Skip to content

Commit

Permalink
feat(secret): added support of Docker registry credentials (#5720)
Browse files Browse the repository at this point in the history 
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
  • Loading branch information
@sourav977 @DmitriyLewen
sourav977 and DmitriyLewen committed Dec 6, 2023
1 parent 6080e24 commit 108a5b0
Show file tree
Hide file tree
Showing 3 changed files with 85 additions and 0 deletions.
10 changes: 10 additions & 0 deletions pkg/fanal/secret/builtin-rules.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@ var (
CategoryLinkedIn = types.SecretRuleCategory("LinkedIn")
CategoryTwitch = types.SecretRuleCategory("Twitch")
CategoryTypeform = types.SecretRuleCategory("Typeform")
CategoryDocker = types.SecretRuleCategory("Docker")
)

// Reusable regex patterns
Expand Down Expand Up @@ -792,4 +793,13 @@ var builtinRules = []Rule{
SecretGroupName: "secret",
Keywords: []string{"typeform"},
},
{
ID: "dockerconfig-secret",
Category: CategoryDocker,
Title: "Dockerconfig secret exposed",
Severity: "HIGH",
Regex: MustCompile(`(?i)(\.(dockerconfigjson|dockercfg):\s*\|*\s*(?P<secret>(ey|ew)+[A-Za-z0-9\/\+=]+))`),
SecretGroupName: "secret",
Keywords: []string{"dockerc"},
},
}
71 changes: 71 additions & 0 deletions pkg/fanal/secret/scanner_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -526,6 +526,68 @@ func TestSecretScanner(t *testing.T) {
},
},
}
wantFindingDockerKey1 := types.SecretFinding{
RuleID: "dockerconfig-secret",
Category: secret.CategoryDocker,
Title: "Dockerconfig secret exposed",
Severity: "HIGH",
StartLine: 4,
EndLine: 4,
Match: " .dockercfg: ************",
Code: types.Code{
Lines: []types.Line{
{
Number: 2,
Content: " .dockerconfigjson: ************",
Highlighted: " .dockerconfigjson: ************",
},
{
Number: 3,
Content: "data2:",
Highlighted: "data2:",
},
{
Number: 4,
Content: " .dockercfg: ************",
Highlighted: " .dockercfg: ************",
IsCause: true,
FirstCause: true,
LastCause: true,
},
},
},
}
wantFindingDockerKey2 := types.SecretFinding{
RuleID: "dockerconfig-secret",
Category: secret.CategoryDocker,
Title: "Dockerconfig secret exposed",
Severity: "HIGH",
StartLine: 2,
EndLine: 2,
Match: " .dockerconfigjson: ************",
Code: types.Code{
Lines: []types.Line{
{
Number: 1,
Content: "data1:",
Highlighted: "data1:",
},
{
Number: 2,
Content: " .dockerconfigjson: ************",
Highlighted: " .dockerconfigjson: ************",
IsCause: true,
FirstCause: true,
LastCause: true,
},
{
Number: 3,
Content: "data2:",
Highlighted: "data2:",
},
},
},
}
wantMultiLine := types.SecretFinding{
RuleID: "multi-line-secret",
Category: "general",
Expand Down Expand Up @@ -609,6 +671,15 @@ func TestSecretScanner(t *testing.T) {
Findings: []types.SecretFinding{wantFindingAsymmetricPrivateKeyJson},
},
},
{
name: "find Docker registry credentials",
configPath: filepath.Join("testdata", "skip-test.yaml"),
inputFilePath: filepath.Join("testdata", "docker-secrets.txt"),
want: types.Secret{
FilePath: filepath.Join("testdata", "docker-secrets.txt"),
Findings: []types.SecretFinding{wantFindingDockerKey1, wantFindingDockerKey2},
},
},
{
name: "include when keyword found",
configPath: filepath.Join("testdata", "config-happy-keywords.yaml"),
Expand Down
4 changes: 4 additions & 0 deletions pkg/fanal/secret/testdata/docker-secrets.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
data1:
.dockerconfigjson: eyE1x2a3MpLe
data2:
.dockercfg: ewE1x2a3MpLe

0 comments on commit 108a5b0

Please sign in to comment.