• Stars
    star
    3,092
  • Rank 14,544 (Top 0.3 %)
  • Language
    Go
  • License
    MIT License
  • Created about 4 years ago
  • Updated 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

πŸ”“ πŸ”“ Find secrets and passwords in container images and file systems πŸ”“ πŸ”“

SecretScanner

Documentation GitHub license GitHub stars Hacktoberfest GitHub issues Slack Twitter

SecretScanner has been integrated into ThreatMapper 1.3.0, and also remains as this standalone project.

SecretScanner

Deepfence SecretScanner can find unprotected secrets in container images or file systems.

  • SecretScanner is a standalone tool that retrieves and searches container and host filesystems, matching the contents against a database of approximately 140 secret types.
  • SecretScanner is also included in ThreatMapper, an open source scanner that identifies vulnerable dependencies and unprotected secrets in cloud native applications, and ranks these vulnerabilities based on their risk-of-exploit (example)

What are Secrets?

Secrets are any kind of sensitive or private data which gives authorized users permission to access critical IT infrastructure (such as accounts, devices, network, cloud based services), applications, storage, databases and other kinds of critical data for an organization. For example, passwords, AWS access IDs, AWS secret access keys, Google OAuth Key etc. are secrets. Secrets should be strictly kept private. However, sometimes attackers can easily access secrets due to flawed security policies or inadvertent mistakes by developers. Sometimes developers use default secrets or leave hard-coded secrets such as passwords, API keys, encryption keys, SSH keys, tokens etc. in container images, especially during rapid development and deployment cycles in CI/CD pipeline. Also, sometimes users store passwords in plain text. Leakage of secrets to unauthorized entities can put your organization and infrastructure at serious security risk.

Deepfence SecretScanner helps users scan their container images or local directories on hosts and outputs a JSON file with details of all the secrets found.

Check out our blog for more details.

When to use SecretScanner

Use SecretScanner if you need a lightweight, efficient method to scan container images and filesystems for possible secrets (keys, tokens, passwords). You can then review these possible 'secrets' to determine if any of them should be removed from production deployments.

Quick Start

For full instructions, refer to the SecretScanner Documentation.

SecretScanner QuickStart

Install docker and run SecretScanner on a container image using the following instructions:

  • Build SecretScanner:
./bootstrap.sh
docker build --rm=true --tag=deepfenceio/deepfence_secret_scanner:latest -f Dockerfile .
  • Or, pull the latest build from docker hub by doing:
docker pull deepfenceio/deepfence_secret_scanner:latest
  • Pull a container image for scanning:
docker pull node:8.11
  • Scan the container image:
    docker run -it --rm --name=deepfence-secretscanner -v $(pwd):/home/deepfence/output -v /var/run/docker.sock:/var/run/docker.sock deepfenceio/deepfence_secret_scanner:latest -image-name node:8.11

Credits

We have built upon the configuration file from shhgit project.

Get in touch

Thank you for using SecretScanner.

  • Start with the documentation
  • Got a question, need some help? Find the Deepfence team on Slack
  • GitHub issues Got a feature request or found a bug? Raise an issue
  • productsecurity at deepfence dot io: Found a security issue? Share it in confidence
  • Find out more at deepfence.io

Security and Support

For any security-related issues in the SecretScanner project, contact productsecurity at deepfence dot io.

Please file GitHub issues as needed, and join the Deepfence Community Slack channel.

Disclaimer

This tool is not meant to be used for hacking. Please use it only for legitimate purposes like detecting secrets on the infrastructure you own, not on others' infrastructure. DEEPFENCE shall not be liable for loss of profit, loss of business, other financial loss, or any other loss or damage which may be caused, directly or indirectly, by the inadequacy of SecretScanner for any purpose or use thereof or by any defect or deficiency therein.

More Repositories

1

ThreatMapper

Open Source Cloud Native Application Protection Platform (CNAPP)
TypeScript
4,763
star
2

PacketStreamer

⭐ ⭐ Distributed tcpdump for cloud native environments ⭐ ⭐
Go
1,870
star
3

YaraHunter

πŸ”πŸ” Malware scanner for cloud-native, as part of CI/CD and at Runtime πŸ”πŸ”
Go
1,234
star
4

FlowMeter

⭐ ⭐ Use ML to classify flows and packets as benign or malicious. ⭐ ⭐
Go
1,105
star
5

ebpfguard

Rust library for writing Linux security policies using eBPF
Rust
281
star
6

community

Deepfence Community
69
star
7

deepfence_runtime_api

Deepfence Runtime API & code samples
HTML
50
star
8

vessel

Vessel is the Go based utility that autodetects underlying Container Runtime in Kubernetes
Go
45
star
9

ThreatStryker-docs

ThreatStryker Documentation
42
star
10

package-scanner

Go
41
star
11

yara-rules

YARA
38
star
12

DocumentationWebsite

JavaScript
36
star
13

terraform-gcp-cloud-scanner

Deepfence Cloud Scanner runs in your cloud environment, gathering inventory and compliance information for the assets deployed in that environment. It submits that information to your Deepfence ThreatMapper or ThreatStryker Management Console
HCL
35
star
14

terraform-aws-cloud-scanner

Deepfence Cloud Scanner runs in your cloud environment, gathering inventory and compliance information for the assets deployed in that environment. It submits that information to your Deepfence ThreatMapper or ThreatStryker Management Console
HCL
35
star
15

helm-charts

Smarty
34
star
16

terraform-azure-cloud-scanner

Deepfence Cloud Scanner runs in your cloud environment, gathering inventory and compliance information for the assets deployed in that environment. It submits that information to your Deepfence ThreatMapper or ThreatStryker Management Console
HCL
33
star
17

CI-CD-Integrations

CI/CD plugins for image scanning, integrations with AWS ECR, Google Container Registry
HCL
32
star
18

secretscanner-docker-extension

⛴️ Docker extension for deepfence/SecretScanner πŸ”
JavaScript
25
star
19

yarahunter-docker-extension

⛴️Docker extension for deepfence/YaraHunterπŸ”Ž
JavaScript
24
star
20

terraform-aws-threatmapper

ThreatMapper Terraform module for AWS
HCL
24
star
21

agent-plugins-grpc

Agent plugins' gRPC definitions
Makefile
23
star
22

pcap-tools

C
22
star
23

compliance

Compliance Scripts Handler
Shell
21
star
24

apache-struts

This repository contains sample attacks that can be used to exploit vulnerabilities in the Jakarta Multipart Parser of Apache Struts
Java
20
star
25

.github

18
star
26

sock-app-canary

Shell
17
star
27

golang_deepfence_sdk

Golang deepfence SDK
Go
15
star
28

kubernetes-scanner

Kubernetes Security Posture Management
Go
14
star
29

cloud-scanner

Deepfence Cloud Scanner runs in your cloud environment, gathering inventory and compliance information for the assets deployed in that environment. It submits that information to your Deepfence ThreatMapper or ThreatStryker Management Console.
Go
4
star
30

ThreatMapperWorkshop

CNAPP Security Workshop using ThreatMapper
4
star
31

open-tracer

Open tracer that uses eBPF kernel features
Rust
3
star
32

threatmapper-python-client

ThreatMapper python client
Python
3
star
33

ebpfguard-blog-example

Sample of eBPFGuard capabilities for upcoming blogpost.
Rust
3
star
34

deepfence-playground

Deepfence's Sandbox on killercoda Platform
Shell
2
star
35

terraform-provider-deepfence

Deepfence Terraform provider
2
star
36

CommunityThreatIntel

Threat Intelligence by and for the community
1
star
37

http2viewer

HTTP2 message viewer
Go
1
star
38

match-scanner

Go
1
star