create a secrets detection testbed branch with revoked credentials

[commjoen]

Steps to take:

• [x] List secrets present in this issue
• [x] Create a link to this issue in the web interface https://github.com/commjoen/wrongsecrets/pull/250
• [x] Implement keys below in a separate branch with a script to generate a container from it which can be scanned
• [x] Add master merging script for the .github/scripts/docker-create-and-push.sh

Keys that can be added:

• [x] Azure
• [x] AWS
• [x] GCP
• [x] Git credentials :SSH key
• [x] Git credentials: developer token
• [x] private key RSA key & private ECC key
• [x] GPG keychain (armored and notarmored)
• [x] AES keys
• [x] Slack callback
• [x] kubeconfig
• [x] QR-code (will be hard to represent a secret which is detactable other than through entropy,skipping it)
• [x] BasicAuth
• [x] gradle credentials
• [x] mvn credentials
• [x] NPM
• [x] Firebase push notification keys (android/ios)
• [x] OTP Seed
• [x] segment.io access keys
• [x] Vault root token & unseal keys
• [x] Any JWT Token
• [x] Gitlab PAT
• [x] Gpg armoured export private and public keys
• [x] Azure devops access token
• [x] onepassword emergency kit, 1password-credentials.json and accesstokens
• [x] keybase paperkey
• [ ] IBM-cloud?
• [ ] Nomad credentials (wait till https://github.com/commjoen/wrongsecrets/issues/299 happens)
• [ ] Spring boot Session token
• [x] Slack access tokens:bottoken & usertoken, applevel token & config token (requested..pending)
• [ ] Braze API-keys (requested)
• [ ] Lastpass integration/api-key
• [ ] Confidant key
• [x] Docker hub access token
• [x] Vagrant cloud access token
• [ ] confluence/jira secrets
• [ ] AWS instance profile
• [ ] add dockerconfig (https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
• [ ] secrets above with encodings (base64, Hex encoding)
• [ ] Database connection strings
• [ ] OIDC token

which other secret would you like to add? please comment

[commjoen]

Current secrets stored in the repo/docker/k8s/cloud:

1. 5 Random human rememberable passwords in Git & Docker container
2. 1 file containing a secret base64 encoded in Docker
3. 1 random passwords in Java code with higher entropy (not used)
4. 3 AWS keypairs in git history
5. 3 secrets in TF state (requires cloud installation)
6. 1 human readable secret in k8s/secret, 1 in k8s/configmap (requires k8s/cloud installation)
7. 1 root token for vault after deployment of vault(requires vault&k8s/cloud installation)
8. 1 root token and unseal keys comitted (git show 6c4715c)
9. 1 random value generated after startup
10. 1 secret in github action
11. 1 AES key
12. multiple ciphertexts (6)
13. 1 human readable secret in pw manager file(keepass)
14. 5 canarytoken-urls in container&code
15. multiple secrets in java testing code (of which some used in the actual app)
16. secrets in cross-compiled C binaries (2 secrets/binary for 3 binaries)
17. 1 client credential
18. 2 weak password hashes (md5/sha1)
19. 3 hardcoded passwords in binaries (C/C++/Golang)

In https://github.com/commjoen/wrongsecrets/tree/experiment-bed :

1. 1 Azure dotifle
2. 1 Azure Devops access token
3. 1 AES key
4. 1 basic auth enriched curl script
5. 1 Callback url for Slack (invalidated)
6. 1 Docker hub access token
7. 1 ECC keypair
8. 1 Firebase project config
9. 1 gCP service account access key export (blocked/disabled)
10. github dev token (revoked)
11. gitlab access/email/feed tokens (revoked)
12. github access key(ssh)/1 SSH key pair (RSA-4096)
13. 1 gpg armored gpg exported private/public key
14. 1 gpg binary private/secret keyring
15. 1 kubeconfig (canarytoken)
16. jwt.io generated jwt token with rs256 required keys
17. Keybase paperkey
18. Maven and Gradle auth setup (not working)
19. NPM credentials (not working)
20. 1 OTP seed
21. 1 1Password emergency kit, JWT, and credentials file
22. 1RSA keypair
23. segment.io token
24. 1 Slack callback
25. 1 Vagrant access token
26. 2 slack tokens

[commjoen]

@bendehaan , what would be a good place to dump the other secrets for benchmarking? i guess we have to spread it a bit...

[commjoen]

Asked Slack via twitter for possible canarytokens...