credscan not detecting anything

[crazy-matt]

Hi,

I tested all combinations of configuration possible and I can't make credscan working. How I tested? Injecting a file containing:

username='administrator'
email='tester@gmail.com'

and using this workflow https://github.com/crazy-matt/pre-commit-manager/blob/main/.github/workflows/security_scanner.yml

which triggers a job working with the proper gitleaks action and a second one with your action.

While the first job fails reporting 2 findings, the second one run successfully outputing a table with 0 findings. The NG json file has his findings node empty too.

I run your action by overriding the credscan settings in .sastscanrc because I noticed that not doing so does not run credscan at all. I don't see the Secrets row in the Summary table at all when removing the scan_tools_args_map config from .sastscanrc

[prabhu]

@crazy-matt Let's setup an example repo to test and see what is going on. I remember excluding simple username and emails since these are usually not considered as secrets in a typical enterprise.

[crazy-matt]

It depends on the context actually. With GDPR, we should be able to scan them because some devs might be tempted pushing Personal Identifiable Information to do some mock testing

[prabhu]

Could you add a new rule similar to this one for capturing username and email. You can reduce the entropy to capture broad values.

https://github.com/ShiftLeftSecurity/sast-scan/blob/master/tools_config/credscan-config.toml#L175

[crazy-matt]

Isn't the rule below enough to do the job without entropy?

https://github.com/crazy-matt/pre-commit-manager/blob/feat%2Ftf-hooks/.security/credscan-config.toml#L84

[[rules]]
    description = "Email"
    regex = '''[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}'''
    tags = ["email"]
    [rules.allowlist]
        description = "ignore gitconfig emails"
        regexes = [
            '''[a-zA-Z0-9._%+-]+@users.noreply.github.com''',
            '''git@github.com''',
            '''git@gitlab.com''',
            '''(.*)Copyright(.*)''',
        ]

[crazy-matt]

I tried again with my rule (https://github.com/crazy-matt/pre-commit-manager/blob/6a8d586ecf4ec288ebbf935de0e793d7f9dafa4b/.security/credscan-config.toml#L84)

• yours (https://github.com/crazy-matt/pre-commit-manager/blob/6a8d586ecf4ec288ebbf935de0e793d7f9dafa4b/.security/credscan-config.toml#L100) slightly modified, but I'm not sure this one can handle this kind of leak.

And as you can see on the workflow below, the gitleaks action detects while credscan doesn't see anything: https://github.com/crazy-matt/pre-commit-manager/runs/3657105592?check_suite_focus=true

[prabhu]

can you set the env variable SCAN_DEBUG_MODE to debug. Let's see what file is passed to gitleaks via scan.

[prabhu]

@crazy-matt How about we invoke both credscan and credscan-git automatically? That would cover both existing and upcoming changes right?