Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add plugin to look for AWS key IDs #100

Merged
merged 3 commits into from
Dec 11, 2018
Merged

add plugin to look for AWS key IDs #100

merged 3 commits into from
Dec 11, 2018

Conversation

calvinli
Copy link
Member

AWS key IDs are not strictly speaking secrets, although we've found that files containing one almost always contain the corresponding private key. (The only notable false positives I could find in an internal search are AWS S3 pre-signed URLs, which include the signing key's ID in the URL. These are arguably potentially secret anyway.)

This was implemented by adding a new plugin base class (RegexBasedDetector) and adding the AKIA regex as a subclass; this is a bit verbose, but necessary if we want the ability to turn individual regex-based checks on and off. It looks like potentially KeywordDetector, PrivateKeyDetector, and BasicAuthDetector could also be implemented usingRegexBasedDetector too, if we wanted to consolidate code a bit.

Change is test-coverage neutral.

@KevinHock KevinHock self-requested a review December 10, 2018 22:39
KevinHock
KevinHock reviewed Dec 10, 2018
View reviewed changes
Copy link
Collaborator

@KevinHock KevinHock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great so far

detect_secrets/plugins/core/initialize.py Outdated Show resolved Hide resolved
detect_secrets/plugins/regexes.py Outdated Show resolved Hide resolved
domanchi
domanchi reviewed Dec 10, 2018
View reviewed changes
detect_secrets/plugins/regexes.py Outdated Show resolved Hide resolved
detect_secrets/plugins/regexes.py Outdated Show resolved Hide resolved
detect_secrets/plugins/core/initialize.py Outdated Show resolved Hide resolved
@domanchi
Copy link
Contributor

Mostly LGTM. We can keep things DRYer by refactoring plugins/basic_auth.py and plugins/private_key.py too! I'd probably stay away from touching plugins/keyword.py though, because of the improvements still sitting in queue.

@calvinli
Copy link
Member Author

Mostly LGTM. We can keep things DRYer by refactoring plugins/basic_auth.py and plugins/private_key.py too! I'd probably stay away from touching plugins/keyword.py though, because of the improvements still sitting in queue.

let's do that in a different PR...

KevinHock
KevinHock approved these changes Dec 10, 2018
View reviewed changes
Copy link
Collaborator

@KevinHock KevinHock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚢
🏯
🛥

@calvinli
nit: cls -> self, return NotImplementedError -> raise NotImplementedE…
0c89fe1 
…rror

(doesn't actually matter for anything, but...)
@calvinli calvinli merged commit 11696f8 into master Dec 11, 2018
@calvinli calvinli deleted the akia_plugin branch December 11, 2018 00:02
@joshuarli joshuarli mentioned this pull request Dec 18, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@domanchi domanchi domanchi left review comments

@KevinHock KevinHock KevinHock approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@calvinli @domanchi @KevinHock