sanctify 0.2.5 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bf59b1007b7caeecd87c0ddd8e7ba24f161d7b09
-  data.tar.gz: 1761816197a0ff15372dfa777494b1dad5e63189
+  metadata.gz: fb2d4bc5fa6962ffe6d54ff7881fe1aa876d4fb1
+  data.tar.gz: 5ac1b2ac6cb425f7c72cf55318fad1fee2a87f03
 SHA512:
-  metadata.gz: 78b2a2a600785a4937480755ab7a14b615a03e6e9509ad863ea537d44756ad88a9a704dac9a958aca826f4c7735f8a33ed19764e32b44cdff2f84e0700f16d4b
-  data.tar.gz: 21ed93a8d1c341bf2d8c673fc754e03939e0dabece00f42de0077efaa5bb134a103106f29971a1f22ddcb34b7ea059c66ab83c8080d1b6b42f7e28d7d17569fb
+  metadata.gz: 012dcb7a0de9b152fa3e94804926d664ebe206f513615b7cfda835952256fa8c6bb2cc227bb6d80e1916df68b5eabd38b3c06c7b4af4b0a73ad0ce96ac751dc1
+  data.tar.gz: 9794b0c234c5bd50a5bee592498fa54998d45d116ad5e534c4f22e49fb0924a470ce02b47699f2b061c355cbb44c5139361ade5435bec8de14cb2411265b7507

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    sanctify (0.2.4)
+    sanctify (0.3.0)
       git (~> 1.3)
 
 GEM
@@ -40,4 +40,4 @@ DEPENDENCIES
   sanctify!
 
 BUNDLED WITH
-   1.16.0
+   1.16.1

data/README.md

@@ -48,14 +48,15 @@ repos:
 
 ## Configuration
 
-Sanctify supports two top-level objects in the config: `ignored_paths` and `custom_matchers`. Currently sanctify supports a number of default matchers, but you are free to add more to your config file under custom_matchers. If there is a file that you know has secrets or is a false positive, you can add a list of Ruby-style regexes to ignore certain files.
+Sanctify supports 3 top-level objects in the config: `ignored_paths`,`custom_matchers`, and `disabled_matchers`. Currently sanctify supports a number of default matchers, but you are free to add more to your config file under custom_matchers. If there is a file that you know has secrets or is a false positive, you can add a list of Ruby-style regexes to ignore certain files. Currently the `id` field is optional and is used to select matchers from the default list you want to disable. However, we recommend adding an `id` so that in future features you will be able to explicitly reference your custom matcher as well.
 
 Here's an example config file:
 
 ```yaml
 ---
 custom_matchers:
-  - description: "Test Description"
+  - id: test_description
+    description: "Test Description"
     regex: "secret.*"
 
 ignored_paths:
@@ -80,8 +81,27 @@ The list of current default matchers are located in  `lib/sanctify/matcher_list.
 ]
 ```
 
+If you'd like to disable certain matchers from the default list, you can do so by adding the `id` of the matcher you'd like to disable to a list in the config called `disabled_matchers`. For example, if you wanted to disable all default matchers and only use your custom matchers, you can add the following to the config:
+
+```yaml
+disabled_matchers:
+  - aws_access_key_id
+  - aws_secret_key
+  - ssh_rsa_private_key
+  - x509_certificate
+  - redis_url_with_password
+  - url_basic_auth
+  - google_access_token
+  - google_api
+  - slack_api
+  - slack_bot
+  - gem_fury_v1
+  - gem_fury_v2
+```
+
 If you see any problem with a default matcher list or would like to add another to the default list, please feel free to make a pull request.
 
+
 ## Troubleshooting
 
 - If you are facing an issue with integration with a Rail project, where you are using rbenv, and get the following error:

data/lib/sanctify/cli.rb

@@ -42,6 +42,7 @@ module Sanctify
         end
       end
       Scanner.new(args).run
+      puts "SUCCESS! No Secrets Found in #{args[:repo]}"
     end
   end
 end

data/lib/sanctify/matcher.rb

@@ -0,0 +1,15 @@
+module Sanctify
+  class Matcher
+    attr_reader :id, :description, :regex
+    def initialize(id, description, regex, disabled: false)
+      @id = id
+      @description = description
+      @regex = regex
+      @disabled = disabled
+    end
+
+    def disabled?
+      @disabled
+    end
+  end
+end

data/lib/sanctify/matcher_list.rb

@@ -1,12 +1,23 @@
+require 'sanctify/matcher'
+
 module Sanctify
   class ParserError < StandardError; end
   class MatcherList
-    def initialize
-      @matchers = DEFAULT_MATCHERS
+    def initialize(custom_matchers:, disabled_matchers:)
+      # initialize Array in case users have that field blank
+      @disabled_matchers = disabled_matchers || []
+      @custom_matchers = custom_matchers || []
+
+      # Create Matcher objects out of const.
+      @matchers = DEFAULT_MATCHERS.map do |obj|
+        disabled = @disabled_matchers.include?(obj[:id])
+        Matcher.new(obj[:id], obj[:description], obj[:regex], disabled: disabled)
+      end
+      initialize_custom_matchers!
     end
 
-    def add(desc:, regex:)
-      if desc.length.zero?
+    def add(id, description, regex)
+      if description.empty?
         raise ParserError, "Description must exist and be greater length than zero"
       end
 
@@ -14,60 +25,87 @@ module Sanctify
         raise ParserError, "Regex must be of type Regexp"
       end
 
-      @matchers << { description: desc, regex: regex }
-      @matchers
+      @matchers << Matcher.new(id, description, regex)
     end
 
     def each(&blk)
       @matchers.each &blk
     end
 
+    def initialize_custom_matchers!
+      if @custom_matchers.any?
+        @custom_matchers.each do |cust|
+          if cust['description'] && cust['regex']
+            add(cust['id'], cust['description'], Regexp.new(cust['regex']))
+          else
+            raise ParserError, "Improperly configured custom matcher: #{cust}. Must include 'description' and 'regex'"
+          end
+        end
+      end
+    end
+
     DEFAULT_MATCHERS = [
       {
+        id: "aws_access_key_id",
         description: "AWS Access Key ID",
         regex: /AKIA[0-9A-Z]{16}/
       },
       {
+        id: "aws_secret_key",
         description: "AWS Secret Key",
-        regex: /\b(?<![A-Za-z0-9\/+=])(?=.*[\/&?=-@#$%\\^+])[A-Za-z0-9\/+=]{40}(?![A-Za-z0-9\/+=])\b/
+        # NOTE: This regex does not match keys that include a /, which is allowed
+        # in base64. If we added the slash, there would be many false positives
+        # for paths that are exactly 40 characters. PRs welcome if you can figure
+        # out a regex that will match base64 but not paths.
+        regex: /\b(?<![A-Za-z0-9\/+=])(?=.*[&?=-@#$%\\^+])[A-Za-z0-9\/+=]{40}(?![A-Za-z0-9\/+=])\b/
       },
       {
+        id: "ssh_rsa_private_key",
         description: "SSH RSA Private Key",
         regex: /^-----BEGIN RSA PRIVATE KEY-----$/
       },
       {
+        id: "x509_certificate",
         description: "X.509 Certificate",
         regex: /^-----BEGIN CERTIFICATE-----$/
       },
       {
+        id: "redis_url_with_password",
         description: "Redis URL with Password",
         regex: /redis:\/\/[0-9a-zA-Z:@.\\-]+/
       },
       {
+        id: "url_basic_auth",
         description: "URL Basic auth",
         regex: /https?:\/\/[0-9a-zA-z_]+?:[0-9a-zA-z_]+?@.+?/
       },
       {
+        id: "google_access_token",
         description:"Google Access Token",
         regex: /ya29.[0-9a-zA-Z_\\-]{68}/
       },
       {
+        id: "google_api",
         description: "Google API",
         regex: /AIzaSy[0-9a-zA-Z_\\-]{33}/
       },
       {
+        id: "slack_api",
         description: "Slack API",
         regex: /xoxp-\\d+-\\d+-\\d+-[0-9a-f]+/
       },
       {
+        id: "slack_bot",
         description: "Slack Bot",
         regex: /xoxb-\\d+-[0-9a-zA-Z]+/
       },
       {
+        id: "gem_fury_v1",
         description: "Gem Fury v1",
         regex: /https?:\/\/[0-9a-zA-Z]+@[a-z]+\\.(gemfury.com|fury.io)(\/[a-z]+)?/
       },
       {
+        id: "gem_fury_v2",
         description: "Gem Fury v2",
         regex: /https?:\/\/[a-z]+\\.(gemfury.com|fury.io)\/[0-9a-zA-Z]{20}/
       }

data/lib/sanctify/repo.rb

@@ -2,13 +2,14 @@ require 'git'
 
 module Sanctify
   class Repo
-    attr_reader :path, :git, :ignored_paths
-    def initialize(args, ignored_paths = [])
+    attr_reader :path, :git
+    def initialize(args, ignored_paths: [])
       @path = args[:repo]
       @to = args[:to] # The default for `to` in git.diff is nil
       @from = args[:from] || 'HEAD'
       @git = Git.open(path)
-      @ignored_paths = ignored_paths
+      ignored_paths ||= []
+      @ignored_paths = ignored_paths.map { |pattern| Regexp.new(pattern) }
     end
 
     def diff
@@ -36,8 +37,8 @@ module Sanctify
     def should_ignore?(path)
       # Add pattern matching for filenames so users can ignore files that
       # they know contain secrets that they have accepted as false positive.
-      return false if ignored_paths.empty?
-      ignored_paths.each do |regex|
+      return false if @ignored_paths.empty?
+      @ignored_paths.each do |regex|
         return true if regex.match(path)
       end
       false

data/lib/sanctify/scanner.rb

@@ -4,43 +4,30 @@ require 'sanctify/repo'
 module Sanctify
   class ScannerError < StandardError; end
   class Scanner
-    attr_reader :config, :repo, :matcher_list
+    attr_reader :repo, :matcher_list
     def initialize(args)
-      @config = args[:config] || {}
-      @repo = Repo.new(args, ignored_paths)
-      @matcher_list = MatcherList.new
+      config = args[:config] || {}
+      @repo = Repo.new(args, ignored_paths: config['ignored_paths'])
+      @matcher_list = MatcherList.new(
+        custom_matchers: config['custom_matchers'],
+        disabled_matchers: config['disabled_matchers'])
     end
 
     def run
-      initialize_custom_matchers!
       repo.added_lines.each do |line, path|
         matcher_list.each do |matcher|
-          if matcher[:regex].match(line)
-            raise ScannerError, "[ERROR] SECRET FOUND (#{matcher[:description]}): #{line} : #{path}"
+          next if matcher.disabled?
+          if matcher.regex.match(line)
+            raise ScannerError, message(matcher, line, path)
           end
         end
       end
-      puts "SUCCESS! No Secrets Found in #{repo.path}"
     end
 
     private
 
-    def ignored_paths
-      patterns = config['ignored_paths'] || []
-      patterns.map { |patt| Regexp.new patt }
-    end
-
-    def initialize_custom_matchers!
-      custom_matchers = config['custom_matchers'] || []
-      if custom_matchers.any?
-        custom_matchers.each do |cust|
-          if cust['description'] && cust['regex']
-            matcher_list.add(desc: cust['description'], regex: Regexp.new(cust['regex']))
-          else
-            raise ScannerError, "Improperly configured custom matcher: #{cust}. Must include 'description' and 'regex'"
-          end
-        end
-      end
+    def message(matcher, line, path)
+      "[ERROR] SECRET FOUND (#{matcher.description}): #{line} : #{path}"
     end
   end
 end

data/lib/sanctify/version.rb

@@ -1,3 +1,3 @@
 module Sanctify
-  VERSION = "0.2.5"
+  VERSION = "0.3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sanctify
 version: !ruby/object:Gem::Version
-  version: 0.2.5
+  version: 0.3.0
 platform: ruby
 authors:
 - Ryan Canty
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-01-16 00:00:00.000000000 Z
+date: 2018-01-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -105,6 +105,7 @@ files:
 - lib/sanctify.rb
 - lib/sanctify/cli.rb
 - lib/sanctify/console.rb
+- lib/sanctify/matcher.rb
 - lib/sanctify/matcher_list.rb
 - lib/sanctify/repo.rb
 - lib/sanctify/scanner.rb
@@ -131,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.14
 signing_key: 
 specification_version: 4
 summary: Keep secrets out of your Git repo with Sanctify