Implement first version of a spring application that helps to categorize and verify secretscan results

[winzj]

Situation

Currently we rely on the secret scan results of the tools we are using. If the secret scan does not categorize findings with the appropriate severity we currently take the default of the tool, or in case of SARIF the default of the reporting format. We want to be able to categorize the findings more accurately, e.g. by using defaults on our own experience or trying to verify secrets or tokens by performing API calls.

Example

To verify a Github personal access token we can try to access the Github API. This can be done for other APIs as well, which makes it easier to change the severity of a finding. Verified findings like valid Github personal access tokens will always be CRITICAL inside the SecHub report.

Solution

• an application that can run inside any secret scan pds-solution
• the application takes the given secret scan report (we start with the SARIF-2.1.0 format) and applies a more accurate categorization of the secrets
• the application also tries to verify secrets by calling dedicated APIs
• each finding of the SARIF report will then be provided with a generic SARIF properties bag, with defined key value patterns like:

  {
  "sechubSeverity": "CRITICAL",
  "sechubVerifiedBy": "https://api.example.com"
  }

• the spring application must be provided with a configuration that knows about the secret scanning tools rule structure. Here an example on how this could look like for pds-gitleaks:

  {
  "config" : [ {
  "ruleId" : "github-pat",
  "urls" : [ "https://api.github.com" ],
  "defaultSeverity" : "high",
  "verificationInformation" : {
        "verifiedHTTPStatus" : 200,
        "responseContains" : [ "" ],
  }
  }]
  }

Remark

The verification of the secrets will be an iterative process, because for each secret some research is necessary to collect all necessary data on the respective webservice that is needed to verify potential secrets.