Add trufflehog for secret detection #150
Conversation
… file could be avoided
…not present in trufflehog like s3 buckets.
|
Hi @hugo-syn , thank you so much for improving cariddi! Appreciated :)
|
|
Hi, @edoardottt I've fixed the merge conflicts, I've updated some packages. For the PR I understand, don't hesitate if you have questions or remarks regarding my code :) |
|
If possible (there could be issues with deps) revert back go.mod to using |
|
The trufflehog package requires go 1.22.0: I can bump the golang version in the different CI files if you want |
|
And I've checked it looks good with go 1.22.0 |
|
Hi @hugo-syn,
the go build action is failing: https://github.com/edoardottt/cariddi/actions/runs/8754239537/job/24025715013?pr=150#step:6:8 I think this is caused by github actions, they must be set to the correct go version too (all of them: go, linting...). |
|
I've change the golang version in the workflows to 1.22.0 the build pipeline is ok now but there are errors with the golang-ci |
I've seen. See if locally everything is okay with
Can you quantify this? I'd like to comprehend how much this will be slower. cc @hugo-syn . Let me know if you need assistance :) |
|
Hi @edoardottt Unfortunately I didn't manage to fix the CI there are new errors with code that I did not modify :/
It's difficult to say but since it runs all the secret detection of trufflhog the secret search will take more time but it will find lots of new secrets |
Ok, so don't worry about golangci-lint errors. I'll fix them.
Ok, I'll merge in devel and perform some tests. For now it's okay so, wait for my PR review :) |
|
Do not hesitate if you have any questions ! :) |
There was a problem hiding this comment.
Thanks @hugo-syn !
- Requesting some changes
- Left some thoughts, let me know yours.
I'm here if you have any doubt or need assistance :)
| Rua: flags.Rua, | ||
| Proxy: flags.Proxy, | ||
| SecretsFlag: flags.Secrets, | ||
| SecretExtensionFilter: strings.Split(flags.SecretExtensionFilter, ","), |
There was a problem hiding this comment.
Better to perform this in another part, maybe in pkg/input/flags.go. Consider that it may be necessary to trim spaces too (TrimSpace() function).
| @@ -69,3 +71,25 @@ func intensiveOk(target string, urlInput string, debug bool) bool { | |||
|
|
|||
| return root == target | |||
| } | |||
|
|
|||
| // Return the extension of an URL | |||
| func GetFileExtensionFromUrl(rawUrl string) (string, error) { | |||
There was a problem hiding this comment.
We need some tests for this function since it's an important one. You can use the ones you find in this repo as example.
Try to insert as many test cases as possible (use double dots, query parameters, fragment, invalid URL...).
| @@ -120,6 +122,8 @@ func ScanFlag() Input { | |||
| secretsPtr := flag.Bool("s", false, "Hunt for secrets.") | |||
| secretsFilePtr := flag.String("sf", "", "Use an external file (txt, one per line)"+ | |||
| " to use custom regexes for secrets hunting.") | |||
| secretsExtensionFilterPtr := flag.String("secret-extension-filter", "", "Comma"+ | |||
There was a problem hiding this comment.
Can we have a shorter name for this? Like sef... do you like it?
| @@ -163,6 +167,7 @@ func ScanFlag() Input { | |||
| *proxyPtr, | |||
| *secretsPtr, | |||
| *secretsFilePtr, | |||
| *secretsExtensionFilterPtr, | |||
There was a problem hiding this comment.
Modify the README.md file according to the modifications made. In particular the new flag provided.
|
|
||
| wgScanners.Wait() | ||
|
|
||
| // keep legacy code, the original list contains secrets that are not present in trufflehog like s3 buckets. |
There was a problem hiding this comment.
I'm not fully understanding this. I guess now the code performs both trufflehog and cariddi secrets detections right? Maybe we should find a solution for this.
A simple solution could be move the S3 regexes to info of the cariddi engine and run only the trufflehog engine for the secrets. But I'm open to suggestions if you have them.
Also, we have to take in mind that the user can input a file with custom regexes, I don't know if trufflehog can do this. If not, maybe we could leave the custom cariddi engine for the custom secrets.
Let me know your thoughts on this.
|
|
||
| require ( | ||
| github.com/fatih/color v1.17.0 | ||
| github.com/gocolly/colly v1.2.0 | ||
| github.com/trufflesecurity/trufflehog/v3 v3.73.0 |
There was a problem hiding this comment.
I'm leaving this comment here but it's not related to this line specifically.
The goreleaser CI is giving these errors:
Error: ../../../go/pkg/mod/github.com/trufflesecurity/trufflehog/v3@v3.73.0/pkg/gitparse/gitparse.go:200:18: cannot use defaultMaxDiffSize (untyped int constant 2147483648) as int value in struct literal (overflows)
Error: ../../../go/pkg/mod/github.com/trufflesecurity/trufflehog/v3@v3.73.0/pkg/gitparse/gitparse.go:201:18: cannot use defaultMaxCommitSize (untyped int constant 2147[48](https://github.com/edoardottt/cariddi/actions/runs/9128423415/job/25100742967?pr=150#step:4:49)3648) as int value in struct literal (overflows)
Do you have any clue about what they mean?
Hi,
I've discovered your tool via secator it's very nice thanks for your work !
In this PR I'm adding 2 things, the first big improvement is the use of trufflehog for secret detection. Trufflehog can detect a looot of credentials, the complete list can be found here. This change make the tool slower for secret detection but improve the secret detection.
I've also add a command line option to ignore some url for secret scaning. For example scaning png files for secrets can be avoided: