
credscan not detecting anything #347

Open
crazy-matt opened this issue Sep 19, 2021 · 7 comments

Comments

@crazy-matt

crazy-matt commented Sep 19, 2021

Hi,

I tested all combinations of configuration possible and I can't make credscan work.
How did I test? By injecting a file containing:

username='administrator'
email='[email protected]'

and using this workflow https://github.com/crazy-matt/pre-commit-manager/blob/main/.github/workflows/security_scanner.yml

which triggers a job working with the proper gitleaks action and a second one with your action.

While the first job fails, reporting 2 findings, the second one runs successfully, outputting a table with 0 findings. The NG JSON file has its findings node empty too.

I run your action by overriding the credscan settings in .sastscanrc because I noticed that not doing so does not run credscan at all. I don't see the Secrets row in the Summary table at all when removing the scan_tools_args_map config from .sastscanrc.

@prabhu
Contributor

prabhu commented Sep 20, 2021

@crazy-matt Let's set up an example repo to test and see what is going on. I remember excluding simple usernames and emails since these are usually not considered secrets in a typical enterprise.

@crazy-matt
Author

It depends on the context actually. With GDPR, we should be able to scan them because some devs might be tempted to push Personally Identifiable Information to do some mock testing.

@prabhu
Contributor

prabhu commented Sep 20, 2021

Could you add a new rule similar to this one for capturing usernames and emails? You can reduce the entropy to capture broad values.

https://github.com/ShiftLeftSecurity/sast-scan/blob/master/tools_config/credscan-config.toml#L175

@crazy-matt
Author

crazy-matt commented Sep 20, 2021

Isn't the rule below enough to do the job without entropy?

https://github.com/crazy-matt/pre-commit-manager/blob/feat%2Ftf-hooks/.security/credscan-config.toml#L84

[[rules]]
    description = "Email"
    regex = '''[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}'''
    tags = ["email"]
    [rules.allowlist]
        description = "ignore gitconfig emails"
        regexes = [
            '''[a-zA-Z0-9._%+-][email protected]''',
            '''[email protected]''',
            '''[email protected]''',
            '''(.*)Copyright(.*)''',
        ]
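The following is an added illustration, not code from the sast-scan project or from either participant. It replays the two rule styles discussed above (the plain email regex with a `rules.allowlist` block, and the username rule with a lowered entropy gate that prabhu suggested) over a constructed sample file, so the expected findings for a file like the one in the original report can be checked outside the action. The engine behaviour it models is an assumption: allowlist regexes are tested against the whole line, and an entropy threshold is applied to the captured value; the username rule, the `example.com` addresses and the `noreply` allowlist pattern are all made up for the demonstration.

```python
import math
import re
from dataclasses import dataclass, field

# Constructed sample input modelled on the issue's test file.
# All addresses and values are made up for this example.
SAMPLE_FILE = """\
username='administrator'
email='admin@example.com'
author='ci-bot@users.noreply.github.com'
# Copyright 2021 legal@example.org
"""


@dataclass
class Rule:
    """Mirror of a [[rules]] table: regex, tags, allowlist regexes, entropy gate."""
    description: str
    regex: str
    tags: list
    allow_regexes: list = field(default_factory=list)  # rules.allowlist.regexes
    entropy_min: float = 0.0  # hypothetical gate; 0.0 means no entropy check


def build_rules(username_entropy_min=3.0):
    """Return the two rules under discussion.

    The email rule is the one posted above (allowlist entries are constructed).
    The username rule is a hypothetical rule in the spirit of prabhu's
    suggestion: a regex plus a tunable minimum entropy on the captured value.
    """
    email_rule = Rule(
        description="Email",
        regex=r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}",
        tags=["email"],
        allow_regexes=[
            r"[a-zA-Z0-9._%+-]+@users\.noreply\.github\.com",  # constructed
            r"(.*)Copyright(.*)",
        ],
    )
    username_rule = Rule(
        description="Username",
        regex=r"""(?i)username\s*=\s*['"]?([^'"\s]+)""",
        tags=["username"],
        entropy_min=username_entropy_min,
    )
    return [email_rule, username_rule]


def shannon_entropy(value):
    """Shannon entropy in bits per character of the captured value."""
    if not value:
        return 0.0
    total = len(value)
    return -sum(
        (count / total) * math.log2(count / total)
        for count in {c: value.count(c) for c in set(value)}.values()
    )


def scan(text, rules=None):
    """Apply each rule line by line, honouring allowlist and entropy gate.

    Returns a list of findings in file order; an empty list reproduces the
    '0 findings' outcome described in the report.
    """
    rules = build_rules() if rules is None else rules
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in rules:
            # Assumption: allowlist regexes are matched against the full line,
            # which is what a pattern like '(.*)Copyright(.*)' relies on.
            if any(re.search(allow, line) for allow in rule.allow_regexes):
                continue
            for match in re.finditer(rule.regex, line):
                # Use the first capture group when the rule defines one.
                secret = match.group(1) if match.groups() else match.group(0)
                if shannon_entropy(secret) < rule.entropy_min:
                    continue
                findings.append({
                    "rule": rule.description,
                    "line": lineno,
                    "secret": secret,
                    "entropy": round(shannon_entropy(secret), 3),
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILE):
        print(finding)
```

With the default threshold of 3.0 the scan reports `administrator` on line 1 and `admin@example.com` on line 2, while the `noreply` and `Copyright` lines are suppressed by the allowlist. Raising the username threshold to 4.5 drops the username finding, which is the effect of an entropy gate that is set too high for ordinary usernames.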

@crazy-matt
Author

I tried again with my rule (https://github.com/crazy-matt/pre-commit-manager/blob/6a8d586ecf4ec288ebbf935de0e793d7f9dafa4b/.security/credscan-config.toml#L84)

And as you can see in the workflow below, the gitleaks action detects it while credscan doesn't see anything:
https://github.com/crazy-matt/pre-commit-manager/runs/3657105592?check_suite_focus=true

@prabhu
Contributor

prabhu commented Sep 21, 2021

Can you set the env variable SCAN_DEBUG_MODE to debug? Let's see what file is passed to gitleaks via scan.

@prabhu
Contributor

prabhu commented Sep 25, 2021

@crazy-matt How about we invoke both credscan and credscan-git automatically? That would cover both existing and upcoming changes, right?
