Framework to scan all of our unarchived repositories for any leaks, ever.
To use, `cd org-scan/; ./scan_org.sh`
This is not perfect. It represents a working 0.1 release. It's still lacking:
- A README with guidance on why the patterns excluded from the parent are reasonable - DONE
- A mechanism for checkpointing the last scanned commit, and only scanning forward from that point in the future
This is needed as the patterns now pick up a lot of matches in YAML files that I reviewed along with our 3PAO. So we should only scan using `--commit-to` flags from now on.
ALSO - removed the test for 40 consecutive base64 characters - it produced too many false positives, especially since Git commit hashes are also matches.
This PR also includes the results from two scans, in `./org-scan/results-2020-05-29` and `./org-scan/results.2020-06-17/`. The first of these is a "clean" scan with no WARN messages. The second has a lot of "WARN" messages, but I have reviewed the results from those scans and determined they're all false positives.
Security considerations
Not operational code, no information leakage.