Skip to content

CLI for SecretScanner #83

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 13 commits into
base: master
Choose a base branch
from
Open

CLI for SecretScanner #83

Show file tree
Hide file tree
Changes from 12 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
42e6910
CLI for SS
saurabh2253 Dec 28, 2022
2d500ce
branch name change
saurabh2253 Dec 28, 2022
3eadc7e
removed main.go compilation
saurabh2253 Dec 28, 2022
b0346d1
Clean up Makefile
noboruma Dec 28, 2022
2fe947c
cli bullseye to alpine
saurabh2253 Dec 28, 2022
3099dc0
Add new static Makefile action
noboruma Dec 28, 2022
82143d3
Adding debug logs, to be reverted
saurabh2253 Dec 29, 2022
af59d96
adding log for revert
saurabh2253 Dec 29, 2022
22b0395
reverting debug logs and cleaning up
saurabh2253 Dec 29, 2022
f5b2a6d
Fixing logic of quiet
saurabh2253 Dec 29, 2022
36daa50
Fixed json printing of secrets
saurabh2253 Dec 29, 2022
dc6cefb
fix
saurabh2253 Dec 29, 2022
e807224
Added docs to use cli
saurabh2253 Dec 31, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions Dockerfile-static
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
FROM golang:1.19.4-alpine

RUN apk add --upgrade gcc musl-dev pkgconfig g++ make git protoc cmake boost-dev
RUN apk add hyperscan-dev --repository=https://dl-cdn.alpinelinux.org/alpine/v3.13/community
RUN apk add ragel

ENV PKG_CONFIG_PATH=/usr/local/include/hs/ \
CGO_CFLAGS="-I/usr/local/include/hyperscan/src" \
LD_LIBRARY_PATH=/usr/local/lib:/usr/local/include/hs/lib:$LD_LIBRARY_PATH

RUN go install google.golang.org/protobuf/cmd/[email protected] \
&& go install google.golang.org/grpc/cmd/[email protected]

WORKDIR /go/src
RUN git clone https://github.com/intel/hyperscan.git
RUN cd hyperscan && mkdir build && cd build && cmake .. -DCMAKE_BUILD_TYPE=MinSizeRel

WORKDIR /go/src/SecretScanner
ENV PKG_CONFIG_PATH=/go/src/hyperscan/build
ENV CGO_LDFLAGS="-L /go/src/hyperscan/build/lib -static"
ENV CGO_CFLAGS="-I/go/src/hyperscan/src"
ENV GO_BUILD_EXTRA="-buildvcs=false"
Copy link
Contributor

@ramanan-ravi ramanan-ravi Dec 29, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be added to Dockerfile also here


ENTRYPOINT ["/bin/sh", "-c", "make clean && make"]
8 changes: 6 additions & 2 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,10 @@ clean:
-rm ./SecretScanner

SecretScanner: $(PWD)/**/*.go $(PWD)/agent-plugins-grpc/proto/*.go
go build -buildvcs=false -v .
go build $(GO_BUILD_EXTRA)

.PHONY: clean
static:
docker build -t static-secret-scanner -f Dockerfile-static .
docker run -v $(PWD):/go/src/SecretScanner static-secret-scanner

.PHONY: clean static
2 changes: 1 addition & 1 deletion agent-plugins-grpc
Open in desktop
Submodule agent-plugins-grpc updated 2 files
+1 −0 proto/malware_scanner.proto
+2 −1 proto/package_scanner.proto
2 changes: 1 addition & 1 deletion core/options.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ func ParseOptions() (*Options, error) {
MaxSecrets: flag.Uint("max-secrets", 1000, "Maximum number of secrets to find in one container image or file system."),
ContainerId: flag.String("container-id", "", "Id of existing container ID"),
ContainerNS: flag.String("container-ns", "", "Namespace of existing container to scan, empty for docker runtime"),
Quiet: flag.Bool("quiet", false, "Don't display any output in stdout"),
Quiet: flag.Bool("quiet", true, "Don't display any output in stdout"),
}
flag.Var(options.ConfigPath, "config-path", "Searches for config.yaml from given directory. If not set, tries to find it from SecretScanner binary's and current directory. Can be specified multiple times.")
flag.Parse()
Expand Down
2 changes: 1 addition & 1 deletion core/util.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ func GetJsonFilepath(input string) (string, error) {
}
}
if JsonFilename == "" {
JsonFilename = getSanitizedString(input) + "-secrets.json"
JsonFilename = getSanitizedString(input) + "secrets.json"
}
jsonFilePath := filepath.Join(outputDir, JsonFilename)
GetSession().Log.Info("Complete json file path and name: %s", jsonFilePath)
Expand Down
39 changes: 24 additions & 15 deletions main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,15 +57,18 @@ var session = core.GetSession()
// Error, if any. Otherwise, returns nil
func findSecretsInImage(image string) (*output.JsonImageSecretsOutput, error) {

jsonImageSecretsOutput := output.JsonImageSecretsOutput{ImageName: image}
jsonImageSecretsOutput.SetTime()
if !(*session.Options.Quiet) {
jsonImageSecretsOutput.PrintJsonHeader()
}
res, err := scan.ExtractAndScanImage(image)
if err != nil {
return nil, err
}
jsonImageSecretsOutput := output.JsonImageSecretsOutput{ImageName: image}
jsonImageSecretsOutput.SetTime()
jsonImageSecretsOutput.SetImageId(res.ImageId)
jsonImageSecretsOutput.PrintJsonHeader()
jsonImageSecretsOutput.PrintJsonFooter()
if !(*session.Options.Quiet) {
jsonImageSecretsOutput.PrintJsonFooter()
}
jsonImageSecretsOutput.SetSecrets(res.Secrets)

return &jsonImageSecretsOutput, nil
Expand All @@ -79,17 +82,20 @@ func findSecretsInImage(image string) (*output.JsonImageSecretsOutput, error) {
func findSecretsInDir(dir string) (*output.JsonDirSecretsOutput, error) {
var isFirstSecret bool = true
var numSecrets uint = 0
jsonDirSecretsOutput := output.JsonDirSecretsOutput{DirName: *session.Options.Local}
jsonDirSecretsOutput.SetTime()
if !(*session.Options.Quiet) {
jsonDirSecretsOutput.PrintJsonHeader()
}

secrets, err := scan.ScanSecretsInDir("", "", dir, &isFirstSecret, &numSecrets, nil)
if err != nil {
core.GetSession().Log.Error("findSecretsInDir: %s", err)
return nil, err
}

jsonDirSecretsOutput := output.JsonDirSecretsOutput{DirName: *session.Options.Local}
jsonDirSecretsOutput.SetTime()
jsonDirSecretsOutput.PrintJsonHeader()
jsonDirSecretsOutput.PrintJsonFooter()
if !(*session.Options.Quiet) {
jsonDirSecretsOutput.PrintJsonFooter()
}
jsonDirSecretsOutput.SetSecrets(secrets)

return &jsonDirSecretsOutput, nil
Expand All @@ -102,15 +108,18 @@ func findSecretsInDir(dir string) (*output.JsonDirSecretsOutput, error) {
// Error, if any. Otherwise, returns nil
func findSecretsInContainer(containerId string, containerNS string) (*output.JsonImageSecretsOutput, error) {

jsonImageSecretsOutput := output.JsonImageSecretsOutput{ContainerId: containerId}
jsonImageSecretsOutput.SetTime()
if !(*session.Options.Quiet) {
jsonImageSecretsOutput.PrintJsonHeader()
}
res, err := scan.ExtractAndScanContainer(containerId, containerNS)
if err != nil {
return nil, err
}
jsonImageSecretsOutput := output.JsonImageSecretsOutput{ContainerId: containerId}
jsonImageSecretsOutput.SetTime()
jsonImageSecretsOutput.SetImageId(res.ContainerId)
jsonImageSecretsOutput.PrintJsonHeader()
jsonImageSecretsOutput.PrintJsonFooter()
if !(*session.Options.Quiet) {
jsonImageSecretsOutput.PrintJsonFooter()
}
jsonImageSecretsOutput.SetSecrets(res.Secrets)

return &jsonImageSecretsOutput, nil
Expand Down
9 changes: 5 additions & 4 deletions output/output.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,11 +43,11 @@ type JsonDirSecretsOutput struct {
}

type JsonImageSecretsOutput struct {
Timestamp time.Time
ImageName string `json:"Image Name"`
ImageId string `json:"Image ID"`
Timestamp time.Time
ImageName string `json:"Image Name"`
ImageId string `json:"Image ID"`
ContainerId string `json:"Container ID"`
Secrets []SecretFound
Secrets []SecretFound
}

func (imageOutput *JsonImageSecretsOutput) SetImageName(imageName string) {
Expand Down Expand Up @@ -111,6 +111,7 @@ func (imageOutput JsonImageSecretsOutput) PrintJsonHeader() {
fmt.Printf(Indent+"\"Timestamp\": \"%s\",\n", time.Now().Format("2006-01-02 15:04:05.000000000 -07:00"))
fmt.Printf(Indent+"\"Image Name\": \"%s\",\n", imageOutput.ImageName)
fmt.Printf(Indent+"\"Image ID\": \"%s\",\n", imageOutput.ImageId)
fmt.Printf(Indent+"\"Container ID\": \"%s\",\n", imageOutput.ContainerId)
fmt.Printf(Indent + "\"Secrets\": [\n")
}

Expand Down
10 changes: 5 additions & 5 deletions scan/process_image.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,7 +136,7 @@ func ScanSecretsInDir(layer string, baseDir string, fullDir string, isFirstSecre

var scanDirPath string
if layer != "" {
scanDirPath = strings.TrimPrefix(path, baseDir + "/" + layer)
scanDirPath = strings.TrimPrefix(path, baseDir+"/"+layer)
if scanDirPath == "" {
scanDirPath = "/"
}
Expand Down Expand Up @@ -190,14 +190,14 @@ func ScanSecretsInDir(layer string, baseDir string, fullDir string, isFirstSecre
session.Log.Error("scanSecretsInDir: %s", err)
// return tempSecretsFound, err
}
if *session.Options.Quiet {
if !(*session.Options.Quiet) {
output.PrintColoredSecrets(secrets, isFirstSecret)
}
tempSecretsFound = append(tempSecretsFound, secrets...)
}

secrets = signature.MatchSimpleSignatures(relPath, file.Filename, file.Extension, layer, numSecrets)
if *session.Options.Quiet {
if !(*session.Options.Quiet) {
output.PrintColoredSecrets(secrets, isFirstSecret)
}
tempSecretsFound = append(tempSecretsFound, secrets...)
Expand Down Expand Up @@ -378,7 +378,7 @@ func untar(tarName string, xpath string) (err error) {
relPath := strings.Split(fileName, "/")
var absDirPath string
if len(relPath) > 1 {
dirs := relPath[0: len(relPath) - 1]
dirs := relPath[0 : len(relPath)-1]
absDirPath = filepath.Join(absPath, strings.Join(dirs, "/"))
}
if err := os.MkdirAll(absDirPath, 0755); err != nil {
Expand All @@ -402,7 +402,7 @@ func untar(tarName string, xpath string) (err error) {
// fmt.Printf("x %s\n", absFileName)
n, cpErr := io.Copy(file, tr)
if closeErr := file.Close(); closeErr != nil { // close file immediately
fmt.Println("clserr:"+closeErr.Error())
fmt.Println("clserr:" + closeErr.Error())
return err
}
if cpErr != nil {
Expand Down