Situation
Currently we rely on the secret scan results of the tools we are using. If the secret scanner does not categorize its findings with an appropriate severity, we currently take the default of the tool, or in the case of SARIF the default of the reporting format. We want to be able to categorize the findings more accurately, e.g. by applying defaults based on our own experience, or by trying to verify secrets or tokens with API calls.

Example
To verify a GitHub personal access token we can try to access the GitHub API with it. The same can be done for other APIs, which makes it easier to change the severity of a finding. Verified findings, such as valid GitHub personal access tokens, will always be CRITICAL inside the SecHub report.

Solution
- an application that can run inside any secret scan pds-solution
- the application takes the given secret scan report (we start with the SARIF 2.1.0 format) and applies a more accurate categorization of the secrets
- the application also tries to verify secrets by calling dedicated APIs
- each finding of the SARIF report will then be provided with a generic SARIF properties bag, with defined key/value patterns like:
- the Spring application must be provided with a configuration that knows about the secret scanning tool's rule structure. Here is an example of how this could look for pds-gitleaks:

Remark
The verification of secrets will be an iterative process, because for each secret type some research is necessary to collect all the data about the respective web service that is needed to verify potential secrets.
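To make the proposed flow concrete, here is an added example (not the SecHub project's own code) that annotates SARIF 2.1.0 results with a severity and a verification result. The property names `secretscan.severity` and `secretscan.verified`, the rule-config shape, and the assumption that the scanner puts the matched secret into the region snippet are all my own assumptions; the sample findings and the offline verifier are constructed.

```python
import urllib.request
from typing import Callable, Dict, Optional

# Fallback when a rule has no configured severity: the SARIF 'level' (default "warning").
LEVEL_TO_SEVERITY = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW", "none": "INFO"}

def verify_github_token(token: str) -> bool:
    """Real check: a valid personal access token can read /user on the GitHub API."""
    req = urllib.request.Request("https://api.github.com/user",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status == 200
    except Exception:  # network error or 401/403: treat the secret as not verified
        return False

def secret_of(result: Dict) -> Optional[str]:
    """Assumption: the scanner wrote the matched secret into the region snippet."""
    try:
        return result["locations"][0]["physicalLocation"]["region"]["snippet"]["text"]
    except (KeyError, IndexError):
        return None

def categorize(sarif: Dict, rule_config: Dict[str, Dict]) -> Dict:
    """Attach 'secretscan.severity' / 'secretscan.verified' (assumed property names);
    rule_config maps a tool rule id to {"severity": str, "verify": callable}."""
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            rule = rule_config.get(result.get("ruleId", ""), {})
            level = result.get("level", "warning")
            severity = rule.get("severity") or LEVEL_TO_SEVERITY.get(level, "MEDIUM")
            verify: Optional[Callable[[str], bool]] = rule.get("verify")
            secret = secret_of(result)
            verified = bool(verify and secret and verify(secret))
            if verified:  # a live secret is always CRITICAL, whatever the rule default says
                severity = "CRITICAL"
            result.setdefault("properties", {}).update(
                {"secretscan.severity": severity, "secretscan.verified": verified})
    return sarif

def fake_github_verifier(token: str) -> bool:
    """Offline stand-in for verify_github_token; treats the constructed token as live."""
    return token.startswith("ghp_FAKE")

# Constructed gitleaks-style findings (all secret values are fake) and an assumed rule config.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "github-pat", "locations": [{"physicalLocation": {"region": {"snippet": {"text": "ghp_FAKE0000000000000000000000000000"}}}}]},
    {"ruleId": "generic-api-key", "locations": [{"physicalLocation": {"region": {"snippet": {"text": "AKIAFAKEFAKEFAKEFAKE"}}}}]},
    {"ruleId": "unknown-rule", "level": "note"}]}]}
RULE_CONFIG = {"github-pat": {"severity": "HIGH", "verify": fake_github_verifier}, "generic-api-key": {"severity": "MEDIUM"}}
```

Swap `fake_github_verifier` for `verify_github_token` in the rule config to perform the real API call; unknown rule ids fall back to the SARIF level mapping.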