secretsscanner.go
package secrets
import (
"path/filepath"
"strings"
clientutils "github.com/jfrog/jfrog-client-go/utils"
jfrogappsconfig "github.com/jfrog/jfrog-apps-config/go"
"github.com/jfrog/jfrog-cli-security/jas"
"github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-cli-security/utils/formats/sarifutils"
"github.com/jfrog/jfrog-cli-security/utils/jasutils"
"github.com/jfrog/jfrog-client-go/utils/log"
"github.com/owenrumney/go-sarif/v2/sarif"
)
const (
	// secretsScanCommand is the analyzer manager sub-command that runs the secrets scanner.
	secretsScanCommand = "sec"
	// secretsDocsUrlSuffix is appended to the docs URL when building result links.
	secretsDocsUrlSuffix = "secrets"
	// SecretsScannerType is the scan type written to the config file for a source scan.
	// "#nosec" silences the static-analysis hardcoded-credential check: the value is a
	// scan-type name that happens to contain the word "secret", not a credential.
	SecretsScannerType SecretsScanType = "secrets-scan" // #nosec
	// SecretsScannerDockerScanType is the scan type used when scanning a docker image.
	SecretsScannerDockerScanType SecretsScanType = "secrets-docker-scan" // #nosec
)
// SecretsScanType selects which secrets scan the analyzer manager performs;
// it is written verbatim into the "type" field of the scanner config.
type SecretsScanType string
// SecretScanManager drives a single secrets scan: it owns the scanner handle,
// the requested scan type, and the paths of the per-scan config and results
// files (both placed under the scanner's temp directory by newSecretsScanManager).
type SecretScanManager struct {
	scanner         *jas.JasScanner
	scanType        SecretsScanType
	configFileName  string // YAML config consumed by the analyzer manager
	resultsFileName string // SARIF file the analyzer manager writes its findings to
}
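// RunSecretsScan runs the secrets scan flow for one module:
//  1. creates the scanner temp directory that will hold the config and results files,
//  2. builds a SecretScanManager pointing at that directory,
//  3. runs the analyzer manager through scanner.Run and returns the parsed SARIF runs,
//     split into vulnerability runs and violation runs.
//
// threadId is only used to prefix the log lines so that parallel module scans
// can be told apart. Any error from the temp-directory creation or the scan
// itself is returned as-is.
func RunSecretsScan(scanner *jas.JasScanner, scanType SecretsScanType, module jfrogappsconfig.Module, threadId int) (vulnerabilitiesResults []*sarif.Run, violationsResults []*sarif.Run, err error) {
	scannerTempDir, err := jas.CreateScannerTempDirectory(scanner, jasutils.Secrets.String())
	if err != nil {
		return nil, nil, err
	}

	manager := newSecretsScanManager(scanner, scanType, scannerTempDir)
	log.Info(clientutils.GetLogMsgPrefix(threadId, false) + "Running secrets scan...")

	vulnerabilitiesResults, violationsResults, err = manager.scanner.Run(manager, module)
	if err != nil {
		// Hand back whatever the scanner returned alongside the error, unchanged.
		return vulnerabilitiesResults, violationsResults, err
	}

	log.Info(utils.GetScanFindingsLog(utils.SecretsScan, sarifutils.GetResultsLocationCount(vulnerabilitiesResults...), sarifutils.GetResultsLocationCount(violationsResults...), threadId))
	return vulnerabilitiesResults, violationsResults, nil
}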
// newSecretsScanManager builds a SecretScanManager whose config and results
// files live under scannerTempDir, as "config.yaml" and "results.sarif".
func newSecretsScanManager(scanner *jas.JasScanner, scanType SecretsScanType, scannerTempDir string) (manager *SecretScanManager) {
	manager = &SecretScanManager{scanner: scanner, scanType: scanType}
	manager.configFileName = filepath.Join(scannerTempDir, "config.yaml")
	manager.resultsFileName = filepath.Join(scannerTempDir, "results.sarif")
	return manager
}
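// Run executes the secrets scan for module: it writes the scanner config file
// (merging the scanner-wide exclusions with the secrets-specific ones), runs
// the analyzer manager, and parses the SARIF results file into vulnerability
// and violation runs.
func (s *SecretScanManager) Run(module jfrogappsconfig.Module) (vulnerabilitiesSarifRuns []*sarif.Run, violationsSarifRuns []*sarif.Run, err error) {
	// Merge the two exclusion lists into a fresh slice instead of appending to
	// s.scanner.Exclusions directly: when that slice has spare capacity, append
	// writes into its backing array, which may be shared with other users of
	// the same JasScanner (e.g. other scanner types merging their own patterns).
	shared := s.scanner.Exclusions
	secretsOnly := s.scanner.ScannersExclusions.SecretsExcludePatterns
	exclusions := make([]string, 0, len(shared)+len(secretsOnly))
	exclusions = append(exclusions, shared...)
	exclusions = append(exclusions, secretsOnly...)

	if err = s.createConfigFile(module, exclusions...); err != nil {
		return
	}
	if err = s.runAnalyzerManager(); err != nil {
		return
	}
	return jas.ReadJasScanRunsFromFile(s.resultsFileName, module.SourceRoot, secretsDocsUrlSuffix, s.scanner.MinSeverity)
}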
// secretsScanConfig is the top-level YAML document written for the analyzer
// manager; this package always emits exactly one entry in Scans.
type secretsScanConfig struct {
	Scans []secretsScanConfiguration `yaml:"scans"`
}
// secretsScanConfiguration describes one secrets scan in the analyzer manager
// config file. The YAML keys are part of the analyzer manager's contract and
// must not be renamed.
type secretsScanConfiguration struct {
	Roots       []string `yaml:"roots"`           // directories to scan
	Output      string   `yaml:"output"`          // path of the SARIF results file
	Type        string   `yaml:"type"`            // SecretsScanType as a plain string
	SkippedDirs []string `yaml:"skipped-folders"` // exclude patterns resolved by jas.GetExcludePatterns
}
// createConfigFile resolves the module's secrets scan roots and exclude
// patterns (the extra exclusions are folded into the skipped folders) and
// writes them as the scanner's YAML config file at s.configFileName.
func (s *SecretScanManager) createConfigFile(module jfrogappsconfig.Module, exclusions ...string) error {
	secretsScanner := module.Scanners.Secrets
	roots, err := jas.GetSourceRoots(module, secretsScanner)
	if err != nil {
		return err
	}
	scan := secretsScanConfiguration{
		Roots:       roots,
		Output:      s.resultsFileName,
		Type:        string(s.scanType),
		SkippedDirs: jas.GetExcludePatterns(module, secretsScanner, exclusions...),
	}
	content := secretsScanConfig{Scans: []secretsScanConfiguration{scan}}
	return jas.CreateScannersConfigFile(s.configFileName, content, jasutils.Secrets)
}
// runAnalyzerManager invokes the analyzer manager's "sec" command on the
// generated config file, passing the directory that holds the analyzer
// manager executable together with the scanner's server details and env vars.
func (s *SecretScanManager) runAnalyzerManager() error {
	analyzerManagerDir := filepath.Dir(s.scanner.AnalyzerManager.AnalyzerManagerFullPath)
	return s.scanner.AnalyzerManager.Exec(s.configFileName, secretsScanCommand, analyzerManagerDir, s.scanner.ServerDetails, s.scanner.EnvVars)
}
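// maskSecret returns a redacted form of a discovered secret for display: its
// first three characters followed by a fixed run of twelve '*', or "***" when
// the secret is three characters or shorter. The mask has a fixed length so
// the report does not reveal the secret's true length.
//
// The visible prefix is cut at rune boundaries; slicing bytes would split a
// multi-byte UTF-8 sequence and put invalid UTF-8 into the report.
func maskSecret(secret string) string {
	const (
		visiblePrefix = 3
		maskLength    = 12
	)
	runes := []rune(secret)
	if len(runes) <= visiblePrefix {
		return "***"
	}
	return string(runes[:visiblePrefix]) + strings.Repeat("*", maskLength)
}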
// processSecretScanRuns replaces the snippet text of every result location in
// the given runs with its masked form (see maskSecret), so the report shows
// only a redacted view of each discovered secret. The runs are modified in
// place and the same slice is returned.
func processSecretScanRuns(sarifRuns []*sarif.Run) []*sarif.Run {
	for i := range sarifRuns {
		maskRunSnippets(sarifRuns[i])
	}
	return sarifRuns
}

// maskRunSnippets masks every location snippet of every result in run.
func maskRunSnippets(run *sarif.Run) {
	for _, result := range run.Results {
		for _, loc := range result.Locations {
			redacted := maskSecret(sarifutils.GetLocationSnippetText(loc))
			sarifutils.SetLocationSnippet(loc, redacted)
		}
	}
}