if __name__ == "__main__": | ||
| detect_secrets = build_md(get_secret_count_detectsecrets, "https://github.com/Yelp/detect-secrets") | ||
| truffle_hog = build_md(get_secret_count_trufflehog, "https://github.com/dxa4481/truffleHog") | ||
| with open('benchmarking' + os.path.sep + "TRUFFLEHOG.md", 'w+') as f: | ||
| f.write(truffle_hog) | ||
| with open('benchmarking' + os.path.sep + "DETECT-SECRETS.md", 'w+') as f: | ||
| f.write(detect_secrets) | ||
|
|
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| Tool: https://github.com/Yelp/detect-secrets | ||
| Command Used: `detect-secrets scan` | ||
| Files covered: 23/44 (52.27% coverage) | ||
| Total finds: 41/179 | ||
| False Positives: 0 | ||
|
|
||
| File Name | Found/Total | False Positives | | ||
| ---------------------------------------|----------------|-----------------| | ||
| .mozilla/firefox/logins.json | 6/28 | 0 | ||
| .bash_profile | 4/11 | 0 | ||
| .bashrc | 3/6 | 0 | ||
| web/var/www/.env | 3/10 | 0 | ||
| web/ruby/secrets.yml | 3/3 | 0 | ||
| cloud/.credentials | 2/4 | 0 | ||
| cloud/heroku.json | 2/2 | 0 | ||
| high-entropy-misc.txt | 2/2 | 0 | ||
| ventrilo_srv.ini | 2/2 | 0 | ||
| .ssh/id_rsa | 1/1 | 0 | ||
| db/mongoid.yml | 1/1 | 0 | ||
| misc-keys/cert-key.pem | 1/1 | 0 | ||
| cloud/.tugboat | 1/3 | 0 | ||
| .vscode/sftp.json | 1/4 | 0 | ||
| hub | 1/2 | 0 | ||
| .docker/config.json | 1/6 | 0 | ||
| sftp-config.json | 1/4 | 0 | ||
| .idea/WebServers.xml | 1/2 | 0 | ||
| misc-keys/putty-example.ppk | 1/2 | 0 | ||
| .docker/.dockercfg | 1/6 | 0 | ||
| web/var/www/public_html/config.php | 1/4 | 0 | ||
| .remote-sync.json | 1/3 | 0 | ||
| deployment-config.json | 1/4 | 0 | ||
| db/.pgpass | 0/1 | 0 | ||
| web/var/www/public_html/.htpasswd | 0/1 | 0 | ||
| .netrc | 0/2 | 0 | ||
| db/dump.sql | 0/10 | 0 | ||
| proftpdpasswd | 0/1 | 0 | ||
| etc/shadow | 0/1 | 0 | ||
| .ssh/id_rsa.pub | 0/1 | 0 | ||
| .npmrc | 0/3 | 0 | ||
| web/var/www/public_html/wp-config.php | 0/12 | 0 | ||
| web/django/settings.py | 0/1 | 0 | ||
| .ftpconfig | 0/5 | 0 | ||
| .git-credentials | 0/1 | 0 | ||
| filezilla/filezilla.xml | 0/3 | 0 | ||
| .esmtprc | 0/3 | 0 | ||
| db/dbeaver-data-sources.xml | 0/1 | 0 | ||
| web/ruby/config/master.key | 0/1 | 0 | ||
| cloud/.s3cfg | 0/3 | 0 | ||
| config | 0/4 | 0 | ||
| web/js/salesforce.js | 0/1 | 0 | ||
| filezilla/recentservers.xml | 0/6 | 0 | ||
| db/robomongo.json | 0/7 | 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
|
|
||
| Tool: https://github.com/michenriksen/gitrob | ||
| Command Used: `gitrob (web interface)` | ||
| Files covered: 2/44 (4.54% coverage) | ||
| Total finds: 3/179 | ||
| False Positives: 0 | ||
|
|
||
| File Name | Found/Total | False Positives | | ||
| ---------------------------------------|----------------|-----------------| | ||
| misc-keys/cert-key.pem | 1/1 | 0 | ||
| .npmrc | 2/3 | 0 | ||
| .mozilla/firefox/logins.json | 0/28 | 0 | ||
| .bash_profile | 0/11 | 0 | ||
| .bashrc | 0/6 | 0 | ||
| web/var/www/.env | 0/10 | 0 | ||
| web/ruby/secrets.yml | 0/3 | 0 | ||
| cloud/.credentials | 0/4 | 0 | ||
| cloud/heroku.json | 0/2 | 0 | ||
| high-entropy-misc.txt | 0/2 | 0 | ||
| ventrilo_srv.ini | 0/2 | 0 | ||
| .ssh/id_rsa | 0/1 | 0 | ||
| db/mongoid.yml | 0/1 | 0 | ||
| cloud/.tugboat | 0/3 | 0 | ||
| .vscode/sftp.json | 0/4 | 0 | ||
| hub | 0/2 | 0 | ||
| .docker/config.json | 0/6 | 0 | ||
| sftp-config.json | 0/4 | 0 | ||
| .idea/WebServers.xml | 0/2 | 0 | ||
| misc-keys/putty-example.ppk | 0/2 | 0 | ||
| .docker/.dockercfg | 0/6 | 0 | ||
| web/var/www/public_html/config.php | 0/4 | 0 | ||
| .remote-sync.json | 0/3 | 0 | ||
| deployment-config.json | 0/4 | 0 | ||
| db/.pgpass | 0/1 | 0 | ||
| web/var/www/public_html/.htpasswd | 0/1 | 0 | ||
| .netrc | 0/2 | 0 | ||
| db/dump.sql | 0/10 | 0 | ||
| proftpdpasswd | 0/1 | 0 | ||
| etc/shadow | 0/1 | 0 | ||
| .ssh/id_rsa.pub | 0/1 | 0 | ||
| web/var/www/public_html/wp-config.php | 0/12 | 0 | ||
| web/django/settings.py | 0/1 | 0 | ||
| .ftpconfig | 0/5 | 0 | ||
| .git-credentials | 0/1 | 0 | ||
| filezilla/filezilla.xml | 0/3 | 0 | ||
| .esmtprc | 0/3 | 0 | ||
| db/dbeaver-data-sources.xml | 0/1 | 0 | ||
| web/ruby/config/master.key | 0/1 | 0 | ||
| cloud/.s3cfg | 0/3 | 0 | ||
| config | 0/4 | 0 | ||
| web/js/salesforce.js | 0/1 | 0 | ||
| filezilla/recentservers.xml | 0/6 | 0 | ||
| db/robomongo.json | 0/7 | 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| Tool: https://github.com/dxa4481/truffleHog | ||
| Command Used: `trufflehog --json --regex .` | ||
| Files covered: 23/44 (52.27% coverage) | ||
| Total finds: 40/179 | ||
| False Positives: 43 | ||
|
|
||
| File Name | Found/Total | False Positives | | ||
| ---------------------------------------|----------------|-----------------| | ||
| misc-keys/cert-key.pem | 25/1 | 24 | ||
| misc-keys/putty-example.ppk | 21/2 | 19 | ||
| db/dump.sql | 8/10 | 0 | ||
| web/ruby/secrets.yml | 3/3 | 0 | ||
| cloud/.credentials | 2/4 | 0 | ||
| cloud/.tugboat | 2/3 | 0 | ||
| high-entropy-misc.txt | 2/2 | 0 | ||
| .docker/config.json | 2/6 | 0 | ||
| .mozilla/firefox/logins.json | 2/28 | 0 | ||
| .docker/.dockercfg | 2/6 | 0 | ||
| filezilla/recentservers.xml | 2/6 | 0 | ||
| .bashrc | 1/6 | 0 | ||
| .ssh/id_rsa | 1/1 | 0 | ||
| web/var/www/.env | 1/10 | 0 | ||
| db/mongoid.yml | 1/1 | 0 | ||
| proftpdpasswd | 1/1 | 0 | ||
| etc/shadow | 1/1 | 0 | ||
| cloud/heroku.json | 1/2 | 0 | ||
| hub | 1/2 | 0 | ||
| .ssh/id_rsa.pub | 1/1 | 0 | ||
| web/ruby/config/master.key | 1/1 | 0 | ||
| cloud/.s3cfg | 1/3 | 0 | ||
| .bash_profile | 1/11 | 0 | ||
| db/.pgpass | 0/1 | 0 | ||
| web/var/www/public_html/.htpasswd | 0/1 | 0 | ||
| .netrc | 0/2 | 0 | ||
| .vscode/sftp.json | 0/4 | 0 | ||
| .npmrc | 0/3 | 0 | ||
| web/var/www/public_html/wp-config.php | 0/12 | 0 | ||
| web/django/settings.py | 0/1 | 0 | ||
| .ftpconfig | 0/5 | 0 | ||
| .git-credentials | 0/1 | 0 | ||
| filezilla/filezilla.xml | 0/3 | 0 | ||
| sftp-config.json | 0/4 | 0 | ||
| .esmtprc | 0/3 | 0 | ||
| db/dbeaver-data-sources.xml | 0/1 | 0 | ||
| .idea/WebServers.xml | 0/2 | 0 | ||
| config | 0/4 | 0 | ||
| web/js/salesforce.js | 0/1 | 0 | ||
| web/var/www/public_html/config.php | 0/4 | 0 | ||
| ventrilo_srv.ini | 0/2 | 0 | ||
| db/robomongo.json | 0/7 | 0 | ||
| .remote-sync.json | 0/3 | 0 | ||
| deployment-config.json | 0/4 | 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| #!/bin/bash | ||
| if if ! type "pip" > /dev/null; then | ||
| echo "Pip and Python are required for installing detect-secrets and truffleHog, but pip was not found!" | ||
| exit 1 | ||
| fi | ||
|
|
||
| pip install detect-secrets truffleHog |
Oops, something went wrong.