DuckBaccon / intro-to-semgrep

https://lab.github.com/returntocorp/intro-to-semgrep
MIT License

Scanning for Secrets #4

Open github-learning-lab[bot] opened 2 years ago

github-learning-lab[bot] commented 2 years ago

Including hard-coded secrets in source code is dangerous, as the source code may leak, be compromised, or be pushed to a public location on GitHub.

There have been a number of cases where leaked AWS, GitHub, or other API keys have led to companies being compromised, having user data leaked, huge cloud bills run up, and more.

Let's try to prevent that from happening in the first place.

⌨️ Activity: Finding Secrets

The Semgrep Registry comes with over 1,000 rules from r2c and the community that provide out-of-the-box coverage for a variety of vulnerability classes, including the Top 10.

Here we're going to leverage the Registry to quickly start scanning for secrets.

(Note: at the time of this writing, the Secrets pack is included in Semgrep Cloud's default policies. This means that the first step is unnecessary. I've left those instructions in as examples of how to add rulesets to your scanning Policies.)

  1. Visit the Secrets ruleset page, click the "Add to Policy" button to add it to your "Security Policy" policy, and re-scan this PR.
  2. Review the files changed in this PR (you can also click on the "Files changed" tab at the top of this page), and note that it looks like there are some API tokens that are not currently being flagged by Semgrep's built-in secret detection rules.
    • Let's create a rule to detect these secrets! We can see that they appear to start with CUSTOMAPI_ and end with 10 digits.
    • We can copy the structure of one of the existing secrets rules. I've done that for you here.
    • Add a regex that matches both cases. Hint: use regex101 if you need help.
  3. When you're done, click the "Add to Policy" button to add it to your "Security Policy" policy, and re-scan this PR.

Yay, you're done!
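As an added illustration, not part of the original lab or any r2c ruleset, here is a Semgrep rule in the shape the activity describes. The PR's files are not visible here, so the regex assumes the tokens are the literal prefix CUSTOMAPI_, optional letters/digits/underscores, and a trailing run of exactly 10 digits; adjust the character class to the real format.

```yaml
rules:
  - id: detected-customapi-token
    # Assumed token shape (the PR contents are not visible in this thread):
    # the literal prefix CUSTOMAPI_, any [A-Za-z0-9_] characters, then a run
    # of 10 digits. \b on both ends anchors the match to a whole token rather
    # than a substring buried inside a longer word.
    pattern-regex: \bCUSTOMAPI_[A-Za-z0-9_]*[0-9]{10}\b
    # Matching raw text instead of a parsed language lets the rule fire in
    # config files, docs and scripts as well as source code.
    languages: [regex]
    severity: ERROR
    message: >-
      A hard-coded CUSTOMAPI token appears in this file. Treat it as exposed:
      revoke it, then load the replacement from an environment variable or a
      secrets manager at runtime instead of committing it.
    metadata:
      category: security
      subcategory: [vuln]
      technology: [secrets]
      cwe: "CWE-798: Use of Hard-coded Credentials"
      confidence: HIGH
      likelihood: HIGH
      impact: HIGH
```

To check the rule before adding it to a policy, pair it with a same-named test file whose matching lines carry a `# ruleid: detected-customapi-token` annotation and run `semgrep --test` on the directory.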

DuckBaccon commented 2 years ago

.