leaktk / scanner

Provides a consistent API around some existing scanning tools to integrate them with the rest of the tool kit
MIT License

RFE: Secret redaction feature #78

Open ascerra opened 1 day ago

ascerra commented 1 day ago

This issue is a request for new functionality.

When integrating the leaktk tool into our CI we are using the command

leaktk scan --kind Files --resource /workspace | leaktk-remove-files /workspace

This presents a problem when debugging failures with our users. Instead of removing the file completely, could we have the option to just redact the problematic line or string that was identified?

For example, take this output.log file containing "this is my token: eydhn94mksknvkk2" (don't worry, not a real token) and turn it into "this is my token: XXXXXXXXXXXXXXXX".

bplaxco commented 20 hours ago

It's definitely doable; though, I do have a few concerns:

[1] One concrete example of this is that the AWS access key id rule is very good at finding things, but the secret key rule can miss things sometimes. By blowing away the whole file, it handles the keypair match in either case.

Would you be up for brainstorming a few alternate ideas?

Examples:

ascerra commented 20 hours ago

Ya we're definitely up for a brainstorm on this.

The good news is that the file removal is not a blocker for us. We will implement this, still using that for now to improve security; then we can have this brainstorm to discuss possible ways to make debugging easier for our users.
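As an added illustration of the redaction behaviour requested above, and of the concern raised about paired findings (an access key id detected while the matching secret key is missed), here is a small Python redactor. It is example code, not part of the leaktk project or either commenter's work. The finding format, the rule names and the per-rule policy table are assumptions chosen for the example; the real scanner output format is not assumed. The policy makes the trade-off explicit: most rules redact only the matched string, keeping the surrounding line readable for debugging, while rules that flag one half of a key pair fall back to replacing the whole file body, which is the behaviour the file-removal step gives today.

```python
"""Finding-driven secret redaction (added example, not leaktk's own code).

Three redaction modes are applied per rule (assumed policy, not a leaktk setting):
  "match" - replace every occurrence of the matched secret with X's of the same
            length, anywhere in the file, so the rest of the log stays readable
  "line"  - blank the whole reported line, for rules whose match boundaries
            are not reliable enough to trust a substring replacement
  "file"  - replace the entire file body, for rules that find one half of a
            pair (e.g. an access key id) whose other half the scanner may miss
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List

DEFAULT_POLICY = "match"
RULE_POLICY = {                      # assumed rule names, for illustration only
    "generic-token": "match",
    "private-key": "line",
    "aws-access-key-id": "file",
}
FILE_PLACEHOLDER = "[REDACTED: whole file removed by leak scan]\n"


@dataclass(frozen=True)
class Finding:
    path: str
    line: int        # 1-based line number reported by the scanner
    rule: str
    match: str       # the secret string the scanner matched


def parse_findings(jsonl: str) -> List[Finding]:
    """Parse one JSON object per line; this is a constructed format for the example."""
    out = []
    for raw in jsonl.splitlines():
        if not raw.strip():
            continue
        d = json.loads(raw)
        out.append(Finding(d["path"], int(d["line"]), d["rule"], d["match"]))
    return out


def redact_text(text: str, findings: Iterable[Finding],
                policy: Dict[str, str] = RULE_POLICY) -> str:
    """Return a redacted copy of `text` for the findings that belong to this file."""
    findings = list(findings)
    # Any "file"-policy hit wins: we cannot be sure the paired secret was caught.
    if any(policy.get(f.rule, DEFAULT_POLICY) == "file" for f in findings):
        return FILE_PLACEHOLDER
    lines = text.split("\n")
    for f in findings:
        mode = policy.get(f.rule, DEFAULT_POLICY)
        idx = f.line - 1
        if mode == "line":
            if 0 <= idx < len(lines):
                lines[idx] = "X" * len(lines[idx])
        elif f.match:
            # Same-length replacement keeps alignment; applied to every line,
            # not just the reported one, in case the token is echoed elsewhere.
            mask = "X" * len(f.match)
            lines = [ln.replace(f.match, mask) for ln in lines]
    return "\n".join(lines)


def redact_files(contents: Dict[str, str], findings: Iterable[Finding],
                 policy: Dict[str, str] = RULE_POLICY) -> Dict[str, str]:
    """Group findings by path and redact each in-memory file body."""
    by_path: Dict[str, List[Finding]] = {}
    for f in findings:
        by_path.setdefault(f.path, []).append(f)
    return {p: redact_text(t, by_path.get(p, []), policy) for p, t in contents.items()}


# Constructed sample input: the token is the placeholder from the issue above;
# the AWS key id is the public example value from AWS documentation.
SAMPLE_CONTENTS = {
    "output.log": "starting build\nthis is my token: eydhn94mksknvkk2\ndone\n",
    "env.txt": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nREGION=us-east-1\n",
}
SAMPLE_FINDINGS = """\
{"path": "output.log", "line": 2, "rule": "generic-token", "match": "eydhn94mksknvkk2"}
{"path": "env.txt", "line": 1, "rule": "aws-access-key-id", "match": "AKIAIOSFODNN7EXAMPLE"}
"""


def demo() -> Dict[str, str]:
    return redact_files(SAMPLE_CONTENTS, parse_findings(SAMPLE_FINDINGS))


if __name__ == "__main__":
    for path, body in demo().items():
        print(f"--- {path} ---\n{body}", end="")
```

In a CI pipeline this would sit where the file-removal step sits now, fed by the scanner's findings; the "file" policy entries are the place to list rules where a partial redaction would leave the other half of a credential behind.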