diff --git a/.talismanrc b/.talismanrc
index 8bd1dfbd..029c9257 100644
--- a/.talismanrc
+++ b/.talismanrc
@@ -1,26 +1,27 @@
fileignoreconfig:
-- filename: detector/pattern_detector_test.go
- checksum: 4d70b790f28f2d23d506f808d489aa43f1efd2514549ae6a83a535e1223382e3
- filename: detector/detection_results_test.go
checksum: 69fed055782cddfe0f0d23ea440cef9f9dd0b9e8a3c8a73856741bb26257b223
ignore_detectors:
- filecontent
-- filename: detector/match_pattern_test.go
- checksum: d68aa0e06355e3b848941727d1fcb32cf47e3d615f9921f0db39855325010446
- ignore_detectors: []
-- filename: global_install_scripts/install.bash
- checksum: 5d659125ecbe619ea99f5bc71c2d761b586ce3ec9ccab7683ee54f4ebde9f748
- filename: detector/filecontent/filecontent_detector_test.go
checksum: affb25839a87476dcef4f4169ccb9b54b2d2f2437cef3aca24f4d3b69d5886c5
+- filename: detector/filename/filename_detector.go
+ checksum: 5404565683a7e812fa98ff2d14237c4d1ba7dc5b4aca2dd3ba663b33dc8ddae7
+- filename: detector/filename/filename_detector_test.go
+ checksum: 0a9c9f113e203ca29d3a9bf0b4802a252e990c2132e1f168a46ab49ed532e6c9
+- filename: detector/match_pattern_test.go
+ checksum: d68aa0e06355e3b848941727d1fcb32cf47e3d615f9921f0db39855325010446
- filename: detector/pattern/match_pattern_test.go
checksum: b90530d286fbc0ee864d2350fc0c532e0fb2f01149d51e81339b420439014238
+- filename: detector/pattern/pattern_detector.go
+ checksum: 98c4edddc95b4b974ed9b3e4f48079f2503b5c85309fadf37878a3d28de31e72
- filename: detector/pattern/pattern_detector_test.go
checksum: 4d70b790f28f2d23d506f808d489aa43f1efd2514549ae6a83a535e1223382e3
-- filename: detector/pattern/pattern_detector.go
- checksum: 248bc5f67fa12d39b0fa1b63319a5b125006858a11603a837d8c53dbab2277c3
-- filename: detector/filename/filename_detector.go
- checksum: 5782cb11c373723ec7b40279a3dd375c0cd1d285ac0d032599f0300d9e133eec
-- filename: detector/filename/filename_detector_test.go
- checksum: 0a9c9f113e203ca29d3a9bf0b4802a252e990c2132e1f168a46ab49ed532e6c9
+- filename: detector/pattern_detector_test.go
+ checksum: 4d70b790f28f2d23d506f808d489aa43f1efd2514549ae6a83a535e1223382e3
+- filename: detector/severity/severity_config.go
+ checksum: 7e5442d7ee07a6fad12cf636c5dc2880c69b9593fd286e44d567e178ffdd0194
+- filename: global_install_scripts/install.bash
+ checksum: 5d659125ecbe619ea99f5bc71c2d761b586ce3ec9ccab7683ee54f4ebde9f748
scopeconfig:
- scope: go
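Review bot: The re-added entries for `detector/pattern_detector_test.go` and `detector/match_pattern_test.go` carry exactly the same checksums as `detector/pattern/pattern_detector_test.go` and `detector/pattern/match_pattern_test.go`, which suggests they are stale leftovers from before those tests moved under `detector/pattern/`. Every `fileignoreconfig` entry exempts the named path from Talisman's own secret checks, so a dead entry is harmless today but will silently exempt any file later created at that path with matching content. If those root-level files no longer exist, drop the two entries rather than carrying them forward, and keep the ignore list limited to paths actually present in the tree.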
diff --git a/README.md b/README.md
index a688f66d..3cb8fd45 100644
--- a/README.md
+++ b/README.md
@@ -363,9 +363,9 @@ custom_patterns:
## Configuring severity threshold
Each validation is associated with a severity
-1. low
-2. medium
-3. high
+1. Low
+2. Medium
+3. High
You can specify a threshold in your .talismanrc:
@@ -374,7 +374,9 @@ threshold: medium
```
This will report all Medium severity issues and higher (Potential risks that are below the threshold will be reported in the warnings)
-By default, the threshold is set to low
+1. A list of all risks with their severity level can be found in this [configuration file](detector/severity/severity_config.go).
+2. By default, the threshold is set to low.
+3. Any custom search patterns you add, are considered to be of high severity.
## Talisman as a CLI utility
diff --git a/detector/filecontent/filecontent_detector.go b/detector/filecontent/filecontent_detector.go
index 0142f474..04c3fed0 100644
--- a/detector/filecontent/filecontent_detector.go
+++ b/detector/filecontent/filecontent_detector.go
@@ -85,17 +85,17 @@ func (fc *FileContentDetector) Test(comparator helpers.ChecksumCompare, currentA
{
contentType: base64Content,
fn: checkBase64,
- severity: severity.Medium(),
+ severity: severity.SeverityConfiguration["Base64Content"],
},
{
contentType: hexContent,
fn: checkHex,
- severity: severity.Medium(),
+ severity: severity.SeverityConfiguration["HexContent"],
},
{
contentType: creditCardContent,
fn: checkCreditCardNumber,
- severity: severity.High(),
+ severity: severity.SeverityConfiguration["CreditCardContent"],
},
}
re := regexp.MustCompile(`(?i)checksum[ \t]*:[ \t]*[0-9a-fA-F]+`)
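Review bot: The three `severity.SeverityConfiguration["…"]` lookups in this table fail silently: a missing or misspelled key yields the zero value of `Severity` instead of a compile error, so that content check would be reported at an unnamed severity (how that compares to the `low` threshold is not visible here) rather than the intended Medium or High. The keys are plain string literals checked only at runtime, and the pattern_detector.go hunk in this same commit already contains a mistyped one. Consider resolving severities through an accessor that fails loudly, e.g. `severity: severity.For("Base64Content")` backed by a lookup that panics (or logs and falls back to High) on an unknown key, or expose the keys as named constants from the severity package so a typo cannot compile. `Test` begins before this hunk and continues after it.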
diff --git a/detector/filename/filename_detector.go b/detector/filename/filename_detector.go
index 5bb484ba..50eab0e8 100644
--- a/detector/filename/filename_detector.go
+++ b/detector/filename/filename_detector.go
@@ -15,53 +15,53 @@ import (
var (
filenamePatterns = []*severity.PatternSeverity{
- {Pattern: regexp.MustCompile(`^.+_rsa$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.+_dsa.*$`), Severity: severity.High()},
- {Pattern: regexp.MustCompile(`^.+_ed25519$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.+_ecdsa$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^\.\w+_history$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.+\.pem$`), Severity: severity.High()},
- {Pattern: regexp.MustCompile(`^.+\.ppk$`), Severity: severity.High()},
- {Pattern: regexp.MustCompile(`^.+\.key(pair)?$`), Severity: severity.High()},
- {Pattern: regexp.MustCompile(`^.+\.pkcs12$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.+\.pfx$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.+\.p12$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.+\.asc$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^\.?htpasswd$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^\.?netrc$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.*\.tblk$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.*\.ovpn$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.*\.kdb$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.*\.agilekeychain$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.*\.keychain$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.*\.key(store|ring)$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^jenkins\.plugins\.publish_over_ssh\.BapSshPublisherPlugin.xml$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^credentials\.xml$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.*\.pubxml(\.user)?$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^\.?s3cfg$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^\.gitrobrc$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^\.?(bash|zsh)rc$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^\.?(bash_|zsh_)?profile$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^\.?(bash_|zsh_)?aliases$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^secret_token.rb$`), Severity: severity.High()},
- {Pattern: regexp.MustCompile(`^omniauth.rb$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^carrierwave.rb$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^schema.rb$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^database.yml$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^settings.py$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.*(config)(\.inc)?\.php$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^LocalSettings.php$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`\.?env`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`\bdump|dump\b`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`\bsql|sql\b`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`\bdump|dump\b`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`password`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`backup`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`private.*key`), Severity: severity.High()},
- {Pattern: regexp.MustCompile(`(oauth).*(token)`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^.*\.log$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^\.?kwallet$`), Severity: severity.Low()},
- {Pattern: regexp.MustCompile(`^\.?gnucash$`), Severity: severity.Low()},
+ {Pattern: regexp.MustCompile(`^.+_rsa$`), Severity: severity.SeverityConfiguration["RSAFile"]},
+ {Pattern: regexp.MustCompile(`^.+_dsa.*$`), Severity: severity.SeverityConfiguration["DSAFile"]},
+ {Pattern: regexp.MustCompile(`^.+_ed25519$`), Severity: severity.SeverityConfiguration["DSAFile"]},
+ {Pattern: regexp.MustCompile(`^.+_ecdsa$`), Severity: severity.SeverityConfiguration["DSAFile"]},
+ {Pattern: regexp.MustCompile(`^\.\w+_history$`), Severity: severity.SeverityConfiguration["ShellHistory"]},
+ {Pattern: regexp.MustCompile(`^.+\.pem$`), Severity: severity.SeverityConfiguration["PemFile"]},
+ {Pattern: regexp.MustCompile(`^.+\.ppk$`), Severity: severity.SeverityConfiguration["PpkFile"]},
+ {Pattern: regexp.MustCompile(`^.+\.key(pair)?$`), Severity: severity.SeverityConfiguration["KeyPairFile"]},
+ {Pattern: regexp.MustCompile(`^.+\.pkcs12$`), Severity: severity.SeverityConfiguration["PKCSFile"]},
+ {Pattern: regexp.MustCompile(`^.+\.pfx$`), Severity: severity.SeverityConfiguration["PFXFile"]},
+ {Pattern: regexp.MustCompile(`^.+\.p12$`), Severity: severity.SeverityConfiguration["P12File"]},
+ {Pattern: regexp.MustCompile(`^.+\.asc$`), Severity: severity.SeverityConfiguration["ASCFile"]},
+ {Pattern: regexp.MustCompile(`^\.?htpasswd$`), Severity: severity.SeverityConfiguration["HTPASSWDFile"]},
+ {Pattern: regexp.MustCompile(`^\.?netrc$`), Severity: severity.SeverityConfiguration["NetrcFile"]},
+ {Pattern: regexp.MustCompile(`^.*\.tblk$`), Severity: severity.SeverityConfiguration["TunnelBlockFile"]},
+ {Pattern: regexp.MustCompile(`^.*\.ovpn$`), Severity: severity.SeverityConfiguration["OpenVPNFile"]},
+ {Pattern: regexp.MustCompile(`^.*\.kdb$`), Severity: severity.SeverityConfiguration["KDBFile"]},
+ {Pattern: regexp.MustCompile(`^.*\.agilekeychain$`), Severity: severity.SeverityConfiguration["AgileKeyChainFile"]},
+ {Pattern: regexp.MustCompile(`^.*\.keychain$`), Severity: severity.SeverityConfiguration["KeyChainFile"]},
+ {Pattern: regexp.MustCompile(`^.*\.key(store|ring)$`), Severity: severity.SeverityConfiguration["KeyStoreFile"]},
+ {Pattern: regexp.MustCompile(`^jenkins\.plugins\.publish_over_ssh\.BapSshPublisherPlugin.xml$`), Severity: severity.SeverityConfiguration["JenkinsPublishOverSSHFile"]},
+ {Pattern: regexp.MustCompile(`^credentials\.xml$`), Severity: severity.SeverityConfiguration["CredentialsXML"]},
+ {Pattern: regexp.MustCompile(`^.*\.pubxml(\.user)?$`), Severity: severity.SeverityConfiguration["PubXML"]},
+ {Pattern: regexp.MustCompile(`^\.?s3cfg$`), Severity: severity.SeverityConfiguration["s3Config"]},
+ {Pattern: regexp.MustCompile(`^\.gitrobrc$`), Severity: severity.SeverityConfiguration["GitRobRC"]},
+ {Pattern: regexp.MustCompile(`^\.?(bash|zsh)rc$`), Severity: severity.SeverityConfiguration["ShellRC"]},
+ {Pattern: regexp.MustCompile(`^\.?(bash_|zsh_)?profile$`), Severity: severity.SeverityConfiguration["ShellProfile"]},
+ {Pattern: regexp.MustCompile(`^\.?(bash_|zsh_)?aliases$`), Severity: severity.SeverityConfiguration["ShellAlias"]},
+ {Pattern: regexp.MustCompile(`^secret_token.rb$`), Severity: severity.SeverityConfiguration["SecretToken"]},
+ {Pattern: regexp.MustCompile(`^omniauth.rb$`), Severity: severity.SeverityConfiguration["OmniAuth"]},
+ {Pattern: regexp.MustCompile(`^carrierwave.rb$`), Severity: severity.SeverityConfiguration["CarrierWaveRB"]},
+ {Pattern: regexp.MustCompile(`^schema.rb$`), Severity: severity.SeverityConfiguration["SchemaRB"]},
+ {Pattern: regexp.MustCompile(`^database.yml$`), Severity: severity.SeverityConfiguration["DatabaseYml"]},
+ {Pattern: regexp.MustCompile(`^settings.py$`), Severity: severity.SeverityConfiguration["PythonSettings"]},
+ {Pattern: regexp.MustCompile(`^.*(config)(\.inc)?\.php$`), Severity: severity.SeverityConfiguration["PhpConfig"]},
+ {Pattern: regexp.MustCompile(`^LocalSettings.php$`), Severity: severity.SeverityConfiguration["PhpLocalSettings"]},
+ {Pattern: regexp.MustCompile(`\.?env`), Severity: severity.SeverityConfiguration["EnvFile"]},
+ {Pattern: regexp.MustCompile(`\bdump|dump\b`), Severity: severity.SeverityConfiguration["BDumpFile"]},
+ {Pattern: regexp.MustCompile(`\bsql|sql\b`), Severity: severity.SeverityConfiguration["BSQLFile"]},
+ {Pattern: regexp.MustCompile(`\bdump|dump\b`), Severity: severity.SeverityConfiguration["BDumpFile"]},
+ {Pattern: regexp.MustCompile(`password`), Severity: severity.SeverityConfiguration["PasswordFile"]},
+ {Pattern: regexp.MustCompile(`backup`), Severity: severity.SeverityConfiguration["BackupFile"]},
+ {Pattern: regexp.MustCompile(`private.*key`), Severity: severity.SeverityConfiguration["PrivateKeyFile"]},
+ {Pattern: regexp.MustCompile(`(oauth).*(token)`), Severity: severity.SeverityConfiguration["OauthTokenFile"]},
+ {Pattern: regexp.MustCompile(`^.*\.log$`), Severity: severity.SeverityConfiguration["LogFile"]},
+ {Pattern: regexp.MustCompile(`^\.?kwallet$`), Severity: severity.SeverityConfiguration["KWallet"]},
+ {Pattern: regexp.MustCompile(`^\.?gnucash$`), Severity: severity.SeverityConfiguration["GNUCash"]},
}
)
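Review bot: The `^.+_ed25519$` and `^.+_ecdsa$` rows are now keyed to `"DSAFile"`, which the new severity_config.go sets to High, whereas the removed lines had both at Low; that is a behavioural change (stricter reporting for Ed25519/ECDSA key files) that the README text in this commit does not mention, and the shared key name misdescribes those file types. If the escalation is intended, give each its own entry — `Severity: severity.SeverityConfiguration["Ed25519File"]` and `Severity: severity.SeverityConfiguration["ECDSAFile"]` — so the config file the README now points readers to reflects what is actually enforced and the two can be tuned independently of DSA; if not, map them to a Low entry. While every row is being touched, note that `^.+_rsa$` stays Low although `_dsa`, `.pem` and `private.*key` are High, and that the `\bdump|dump\b` row appears twice in the table; neither is new in this commit. The `var (` block starts before this hunk.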
diff --git a/detector/filesize/filesize_detector.go b/detector/filesize/filesize_detector.go
index 2e264c8c..a4058e39 100644
--- a/detector/filesize/filesize_detector.go
+++ b/detector/filesize/filesize_detector.go
@@ -20,7 +20,7 @@ func NewFileSizeDetector(size int) detector.Detector {
}
func (fd FileSizeDetector) Test(comparator helpers.ChecksumCompare, currentAdditions []gitrepo.Addition, ignoreConfig *talismanrc.TalismanRC, result *helpers.DetectionResults) {
- severity := severity.Medium()
+ severity := severity.SeverityConfiguration["LargeFileSize"]
for _, addition := range currentAdditions {
if ignoreConfig.Deny(addition, "filesize") || comparator.IsScanNotRequired(addition) {
log.WithFields(log.Fields{
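Review bot: `severity := severity.SeverityConfiguration["LargeFileSize"]` shadows the imported `severity` package with a local variable, so nothing later in `Test` can refer to the package again; the removed `severity := severity.Medium()` had the same defect, but this line is the moment to fix it. Rename the local, e.g. `sev := severity.SeverityConfiguration["LargeFileSize"]`, and update the later use inside the loop, which lies outside this hunk. As with the other call sites in this commit, a missing map key here quietly yields the zero `Severity`, so a lookup helper that reports unknown keys would be safer than a bare index.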
diff --git a/detector/pattern/match_pattern.go b/detector/pattern/match_pattern.go
index 46b7a554..05801a71 100644
--- a/detector/pattern/match_pattern.go
+++ b/detector/pattern/match_pattern.go
@@ -40,7 +40,7 @@ func (pm *PatternMatcher) add(ps talismanrc.PatternString) {
return
}
logrus.Infof("added custom pattern '%s' with high severity", ps)
- pm.regexes = append(pm.regexes, &severity.PatternSeverity{Pattern: re, Severity: severity.High()})
+ pm.regexes = append(pm.regexes, &severity.PatternSeverity{Pattern: re, Severity: severity.SeverityConfiguration["CustomPattern"]})
}
func NewPatternMatcher(patterns []*severity.PatternSeverity) *PatternMatcher {
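Review bot: The log line immediately above the changed `append` still hard-codes "with high severity", while the value appended now comes from `SeverityConfiguration["CustomPattern"]`; as soon as someone edits that entry the log will misreport what was registered. Derive both from the same value — `sev := severity.SeverityConfiguration["CustomPattern"]`, then `logrus.Infof("added custom pattern '%s' with %v severity", ps, sev)` (adjust the verb to however `Severity` prints; its String method is not visible here) — and pass `sev` into the `PatternSeverity`. The README in this commit also states that custom patterns are always high severity, so either that config entry should be documented as fixed or the README sentence should say it is configurable. `add` begins before this hunk.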
diff --git a/detector/pattern/pattern_detector.go b/detector/pattern/pattern_detector.go
index dead2aed..4d9d450e 100644
--- a/detector/pattern/pattern_detector.go
+++ b/detector/pattern/pattern_detector.go
@@ -18,13 +18,13 @@ type PatternDetector struct {
var (
detectorPatterns = []*severity.PatternSeverity{
- {Pattern: regexp.MustCompile(`(?i)((.*)(password|passphrase|secret|key|pwd|pword|pass)(.*) *[:=>][^,;\n]{8,})`), Severity: severity.Medium()},
- {Pattern: regexp.MustCompile(`(?i)(['"_]?pw['"]? *[:=][^,;\n]{8,})`), Severity: severity.Medium()},
- {Pattern: regexp.MustCompile(`(?i)(\S*)`), Severity: severity.High()},
- {Pattern: regexp.MustCompile(`(?i)(\S*)`), Severity: severity.High()},
- {Pattern: regexp.MustCompile(`(?i)(AWS[ \w]+key[ \w]+[:=])`), Severity: severity.High()},
- {Pattern: regexp.MustCompile(`(?i)(AWS[ \w]+secret[ \w]+[:=])`), Severity: severity.High()},
- {Pattern: regexp.MustCompile(`(?s)(BEGIN RSA PRIVATE KEY.*END RSA PRIVATE KEY)`), Severity: severity.High()},
+ {Pattern: regexp.MustCompile(`(?i)((.*)(password|passphrase|secret|key|pwd|pword|pass)(.*) *[:=>][^,;\n]{8,})`), Severity: severity.SeverityConfiguration["PasswordPhrasePattern"]},
+ {Pattern: regexp.MustCompile(`(?i)(['"_]?pw['"]? *[:=][^,;\n]{8,})`), Severity: severity.SeverityConfiguration["PasswordPhrasePattern"]},
+ {Pattern: regexp.MustCompile(`(?i)(\S*)`), Severity: severity.SeverityConfiguration["ConsumerKeyPattern"]},
+ {Pattern: regexp.MustCompile(`(?i)(\S*)`), Severity: severity.SeverityConfiguration["ConsumerSecretParrern"]},
+ {Pattern: regexp.MustCompile(`(?i)(AWS[ \w]+key[ \w]+[:=])`), Severity: severity.SeverityConfiguration["AWSKeyPattern"]},
+ {Pattern: regexp.MustCompile(`(?i)(AWS[ \w]+secret[ \w]+[:=])`), Severity: severity.SeverityConfiguration["AWSSecretPattern"]},
+ {Pattern: regexp.MustCompile(`(?s)(BEGIN RSA PRIVATE KEY.*END RSA PRIVATE KEY)`), Severity: severity.SeverityConfiguration["RSAKeyPattern"]},
}
)
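Review bot: The key `"ConsumerSecretParrern"` is a typo for `ConsumerSecretPattern`; it only works because the same misspelling exists in severity_config.go, and whoever later corrects one side will silently drop that detector to the zero `Severity` instead of getting a compile error. Fix both places in one change — `Severity: severity.SeverityConfiguration["ConsumerSecretPattern"]` here and `"ConsumerSecretPattern": High(),` in the config. Separately, the two consumer key/secret rows appear here as `(?i)(\S*)`, which matches any non-empty token and would flag essentially every file; if that is a redaction artefact of this listing rather than the real expression, disregard, otherwise those rows need their actual regexes before being assigned High. The `var (` block starts before this hunk.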
diff --git a/detector/severity/severity_config.go b/detector/severity/severity_config.go
new file mode 100644
index 00000000..8b73cf9c
--- /dev/null
+++ b/detector/severity/severity_config.go
@@ -0,0 +1,59 @@
+package severity
+
+var SeverityConfiguration = map[string]Severity{
+ "ConsumerKeyPattern": High(),
+ "ConsumerSecretParrern": High(),
+ "AWSKeyPattern": High(),
+ "AWSSecretPattern": High(),
+ "RSAKeyPattern": High(),
+ "DSAFile": High(),
+ "PrivateKeyFile":High(),
+ "CreditCardContent": High(),
+ "PemFile": High(),
+ "PpkFile": High(),
+ "SecretToken": High(),
+ "KeyPairFile": High(),
+ "CustomPattern": High(),
+ "PasswordPhrasePattern": Medium(),
+ "LargeFileSize": Medium(),
+ "Base64Content": Medium(),
+ "HexContent": Medium(),
+ "RSAFile": Low(),
+ "ShellHistory": Low(),
+ "PKCSFile": Low(),
+ "PFXFile": Low(),
+ "P12File": Low(),
+ "ASCFile": Low(),
+ "HTPASSWDFile": Low(),
+ "NetrcFile": Low(),
+ "TunnelBlockFile": Low(),
+ "OpenVPNFile": Low(),
+ "KDBFile": Low(),
+ "AgileKeyChainFile": Low(),
+ "KeyChainFile": Low(),
+ "KeyStoreFile": Low(),
+ "JenkinsPublishOverSSHFile": Low(),
+ "CredentialsXML": Low(),
+ "PubXML": Low(),
+ "s3Config": Low(),
+ "GitRobRC": Low(),
+ "ShellRC": Low(),
+ "ShellProfile": Low(),
+ "ShellAlias": Low(),
+ "OmniAuth": Low(),
+ "CarrierWaveRB": Low(),
+ "SchemaRB": Low(),
+ "DatabaseYml": Low(),
+ "PythonSettings": Low(),
+ "PhpConfig": Low(),
+ "PhpLocalSettings": Low(),
+ "EnvFile": Low(),
+ "BDumpFile": Low(),
+ "BSQLFile": Low(),
+ "PasswordFile":Low(),
+ "BackupFile":Low(),
+ "OauthTokenFile":Low(),
+ "LogFile":Low(),
+ "KWallet":Low(),
+ "GNUCash":Low(),
+}
\ No newline at end of file
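Review bot: `SeverityConfiguration` is an exported, mutable package-level map with no doc comment, so any importer can rewrite a severity at runtime (for instance demote `PrivateKeyFile` to Low before a scan) and a mistyped key at any call site resolves to the zero `Severity` value without complaint. Add a doc comment on the declaration — `// SeverityConfiguration maps each detector or pattern name to the severity it is reported at; the keys are referenced as string literals from the detector packages, so renaming one requires updating every caller.` — and consider unexporting the map behind a lookup that panics or logs on an unknown key so typos surface in tests rather than in production scans. The `"ConsumerSecretParrern"` entry is misspelled (mirrored in pattern_detector.go), Ed25519 and ECDSA key files are folded into `"DSAFile"` with no entry of their own, the name stutters as `severity.SeverityConfiguration` (`severity.Config` or `severity.Defaults` would read better), and the file lacks a trailing newline, which gofmt will add.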