• Stars
    star
    189
  • Rank 204,649 (Top 5 %)
  • Language
    Python
  • License
    BSD 3-Clause "New...
  • Created over 5 years ago
  • Updated about 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Monitors Github for leaked secrets

secret-bridge

A bridge to help increase your ability to detect secrets shared on Github.

More details on the methodology can be found in our blog post.

How It Works

There are two ways this can operate:

  • Event Polling - In this mode, the script polls the Github Events API for an organization, developer, or set or repositories. This is useful when you may not have control over the thing you're watching.
  • Webhook - In this mode, the script sets up a server which can receive webhook events. This is useful when you have control over the thing you're watching, since it provides data in near real-time.

Once events are received indicating that new code has been pushed, this script executes configured detectors to detect secrets in the changes. At this time, the following detectors are supported:

A more general listing of tools which can be used to detect secrets in Git repositories can be found in TOOLS.md

If a secret is found, it is sent upstream to a notifier. At this time, we support notifying both via stdout as well as Slack and Microsoft Teams.

Installation

Via Docker

The easiest way to get started is by using our Docker image. You can see how to run the Docker image in the Usage section.

Installation from Source

First, you need to clone the repository:

git clone https://github.com/duo-labs/secret-bridge.git

Then, install the required dependencies:

pip install -r requirements.txt

Configuration

Configuration is done through config.toml. In this file, you set your access_token, the organizations, developers, and repositories you want to monitor for secrets, and more.

Setting Up the Access Token

You may wish to avoid having the access token in a file. Instead, you can set this value to env, and put the access token in the GITHUB_WATCHER_TOKEN environment variable.

Setting Up the Monitors

If you're monitoring via event polling (as opposed to using the webhook server), then you can configure what to monitor via the monitors configuration value.

You have the option of configuring one or more Github organization, user, or repository.

Setting Up the Detectors

This tool doesn't actually implement secret detection for Git repositories, since we consider that largely a solved problem. Instead, we handle running various secret detection tools for you in near real-time.

Detectors are configured via the detectors configuration value. Right now, the following values are accepted:

  • detect-secrets
  • git-secrets
  • trufflehog

Note: It's expected that the detector you use is installed and available on your $PATH. If you are running this via the Docker image, all the required tools are pre-installed.

Setting Up the Notifiers

If a secret is detected, we will notify you using your configured notifiers. Currently, the two notification methods are printing to the console, and notifying via a Slack/Teams webhook.

For webhook notifications, both Slack and Microsoft Teams implementations work identically: the JSON structure used to call the Slack webhook is the same as for Microsoft Teams, the implementation is just currently not updated to reflect this. To configure Teams notifications, follow these same steps but with a Teams Connector.

To configure Slack/Teams notifications, create the following configuration option with the webhook_url provided by Slack:

[notifiers.slack_webhook]
    webhook_url='your_webhook_url'

Usage

python main.py --help
Usage: main.py [OPTIONS] COMMAND [ARGS]...

Options:
  -f, --config PATH  [default: config.toml]
  -v, --verbose      Print verbose debug information
  --help             Show this message and exit.

Commands:
  poll
  webhook

Running Via Docker

docker run -ti --rm -e GITHUB_WATCHER_TOKEN=your_access_token duolabs/secret-bridge poll

Note that this is the only docker command needed to get the tool up and running. Relevant images will be automatically pulled if they are not found locally.

More Repositories

1

cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
JavaScript
5,990
star
2

parliament

AWS IAM linting library
Python
1,044
star
3

webauthn

WebAuthn (FIDO2) server library written in Go
Go
1,028
star
4

cloudtracker

CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
Python
885
star
5

py_webauthn

Pythonic WebAuthn ๐Ÿ
Python
863
star
6

webauthn.io

The source code for webauthn.io, a demonstration of WebAuthn.
Python
654
star
7

EFIgy

A small client application that uses the Duo Labs EFIgy API to inform you about the state of your Mac EFI firmware
Python
512
star
8

dlint

Dlint is a tool for encouraging best coding practices and helping ensure we're writing secure Python code.
Python
331
star
9

markdown-to-confluence

Syncs Markdown files to Confluence
Python
307
star
10

isthislegit

Dashboard to collect, analyze, and respond to reported phishing emails.
Python
286
star
11

idapython

A collection of IDAPython modules made with ๐Ÿ’š by Duo Labs
Python
285
star
12

chrome-extension-boilerplate

Boilerplate code for a Chrome extension using TypeScript, React, and Webpack.
TypeScript
209
star
13

apple-t2-xpc

Tools to explore the XPC interface of Apple's T2 chip
Python
160
star
14

twitterbots

The code used in the "Don't @ Me: Hunting Twitter Bots at Scale" Black Hat presentation
Python
151
star
15

cloudtrail-partitioner

Python
150
star
16

phish-collect

Python script to hunt phishing kits
Python
137
star
17

phinn

A toolkit to generate an offline Chrome extension to detect phishing attacks using a bespoke convolutional neural network.
JavaScript
130
star
18

xray

X-Ray allows you to scan your Android device for security vulnerabilities that put your device at risk.
Java
121
star
19

android-webauthn-authenticator

A WebAuthn Authenticator for Android leveraging hardware-backed key storage and biometric user verification.
Java
110
star
20

appsec-education

Presentations, training modules, and other education materials from Duo Security's Application Security team.
JavaScript
71
star
21

mysslstrip

CVE-2015-3152 PoC
Python
43
star
22

EFIgy-GUI

A Mac app that uses the Duo Labs EFIgy API to inform you about the state of your EFI firmware.
Objective-C
40
star
23

lookalike-domains

generate lookalike domains using a few simple techniques (homoglyphs, alt TLDs, prefix/suffix)
Python
31
star
24

apk2java

Automatically decompile APK's using Docker
Dockerfile
23
star
25

journal

The boilerplate for a new Journal site
21
star
26

srtgen

Automatic '.srt' subtitle generator
Python
21
star
27

markflow

Make your Markdown sparkle!
Python
20
star
28

neustar2mmdb

Tool to convert Neustar's GeoPoint data to Maxmind's GeoIP database format for ease of use.
Python
19
star
29

narrow

Low-effort reachability analysis for third-party code vulnerabilities.
Python
19
star
30

datasci-ctf

A capture-the-flag exercise based on data analysis challenges
Jupyter Notebook
16
star
31

duo-blog-going-passwordless-with-py-webauthn

Python
15
star
32

tutorials

Python
15
star
33

sharedsignals

Python tools for using OpenID's Shared Signals Framework (including CAEP)
15
star
34

chain-of-fools

A set of tools that allow researchers to experiment with certificate chain validation issues
Python
13
star
35

journal-cli

The command-line client for Journal
Jupyter Notebook
12
star
36

unmasking_data_leaks

The code from the talk "Unmasking Data Leaks: A Guide to Finding, Fixing, and Prevention" given at BSides SATX 2019.
Python
7
star
37

journal-theme

The Hugo theme that powers Journal
HTML
7
star
38

golang-workshop

Source files for a Golang Workshop
Go
5
star
39

vimes

A local DNS proxy based on CoreDNS.
Python
3
star
40

journal-docs

The documentation for Journal
2
star
41

dlint-plugin-example

An example plugin for dlint
Python
2
star
42

twitterbots-wallpapers

Wallpapers created from the crawlers in our "Don't @ Me" technical research paper
1
star
43

holidayhack-2019

Scripts and artifacts used to solve the 2019 SANS Holiday Hack Challenge
Python
1
star