Added whitelist secret feature

rohitcoder · Nov 25, 2024 · 7f3062e · 7f3062e
1 parent 6ce7e4d
commit 7f3062e
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 3 deletions.
diff --git a/src/main.rs b/src/main.rs
@@ -9,6 +9,7 @@ use utils::pipeline;
 
 async fn execute_scan(
     scan_type: &str,
+    mongo_uri: &str,
     path: &str,
     base_branch: Option<&str>,
     pr_branch: Option<&str>,
@@ -28,6 +29,7 @@ async fn execute_scan(
 
     scanner
         .execute_scan(
+            mongo_uri,
             scan_type,
             path,
             base_branch,
@@ -188,6 +190,7 @@ async fn main() {
     if is_sast {
         execute_scan(
             "sast",
+            &mongo_uri,
             &path,
             Some(&base_branch),
             pr_branch_option,
@@ -204,6 +207,7 @@ async fn main() {
     if is_sca {
         execute_scan(
             "sca",
+            &mongo_uri,
             &path,
             Some(&base_branch),
             pr_branch_option,
@@ -220,6 +224,7 @@ async fn main() {
     if is_secret {
         execute_scan(
             "secret",
+            &mongo_uri,
             &path,
             Some(&base_branch),
             pr_branch_option,
@@ -236,6 +241,7 @@ async fn main() {
     if is_license_compliance {
         execute_scan(
             "license-compliance",
+            &mongo_uri,
             &path,
             Some(&base_branch),
             pr_branch_option,

diff --git a/src/scans/scanner.rs b/src/scans/scanner.rs
@@ -26,6 +26,7 @@ impl ScanRunner {
 
     pub async fn execute_scan(
         &self,
+        mongo_uri: &str,
         scan_type: &str,
         path: &str,
         branch: Option<&str>,
@@ -53,7 +54,7 @@ impl ScanRunner {
             }
             "secret" => {
                 self.secret_tool
-                    .run_scan(path, branch, pr_branch, verbose)
+                    .run_scan(path, branch, pr_branch, mongo_uri, verbose)
                     .await
             }
             "license-compliance" => {

diff --git a/src/scans/tools/secret_tool.rs b/src/scans/tools/secret_tool.rs
@@ -2,7 +2,9 @@ use std::{fs, time::Instant};
 
 use serde_json::{json, Value};
 
-use crate::utils::common::{checkout, count_env_variables, execute_command, print_error};
+use crate::utils::common::{
+    checkout, count_env_variables, execute_command, list_whitelisted_secrets, print_error,
+};
 
 pub struct SecretTool;
 
@@ -16,6 +18,7 @@ impl SecretTool {
         _path: &str,
         _branch: Option<&str>,
         pr_branch: Option<&str>,
+        mongo_uri: &str,
         verbose: bool,
     ) {
         let start_time = Instant::now();
@@ -61,7 +64,9 @@ impl SecretTool {
 
         let cmd = format!("trufflehog filesystem --no-update {} --json --exclude-detectors=FLOAT,SIGNABLE,YANDEX,OANDA,CIRCLE,PARSEUR,URI,SENTRYTOKEN,SIRV,ETSYAPIKEY,UNIFYID,MIRO,FRESHDESK,ALIBABA,YELP,FLATIO,GETRESPONSE,ATERA,GITTER,SONARCLOUD,AZURESEARCHADMINKEY", _path);
         let output_data = execute_command(&cmd, true).await;
+
         let mut results: Vec<Value> = Vec::new();
+
         for line in output_data.lines() {
             let json_output: serde_json::Value =
                 serde_json::from_str(&line).expect("Error parsing JSON");
@@ -100,6 +105,26 @@ impl SecretTool {
                     continue;
                 }
             }
+            // Check if the detected secret is whitelisted
+            if !mongo_uri.is_empty() {
+                // Fetch whitelisted secrets from MongoDB
+                let whitelisted_secrets = match list_whitelisted_secrets(mongo_uri).await {
+                    Ok(secrets) => secrets,
+                    Err(e) => {
+                        eprintln!("Error fetching whitelisted secrets: {}", e);
+                        continue; // You might want to handle the error differently
+                    }
+                };
+
+                // Check if the detected secret is in the whitelisted secrets
+                if let Some(raw_value) = result["Raw"].as_str() {
+                    if whitelisted_secrets.contains(&raw_value.to_string()) {
+                        println!("[+] Skipping because {} is whitelisted...", raw_value);
+                        continue;
+                    }
+                }
+            }
+
             new_results.push(result.clone());
         }
         results = new_results;

diff --git a/src/utils/common.rs b/src/utils/common.rs
@@ -102,6 +102,30 @@ pub async fn bulk_check_hash_exists(
     Ok(existing_hashes)
 }
 
+pub async fn list_whitelisted_secrets(
+    mongo_uri: &str,
+) -> Result<HashSet<String>, Box<dyn std::error::Error>> {
+    let client = connect_to_mongodb(mongo_uri, "code-security-open-source").await?;
+    let collection: Collection<Document> = client
+        .database("code-security-open-source")
+        .collection("secrets");
+
+    // Create the filter to match the secret
+    let mut cursor = collection.find(None, None).await?;
+    let mut secrets_list: HashSet<String> = HashSet::new(); // Make this mutable
+    while let Some(doc) = cursor.next().await {
+        match doc {
+            Ok(document) => {
+                if let Some(secret) = document.get_str("secret").ok() {
+                    secrets_list.insert(secret.to_string());
+                }
+            }
+            Err(e) => return Err(e.into()),
+        }
+    }
+    Ok(secrets_list) // Return the secrets_list
+}
+
 pub async fn register_hash(message: &str, mongo_uri: &str) {
     let hashed_message = hash_text(message);
     match connect_to_mongodb(mongo_uri, "code-security-open-source").await {

diff --git a/src/utils/pipeline.rs b/src/utils/pipeline.rs
@@ -24,7 +24,6 @@ pub async fn pipeline_failure(
     product_name: String,
     engagement_name: String,
 ) {
-    // if code_path contains ghp_* thend redact that value because its token
     let redacted_code_path = redact_github_token(&code_path);
     // generate report in sarif format sast_result_sarif.json sca_result_sarif.json secret_result_sarif.json
     let mut total_issues = 0;