Enhancement request: OAuth with Github to scan repos for Access Keys #10
Comments
There's also the potential to actively scan https://api.github.com/events while running (or as part of a premium service) for leaked keys.
This is a really awesome idea. I'm trying to think through some logistics, but I imagine by using OAuth, we could just scan the user's public repos (or even private for a less severe warning) for known keys from their accounts. Hitting /events may be a bit resource intensive (although I have seen scripts out there that do something similar).
It's actually real-world, not pointing fingers but I've indirectly been bit by this problem twice now (users pushing their
Well, even hitting private repos (organizations can have 100s of repos, 1000s of files, 1000s of commits, plus 100s of users with public non-org repos multiplied by N commits...) with all git history commits to scan.... it's definitely intensive even at a small scale.
Quick search by hand even yielded a key:
Agreed, it's well beyond the scale of the existing scans, so I'm going to have to think on this one in order to fit it into the setup of the existing plugins. Perhaps GitHub offers a search API which could be hit directly on behalf of a user and include history, deleted files, etc. There was a Hacker News thread once on GitHub searches for locating all sorts of things (SSH keys, AWS access keys, etc.). Will try to find it.
I recall that HN posting as well but can't find that repo quickly either. https://github.com/michenriksen/gitrob maybe?
Yeah, I think this is it... gluing these two projects together would be magical - the output of potential sensitive keys from cloudsploit-scan is compared with the output of a gitrob scan.
Played around with Gitrob also flags a lot of odd false-positives, combining this code with CloudSploit might really want to focus on using the iteration + oauth features from
I also wrapped it in a Dockerized container if you want to try it out with potentially less setup:
Thanks for locating these projects, they'll be useful in doing something similar here. I took a look at we could do a combination of OAuth and GitHub search: https://developer.github.com/v3/search/ The only issue is, it's rate limited to 30 searches per minute, so accounts with large numbers of keys may take a while to complete. Also, AWS does not allow you to retrieve the secrets, so we may wind up with a lot of false positives (user hard-coded the access key, but not the secret).
Well, general good practice policies are that all keys (including access keys) are considered secrets and belong in the I wonder... with the IAM SDK, could you just use these two: http://docs.aws.amazon.com/sdkforruby/api/Aws/IAM/Types/ListUsersRequest.html combined with Wouldn't matter if the secret keys were in github or not, but usually they're either both there, or neither of them are there.
I've been working on a project called keynuker that is really similar to what @mikeatlas described. It uses the github events API and pretty much the exact AWS SDK calls described. |
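The cross-check the thread converges on (enumerate the account's own access key IDs via IAM ListUsers plus, as an assumption about the cut-off second call, ListAccessKeys, then compare them against key-like strings a repo scan surfaces) as an added example; this is not code from the thread, CloudSploit, gitrob or keynuker. `FakeIAM` and `SAMPLE_HITS` are constructed stand-ins for `boto3.client("iam")` and for GitHub code-search results, and the severity labels are the example's own.

```python
import re

# Long-term IAM user access key IDs are "AKIA" plus 16 upper-case letters/digits.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")


def build_key_inventory(iam):
    """Map every access key ID in the account to (user, status) via ListUsers + ListAccessKeys.
    `iam` is any object exposing list_users() / list_access_keys(UserName=...) in boto3's
    response shape; result pagination (IsTruncated/Marker) is omitted for brevity."""
    inventory = {}
    for user in iam.list_users()["Users"]:
        for meta in iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]:
            inventory[meta["AccessKeyId"]] = (user["UserName"], meta["Status"])
    return inventory


def cross_check(inventory, search_hits):
    """Rank key-like strings found in repo content against the account's own key IDs.
    A hit that matches an Active key is a confirmed leak of *your* credential; an AKIA
    string not in the inventory is only a pattern match (another account, or already
    deleted), which is the false-positive class the thread worries about."""
    rank = {"critical": 0, "high": 1, "info": 2}
    findings = []
    for repo, path, text in search_hits:
        for key_id in sorted(set(ACCESS_KEY_ID_RE.findall(text))):
            user, status = inventory.get(key_id, (None, None))
            severity = "critical" if status == "Active" else "high" if status else "info"
            findings.append({"key_id": key_id, "user": user, "status": status,
                             "repo": repo, "path": path, "severity": severity})
    findings.sort(key=lambda f: rank[f["severity"]])  # stable: keeps hit order within a tier
    return findings


class FakeIAM:
    """Constructed stand-in for boto3.client('iam'); key IDs are AWS's documented examples."""
    _KEYS = {"alice": [("AKIAIOSFODNN7EXAMPLE", "Active")],
             "ci-bot": [("AKIAI44QH8DHBEXAMPLE", "Inactive")]}

    def list_users(self):
        return {"Users": [{"UserName": u} for u in self._KEYS]}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k, "Status": s}
                                      for k, s in self._KEYS.get(UserName, [])]}


SAMPLE_HITS = [  # constructed: what a GitHub code search or gitrob pass might return
    ("acme/app", "config/prod.yml", "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"),
    ("acme/old", "deploy.sh", "export AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE"),
    ("acme/fork", "notes.md", "key AKIAZZZZZZZZZZZZZZZZ belongs to some other account"),
    ("acme/docs", "README.md", "no credentials here"),
]

if __name__ == "__main__":
    for f in cross_check(build_key_inventory(FakeIAM()), SAMPLE_HITS):
        print(f"{f['severity']:8} {f['key_id']} user={f['user']} {f['repo']}/{f['path']}")
```

The `info` tier is where the secret-unavailability problem from the earlier comment lands: without a matching key ID in your own inventory, a scanner cannot tell a live credential from a stale or foreign one.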
Revivalist @tleyden takes a post from 2yr ago and turns it into a project! |
This is even something I'd consider building myself / adding to the project. Even secure keys on AWS can be insecure and exposed on a public github repo (even in deleted commit histories). Any interest?