4.8 KiB
Secret Detectors
Secret Detectors have these two major functions:
- Given some bytes, extract possible secrets, typically using a regex.
- Validate the secrets against the target API, typically using a HTTP client.
The purpose of Secret Detectors is to discover secrets with exceptionally high signal. High rates of false positives are not accepted.
Table of Contents
Getting Started
Sourcing Guidelines
We are interested in detectors for services that meet at least one of these criteria
- host data (they store any sort of data provided)
- have paid services (having a free or trial tier is okay though)
If you think that something should be included outside of these guidelines, please let us know.
Development Guidelines
- When reasonable, favor using the
net/httplibrary to make requests instead of bringing in another library. - Use the
common.SaneHttpClientfor thehttp.Clientwhenever possible. - We recommend an editor with gopls integration (such as Vscode with Go plugin) for benefits like easily running tests, autocompletion, linting, type checking, etc.
Development Dependencies
- A GitLab account
- A Google account
- Google Cloud SDK installed
- Go 1.17+
- Make
Creating a new Secret Scanner
-
Identify the Secret Detector name from the /proto/detectors.proto
DetectorTypeenum. -
Generate the Secret Detector
go run hack/generate/generate.go detector <DetectorType enum name> -
Complete the secret detector.
The previous step templated a boilerplate + some example code as a package in the
pkg/detectorsfolder for you to work on. The secret detector can be completed with these general steps:- Add the test secret to GCP Secrets. See managing test secrets
- Update the pattern regex and keywords. Try iterating with regex101.com.
- Update the verifier code to use a non-destructive API call that can determine whether the secret is valid or not.
- Update the tests with these test cases at minimum:
- Found and verified (using a credential loaded from GCP Secrets)
- Found and unverified
- Not found
- Any false positive cases that you come across
- Create a merge request for review. CI tests must be passing.
Addendum
Managing Test Secrets
Do not embed test credentials in the test code. Instead, use GCP Secrets Manager.
-
Access the latest secret version for modification.
Note:
/tmp/sis a valid path on Linux. You will need to change that for Windows or OSX, otherwise you will see an error. On Windows you will also need to install WSL.gcloud secrets versions access --project trufflehog-testing --secret detectors3 latest > /tmp/s -
Add the secret that you need for testing.
The command above saved it to
/tmp/s.The format is standard env file format,
SECRET_TYPE_ONE=value SECRET_TYPE_ONE_INACTIVE=v@lue -
Update the secret version with your modification.
gcloud secrets versions add --project trufflehog-testing detectors3 --data-file /tmp/s -
Access the secret value as shown in the example code.
Setting up Google Cloud SDK
- Install the Google Cloud SDK: https://cloud.google.com/sdk/docs/install
- Authenticate with
gcloud auth login --update-adcusing your Google account
Adding Protos in Windows
- Install Ubuntu App in Microsoft Store https://www.microsoft.com/en-us/p/ubuntu/9nblggh4msv6.
- Install Docker Desktop https://www.docker.com/products/docker-desktop. Enable WSL integration to Ubuntu. In Docker app, go to Settings->Resources->WSL INTEGRATION->enable Ubuntu.
- Open Ubuntu cli and install
dos2unix.sudo apt install dos2unix - Identify the
trufflehoglocal directory and convertscripts/gen_proto.shfile in Unix format.dos2unix ./scripts/gen_proto.sh - Open /proto/detectors.proto file and add new detectors then save it. Make sure Docker is running and run this in Ubuntu command line.
make protos
Testing a detector
go test ./pkg/detectors/<detector> -tags=detectors