grab / secret-scanner

MIT License

Needed Installation steps #1

Open vikas1389 opened 4 years ago

vikas1389 commented 4 years ago

Hi - we wanted to do a local repo scan. Could you please list the steps for installation? It would be best!

wkokolis commented 4 years ago

> Hi - we wanted to do a local repo scan. Could you please list the steps for installation? It would be best!

I tried to submit a PR for this, but cannot push to the repo.

Assuming you already have Go installed, do the following:

cd cmd/secret-scanner
go build

You can then copy the finished binary to wherever you'd like (somewhere on your PATH is best):

cp secret-scanner /usr/local/bin/secret-scanner

vikas1389 commented 4 years ago

@wkokolis By any chance would we have a docker image which will make its onboarding smooth?

vikas1389 commented 4 years ago

@wkokolis when I run go build I get the errors below:

main.go:18:2: cannot find package "github.com/grab/secret-scanner/scanner" in any of:
        /usr/lib/golang/src/github.com/grab/secret-scanner/scanner (from $GOROOT)
        /root/go/src/github.com/grab/secret-scanner/scanner (from $GOPATH)
main.go:19:2: cannot find package "github.com/grab/secret-scanner/scanner/gitprovider" in any of:
        /usr/lib/golang/src/github.com/grab/secret-scanner/scanner/gitprovider (from $GOROOT)
        /root/go/src/github.com/grab/secret-scanner/scanner/gitprovider (from $GOPATH)
main.go: cannot find package "github.com/grab/secret-scanner/scanner/options" in any of:
        /usr/lib/golang/src/github.com/grab/secret-scanner/scanner/options (from $GOROOT)
        /root/go/src/github.com/grab/secret-scanner/scanner/options (from $GOPATH)
main.go:21:2: cannot find package "github.com/grab/secret-scanner/scanner/session" in any of:
        /usr/lib/golang/src/github.com/grab/secret-scanner/scanner/session (from $GOROOT)
        /root/go/src/github.com/grab/secret-scanner/scanner/session (from $GOPATH)
main.go:16:2: cannot find package "github.com/joho/godotenv" in any of:
        /usr/lib/golang/src/github.com/joho/godotenv (from $GOROOT)
        /root/go/src/github.com/joho/godotenv (from $GOPATH)

wkokolis commented 4 years ago

@vikas1389 I could try to put one together, but either I'm messing up the build process as well or the software just doesn't work. I've scanned a repository that I am extremely confident should trigger a positive result, but the output is:

{
        "Stats": {
                "StartedAt": "2020-09-02T08:38:09.538004071-04:00",
                "FinishedAt": "2020-09-02T08:38:32.827943112-04:00",
                "Status": "finished",
                "Progress": 100,
                "Targets": 1,
                "Repositories": 1,
                "Commits": 0,
                "Files": 0,
                "Findings": 0
        },
        "Findings": null,
        "Repositories": [
                {
                        "Owner": "",
                        "ID": "REDACTED",
                        "Name": "REDACTED",
                        "FullName": "REDACTED/REDACTED",
                        "CloneURL": "https://github.com/REDACTED/REDACTED.git",
                        "URL": "https://api.github.com/repos/REDACTED/REDACTED",
                        "DefaultBranch": "master",
                        "Description": "",
                        "Homepage": ""
                }
        ],
        "StateStore": {
                "DataFile": {},
                "Records": {}
        }
}

I tried a second set of build commands, but the test results were no different:

git clone git@github.com:grab/secret-scanner
cd secret-scanner
cp cmd/secret-scanner/main.go .
CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -tags static_all -o ~/bin/scanner2 -v

For what it's worth, I'm running go 1.12.17 linux/amd64. I will keep working at it a little while longer, but it feels like a lost cause.

wkokolis commented 4 years ago

@vikas1389 Here's a Dockerfile which should at least help you get the software built. Again, I'm not really sure if I'm building this incorrectly or if it just doesn't work:

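# Base image tag; can be overridden with --build-arg GOVER=...
ARG GOVER=1.15.1-alpine
FROM golang:$GOVER

# Placeholder defaults only: pass the real token, org and repo
# at run time with `docker run -e ...` so they are not baked into the image.
ENV GITHUB_TOKEN=use
ENV ORG=real
ENV REPO=values

COPY . /build

WORKDIR /build

# Create an unprivileged user, install bash and git, and build a static binary.
RUN addgroup appguy \
  && adduser -S -G appguy appguy \
  && apk add --no-cache bash git \
  && cp cmd/secret-scanner/main.go . \
  && CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -tags static_all -o /usr/local/bin/secret-scanner -v \
  && chmod +x /usr/local/bin/secret-scanner

WORKDIR /

# Run the scanner as the unprivileged user, not root.
USER appguy

# Shell form, so ${ORG} and ${REPO} are expanded when the container starts.
CMD secret-scanner -repos ${ORG}/${REPO}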

Once built, run as follows:

docker run --rm -e GITHUB_TOKEN=<your_github_access_token> -e ORG=<github_org_name> -e REPO=<github_repo_name> <image_name>

Same results (shorter because no JSON output):

Github Scanning Started at 2020-09-02T13:10:26Z
Loaded 121 signatures
 Retrieved repository: <my_org>/<my_repo>
 Retrieved 1 repository from github
Analyzing 1 repository...
Gitlab Scanning Finished at 2020-09-02T13:10:37Z

Findings....: 0
Files.......: 0
Commits.....: 0
Repositories: 1
Targets.....: 1
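
Both runs in this thread finish with zero files and zero commits counted, so their zero findings cannot be read as a clean result. The following is an added example, not part of the thread or the project's code, that separates the two cases when a report is consumed by a pipeline; it assumes the JSON shape posted above, and the type, constant and function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Report mirrors only the Stats fields visible in the JSON posted in this thread.
type Report struct {
	Stats struct {
		Status       string
		Repositories int
		Files        int
		Findings     int
	}
}

// Verdict names are hypothetical, chosen for this example.
const (
	Clean      = "clean"
	HasSecrets = "findings"
	Incomplete = "incomplete"
	Hollow     = "nothing-scanned"
)

// Classify reports whether a scan result can be trusted as clean.
// A finished scan that counted no repositories or no files is "Hollow":
// its zero findings say nothing about the repository's contents.
func Classify(raw []byte) (string, error) {
	var r Report
	if err := json.Unmarshal(raw, &r); err != nil {
		return "", fmt.Errorf("unreadable report: %w", err)
	}
	s := r.Stats
	switch {
	case s.Status != "finished":
		return Incomplete, nil
	case s.Findings > 0:
		return HasSecrets, nil
	case s.Repositories == 0 || s.Files == 0:
		return Hollow, nil
	}
	return Clean, nil
}

// sample is constructed: the Stats block from the report above, trimmed.
const sample = `{"Stats":{"Status":"finished","Targets":1,"Repositories":1,"Commits":0,"Files":0,"Findings":0},"Findings":null}`

func main() {
	verdict, err := Classify([]byte(sample))
	fmt.Println(verdict, err)
}
```

A pipeline gate built on this would fail the job on every verdict other than `clean`, including `nothing-scanned`.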