Atomist SDM to find exposed secrets in repos
Type Name Latest commit message Commit time
.atomist/kubernetes Initial commit from Atomist Apr 4, 2019
assets/kubectl Initial commit from Atomist Apr 4, 2019
legal
lib Polishing Apr 8, 2019
test/machine
.dockerignore Initial commit from Atomist Apr 4, 2019
.gitattributes Initial commit from Atomist Apr 4, 2019
.gitignore
.npmignore Initial commit from Atomist Apr 4, 2019
CHANGELOG.md
CODE_OF_CONDUCT.md Initial commit from Atomist Apr 4, 2019
CONTRIBUTING.md Initial commit from Atomist Apr 4, 2019
Dockerfile
LICENSE Initial commit from Atomist Apr 4, 2019
README.md
index.ts Initial commit from Atomist Apr 4, 2019
package-lock.json Update to latest SDM for return value fix Apr 6, 2019
package.json Update to latest SDM for return value fix Apr 6, 2019
secrets.yml Show sha of project Apr 8, 2019
tsconfig.json Initial commit from Atomist Apr 4, 2019
tslint.json Initial commit from Atomist Apr 4, 2019

README.md

@atomist-blogs/secret-beagle

Simple SDM that finds exposed secrets in projects. Based on the paper How Bad Can it Git.

Starting the SDM

If you have an Atomist workspace, start the SDM with atomist start. It will check every push in your workspace.

To run it locally, start the SDM with atomist start --local. This is purely open source and does not require an Atomist workspace. Please refer to Atomist documentation to ensure you have the necessary git hooks.

Configuration

The definition of secrets is in the secrets.yml file in the root directory. It covers more than a dozen common token types that you may want to scan for. It should look as follows:

# List of glob patterns to match files
globs:
  - "**"
scanOnlyChangedFiles: false

secrets:
  # List of secrets, with regex and description
  - secret:
      pattern: "AKIA[0-9A-Z]{16}"
      description: "AWS secret"

# List of acceptable secret-like literals
whitelist:

Sections are as follows:

  • globs: List of glob strings specifying the type of files to look in. Default is all files. Binary files won't be examined in any case.

  • scanOnlyChangedFiles: Whether to scan only files changed in the commit.

  • secrets: List of secret definitions. Each consists of a pattern (a regular expression matching the secret in a file) and a human-readable description (typically what kind of secret this is).

  • whitelist: List of secret literals, if any, that are acceptable in your project. For example, the test suite of this project contains secret-like strings that are not actual secrets, and should be let through.

See the Developer Quick Start for information on how to extend this SDM.
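As an added example (not secret-beagle's own code), the following TypeScript applies a configuration with the structure above to a set of in-memory files: it compiles the globs, skips binary content, runs each pattern line by line and drops whitelisted literals. The configuration, file paths and file contents are constructed sample data; scanOnlyChangedFiles is left out because there is no commit to diff against here.

```typescript
// Added example, not secret-beagle's own code: an in-memory scanner following the
// secrets.yml structure documented above (globs, secrets, whitelist).
interface SecretDef { pattern: string; description: string; }
interface SecretsConfig { globs: string[]; secrets: Array<{ secret: SecretDef }>; whitelist: string[]; }
interface Finding { path: string; line: number; description: string; value: string; }

// Translate a glob such as "**", "*.ts" or "src/**/*.java" into an anchored RegExp:
// "**" crosses directory boundaries, "*" stays inside one path segment.
function globToRegExp(glob: string): RegExp {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob.charAt(i);
    if (c === "*" && glob.charAt(i + 1) === "*") {
      re += ".*"; i++;
      if (glob.charAt(i + 1) === "/") { i++; }   // "**/x" also matches a top-level "x"
    } else if (c === "*") { re += "[^/]*"; }
    else { re += c.replace(/[.+?^${}()|[\]\\]/g, "\\$&"); }
  }
  return new RegExp("^" + re + "$");
}

// Binary files are never examined (per the README); a NUL byte is the usual heuristic.
function isBinary(content: string): boolean { return content.indexOf("\u0000") !== -1; }

function scanFiles(config: SecretsConfig, files: { [path: string]: string }): Finding[] {
  const globs = config.globs.map(globToRegExp);
  const secrets = config.secrets.map(s => ({ re: new RegExp(s.secret.pattern, "g"), desc: s.secret.description }));
  const findings: Finding[] = [];
  for (const path of Object.keys(files)) {
    if (!globs.some(g => g.test(path)) || isBinary(files[path])) { continue; }
    files[path].split("\n").forEach((text, idx) => secrets.forEach(s => {
      s.re.lastIndex = 0;
      let m: RegExpExecArray | null;
      while ((m = s.re.exec(text)) !== null) {
        if (config.whitelist.indexOf(m[0]) === -1) {   // whitelisted literals are acceptable
          findings.push({ path, line: idx + 1, description: s.desc, value: m[0] });
        }
      }
    }));
  }
  return findings;
}

// Constructed sample input: the AWS pattern from secrets.yml, a whitelisted test fixture,
// a real-looking key in source, and a "binary" file (contains NUL) that must be skipped.
const FIXTURE_KEY = "AKIA" + Array(17).join("A");   // "AKIA" followed by 16 A's
const SAMPLE_CONFIG: SecretsConfig = {
  globs: ["**"], whitelist: [FIXTURE_KEY],
  secrets: [{ secret: { pattern: "AKIA[0-9A-Z]{16}", description: "AWS secret" } }],
};
const SAMPLE_FILES: { [path: string]: string } = {
  "src/config.ts": "// deployment settings\nexport const accessKey = \"AKIAIOSFODNN7EXAMPLE\";\n",
  "test/fixture.ts": "export const fake = \"" + FIXTURE_KEY + "\";\n",
  "assets/logo.png": "\u0089PNG\u0000AKIAIOSFODNN7EXAMPLE",
};
```

Running scanFiles(SAMPLE_CONFIG, SAMPLE_FILES) reports only the key in src/config.ts: the fixture is whitelisted and the PNG is skipped as binary.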

Contributing

Contributions to this project from community members are encouraged and appreciated. Please review the Contributing Guidelines for more information. Also see the Development section in this document.

Code of conduct

This project is governed by the Code of Conduct. You are expected to act in accordance with this code by participating. Please report any unacceptable behavior to code-of-conduct@atomist.com.

Documentation

Please see docs.atomist.com for developer documentation.

Connect

Follow @atomist and the Atomist blog.

Support

General support questions should be discussed in the #support channel in the Atomist community Slack workspace.

If you find a problem, please create an issue.

Development

You will need to install Node.js to build and test this project.

Build and test

Install dependencies.

$ npm install

Use the build package script to compile, test, lint, and build the documentation.

$ npm run build

Release

Releases are handled via the Atomist SDM. Just press the 'Approve' button in the Atomist dashboard or Slack.


Created by Atomist. Need Help? Join our Slack workspace.
