detectors

package
v3.0.0-...-838862a
Warning

This package is not in the latest version of its module.

Published: Oct 2, 2023 License: AGPL-3.0 Imports: 13 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var DefaultFalsePositives = []FalsePositive{"example", "xxxxxx", "aaaaaa", "abcde", "00000", "sample", "www"}

var FalsePositiveWordlists = Wordlists{
	// contains filtered or unexported fields
}

Functions

func HasDigit

func HasDigit(key string) bool

func IsKnownFalsePositive

func IsKnownFalsePositive(match string, falsePositives []FalsePositive, wordCheck bool) bool

IsKnownFalsePositive will not return a valid secret finding if any of the disqualifying conditions are met. Currently that includes: no number, English word in key, or matches common example patterns. Only the secret key material should be passed into this function.

func KeyIsRandom

func KeyIsRandom(key string) bool

KeyIsRandom is a low-cost check to make sure that 'keys' include a number, to reduce FPs. Golang doesn't support regex lookaheads, so this must be done in separate calls. TODO: improve checks. Shannon entropy did not work well.
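
The disqualifying conditions listed for IsKnownFalsePositive and the digit check described for KeyIsRandom, as an added sketch that is not the package's own source. `rejectReason`, `hasDigit` and `sampleWords` are hypothetical names; the word list is a constructed stand-in for the unexported FalsePositiveWordlists, and the order of the checks is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Same entries as DefaultFalsePositives listed on this page.
var defaultFalsePositives = []string{"example", "xxxxxx", "aaaaaa", "abcde", "00000", "sample", "www"}

// sampleWords is a constructed stand-in for the package's unexported wordlists.
var sampleWords = []string{"password", "secret", "token", "change"}

// hasDigit reports whether key contains at least one ASCII digit.
func hasDigit(key string) bool {
	return strings.ContainsAny(key, "0123456789")
}

// rejectReason returns why a candidate is discarded, or "" if it survives.
// Assumed order: example patterns, optional word check, then the digit check.
func rejectReason(candidate string, wordCheck bool) string {
	lower := strings.ToLower(candidate)
	for _, fp := range defaultFalsePositives {
		if strings.Contains(lower, fp) {
			return "example pattern: " + fp
		}
	}
	if wordCheck {
		for _, w := range sampleWords {
			if strings.Contains(lower, w) {
				return "english word: " + w
			}
		}
	}
	if !hasDigit(candidate) {
		return "no digit"
	}
	return ""
}

func main() {
	// Constructed candidates, not real credentials.
	for _, c := range []string{"demoEXAMPLEkey123", "changemeplease", "qwrtplkjhgfdzxcv", "k9f2Lq8Zt0Vb3NxR", "9d00000f3ab2c7e1"} {
		fmt.Printf("%-20q reject=%q\n", c, rejectReason(c, true))
	}
}
```

The last sample shows the cost of substring filtering: a random-looking key that happens to contain `00000` is discarded, so a filter like this trades some missed findings for fewer false positives.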

func MustGetBenchmarkData

func MustGetBenchmarkData() map[string][]byte

func PrefixRegex

func PrefixRegex(keywords []string) string

PrefixRegex ensures that at least one of the given keywords is within 20 characters of the capturing group that follows. This can help prevent false positives.
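
A keyword-proximity prefix of the kind described above, as an added sketch that is not the package's own source. `keywordPrefix`, `tokenPat` and `findTokens` are hypothetical names, and the keyword `acme` and the 32-hex-character token shape are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// keywordPrefix is a hypothetical helper (not the package's PrefixRegex source):
// a case-insensitive keyword alternation followed by a lazy gap of at most
// `window` characters, newlines included.
func keywordPrefix(keywords []string, window int) string {
	quoted := make([]string, len(keywords))
	for i, k := range keywords {
		quoted[i] = regexp.QuoteMeta(k) // treat keywords as literals, not patterns
	}
	return fmt.Sprintf(`(?i)(?:%s)(?:.|[\n\r]){0,%d}?`, strings.Join(quoted, "|"), window)
}

// tokenPat assumes a token of exactly 32 hex characters. The leading (?i)
// applies to the capture group too, so upper-case hex also matches.
var tokenPat = regexp.MustCompile(keywordPrefix([]string{"acme"}, 20) + `\b([0-9a-f]{32})\b`)

// findTokens returns the captured group of every match in data.
func findTokens(data string) []string {
	var out []string
	for _, m := range tokenPat.FindAllStringSubmatch(data, -1) {
		out = append(out, m[1])
	}
	return out
}

func main() {
	// Constructed sample inputs; the hex strings are not real credentials.
	samples := []string{
		`ACME_API_KEY = "0123456789abcdef0123456789abcdef"`,                               // keyword 12 chars before
		"acme:\n  key: fedcba9876543210fedcba9876543210",                                  // gap spans a newline
		"acme deployment checksum for the nightly build: 0123456789abcdef0123456789abcdef", // keyword too far away
		"sha = 0123456789abcdef0123456789abcdef",                                          // no keyword at all
	}
	for _, s := range samples {
		fmt.Printf("%d match(es) in %q\n", len(findTokens(s)), s)
	}
}
```

Without the prefix, the bare 32-hex pattern would match every MD5-style checksum in the input; the keyword window is what removes the last two samples.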

func RedactURL

func RedactURL(u url.URL) string

Types

type Detector

type Detector interface {
	// FromData will scan bytes for results, and optionally verify them.
	FromData(ctx context.Context, verify bool, data []byte) ([]Result, error)
	// Keywords are used for efficiently pre-filtering chunks using substring operations.
	// Use unique identifiers that are part of the secret if you can, or the provider name.
	Keywords() []string
	// Type returns the DetectorType number from detectors.proto for the given detector.
	Type() detectorspb.DetectorType
}

Detector defines an interface for scanning for and verifying secrets.

type EndpointCustomizer

type EndpointCustomizer interface {
	SetEndpoints(...string) error
	DefaultEndpoint() string
}

EndpointCustomizer is an optional interface that a detector can implement to support verifying against user-supplied endpoints.

type EndpointSetter

type EndpointSetter struct {
	// contains filtered or unexported fields
}

EndpointSetter implements a sensible default for the SetEndpoints function of the EndpointCustomizer interface. A detector can embed this struct to gain the functionality.

func (*EndpointSetter) Endpoints

func (e *EndpointSetter) Endpoints(defaultEndpoint string) []string

func (*EndpointSetter) SetEndpoints

func (e *EndpointSetter) SetEndpoints(endpoints ...string) error

type FalsePositive

type FalsePositive string

type Result

type Result struct {
	// DetectorType is the type of Detector.
	DetectorType detectorspb.DetectorType
	// DetectorName is the name of the Detector. Used for custom detectors.
	DetectorName string
	// DecoderType is the type of Decoder.
	DecoderType detectorspb.DecoderType
	Verified    bool
	// Raw contains the raw secret identifier data. Prefer IDs over secrets since it is used for deduping after hashing.
	Raw []byte
	// RawV2 contains the raw secret identifier that is a combination of both the ID and the secret.
	// This is used for secrets that are multi part and could have the same ID. Ex: AWS credentials
	RawV2 []byte
	// Redacted contains the redacted version of the raw secret identification data for display purposes.
	// A secret ID should be used if available.
	Redacted       string
	ExtraData      map[string]string
	StructuredData *detectorspb.StructuredData

	// This field should only be populated if the verification process itself failed in a way that provides no
	// information about the verification status of the candidate secret, such as if the verification request timed out.
	VerificationError error
}

func CleanResults

func CleanResults(results []Result) []Result

CleanResults returns all verified secrets, and if there are no verified secrets, just one unverified secret if there are any.

type ResultWithMetadata

type ResultWithMetadata struct {
	// SourceMetadata contains source-specific contextual information.
	SourceMetadata *source_metadatapb.MetaData
	// SourceID is the ID of the source that the API uses to map secrets to specific sources.
	SourceID sources.SourceID
	// SourceType is the type of Source.
	SourceType sourcespb.SourceType
	// SourceName is the name of the Source.
	SourceName string
	Result
	// Data from the sources.Chunk which this result was emitted for
	Data []byte
}

func CopyMetadata

func CopyMetadata(chunk *sources.Chunk, result Result) ResultWithMetadata

CopyMetadata returns a detector result with included metadata from the source chunk.

type Versioner

type Versioner interface {
	Version() int
}

Versioner is an optional interface that a detector can implement to differentiate instances of the same detector type.

type Wordlists

type Wordlists struct {
	// contains filtered or unexported fields
}

Directories

Path Synopsis
figmapersonalaccesstoken
v1
v2
