feat(secret): enhance secret scanning for python binary files #7223
Conversation
For binary files, we should not show the line as it is not printable. grep just shows "matches".
$ grep github_pat __pycache__/main.cpython-312.pyc
Binary file __pycache__/main.cpython-312.pyc matches
pkg/fanal/utils/utils.go
Outdated
printalbe = append(printalbe, byte(' ')) | ||
wasReadable = true | ||
} | ||
printalbe = append(printalbe, current[0]) |
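Review bot: `printalbe` on the first and last lines of this hunk is a misspelling of `printable`; rename it. Logic-wise, the branch that appends `byte(' ')` collapses every run of non-printable bytes into a single space and keeps every printable byte, so isolated printable bytes get joined into one long string; accumulating a run and keeping it only once it reaches a minimum length (as strings(1) does) would avoid that.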
This implementation concats all single printable characters, leading to the long string. Even in a binary file, there are many printable character strings when viewed on a per-byte basis. I think the strings way, setting the minimum length, is better like I shared.
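The two approaches discussed above (joining every printable byte versus keeping only printable runs of at least a minimum length, as strings(1) does) side by side, plus the grep-style "Binary file ... matches" report from this PR, as an added example that is not Trivy's own code. `sampleBinary`, `fakeToken`, `tokenRule`, `concatPrintable`, `printableRuns` and `scanBinary` are all constructed here; the token pattern and the rule title are simplified assumptions, not Trivy's real rule.

```go
package main

import (
	"fmt"
	"regexp"
)

// fakeToken is a constructed placeholder shaped like a GitHub PAT; it is not a real credential.
const fakeToken = "github_pat_EXAMPLE00000000000000000000"

// tokenRule is a simplified, assumed pattern for this example only, not Trivy's real rule.
var tokenRule = regexp.MustCompile(`github_pat_[0-9A-Za-z_]{20,}`)

// sampleBinary builds a constructed byte slice that imitates compiled Python
// bytecode: header-like bytes, scattered single printable bytes, the fake token
// and a short identifier, separated by non-printable bytes.
func sampleBinary() []byte {
	var b []byte
	b = append(b, 0xcb, 0xfa, 0x0d, 0x0a, 0x00, 0x00, 0x00, 0x00) // header-like bytes
	b = append(b, 'e', 0x00, 0x01, 'Z', 0x03, 0xff, 'K', 0x00)     // isolated printable bytes
	b = append(b, fakeToken...)
	b = append(b, 0x00, 0x04, 'm', 'a', 'i', 'n', 0x00, 0x00, 'r')
	return b
}

func isPrintable(b byte) bool { return b >= 0x20 && b <= 0x7e }

// concatPrintable mirrors the approach the reviewer objected to: every printable
// byte is kept and each run of non-printable bytes collapses to one space, so
// isolated bytes like 'e', 'Z', 'K' end up joined into one long noisy string.
func concatPrintable(data []byte) string {
	var out []byte
	wasReadable := false
	for _, b := range data {
		if isPrintable(b) {
			out = append(out, b)
			wasReadable = true
		} else if wasReadable {
			out = append(out, ' ')
			wasReadable = false
		}
	}
	return string(out)
}

// printableRuns keeps only runs of printable bytes that are at least minLen
// long, which is what the strings(1) utility does by default (minLen 4).
func printableRuns(data []byte, minLen int) []string {
	var runs []string
	start := -1
	flush := func(end int) {
		if start >= 0 && end-start >= minLen {
			runs = append(runs, string(data[start:end]))
		}
		start = -1
	}
	for i, b := range data {
		if isPrintable(b) {
			if start < 0 {
				start = i
			}
			continue
		}
		flush(i)
	}
	flush(len(data))
	return runs
}

// scanBinary runs the rule over the extracted strings and, on a hit, reports
// only that the file matched (the grep-style message used in this PR) instead
// of echoing an unprintable line.
func scanBinary(path string, data []byte, minLen int) (string, bool) {
	for _, s := range printableRuns(data, minLen) {
		if tokenRule.MatchString(s) {
			return fmt.Sprintf("Binary file %q matches a rule %q", path, "GitHub Personal Access Token"), true
		}
	}
	return "", false
}

func main() {
	data := sampleBinary()
	fmt.Printf("concat:  %q\n", concatPrintable(data))
	fmt.Printf("strings: %q\n", printableRuns(data, 4))
	if msg, ok := scanBinary("__pycache__/main.cpython-312.pyc", data, 4); ok {
		fmt.Println(msg)
	}
}
```

Running it shows the difference directly: `concatPrintable` yields one string starting with `e Z K github_pat_...`, while `printableRuns` with a minimum length of 4 yields just the token and `main`, which is what the secret rules should be matched against.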
pkg/fanal/analyzer/secret/secret.go
Outdated
@@ -63,6 +66,10 @@ func init() { | |||
analyzer.RegisterAnalyzer(NewSecretAnalyzer(secret.Scanner{}, "")) | |||
} | |||
|
|||
func isAllowedBinary(filename string) bool { |
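Review bot: the new `isAllowedBinary(filename string) bool` at the end of the hunk has no doc comment; add one naming the file types it accepts (the PR title mentions Python bytecode) and whether the check is by extension, so the scope of the allowlist is clear at the call site.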
What if we omit the is prefix?
func isAllowedBinary(filename string) bool { | |
func allowedBinary(filename string) bool { |
done
pkg/fanal/secret/scanner.go
Outdated
if args.Binary { | ||
for _, match := range matched { | ||
findings = append(findings, types.SecretFinding{ | ||
RuleID: match.Rule.ID, | ||
Category: match.Rule.Category, | ||
Severity: lo.Ternary(match.Rule.Severity == "", "UNKNOWN", match.Rule.Severity), | ||
Title: match.Rule.Title, | ||
Match: fmt.Sprintf("Binary file %q matches a rule %q", args.FilePath, match.Rule.Title), | ||
StartLine: 1, | ||
EndLine: 1, | ||
}) | ||
} | ||
} else { | ||
for _, match := range matched { | ||
findings = append(findings, toFinding(match.Rule, match.Location, censored)) | ||
} |
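Review bot: the `if args.Binary` branch hard-codes `StartLine: 1` and `EndLine: 1`, which reports a location the scanner never actually determined; either leave them zero or document that line numbers are meaningless for binaries. Both branches also loop over `matched` identically apart from how the finding is built, so a single loop with a conditional on `args.Binary` would remove the duplication.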
I suggest using the toFinding function. Something like this:
if args.Binary { | |
for _, match := range matched { | |
findings = append(findings, types.SecretFinding{ | |
RuleID: match.Rule.ID, | |
Category: match.Rule.Category, | |
Severity: lo.Ternary(match.Rule.Severity == "", "UNKNOWN", match.Rule.Severity), | |
Title: match.Rule.Title, | |
Match: fmt.Sprintf("Binary file %q matches a rule %q", args.FilePath, match.Rule.Title), | |
StartLine: 1, | |
EndLine: 1, | |
}) | |
} | |
} else { | |
for _, match := range matched { | |
findings = append(findings, toFinding(match.Rule, match.Location, censored)) | |
} | |
for _, match := range matched { | |
finding := toFinding(match.Rule, match.Location, censored) | |
// These fields will be unreadable for binaries, | |
// Therefore overwrite them. | |
if args.Binary { | |
finding.Match = fmt.Sprintf("Binary file %q matches a rule %q", args.FilePath, match.Rule.Title) | |
finding.Code = types.Code{} | |
} | |
findings = append(findings, finding) | |
} |
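Review bot: in the suggested loop, `toFinding(match.Rule, match.Location, censored)` still runs for binaries, so the location lookup executes on non-printable content before `finding.Match` and `finding.Code` are overwritten; a flag to skip that step would avoid the wasted work. Only `Match` and `Code` are reset, so the `StartLine`/`EndLine` fields that the replaced struct literal set explicitly are left as `toFinding` produced them. Style nit: the second comment line "// Therefore overwrite them." continues the sentence from the line above, so lower-case "therefore".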
It might make sense to add a flag to the toFinding function to skip findLocation.
wdyt?
sure! it's a better way!
LGTM
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Description
Notes
This way doesn't detect secrets inside .odt (LibreOffice format) and .pdf.
Demo file:
$ python3 -m compileall .
Before:
After:
Related issues
Checklist