add gitleaks secret scanner (#20)

openclarity · Dec 15, 2022 · 736bd8f · 736bd8f
1 parent 938f7ad
commit 736bd8f
Show file tree

Hide file tree

Showing 15 changed files with 390 additions and 22 deletions.
diff --git a/.families.yaml b/.families.yaml
@@ -1,5 +1,5 @@
 sbom:
-  enabled: true
+  enabled: false
   analyzers_list:
     - "syft"
     - "gomod"
@@ -26,7 +26,7 @@ sbom:
         token: "token"
 
 vulnerabilities:
-  enabled: true
+  enabled: false
   scanners_list:
     - "grype"
   inputs:
@@ -61,11 +61,8 @@ secrets:
   scanners_list:
     - "gitleaks"
   inputs:
-    - input: "/dir"
+    - input: "./"
       input_type: "dir"
-    - input: "/rootfs"
-      input_type: "rootfs"
-  gitleaks_config:
-    foo: "bar"
-
-
+  scanners_config:
+    gitleaks:
+      binary_path: "/usr/local/bin/gitleaks"
diff --git a/Makefile b/Makefile
@@ -128,6 +128,7 @@ check: lint test ## Run tests and linters
 gomod-tidy:
 	cd backend && go mod tidy
 	cd runtime_scan && go mod tidy
+	cd shared && go mod tidy
 
 .PHONY: api
 api: ## Generating API code

diff --git a/cli/cmd/root.go b/cli/cmd/root.go
@@ -29,6 +29,7 @@ import (
 	"github.com/openclarity/vmclarity/shared/pkg/families"
 	"github.com/openclarity/vmclarity/shared/pkg/families/results"
 	"github.com/openclarity/vmclarity/shared/pkg/families/sbom"
+	"github.com/openclarity/vmclarity/shared/pkg/families/secrets"
 	"github.com/openclarity/vmclarity/shared/pkg/families/vulnerabilities"
 )
 
@@ -78,6 +79,19 @@ var rootCmd = &cobra.Command{
 			}
 		}
 
+		if config.Secrets.Enabled {
+			secretsResults, err := results.GetResult[*secrets.Results](res)
+			if err != nil {
+				return fmt.Errorf("failed to get secrets results: %v", err)
+			}
+
+			bytes, _ := json.Marshal(secretsResults)
+			err = Output(bytes, "secrets")
+			if err != nil {
+				return fmt.Errorf("failed to output secrets results: %v", err)
+			}
+		}
+
 		return nil
 	},
 }

diff --git a/shared/pkg/families/manager.go b/shared/pkg/families/manager.go
@@ -75,8 +75,8 @@ func New(logger *log.Entry, config *Config) *Manager {
 func (m *Manager) Run() (*results.Results, error) {
 	familiesResults := results.New()
 
-	for _, analyzer := range m.families {
-		ret, err := analyzer.Run(familiesResults)
+	for _, family := range m.families {
+		ret, err := family.Run(familiesResults)
 		if err != nil {
 			return nil, err
 		}

diff --git a/shared/pkg/families/sbom/family.go b/shared/pkg/families/sbom/family.go
@@ -27,15 +27,15 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	_interface "github.com/openclarity/vmclarity/shared/pkg/families/interface"
-	"github.com/openclarity/vmclarity/shared/pkg/families/results"
+	familiesresults "github.com/openclarity/vmclarity/shared/pkg/families/results"
 )
 
 type SBOM struct {
 	logger *log.Entry
 	conf   Config
 }
 
-func (s SBOM) Run(res *results.Results) (_interface.IsResults, error) {
+func (s SBOM) Run(res *familiesresults.Results) (_interface.IsResults, error) {
 	s.logger.Info("SBOM Run...")
 
 	if len(s.conf.Inputs) == 0 {

diff --git a/shared/pkg/families/secrets/common/config.go b/shared/pkg/families/secrets/common/config.go
@@ -0,0 +1,26 @@
+// Copyright © 2022 Cisco Systems, Inc. and its affiliates.
+// All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package common
+
+import (
+	gitleaksconfig "github.com/openclarity/vmclarity/shared/pkg/families/secrets/gitleaks/config"
+)
+
+type ScannersConfig struct {
+	Gitleaks gitleaksconfig.Config `yaml:"gitleaks" mapstructure:"gitleaks"`
+}
+
+func (ScannersConfig) IsConfig() {}
diff --git a/shared/pkg/families/secrets/common/results.go b/shared/pkg/families/secrets/common/results.go
@@ -0,0 +1,65 @@
+// Copyright © 2022 Cisco Systems, Inc. and its affiliates.
+// All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package common
+
+// Results for now will be as the gitleaks results struct since it is our only secret scanner.
+// once another secret scanner is integrated, we will need to think of a common scheme.
+type Results struct {
+	Findings    []Findings
+	Source      string
+	ScannerName string
+	Error       error
+}
+
+type Findings struct {
+	Description string `json:"description"`
+	StartLine   int    `json:"start_line"`
+	EndLine     int    `json:"end_line"`
+	StartColumn int    `json:"start_column"`
+	EndColumn   int    `json:"end_column"`
+
+	Line string `json:"-" json:"line"`
+
+	Match string `json:"match"`
+
+	// Secret contains the full content of what is matched in
+	// the tree-sitter query.
+	Secret string `json:"secret"`
+
+	// File is the name of the file containing the finding
+	File        string `json:"file"`
+	SymlinkFile string `json:"symlink_file"`
+	Commit      string `json:"commit"`
+
+	// Entropy is the shannon entropy of Value
+	Entropy float32 `json:"entropy"`
+
+	Author  string   `json:"author"`
+	Email   string   `json:"email"`
+	Date    string   `json:"date"`
+	Message string   `json:"message"`
+	Tags    []string `json:"tags"`
+
+	// Rule is the name of the rule that was matched
+	RuleID string `json:"rule_id"`
+
+	// unique identifer
+	Fingerprint string `json:"fingerprint"`
+}
+
+func (r *Results) GetError() error {
+	return r.Error
+}
diff --git a/shared/pkg/families/secrets/config.go b/shared/pkg/families/secrets/config.go
@@ -15,10 +15,15 @@
 
 package secrets
 
+import (
+	"github.com/openclarity/vmclarity/shared/pkg/families/secrets/common"
+)
+
 type Config struct {
-	Enabled      bool     `yaml:"enabled" mapstructure:"enabled"`
-	ScannersList []string `yaml:"scanners_list" mapstructure:"scanners_list"`
-	Inputs       []Inputs `yaml:"inputs" mapstructure:"inputs"`
+	Enabled        bool                   `yaml:"enabled" mapstructure:"enabled"`
+	ScannersList   []string               `yaml:"scanners_list" mapstructure:"scanners_list"`
+	Inputs         []Inputs               `yaml:"inputs" mapstructure:"inputs"`
+	ScannersConfig *common.ScannersConfig `yaml:"scanners_config" mapstructure:"scanners_config"`
 }
 
 type Inputs struct {

diff --git a/shared/pkg/families/secrets/family.go b/shared/pkg/families/secrets/family.go
@@ -16,26 +16,50 @@
 package secrets
 
 import (
+	"fmt"
+
 	log "github.com/sirupsen/logrus"
 
-	_interface "github.com/openclarity/vmclarity/shared/pkg/families/interface"
-	"github.com/openclarity/vmclarity/shared/pkg/families/results"
+	"github.com/openclarity/kubeclarity/shared/pkg/job_manager"
+	"github.com/openclarity/kubeclarity/shared/pkg/utils"
+	familiesinterface "github.com/openclarity/vmclarity/shared/pkg/families/interface"
+	familiesresults "github.com/openclarity/vmclarity/shared/pkg/families/results"
+	"github.com/openclarity/vmclarity/shared/pkg/families/secrets/common"
+	"github.com/openclarity/vmclarity/shared/pkg/families/secrets/job"
 )
 
 type Secrets struct {
 	conf   Config
 	logger *log.Entry
 }
 
-func (s Secrets) Run(res *results.Results) (_interface.IsResults, error) {
-	//TODO implement me
+func (s Secrets) Run(res *familiesresults.Results) (familiesinterface.IsResults, error) {
 	s.logger.Info("Secrets Run...")
+
+	manager := job_manager.New(s.conf.ScannersList, s.conf.ScannersConfig, s.logger, job.Factory)
+	mergedResults := NewMergedResults()
+
+	for _, input := range s.conf.Inputs {
+		results, err := manager.Run(utils.SourceType(input.InputType), input.Input)
+		if err != nil {
+			return nil, fmt.Errorf("failed to scan input %q for secrets: %v", input.Input, err)
+		}
+
+		// Merge results.
+		for name, result := range results {
+			s.logger.Infof("Merging result from %q", name)
+			mergedResults = mergedResults.Merge(result.(*common.Results)) // nolint:forcetypeassert
+		}
+	}
+
 	s.logger.Info("Secrets Done...")
-	return &Results{}, nil
+	return &Results{
+		MergedResults: mergedResults,
+	}, nil
 }
 
 // ensure types implement the requisite interfaces
-var _ _interface.Family = &Secrets{}
+var _ familiesinterface.Family = &Secrets{}
 
 func New(logger *log.Entry, conf Config) *Secrets {
 	return &Secrets{

diff --git a/shared/pkg/families/secrets/gitleaks/config/config.go b/shared/pkg/families/secrets/gitleaks/config/config.go
@@ -0,0 +1,20 @@
+// Copyright © 2022 Cisco Systems, Inc. and its affiliates.
+// All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+type Config struct {
+	BinaryPath string `yaml:"binary_path" mapstructure:"binary_path"`
+}