-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfindsecrets.py
202 lines (167 loc) · 6.77 KB
/
findsecrets.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
import os
import sys
import re
import os
import jellyfish
from yaml import safe_load
from pathlib import Path
import argparse
import json
import shutil
import os
if sys.version_info < (3, 0):
sys.stdout.write("Sorry, findsecrets requires Python 3.x\n")
sys.exit(1)
parser = argparse.ArgumentParser('findsecrets.py', formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=40))
parser.add_argument('-f', '--folder', help='Source folder to scan', dest='folder', required=False)
parser.add_argument('-e', '--exclude', help='Comma separated list of files to exclude', dest='exclude', required=False)
parser.add_argument('-m', '--mask', help='Mask Secret Values', dest='mask', action='store_true', default=False)
parser.add_argument('-v', '--verbose', help='Verbose output in stdout', dest='verbose', action='store_true', default=False)
parser.add_argument('-r', '--reportpath', help='If specified, copy reports to specified folder', dest='reportpath', required=False)
args = parser.parse_args()
# Load Configs
def yamlconfig(configyml=Path('config.yml')):
yamldict = safe_load(configyml.read_text())
if not isinstance(yamldict, dict):
return dict()
if args.exclude:
exclude_files = map(str.strip, args.exclude.split(','))
for file in exclude_files:
yamldict['exclude']['files'].append(file)
return yamldict
config = yamlconfig()
if args.folder is not None:
scanfolder = args.folder
else:
try:
scanfolder = config['scanfolder'][0]
except:
print("Findsecrets failed... Scanfolder not specified")
parser.print_help()
sys.exit(1)
keywordsdb = 'db/positivekeywords.txt'
foundsecrets = dict()
def validated_secret_value(key, value):
excl_values_lcase = [i.lower() for i in config['exclude']['values']]
# Checks values for potential ENV variables / False positives
if len(value) < config['settings'][2]['min-value-length']:
return False
if any([x in value for x in excl_values_lcase]):
return False
if key in value:
return False
if value.endswith('}') or value.endswith(')') or value.endswith(';'):
return False
# Check if key somewhat compares value string using levenhstein distance
# https://jellyfish.readthedocs.io/en/latest/comparison.html#levenshtein-distance
ldistance = config['settings'][0]['levenshtein-distance']
if jellyfish.levenshtein_distance(key, value) <= ldistance:
return False
# Extra checks within sensitive values
if key in config['sensitivevalues']['sensitivevalues']:
if 'http' or 'https' in value:
return False
regexp2 = "^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9]).{8,100}"
# https://regex101.com/r/v1qv1E/1
if re.findall(regexp2, value, re.IGNORECASE):
return True
else:
return False
return True
def spiderfolder(scanfolder):
try:
len(os.listdir(scanfolder)) == 0
except:
print(f"{scanfolder} Directory not found or is empty")
sys.exit(1)
print(f'\nFindsecrets Running \nSpidering folder: {scanfolder}\n')
filepaths = list()
for root, dirs, files in os.walk(scanfolder, topdown=True):
# Exclude Dirs
dirs[:] = [d for d in dirs if d not in config['exclude']['folders']]
# Exclude Extentions
files = [file for file in files if not file.endswith(tuple(config['exclude']['extentions']))]
# Exclude Filenames
files = [file for file in files if not file.endswith(tuple(config['exclude']['files']))]
# Exclude Large Filesizes
for i in files:
filesize = "%.0f" % (os.path.getsize(os.path.join(root, i)) / 1024)
if int(filesize) <= int(config['settings'][1]['max-filesize-kb']):
filepaths.append(os.path.join(root, i))
print(f'{len(filepaths)} files will be scanned for secrets\n')
return filepaths
def find_keywords_with_values_in_file(file):
assignment = "(\\b|[ ._-])({})[ '\"]*(=>|=|:)[ '\"]*([^'\" ]+)"
keywords = open(keywordsdb).read().splitlines()
# alternative assignment = "(\b{})(=>|:|=)(.*)"
assignment_pattern = assignment.format('|'.join(keywords))
# assignment pattern example https://regex101.com/r/DzO3jR/1
filename = str(file)
matchesdict = dict()
matchesdict[filename] = list()
try:
file = open(file, 'r', encoding='utf8')
except:
pass
try:
for line in file:
line = line.strip()
if line != '':
matches = re.findall(assignment_pattern, line, re.IGNORECASE)
if matches:
for i in matches:
key, _, value = i[1:]
if validated_secret_value(key.lower(), value.lower()):
if args.mask:
value = value[4:].rjust(len(value), "*")
value = value[:-4].ljust(len(value), "*")
key_value = key + ':' + value
matchesdict[filename].append(key_value)
except:
pass
for file, secret in matchesdict.items():
if len(secret) != 0 or None:
foundsecrets.update({file: secret})
if args.verbose:
print(matchesdict)
def jsonreport(foundsecrets):
jsonreport = 'report.json'
jsonobject = {"vulnerabilities": []}
for file, secrets in foundsecrets.items():
with open(jsonreport, 'w'):
secretsdb = {
"File": file,
"Secrets": secrets,
"Severity": "High"
}
jsonobject['vulnerabilities'].append(secretsdb)
with open(jsonreport, 'w') as f:
json.dump(jsonobject, f, indent=4)
def seqhubreport(foundsecrets):
seqhubreport = 'seqhubreport.json'
jsonobject = {"vulnerabilities": []}
for file, secrets in foundsecrets.items():
if len(secrets) > 1:
secrets = str(''.join('%s ' % secrets for secrets in secrets))
else:
secrets = secrets[0]
with open(seqhubreport, 'w'):
secretsdb = {
"title": "Secret Found",
"description": f"{file} contains: {secrets}",
"severity": "High"
}
jsonobject['vulnerabilities'].append(secretsdb)
with open(seqhubreport, 'w') as f:
json.dump(jsonobject, f, indent=4)
def move_reports():
reports = ['seqhubreport.json', 'report.json']
for report in reports:
shutil.move(os.path.join(os.getcwd(), report), os.path.join(args.reportpath, report))
filepaths = spiderfolder(scanfolder)
for scannedfile in filepaths:
find_keywords_with_values_in_file(scannedfile)
jsonreport(foundsecrets)
seqhubreport(foundsecrets)
if args.reportpath:
move_reports()