213 lines
5.8 KiB
Python
213 lines
5.8 KiB
Python
#!/usr/bin/env python3
|
|
"""
|
|
Scan for accidentally committed secrets and credentials.
|
|
|
|
Copyright (C) 2025 Moko Consulting <hello@mokoconsulting.tech>
|
|
|
|
This file is part of a Moko Consulting project.
|
|
|
|
SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program (./LICENSE.md).
|
|
|
|
FILE INFORMATION
|
|
DEFGROUP: Script.Validate
|
|
INGROUP: Security
|
|
REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia
|
|
PATH: /scripts/validate/no_secrets.py
|
|
VERSION: 01.00.00
|
|
BRIEF: Scan for accidentally committed secrets and credentials
|
|
NOTE: High-signal pattern detection to prevent credential exposure
|
|
"""
|
|
|
|
import argparse
|
|
import json
|
|
import os
|
|
import re
|
|
import sys
|
|
from pathlib import Path
|
|
from typing import List, Dict
|
|
|
|
# Add lib directory to path
|
|
sys.path.insert(0, str(Path(__file__).parent.parent / "lib"))
|
|
|
|
try:
|
|
import common
|
|
except ImportError:
|
|
print("ERROR: Cannot import required libraries", file=sys.stderr)
|
|
sys.exit(1)
|
|
|
|
|
|
# High-signal patterns only. Any match is a hard fail.
|
|
SECRET_PATTERNS = [
|
|
# Private keys
|
|
r'-----BEGIN (RSA|DSA|EC|OPENSSH) PRIVATE KEY-----',
|
|
r'PuTTY-User-Key-File-',
|
|
# AWS keys
|
|
r'AKIA[0-9A-Z]{16}',
|
|
r'ASIA[0-9A-Z]{16}',
|
|
# GitHub tokens
|
|
r'ghp_[A-Za-z0-9]{36}',
|
|
r'gho_[A-Za-z0-9]{36}',
|
|
r'github_pat_[A-Za-z0-9_]{20,}',
|
|
# Slack tokens
|
|
r'xox[baprs]-[0-9A-Za-z-]{10,48}',
|
|
# Stripe keys
|
|
r'sk_live_[0-9a-zA-Z]{20,}',
|
|
]
|
|
|
|
# Directories to exclude from scanning
|
|
EXCLUDE_DIRS = {
|
|
'vendor',
|
|
'node_modules',
|
|
'dist',
|
|
'build',
|
|
'.git',
|
|
}
|
|
|
|
|
|
def scan_file(filepath: Path, patterns: List[re.Pattern]) -> List[Dict[str, str]]:
|
|
"""
|
|
Scan a file for secret patterns.
|
|
|
|
Args:
|
|
filepath: Path to file to scan
|
|
patterns: Compiled regex patterns to search for
|
|
|
|
Returns:
|
|
List of matches with file, line number, and content
|
|
"""
|
|
hits = []
|
|
|
|
try:
|
|
with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
|
|
for line_num, line in enumerate(f, 1):
|
|
for pattern in patterns:
|
|
if pattern.search(line):
|
|
hits.append({
|
|
'file': str(filepath),
|
|
'line': line_num,
|
|
'content': line.strip()[:100] # Limit to 100 chars
|
|
})
|
|
except Exception as e:
|
|
common.log_warn(f"Could not read {filepath}: {e}")
|
|
|
|
return hits
|
|
|
|
|
|
def scan_directory(src_dir: str, patterns: List[re.Pattern]) -> List[Dict[str, str]]:
|
|
"""
|
|
Recursively scan directory for secrets.
|
|
|
|
Args:
|
|
src_dir: Directory to scan
|
|
patterns: Compiled regex patterns
|
|
|
|
Returns:
|
|
List of all matches
|
|
"""
|
|
src_path = Path(src_dir)
|
|
all_hits = []
|
|
|
|
for item in src_path.rglob("*"):
|
|
# Skip directories
|
|
if not item.is_file():
|
|
continue
|
|
|
|
# Skip excluded directories
|
|
if any(excluded in item.parts for excluded in EXCLUDE_DIRS):
|
|
continue
|
|
|
|
# Skip binary files (heuristic)
|
|
try:
|
|
with open(item, 'rb') as f:
|
|
chunk = f.read(1024)
|
|
if b'\x00' in chunk: # Contains null bytes = likely binary
|
|
continue
|
|
except Exception:
|
|
continue
|
|
|
|
# Scan the file
|
|
hits = scan_file(item, patterns)
|
|
all_hits.extend(hits)
|
|
|
|
return all_hits
|
|
|
|
|
|
def main() -> int:
|
|
"""Main entry point."""
|
|
parser = argparse.ArgumentParser(
|
|
description="Scan for accidentally committed secrets and credentials"
|
|
)
|
|
parser.add_argument(
|
|
"-s", "--src-dir",
|
|
default=os.environ.get("SRC_DIR", "src"),
|
|
help="Source directory to scan (default: src)"
|
|
)
|
|
|
|
args = parser.parse_args()
|
|
|
|
# Check if source directory exists
|
|
if not Path(args.src_dir).is_dir():
|
|
result = {
|
|
"status": "fail",
|
|
"error": "src directory missing"
|
|
}
|
|
common.json_output(result)
|
|
return 1
|
|
|
|
# Compile patterns
|
|
compiled_patterns = [re.compile(pattern) for pattern in SECRET_PATTERNS]
|
|
|
|
# Scan directory
|
|
hits = scan_directory(args.src_dir, compiled_patterns)
|
|
|
|
if hits:
|
|
# Limit to first 50 hits
|
|
hits = hits[:50]
|
|
|
|
result = {
|
|
"status": "fail",
|
|
"error": "secret_pattern_detected",
|
|
"hits": [{"hit": f"{h['file']}:{h['line']}: {h['content']}"} for h in hits]
|
|
}
|
|
|
|
print(json.dumps(result))
|
|
|
|
# Also print human-readable output
|
|
print("\nERROR: Potential secrets detected!", file=sys.stderr)
|
|
print(f"\nFound {len(hits)} potential secret(s):", file=sys.stderr)
|
|
for hit in hits[:10]: # Show first 10 in detail
|
|
print(f" {hit['file']}:{hit['line']}", file=sys.stderr)
|
|
print(f" {hit['content']}", file=sys.stderr)
|
|
|
|
if len(hits) > 10:
|
|
print(f" ... and {len(hits) - 10} more", file=sys.stderr)
|
|
|
|
print("\nPlease remove any secrets and use environment variables or secret management instead.", file=sys.stderr)
|
|
|
|
return 1
|
|
|
|
result = {
|
|
"status": "ok",
|
|
"src_dir": args.src_dir
|
|
}
|
|
common.json_output(result)
|
|
print("no_secrets: ok")
|
|
return 0
|
|
|
|
|
|
if __name__ == "__main__":
|
|
sys.exit(main())
|