intrigueio / intrigue-core

Discover Your Attack Surface!
https://core.intrigue.io

GitlabCredential Entity Support #437

Closed m-q-t closed 2 years ago

m-q-t commented 2 years ago

Hi team,

Please find attached the PR which adds support for the GitlabCredential entity. In order to support this entity, the task had to be slightly refactored to include an additional API route.

The original specs https://github.com/intrigueio/intrigue-core/blob/develop/spec/integration/gitlab_gather_projects.rb can be used to validate the task.

Here is a snippet of the bootstrap config which will add a GitlabCredential entity:

"seeds": [{
    "entity": "GitlabCredential#MyCreds1",
    "sensitive_details": {
        "gitlab_host": "https://gitlab.com",
        "gitlab_access_token": "EXAMPLE"
    }
},
{
    "entity": "GitlabCredential#gnome",
    "sensitive_details": {
        "gitlab_host": "https://gitlab.gnome.org",
        "gitlab_access_token": "EXAMPLE"
    }
}
]

Thank you.

Best regards, Maxim

m-q-t commented 2 years ago

@shpendk brought up a wonderful point that if a GitlabProject was created using a GitlabCredential, that credential would not be associated with the project. Because of this, if a private GitlabProject was passed to the Gitleaks task, there would be no results found, as Gitleaks would be unable to access the private project.

As such, GitlabProject entities store the Entity ID of the GitlabCredential they were created with (if one was used in the first place, as GitlabProject entities could be created from the key stored in the task.config or with no key at all (private repos)).
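
A pre-flight check for the seed format shown in the PR description, as an added example that is not code from this PR or from intrigue-core: it flags GitlabCredential seeds whose token sits outside `sensitive_details`, whose host is not HTTPS, or whose name is duplicated. The function name, the `details` key in the second sample seed, and the rule that a token belongs only under `sensitive_details` are assumptions made for illustration.

```ruby
require "json"
require "uri"

# Keys taken from the seed snippet in the PR description.
REQUIRED_KEYS = %w[gitlab_host gitlab_access_token].freeze

# Hypothetical helper: returns a list of problems found in GitlabCredential seeds.
def lint_gitlab_credential_seeds(config)
  problems = []
  seen = {}
  config.fetch("seeds", []).each_with_index do |seed, idx|
    type, name = seed["entity"].to_s.split("#", 2)
    next unless type == "GitlabCredential"

    label = "seed #{idx} (#{name.inspect})"
    problems << "#{label}: missing name after '#'" if name.to_s.empty?
    problems << "#{label}: duplicate credential name" if seen[name]
    seen[name] = true

    sensitive = seed["sensitive_details"] || {}
    REQUIRED_KEYS.each do |key|
      problems << "#{label}: #{key} missing from sensitive_details" if sensitive[key].to_s.strip.empty?
    end
    # Assumption: any other hash on the seed is not meant to hold secrets.
    seed.each do |field, value|
      next if field == "sensitive_details" || !value.is_a?(Hash)
      problems << "#{label}: gitlab_access_token found under #{field}" if value.key?("gitlab_access_token")
    end
    # The token is presented to gitlab_host, so require an https:// URL with a host part.
    host = sensitive["gitlab_host"].to_s
    uri = (URI.parse(host) rescue nil)
    if !host.empty? && !(uri.is_a?(URI::HTTPS) && uri.host)
      problems << "#{label}: gitlab_host must be an https:// URL"
    end
  end
  problems
end

# Constructed sample input (not a real config); tokens are placeholders.
SAMPLE = JSON.parse(<<~CFG)
  {"seeds": [
    {"entity": "GitlabCredential#MyCreds1",
     "sensitive_details": {"gitlab_host": "https://gitlab.com", "gitlab_access_token": "EXAMPLE"}},
    {"entity": "GitlabCredential#gnome",
     "details": {"gitlab_access_token": "EXAMPLE"},
     "sensitive_details": {"gitlab_host": "http://gitlab.gnome.org"}}
  ]}
CFG
puts lint_gitlab_credential_seeds(SAMPLE)
```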