mirror of
https://github.com/trufflesecurity/trufflehog.git
synced 2024-11-14 00:47:21 +00:00
28ed81f0a2
This PR adds the ability to exclude buckets from S3 scans. The capability is pretty rudimentary right now, and does not support globbing. If both lists are specified the source to fail to initialize.
382 lines
10 KiB
Protocol Buffer
382 lines
10 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
package sources;
|
|
|
|
option go_package = "github.com/trufflesecurity/trufflehog/v3/pkg/pb/sourcespb";
|
|
|
|
import "validate/validate.proto";
|
|
import "credentials.proto";
|
|
import "google/protobuf/any.proto";
|
|
import "google/protobuf/duration.proto";
|
|
import "google/protobuf/timestamp.proto";
|
|
|
|
|
|
enum SourceType {
|
|
SOURCE_TYPE_AZURE_STORAGE = 0;
|
|
SOURCE_TYPE_BITBUCKET = 1;
|
|
SOURCE_TYPE_CIRCLECI = 2;
|
|
SOURCE_TYPE_CONFLUENCE = 3;
|
|
SOURCE_TYPE_DOCKER = 4;
|
|
SOURCE_TYPE_ECR = 5;
|
|
SOURCE_TYPE_GCS = 6;
|
|
SOURCE_TYPE_GITHUB = 7;
|
|
SOURCE_TYPE_PUBLIC_GIT = 8;
|
|
SOURCE_TYPE_GITLAB = 9;
|
|
SOURCE_TYPE_JIRA = 10;
|
|
SOURCE_TYPE_NPM_UNAUTHD_PACKAGES = 11;
|
|
SOURCE_TYPE_PYPI_UNAUTHD_PACKAGES = 12;
|
|
SOURCE_TYPE_S3 = 13;
|
|
SOURCE_TYPE_SLACK = 14;
|
|
SOURCE_TYPE_FILESYSTEM = 15;
|
|
SOURCE_TYPE_GIT = 16;
|
|
SOURCE_TYPE_TEST = 17;
|
|
SOURCE_TYPE_S3_UNAUTHED = 18;
|
|
SOURCE_TYPE_GITHUB_UNAUTHENTICATED_ORG = 19;
|
|
SOURCE_TYPE_BUILDKITE = 20;
|
|
SOURCE_TYPE_GERRIT = 21;
|
|
SOURCE_TYPE_JENKINS = 22;
|
|
SOURCE_TYPE_TEAMS = 23;
|
|
SOURCE_TYPE_JFROG_ARTIFACTORY = 24;
|
|
SOURCE_TYPE_SYSLOG = 25;
|
|
SOURCE_TYPE_PUBLIC_EVENT_MONITORING = 26;
|
|
SOURCE_TYPE_SLACK_REALTIME = 27;
|
|
SOURCE_TYPE_GOOGLE_DRIVE = 28;
|
|
SOURCE_TYPE_SHAREPOINT = 29;
|
|
SOURCE_TYPE_GCS_UNAUTHED = 30;
|
|
SOURCE_TYPE_AZURE_REPOS = 31;
|
|
SOURCE_TYPE_TRAVISCI = 32;
|
|
}
|
|
|
|
message LocalSource {
|
|
string type = 1 ;
|
|
string name = 2 ;
|
|
// DEPRECATED: scan_interval is deprecated and can be removed when we no longer depend on the name.
|
|
// Deprecating in favor of scan_period due to the fact that scan_interval is a duration
|
|
// which is a fixed-length span of time represented as a count of seconds and fractions of seconds
|
|
// at nanosecond resolution. Most of the time, we want to be able to specify a scan interval in
|
|
// human-readable format (e.g. 45s, 30m, 12h, etc.) which is not possible with a duration.
|
|
// https://protobuf.dev/reference/protobuf/google.protobuf/#duration
|
|
google.protobuf.Duration scan_interval = 3 [deprecated = true];
|
|
bool verify = 4;
|
|
google.protobuf.Any connection = 5;
|
|
string scan_period = 6;
|
|
}
|
|
|
|
// https://www.jfrog.com/confluence/display/JFROG/Artifactory+REST+API#ArtifactoryRESTAPI-RetrieveFolderorRepositoryArchive
|
|
message Artifactory {
|
|
string endpoint = 1 [(validate.rules).string.uri_ref = true];
|
|
oneof credential {
|
|
credentials.BasicAuth basic_auth = 2;
|
|
string access_token = 3;
|
|
credentials.Unauthenticated unauthenticated = 7;
|
|
}
|
|
repeated string repositories = 4;
|
|
repeated string include_paths = 5;
|
|
repeated string ignore_paths = 6;
|
|
}
|
|
|
|
message AzureStorage {
|
|
oneof credential {
|
|
string connection_string = 1;
|
|
credentials.BasicAuth basic_auth = 2;
|
|
string client_certificate = 3;
|
|
credentials.Unauthenticated unauthenticated = 4;
|
|
}
|
|
repeated string storage_containers = 5;
|
|
}
|
|
|
|
message Bitbucket {
|
|
string endpoint = 1 [(validate.rules).string.uri_ref = true];
|
|
oneof credential {
|
|
string token = 2;
|
|
credentials.Oauth2 oauth = 3;
|
|
credentials.BasicAuth basic_auth = 4;
|
|
|
|
}
|
|
repeated string repositories = 5;
|
|
repeated string ignore_repos = 6;
|
|
bool skip_binaries = 7;
|
|
bool skip_archives = 8;
|
|
}
|
|
|
|
message CircleCI {
|
|
string endpoint = 1 [(validate.rules).string.uri_ref = true];
|
|
oneof credential {
|
|
string token = 2;
|
|
}
|
|
}
|
|
|
|
message TravisCI {
|
|
string endpoint = 1 [(validate.rules).string.uri_ref = true];
|
|
oneof credential {
|
|
string token = 2;
|
|
}
|
|
}
|
|
|
|
message Confluence {
|
|
string endpoint = 1 [(validate.rules).string.uri_ref = true];
|
|
oneof credential {
|
|
credentials.Unauthenticated unauthenticated = 2;
|
|
credentials.BasicAuth basic_auth = 3;
|
|
string token = 4;
|
|
}
|
|
|
|
enum GetAllSpacesScope {
|
|
ALL = 0;
|
|
GLOBAL = 1;
|
|
PERSONAL = 2;
|
|
}
|
|
|
|
GetAllSpacesScope spaces_scope = 5;
|
|
bool insecure_skip_verify_tls = 6;
|
|
repeated string spaces = 7;
|
|
repeated string ignore_spaces = 8;
|
|
bool include_attachments = 9;
|
|
bool skip_history = 10;
|
|
}
|
|
|
|
message Docker {
|
|
oneof credential {
|
|
credentials.Unauthenticated unauthenticated = 1;
|
|
credentials.BasicAuth basic_auth = 2;
|
|
string bearer_token = 3;
|
|
bool docker_keychain = 4;
|
|
}
|
|
repeated string images = 5;
|
|
}
|
|
|
|
message ECR {
|
|
oneof credential {
|
|
credentials.KeySecret access_key = 1;
|
|
}
|
|
repeated string registries = 2;
|
|
}
|
|
|
|
message Filesystem {
|
|
// DEPRECATED: directories is deprecated and can be removed / renamed to
|
|
// paths when we no longer depend on the name in enterprise configs.
|
|
repeated string directories = 1;
|
|
repeated string paths = 2;
|
|
string include_paths_file = 3; // path to file containing newline separated list of paths
|
|
string exclude_paths_file = 4; // path to file containing newline separated list of paths
|
|
}
|
|
|
|
message GCS {
|
|
oneof credential {
|
|
string json_service_account = 1;
|
|
string api_key = 2;
|
|
credentials.Unauthenticated unauthenticated = 3;
|
|
credentials.CloudEnvironment adc = 4;
|
|
string service_account_file = 11;
|
|
credentials.Oauth2 oauth = 12;
|
|
}
|
|
string project_id = 5;
|
|
repeated string include_buckets = 6;
|
|
repeated string exclude_buckets = 7;
|
|
repeated string include_objects = 8;
|
|
repeated string exclude_objects = 9;
|
|
int64 max_object_size = 10;
|
|
}
|
|
|
|
message Git {
|
|
oneof credential {
|
|
credentials.BasicAuth basic_auth = 1;
|
|
credentials.Unauthenticated unauthenticated = 2;
|
|
credentials.SSHAuth ssh_auth = 5;
|
|
}
|
|
repeated string directories = 3;
|
|
repeated string repositories = 4;
|
|
string head = 6;
|
|
string base = 7;
|
|
bool bare = 8;
|
|
string include_paths_file = 9; // path to file containing newline separated list of paths
|
|
string exclude_paths_file = 10; // path to file containing newline separated list of paths
|
|
string exclude_globs = 11; // comma separated list of globs
|
|
int64 max_depth = 12;
|
|
// This field is generally used by the CLI or within CI/CD systems to specify a single repository,
|
|
// whereas the repositories field is used by the enterprise config to specify multiple repositories.
|
|
// Passing a single repository via the uri field also allows for additional options to be specified
|
|
// like head, base, bare, etc.
|
|
string uri = 13; // repository URL. https://, file://, or ssh://
|
|
bool skip_binaries = 14;
|
|
bool skip_archives = 15;
|
|
}
|
|
|
|
message GitLab {
|
|
string endpoint = 1 [(validate.rules).string.uri_ref = true];
|
|
oneof credential {
|
|
string token = 2;
|
|
credentials.Oauth2 oauth = 3;
|
|
credentials.BasicAuth basic_auth = 4;
|
|
}
|
|
repeated string repositories = 5;
|
|
repeated string ignore_repos = 6;
|
|
bool skip_binaries = 7;
|
|
bool skip_archives = 8;
|
|
}
|
|
|
|
message GitHub {
|
|
string endpoint = 1 [(validate.rules).string.uri_ref = true];
|
|
oneof credential {
|
|
credentials.GitHubApp github_app = 2;
|
|
string token = 3;
|
|
credentials.Unauthenticated unauthenticated = 4;
|
|
credentials.BasicAuth basic_auth = 13;
|
|
}
|
|
repeated string repositories = 5;
|
|
repeated string organizations = 6;
|
|
bool scanUsers = 7;
|
|
bool includeForks = 8;
|
|
string head = 9;
|
|
string base = 10;
|
|
repeated string ignore_repos = 11;
|
|
repeated string include_repos = 12;
|
|
bool include_pull_request_comments = 14;
|
|
bool include_issue_comments = 15;
|
|
bool include_gist_comments = 16;
|
|
bool skip_binaries = 17;
|
|
bool skip_archives = 18;
|
|
bool include_wikis = 19;
|
|
}
|
|
|
|
message GoogleDrive {
|
|
oneof credential {
|
|
string refresh_token = 1;
|
|
}
|
|
}
|
|
|
|
message JIRA {
|
|
string endpoint = 1 [(validate.rules).string.uri_ref = true];
|
|
oneof credential {
|
|
credentials.BasicAuth basic_auth = 2;
|
|
credentials.Unauthenticated unauthenticated = 3;
|
|
credentials.Oauth2 oauth = 4;
|
|
string token = 6;
|
|
}
|
|
repeated string projects = 5;
|
|
repeated string ignore_projects = 7;
|
|
bool insecure_skip_verify_tls = 8;
|
|
}
|
|
|
|
message NPMUnauthenticatedPackage {
|
|
oneof credential {
|
|
credentials.Unauthenticated unauthenticated = 1;
|
|
}
|
|
}
|
|
|
|
message PyPIUnauthenticatedPackage {
|
|
oneof credential {
|
|
credentials.Unauthenticated unauthenticated = 1;
|
|
}
|
|
}
|
|
|
|
message S3 {
|
|
oneof credential {
|
|
credentials.KeySecret access_key = 1;
|
|
credentials.Unauthenticated unauthenticated = 2;
|
|
credentials.CloudEnvironment cloud_environment = 4;
|
|
credentials.AWSSessionTokenSecret session_token = 5;
|
|
}
|
|
repeated string buckets = 3;
|
|
int64 max_object_size = 6;
|
|
repeated string roles = 7;
|
|
repeated string ignore_buckets = 8;
|
|
}
|
|
|
|
message Slack {
|
|
string endpoint = 1 [(validate.rules).string.uri_ref = true];
|
|
oneof credential {
|
|
string token = 2;
|
|
credentials.SlackTokens tokens = 5;
|
|
}
|
|
repeated string channels = 3;
|
|
repeated string ignore_list = 4;
|
|
}
|
|
|
|
message Test{}
|
|
|
|
message Buildkite {
|
|
oneof credential {
|
|
string token = 1;
|
|
}
|
|
}
|
|
|
|
message Gerrit {
|
|
string endpoint = 1 [(validate.rules).string.uri_ref = true];
|
|
oneof credential {
|
|
credentials.BasicAuth basic_auth = 2;
|
|
credentials.Unauthenticated unauthenticated = 3;
|
|
}
|
|
repeated string projects = 4;
|
|
bool skip_binaries = 5;
|
|
bool skip_archives = 6;
|
|
}
|
|
|
|
message Jenkins {
|
|
string endpoint = 1 [(validate.rules).string.uri_ref = true];
|
|
oneof credential {
|
|
credentials.BasicAuth basic_auth = 2;
|
|
credentials.Header header = 3;
|
|
}
|
|
bool insecure_skip_verify_tls = 4;
|
|
}
|
|
|
|
message Teams {
|
|
string endpoint = 1 [(validate.rules).string.uri_ref = true];
|
|
oneof credential {
|
|
string token = 2;
|
|
credentials.ClientCredentials authenticated = 3;
|
|
credentials.Oauth2 oauth = 7;
|
|
}
|
|
repeated string channels = 4;
|
|
repeated string ignore_list = 5;
|
|
repeated string team_ids = 6;
|
|
}
|
|
|
|
message Syslog {
|
|
string protocol = 1;
|
|
string listen_address = 2;
|
|
string tlsCert = 3;
|
|
string tlsKey = 4;
|
|
string format = 5;
|
|
}
|
|
|
|
message Forager {
|
|
oneof credential {
|
|
credentials.Unauthenticated unauthenticated = 1;
|
|
}
|
|
repeated string domains = 2;
|
|
int64 max_depth = 3;
|
|
google.protobuf.Timestamp since = 4;
|
|
}
|
|
|
|
message SlackRealtime {
|
|
oneof credential {
|
|
credentials.SlackTokens tokens = 1;
|
|
}
|
|
}
|
|
|
|
message Sharepoint {
|
|
oneof credential {
|
|
credentials.Oauth2 oauth = 1;
|
|
}
|
|
string site_url = 2;
|
|
}
|
|
|
|
message AzureRepos {
|
|
string endpoint = 1 [(validate.rules).string.uri_ref = true];
|
|
oneof credential {
|
|
string token = 2;
|
|
credentials.Oauth2 oauth = 3;
|
|
}
|
|
repeated string repositories = 4;
|
|
repeated string organizations = 5;
|
|
repeated string projects = 6;
|
|
bool include_forks = 7;
|
|
repeated string ignore_repos = 8;
|
|
repeated string include_repos = 9;
|
|
repeated string include_projects = 10;
|
|
repeated string ignore_projects = 11;
|
|
bool skip_binaries = 12;
|
|
bool skip_archives = 13;
|
|
}
|