cloud-gov / caulking

Prevent leaks with gitleaks, and use tests to validate

Generic credentials is triggered too easily #62

Open pburkholder opened 2 years ago

pburkholder commented 2 years ago

In order to avoid false positives, commits like adding cg-scripts/log4j* files should not trigger the Generic Credentials rules:

Here's sample output:

INFO[0000] opening .
{
    "line": "csvwriter.writerow([\"Path\",\"Node_0\",\"Instance_GUID\",\"Customer_Path\",\"Plugin_URLS\",\"App_GUID\",\"App_Name\",\"Space_Name\",\"Org_Name\",\"Org_Managers\",\"Space_Devs\"])",
    "lineNumber": 2,
    "offender": "GUID\",\"Customer_Path\",\"Plugin_URLS\",\"App_GUID\",\"App_Name\",\"Space_Name\",\"Org_Name\",\"Org_Managers\",\"Space_Devs\"",
    "offenderEntropy": -1,
    "commit": "0000000000000000000000000000000000000000",
    "repo": "cg-scripts",
    "repoURL": "",
    "leakURL": "",
    "rule": "Generic Credential",
    "commitMessage": "",
    "author": "",
    "email": "",
    "file": "audit/log4j-nessus-parser.py",
    "date": "1970-01-01T00:00:00Z",
    "tags": "key, API, generic"
}
{
    "line": "app_guid_file = open(\"app_guids\", \"r\")",
    "lineNumber": 2,
    "offender": "guid_file = open(\"app_guids\"",
    "offenderEntropy": -1,
    "commit": "0000000000000000000000000000000000000000",
    "repo": "cg-scripts",
    "repoURL": "",
    "leakURL": "",
    "rule": "Generic Credential",
    "commitMessage": "",
    "author": "",
    "email": "",
    "file": "audit/log4j-report-users.py",
    "date": "1970-01-01T00:00:00Z",
    "tags": "key, API, generic"
}

Acceptance Criteria

Security considerations

Reducing false positives supports use of this tool.
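The two findings above both come from a keyword-plus-quoted-token pattern firing on the substring "guid", which is a sub-word of a variable name rather than an assignment of a secret. The block below is an added example, not caulking's or gitleaks' own code: it uses a simplified stand-in regex (an approximation of a "generic credential" rule, not the real one) to reproduce the over-eager behaviour on lines constructed from the issue's output, then shows two tuning options a maintainer can apply: a path allowlist for the cg-scripts audit files (the path pattern is an assumption) and a tightened rule that requires a whole-word keyword followed by an assignment before the quoted value. A constructed third line with a fake API key shows that both tunings keep a genuine-looking secret detectable.

```python
import re

# Simplified stand-in for a "generic credential" rule: keyword, up to 20
# arbitrary characters, then a quoted token. This is NOT gitleaks' real
# pattern; it is constructed to reproduce the false positives in the issue.
LOOSE_GENERIC_CREDENTIAL = re.compile(
    r'(?i)(api_key|apikey|secret|key|api|password|guid)'
    r'(.{0,20})?["\']([0-9a-zA-Z_\-/+=]{4,120})["\']'
)

# Tightened variant: whole-word keyword, an assignment operator, then the
# quoted value. Sub-word hits such as "app_guid_file" no longer qualify.
TIGHT_GENERIC_CREDENTIAL = re.compile(
    r'(?i)\b(api_key|apikey|secret|password|guid)\b'
    r'\s*[:=]\s*["\']([0-9a-zA-Z_\-/+=]{8,120})["\']'
)

# Hypothetical path allowlist, in the spirit of a gitleaks [allowlist] paths
# entry, covering the cg-scripts log4j audit scripts named in the issue.
ALLOW_PATHS = [re.compile(r'^audit/log4j-.*\.py$')]

# Constructed sample input: (path, line) pairs. The first two mirror the
# issue's findings; the third is a fake key used to show true positives survive.
SAMPLE_LINES = [
    ("audit/log4j-nessus-parser.py",
     'csvwriter.writerow(["Path","Node_0","Instance_GUID","Customer_Path",'
     '"Plugin_URLS","App_GUID","App_Name","Space_Name","Org_Name",'
     '"Org_Managers","Space_Devs"])'),
    ("audit/log4j-report-users.py",
     'app_guid_file = open("app_guids", "r")'),
    ("config/settings.py",
     'api_key = "AKIAEXAMPLEFAKEKEY0000"'),
]


def scan(entries, rule, allow_paths=()):
    """Return (path, offender) for each line the rule matches.

    Lines in files matching any allow_paths pattern are skipped before the
    rule runs, which is how a path allowlist suppresses a finding.
    """
    findings = []
    for path, line in entries:
        if any(p.search(path) for p in allow_paths):
            continue
        m = rule.search(line)
        if m:
            findings.append((path, m.group(0)))
    return findings


def loose_findings():
    # Baseline: the loose rule fires on all three lines.
    return scan(SAMPLE_LINES, LOOSE_GENERIC_CREDENTIAL)


def allowlisted_findings():
    # Option 1: keep the loose rule, suppress the audit scripts by path.
    return scan(SAMPLE_LINES, LOOSE_GENERIC_CREDENTIAL, ALLOW_PATHS)


def tightened_findings():
    # Option 2: no allowlist, but require a real assignment to a keyword.
    return scan(SAMPLE_LINES, TIGHT_GENERIC_CREDENTIAL)


if __name__ == "__main__":
    for label, result in [("loose", loose_findings()),
                          ("allowlisted", allowlisted_findings()),
                          ("tightened", tightened_findings())]:
        print(f"{label}: {len(result)} finding(s)")
        for path, offender in result:
            print(f"  {path}: {offender}")
```

The allowlist is the quicker fix but only helps for paths you know in advance; the tightened rule addresses the root cause (a keyword matched inside a longer identifier) and so generalises to new scripts, at the cost of missing secrets written without an assignment operator.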