Merge branch 'dev'
Plazmaz committed Nov 15, 2019
2 parents 4ad3f90 + 607ec15 commit 84a1d59
Showing 9 changed files with 169 additions and 74 deletions.
9 changes: 9 additions & 0 deletions .leaky-meta/CHANGELOG.md
@@ -1,4 +1,13 @@
# Changelog
## 1.1.1
System/logic changes:
* Added support for benchmarking gitleaks
* Fixed up install and benchmark scripts
* Added secret coverage percentage for benchmarks

Changes to secrets:
* Added a password value for robomongo

## 1.1.0
System/logic changes:
* Added system for automatically generating benchmarks
54 changes: 39 additions & 15 deletions .leaky-meta/benchmark.py
Expand Up @@ -38,6 +38,22 @@ def get_secret_count_detectsecrets():

return cmd, finds

def get_secret_count_gitleaks():
finds = {}
cmd = ['gitleaks', '--report=.leaky-meta/gitleaks.json', '--repo-path', '.']
stdout, stderr = get_command_stdout(cmd)
with open('gitleaks.json') as f:
data = json.load(f)
for obj in data:
filename = obj.get('file')
if not filename in finds:
finds[filename] = 0
finds[filename] += 1

# Clean up
os.remove('gitleaks.json')
return cmd, finds

def get_secret_count_trufflehog():
finds = {}
trufflehog_cmd = ['trufflehog', '--json', '--regex', '.']
Expand All @@ -58,25 +74,25 @@ def build_markdown_rows(secrets_function, expected_counts):
name = row[0]
expected = row[1] + row[2]
if not name in secrets:
dat[name] = {"name": name, "found": 0, "expected": expected, "false_positives" :0 }
dat[name] = {'name': name, 'found': 0, 'expected': expected, 'false_positives' :0 }
continue

found = secrets[name]
# If found > expected, we have false positives. This will be negative or zero of there's no false positives.
false_positives = found - expected
# This will be zero or positive.
false_positives = max(false_positives, 0)
dat[name] = {"name": name, "found": found, "expected": expected, "false_positives" :false_positives }
dat[name] = {'name': name, 'found': found, 'expected': expected, 'false_positives' :false_positives }
return cmd, dat

def build_table_header(filename_cols):
template = "File Name{}| Found/Total | False Positives |\n{}|----------------|-----------------|\n"
# 9 = len("File Name")
return template.format(" " * (filename_cols - 9), "-" * filename_cols)
template = 'File Name{}| Found/Total | False Positives |\n{}|----------------|-----------------|\n'
# 9 = len('File Name')
return template.format(' ' * (filename_cols - 9), '-' * filename_cols)

def build_md_table(secrets_function):
# {name}{padding}| {found}/{total} |{false positives}
print_template = "{}{}| {}/{} | {}\n"
print_template = '{}{}| {}/{} | {}\n'

expected_counts = [x for x in get_secret_counts()]
# Get the max length of a filename, so we can put a column seperator after it
Expand All @@ -99,7 +115,7 @@ def build_md_table(secrets_function):

# Determine right padding for name column
right_padding = sep_col - len(name)
right_padding_str = (" " * right_padding)
right_padding_str = (' ' * right_padding)

# For metrics we exclude false positives.
total_finds += found - false_positives
Expand All @@ -115,7 +131,7 @@ def build_md(secrets_function, tool_url):
header_fmt = 'Tool: {} ' \
'\nCommand Used: `{}` ' \
'\nFiles covered: {}/{} ({}% coverage) ' \
'\nTotal finds: {}/{} ' \
'\nTotal finds: {}/{} ({}% coverage) ' \
'\nFalse Positives: {} ' \
'\n\n{}'

Expand All @@ -126,18 +142,26 @@ def build_md(secrets_function, tool_url):

# Get a % coverage value
file_coverage = (files_covered / total_files) * 100

find_coverage = (total_finds / total_expected) * 100

# Sanity!
file_coverage = round(file_coverage, 2)
find_coverage = round(find_coverage, 2)
out = header_fmt.format(tool_url, cmd,
files_covered, total_files, file_coverage,
total_finds, total_expected, false_positives, table)
files_covered, total_files, file_coverage,
total_finds, total_expected, find_coverage,
false_positives, table)
return out

if __name__ == "__main__":
detect_secrets = build_md(get_secret_count_detectsecrets, "https://github.com/Yelp/detect-secrets")
truffle_hog = build_md(get_secret_count_trufflehog, "https://github.com/dxa4481/truffleHog")
with open('benchmarking' + os.path.sep + "TRUFFLEHOG.md", 'w+') as f:
if __name__ == '__main__':
detect_secrets = build_md(get_secret_count_detectsecrets, 'https://github.com/Yelp/detect-secrets')
truffle_hog = build_md(get_secret_count_trufflehog, 'https://github.com/dxa4481/truffleHog')
gitleaks = build_md(get_secret_count_gitleaks, 'https://github.com/zricethezav/gitleaks')
with open('benchmarking' + os.path.sep + 'TRUFFLEHOG.md', 'w+') as f:
f.write(truffle_hog)
with open('benchmarking' + os.path.sep + "DETECT-SECRETS.md", 'w+') as f:
with open('benchmarking' + os.path.sep + 'DETECT-SECRETS.md', 'w+') as f:
f.write(detect_secrets)
with open('benchmarking' + os.path.sep + 'GITLEAKS.md', 'w+') as f:
f.write(gitleaks)
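Review bot: In the new get_secret_count_gitleaks() the report is named `.leaky-meta/gitleaks.json` on the gitleaks command line but is read with `open('gitleaks.json')` and deleted with `os.remove('gitleaks.json')` from the working directory, so the three references only agree if gitleaks resolves the report path against something other than the cwd; if they diverge the function raises FileNotFoundError and the report, which carries the matched findings, is left on disk. The report is also only removed on the success path, and `stdout, stderr` from get_command_stdout are bound but never used. One path constant shared by all three sites plus a try/finally around the parse keeps the cleanup unconditional; get_secret_count_trufflehog and build_md start or end outside the hunks shown.
```python
GITLEAKS_REPORT = os.path.join('.leaky-meta', 'gitleaks.json')  # constructed: use whichever location gitleaks actually writes to


def get_secret_count_gitleaks():
    finds = {}
    cmd = ['gitleaks', '--report=' + GITLEAKS_REPORT, '--repo-path', '.']
    get_command_stdout(cmd)
    try:
        with open(GITLEAKS_REPORT) as f:
            data = json.load(f)
    finally:
        # Remove the report whether or not it parsed, so findings never linger
        if os.path.exists(GITLEAKS_REPORT):
            os.remove(GITLEAKS_REPORT)
    for obj in data:
        filename = obj.get('file')
        finds[filename] = finds.get(filename, 0) + 1
    return cmd, finds
```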

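--- a/.leaky-meta/benchmark.sh
+++ b/.leaky-meta/benchmark.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+source ./install-test-tools.sh
+python benchmark.py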
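Review bot: Both lines of the new script resolve paths against the caller's working directory (`source ./install-test-tools.sh`, `python benchmark.py`), so it only works when invoked from inside .leaky-meta, and without `set -e` a failed wget or pip install inside the sourced script still lets the benchmark run against a missing tool. Adding `set -e` and `cd "$(dirname "$0")"` before the `source` line makes it behave the same from any directory and stop on the first failure. Because install-test-tools.sh is sourced rather than executed, its `exit 1` already terminates this script, which is the intended effect.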
58 changes: 29 additions & 29 deletions .leaky-meta/benchmarking/DETECT-SECRETS.md
@@ -1,52 +1,52 @@
Tool: https://github.com/Yelp/detect-secrets
Command Used: `detect-secrets scan`
Files covered: 23/44 (52.27% coverage)
Total finds: 41/179
Total finds: 41/179 (22.91% coverage)
False Positives: 0

File Name | Found/Total | False Positives |
---------------------------------------|----------------|-----------------|
.mozilla/firefox/logins.json | 6/28 | 0
.bash_profile | 4/11 | 0
.bashrc | 3/6 | 0
web/var/www/.env | 3/10 | 0
web/ruby/secrets.yml | 3/3 | 0
cloud/.credentials | 2/4 | 0
web/var/www/.env | 3/10 | 0
.bashrc | 3/6 | 0
ventrilo_srv.ini | 2/2 | 0
cloud/heroku.json | 2/2 | 0
cloud/.credentials | 2/4 | 0
high-entropy-misc.txt | 2/2 | 0
ventrilo_srv.ini | 2/2 | 0
.ssh/id_rsa | 1/1 | 0
db/mongoid.yml | 1/1 | 0
misc-keys/cert-key.pem | 1/1 | 0
cloud/.tugboat | 1/3 | 0
.vscode/sftp.json | 1/4 | 0
hub | 1/2 | 0
.docker/config.json | 1/6 | 0
.remote-sync.json | 1/3 | 0
sftp-config.json | 1/4 | 0
.idea/WebServers.xml | 1/2 | 0
misc-keys/putty-example.ppk | 1/2 | 0
.docker/.dockercfg | 1/6 | 0
.ssh/id_rsa | 1/1 | 0
web/var/www/public_html/config.php | 1/4 | 0
.remote-sync.json | 1/3 | 0
misc-keys/putty-example.ppk | 1/2 | 0
cloud/.tugboat | 1/3 | 0
.idea/WebServers.xml | 1/2 | 0
hub | 1/2 | 0
.vscode/sftp.json | 1/4 | 0
deployment-config.json | 1/4 | 0
db/.pgpass | 0/1 | 0
.docker/config.json | 1/6 | 0
misc-keys/cert-key.pem | 1/1 | 0
db/mongoid.yml | 1/1 | 0
filezilla/recentservers.xml | 0/6 | 0
web/var/www/public_html/.htpasswd | 0/1 | 0
.netrc | 0/2 | 0
cloud/.s3cfg | 0/3 | 0
web/django/settings.py | 0/1 | 0
.ftpconfig | 0/5 | 0
.npmrc | 0/3 | 0
db/dump.sql | 0/10 | 0
proftpdpasswd | 0/1 | 0
etc/shadow | 0/1 | 0
.ssh/id_rsa.pub | 0/1 | 0
.npmrc | 0/3 | 0
config | 0/4 | 0
web/js/salesforce.js | 0/1 | 0
web/var/www/public_html/wp-config.php | 0/12 | 0
web/django/settings.py | 0/1 | 0
.ftpconfig | 0/5 | 0
.git-credentials | 0/1 | 0
proftpdpasswd | 0/1 | 0
filezilla/filezilla.xml | 0/3 | 0
.esmtprc | 0/3 | 0
db/dbeaver-data-sources.xml | 0/1 | 0
web/ruby/config/master.key | 0/1 | 0
cloud/.s3cfg | 0/3 | 0
config | 0/4 | 0
web/js/salesforce.js | 0/1 | 0
filezilla/recentservers.xml | 0/6 | 0
.netrc | 0/2 | 0
.esmtprc | 0/3 | 0
db/.pgpass | 0/1 | 0
db/robomongo.json | 0/7 | 0
web/ruby/config/master.key | 0/1 | 0
.git-credentials | 0/1 | 0
.ssh/id_rsa.pub | 0/1 | 0
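--- a/.leaky-meta/benchmarking/GITLEAKS.md
+++ b/.leaky-meta/benchmarking/GITLEAKS.md
@@ -0,0 +1,52 @@
+Tool: https://github.com/zricethezav/gitleaks
+Command Used: `gitleaks --report=.leaky-meta/gitleaks.json --repo-path .`
+Files covered: 6/44 (13.64% coverage)
+Total finds: 8/179 (4.47% coverage)
+False Positives: 0
+
+File Name | Found/Total | False Positives |
+---------------------------------------|----------------|-----------------|
+.bash_profile | 2/11 | 0
+.bashrc | 2/6 | 0
+cloud/heroku.json | 1/2 | 0
+.ssh/id_rsa | 1/1 | 0
+misc-keys/cert-key.pem | 1/1 | 0
+db/mongoid.yml | 1/1 | 0
+filezilla/recentservers.xml | 0/6 | 0
+ventrilo_srv.ini | 0/2 | 0
+web/var/www/public_html/.htpasswd | 0/1 | 0
+.remote-sync.json | 0/3 | 0
+sftp-config.json | 0/4 | 0
+.docker/.dockercfg | 0/6 | 0
+cloud/.s3cfg | 0/3 | 0
+web/django/settings.py | 0/1 | 0
+.ftpconfig | 0/5 | 0
+.npmrc | 0/3 | 0
+web/var/www/public_html/config.php | 0/4 | 0
+.mozilla/firefox/logins.json | 0/28 | 0
+web/ruby/secrets.yml | 0/3 | 0
+cloud/.credentials | 0/4 | 0
+misc-keys/putty-example.ppk | 0/2 | 0
+db/dump.sql | 0/10 | 0
+etc/shadow | 0/1 | 0
+cloud/.tugboat | 0/3 | 0
+.idea/WebServers.xml | 0/2 | 0
+config | 0/4 | 0
+web/js/salesforce.js | 0/1 | 0
+hub | 0/2 | 0
+.vscode/sftp.json | 0/4 | 0
+web/var/www/public_html/wp-config.php | 0/12 | 0
+proftpdpasswd | 0/1 | 0
+filezilla/filezilla.xml | 0/3 | 0
+web/var/www/.env | 0/10 | 0
+db/dbeaver-data-sources.xml | 0/1 | 0
+.netrc | 0/2 | 0
+deployment-config.json | 0/4 | 0
+.docker/config.json | 0/6 | 0
+.esmtprc | 0/3 | 0
+db/.pgpass | 0/1 | 0
+db/robomongo.json | 0/7 | 0
+web/ruby/config/master.key | 0/1 | 0
+.git-credentials | 0/1 | 0
+.ssh/id_rsa.pub | 0/1 | 0
+high-entropy-misc.txt | 0/2 | 0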
2 changes: 1 addition & 1 deletion .leaky-meta/benchmarking/GITROB.md
Expand Up @@ -2,7 +2,7 @@
Tool: https://github.com/michenriksen/gitrob
Command Used: `gitrob (web interface)`
Files covered: 2/44 (4.54% coverage)
Total finds: 3/179
Total finds: 3/179 (1.67% coverage)
False Positives: 0

File Name | Found/Total | False Positives |
54 changes: 27 additions & 27 deletions .leaky-meta/benchmarking/TRUFFLEHOG.md
@@ -1,7 +1,7 @@
Tool: https://github.com/dxa4481/truffleHog
Command Used: `trufflehog --json --regex .`
Files covered: 23/44 (52.27% coverage)
Total finds: 40/179
Total finds: 40/179 (22.35% coverage)
False Positives: 43

File Name | Found/Total | False Positives |
Expand All @@ -10,43 +10,43 @@ misc-keys/cert-key.pem | 25/1 | 24
misc-keys/putty-example.ppk | 21/2 | 19
db/dump.sql | 8/10 | 0
web/ruby/secrets.yml | 3/3 | 0
filezilla/recentservers.xml | 2/6 | 0
.docker/.dockercfg | 2/6 | 0
.mozilla/firefox/logins.json | 2/28 | 0
cloud/.credentials | 2/4 | 0
cloud/.tugboat | 2/3 | 0
high-entropy-misc.txt | 2/2 | 0
.docker/config.json | 2/6 | 0
.mozilla/firefox/logins.json | 2/28 | 0
.docker/.dockercfg | 2/6 | 0
filezilla/recentservers.xml | 2/6 | 0
.bashrc | 1/6 | 0
high-entropy-misc.txt | 2/2 | 0
cloud/.s3cfg | 1/3 | 0
cloud/heroku.json | 1/2 | 0
.ssh/id_rsa | 1/1 | 0
web/var/www/.env | 1/10 | 0
db/mongoid.yml | 1/1 | 0
proftpdpasswd | 1/1 | 0
etc/shadow | 1/1 | 0
cloud/heroku.json | 1/2 | 0
hub | 1/2 | 0
.ssh/id_rsa.pub | 1/1 | 0
web/ruby/config/master.key | 1/1 | 0
cloud/.s3cfg | 1/3 | 0
proftpdpasswd | 1/1 | 0
.bash_profile | 1/11 | 0
db/.pgpass | 0/1 | 0
web/var/www/.env | 1/10 | 0
web/ruby/config/master.key | 1/1 | 0
db/mongoid.yml | 1/1 | 0
.bashrc | 1/6 | 0
.ssh/id_rsa.pub | 1/1 | 0
ventrilo_srv.ini | 0/2 | 0
web/var/www/public_html/.htpasswd | 0/1 | 0
.netrc | 0/2 | 0
.vscode/sftp.json | 0/4 | 0
.npmrc | 0/3 | 0
web/var/www/public_html/wp-config.php | 0/12 | 0
.remote-sync.json | 0/3 | 0
sftp-config.json | 0/4 | 0
web/django/settings.py | 0/1 | 0
.ftpconfig | 0/5 | 0
.git-credentials | 0/1 | 0
filezilla/filezilla.xml | 0/3 | 0
sftp-config.json | 0/4 | 0
.esmtprc | 0/3 | 0
db/dbeaver-data-sources.xml | 0/1 | 0
.npmrc | 0/3 | 0
web/var/www/public_html/config.php | 0/4 | 0
.idea/WebServers.xml | 0/2 | 0
config | 0/4 | 0
web/js/salesforce.js | 0/1 | 0
web/var/www/public_html/config.php | 0/4 | 0
ventrilo_srv.ini | 0/2 | 0
db/robomongo.json | 0/7 | 0
.remote-sync.json | 0/3 | 0
.vscode/sftp.json | 0/4 | 0
web/var/www/public_html/wp-config.php | 0/12 | 0
filezilla/filezilla.xml | 0/3 | 0
db/dbeaver-data-sources.xml | 0/1 | 0
.netrc | 0/2 | 0
deployment-config.json | 0/4 | 0
.esmtprc | 0/3 | 0
db/.pgpass | 0/1 | 0
db/robomongo.json | 0/7 | 0
.git-credentials | 0/1 | 0
9 changes: 8 additions & 1 deletion .leaky-meta/install-test-tools.sh
@@ -1,7 +1,14 @@
#!/bin/bash
if if ! type "pip" > /dev/null; then
if ! type "pip" > /dev/null
then
echo "Pip and Python are required for installing detect-secrets and truffleHog, but pip was not found!"
exit 1
fi

mkdir -p ~/.local/bin
if [ ! -f ~/.local/bin/gitleaks ]; then
wget https://github.com/zricethezav/gitleaks/releases/download/v2.1.0/gitleaks-linux-amd64 -O ~/.local/bin/gitleaks
chmod +x ~/.local/bin/gitleaks
fi

pip install detect-secrets truffleHog
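Review bot: The new gitleaks install line `wget https://github.com/zricethezav/gitleaks/releases/download/v2.1.0/gitleaks-linux-amd64 -O ~/.local/bin/gitleaks` runs with no integrity check on the downloaded binary, and because `wget -O` creates the destination before the transfer, a failed or truncated download leaves a file that satisfies `[ ! -f ~/.local/bin/gitleaks ]` on every later run, so the broken binary is never replaced. Pinning v2.1.0 is the right start; finishing it means downloading to a temporary file, checking its sha256 against the digest published with that release, and moving it into place only on success. Whether `~/.local/bin` is on PATH when benchmark.py later looks up `gitleaks` is not visible in this diff.
```bash
# … unchanged: pip presence check …
mkdir -p ~/.local/bin
if [ ! -f ~/.local/bin/gitleaks ]; then
    tmp="$(mktemp)"
    wget https://github.com/zricethezav/gitleaks/releases/download/v2.1.0/gitleaks-linux-amd64 -O "$tmp" \
        || { rm -f "$tmp"; echo "gitleaks download failed"; exit 1; }
    # <EXPECTED_SHA256> is a placeholder: take the digest from the v2.1.0 release assets
    echo "<EXPECTED_SHA256>  $tmp" | sha256sum -c - \
        || { rm -f "$tmp"; echo "gitleaks checksum mismatch"; exit 1; }
    chmod +x "$tmp"
    mv "$tmp" ~/.local/bin/gitleaks
fi
# … unchanged: pip install …
```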
2 changes: 1 addition & 1 deletion db/robomongo.json
Expand Up @@ -24,7 +24,7 @@
"sshPrivateKey" : "",
"sshPublicKey" : "",
"sshUserName" : "root",
"sshUserPassword" : "",
"sshUserPassword" : "roboMongoSSHPass",
"sslEnabled" : false,
"sslPemKeyFile" : ""
}
