credsweeper 1.12.1__py3-none-any.whl → 1.13.3__py3-none-any.whl

credsweeper/__init__.py

@@ -24,4 +24,4 @@ __all__ = [
     "__version__"
 ]
 
-__version__ = "1.12.1"
+__version__ = "1.13.3"

credsweeper/__main__.py

@@ -1,4 +1,5 @@
 import binascii
+import contextlib
 import logging
 import os
 import sys
@@ -34,24 +35,24 @@ def positive_int(value: Any) -> int:
     return int_value
 
 
-def threshold_or_float(arg: str) -> Union[float, ThresholdPreset]:
+def threshold_or_float_or_zero(arg: str) -> Union[int, float, ThresholdPreset]:
     """Return ThresholdPreset or a float from the input string
 
     Args:
         arg: string that either a float or one of allowed values in ThresholdPreset
 
     Returns:
-        float if arg convertible to float, ThresholdPreset if one of the allowed values
+        int = 0 to disable ML validator, float if arg convertible to float, ThresholdPreset if one of the allowed values
 
     Raises:
         ArgumentTypeError: if arg cannot be interpreted as float or ThresholdPreset
 
     """
     allowed_presents = [e.value for e in ThresholdPreset]
-    try:
+    if '0' == arg:
+        return 0
+    with contextlib.suppress(ValueError):
         return float(arg)  # try convert to float
-    except ValueError:
-        pass
     if arg in allowed_presents:
         return ThresholdPreset[arg]
     raise ArgumentTypeError(f"value must be a float or one of {allowed_presents}")
@@ -158,6 +159,10 @@ def get_arguments() -> Namespace:
                         help="find files by predefined extension",
                         dest="find_by_ext",
                         action="store_true")
+    parser.add_argument("--pedantic",
+                        help="process files without extension",
+                        action=BooleanOptionalAction,
+                        default=False)
     parser.add_argument("--depth",
                         help="additional recursive search in data (experimental)",
                         type=positive_int,
@@ -172,11 +177,11 @@ def get_arguments() -> Namespace:
                         "The lower the threshold - the more credentials will be reported. "
                         f"Allowed values: float between 0 and 1, or any of {[e.value for e in ThresholdPreset]} "
                         "(default: medium)",
-                        type=threshold_or_float,
+                        type=threshold_or_float_or_zero,
                         default=ThresholdPreset.medium,
                         dest="ml_threshold",
                         required=False,
-                        metavar="FLOAT_OR_STR")
+                        metavar="THRESHOLD_OR_FLOAT_OR_ZERO")
     parser.add_argument("--ml_batch_size",
                         "-b",
                         help="batch size for model inference (default: 16)",
@@ -299,6 +304,7 @@ def get_credsweeper(args: Namespace) -> CredSweeper:
                        ml_model=args.ml_model,
                        ml_providers=args.ml_providers,
                        find_by_ext=args.find_by_ext,
+                       pedantic=args.pedantic,
                        depth=args.depth,
                        doc=args.doc,
                        severity=args.severity,
@@ -335,7 +341,8 @@ def scan(args: Namespace, content_provider: AbstractProvider) -> int:
 def get_commit_providers(commit: Commit, repo: Repo) -> Sequence[ByteContentProvider]:
     """Process a commit and for providers"""
     result = {}
-    ancestors = commit.parents or [repo.tree()]
+    # use the hardcoded sha1 until sha256 objects are not supported by GitPython
+    ancestors = commit.parents or [repo.tree("4b825dc642cb6eb9a060e54bf8d69288fbee4904")]
     for parent in ancestors:
         for diff in parent.diff(commit):
             # only result files
@@ -372,9 +379,11 @@ def drill(args: Namespace) -> Tuple[int, int]:
         # then - credsweeper
         credsweeper = get_credsweeper(args)
         # use flat iterations to avoid recursive limits
-        to_scan = list(commits_sha1)
+        to_scan = set(commits_sha1)
         # local speedup for already scanned commits - avoid file system interactive
         scanned = set()
+        # to avoid double-check
+        skipped = set()
         while to_scan:
             commit_sha1 = to_scan.pop()
             if commit_sha1 in scanned:
@@ -382,8 +391,8 @@ def drill(args: Namespace) -> Tuple[int, int]:
                 continue
             commit = repo.commit(commit_sha1)
             if commit.parents:
-                # add parents anyway
-                to_scan.extend(x.hexsha for x in commit.parents)
+                # add parents only when they were not skipped or scanned previously
+                to_scan.update(x.hexsha for x in commit.parents if x.hexsha not in skipped and x.hexsha not in scanned)
             # check whether the commit has been checked and the report is present
             skip_already_scanned = False
             if args.json_filename:
@@ -401,9 +410,10 @@ def drill(args: Namespace) -> Tuple[int, int]:
                 else:
                     credsweeper.xlsx_filename = xlsx_path
             if skip_already_scanned:
-                logger.info("Skip already scanned commit: %s", commit_sha1)
+                skipped.add(commit_sha1)
+                logger.info("Skip already scanned commit: %s %s", commit_sha1, commit.committed_datetime.isoformat())
                 continue
-            logger.info("Scan commit: %s", commit_sha1)
+            logger.info("Scan commit: %s %s", commit_sha1, commit.committed_datetime.isoformat())
             # prepare all files to scan in the commit with bytes->IO transformation to avoid a multiprocess issue
             if providers := get_commit_providers(commit, repo):
                 credsweeper.credential_manager.candidates.clear()

credsweeper/app.py

@@ -52,11 +52,12 @@ class CredSweeper:
                  use_filters: bool = True,
                  pool_count: int = 1,
                  ml_batch_size: Optional[int] = None,
-                 ml_threshold: Union[float, ThresholdPreset] = ThresholdPreset.medium,
+                 ml_threshold: Union[int, float, ThresholdPreset] = ThresholdPreset.medium,
                  ml_config: Union[None, str, Path] = None,
                  ml_model: Union[None, str, Path] = None,
                  ml_providers: Optional[str] = None,
                  find_by_ext: bool = False,
+                 pedantic: bool = False,
                  depth: int = 0,
                  doc: bool = False,
                  severity: Union[Severity, str] = Severity.INFO,
@@ -86,6 +87,7 @@ class CredSweeper:
             ml_model: str or Path to set custom ml model
             ml_providers: str - comma separated list with providers
             find_by_ext: boolean - files will be reported by extension
+            pedantic: boolean - scan all files
             depth: int - how deep container files will be scanned
             doc: boolean - document-specific scanning
             severity: Severity - minimum severity level of rule
@@ -103,6 +105,7 @@ class CredSweeper:
         config_dict = self._get_config_dict(config_path=config_path,
                                             use_filters=use_filters,
                                             find_by_ext=find_by_ext,
+                                            pedantic=pedantic,
                                             depth=depth,
                                             doc=doc,
                                             severity=_severity,
@@ -145,6 +148,7 @@ class CredSweeper:
             config_path: Optional[str],  #
             use_filters: bool,  #
             find_by_ext: bool,  #
+            pedantic: bool,  #
             depth: int,  #
             doc: bool,  #
             severity: Severity,  #
@@ -155,6 +159,7 @@ class CredSweeper:
         config_dict["use_filters"] = use_filters
         config_dict["find_by_ext"] = find_by_ext
         config_dict["size_limit"] = size_limit
+        config_dict["pedantic"] = pedantic
         config_dict["depth"] = depth
         config_dict["doc"] = doc
         config_dict["severity"] = severity.value
@@ -169,7 +174,7 @@ class CredSweeper:
     # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 
     def _use_ml_validation(self) -> bool:
-        if isinstance(self.ml_threshold, (float, int)) and 0 >= self.ml_threshold:
+        if isinstance(self.ml_threshold, int) and 0 == self.ml_threshold:
             logger.info("ML validation is disabled")
             return False
         if not self.credential_manager.candidates:

credsweeper/common/keyword_pattern.py

@@ -3,7 +3,10 @@ import re
 
 class KeywordPattern:
     """Pattern set of keyword types"""
-    directive = r"(?P<directive>(?:(?:[#%]define|%global)(?:\s|\\t)|\bset))?"
+    directive = r"(?P<directive>(?:" \
+                r"(?:[#%]define|define(?=(\s|\\{1,8}[tnr])*\()|%global)" \
+                r"(?:\s?\(|\s|\\{1,8}[tnr]){1,8}|\bset(?=\b|\w*(\s|\\{1,8}[tnr])*\()" \
+                r"))?"
     key_left = r"(?:\\[nrt]|(\\\\*u00|%)[0-9a-f]{2}|\s)*" \
                r"(?P<variable>(([\"'`]{1,8}[^:=\"'`}<>\\/&?]*|[^:=\"'`}<>\s()\\/&?;,%]*)"
     # keyword will be inserted here
@@ -13,7 +16,7 @@ class KeywordPattern:
                 r")"  # <variable>
     separator = r"(?(directive)|(\s|\\{1,8}[tnr])*\]?(\s|\\{1,8}[tnr])*)" \
                 r"(?P<separator>:(\s[a-z]{3,9}[?]?\s)?=|:(?!:)|=(>|&gt;|(\\\\*u00|%)26gt;)|!==|!=|===|==|=~|=" \
-                r"|(?(directive)(\\t|\s|\((?!\))){1,80}|%3d))" \
+                r"|(?(directive)(,|\\t|\s|\((?!\))){1,80}|%3d))" \
                 r"(\s|\\{1,8}[tnr])*"
     # might be curly, square or parenthesis with words before
     wrap = r"(?P<wrap>(" \
@@ -23,7 +26,7 @@ class KeywordPattern:
            r"\s*" \
            r"(\[(?!\])|\((?!\))|\{(?!\}))" \
            r"(\s|\\{1,8}[tnr])*" \
-           r"(?(get)('[^']+'|\"[^\"]+\")\s*,\s*|)" \
+           r"(?(get)('[^']{1,31}'|\"[^\"]{1,31}\")\s*,\s*|)" \
            r"([0-9a-z_]{1,32}\s*[:=]\s*)?" \
            r"){1,8})?"
     string_prefix = r"(((b|r|br|rb|u|f|rf|fr|l|@)(?=(\\*[\"'`])))?"

credsweeper/common/morpheme_checklist.txt

@@ -14,11 +14,15 @@
 /var
 000
 111
+14159265
+18284590
 222
 333
 444
 555
+65358979
 666
+71828182
 777
 80211
 888
@@ -195,7 +199,7 @@ aux
 avail
 avatar
 aver
-awesome
+awesom
 axis
 azure
 back
@@ -227,12 +231,14 @@ bind
 bio
 bipol
 bit
+bixby
 black
 blan
 bless
 blic
 blish
 blob
+blood
 blue
 board
 bob
@@ -243,7 +249,7 @@ boost
 boot
 boss
 bot
-bound
+boun
 box
 branch
 break
@@ -497,6 +503,7 @@ dust
 dvb
 dynamic
 dynamo
+eadbee
 easin
 easy
 ecdhe
@@ -607,6 +614,7 @@ fleet
 flick
 flix
 float
+flood
 floor
 fluent
 fluid
@@ -615,7 +623,7 @@ focus
 foo
 for
 fossil
-found
+foun
 fpga
 frame
 free
@@ -648,6 +656,7 @@ git
 given
 global
 gobble
+good
 google
 grab
 grace
@@ -703,6 +712,7 @@ home
 hook
 horizon
 host
+houn
 hours
 html
 http
@@ -789,6 +799,7 @@ jpg_
 json
 jump
 justif
+kafka
 kerberos
 kernel
 key
@@ -798,6 +809,7 @@ kind
 kinesis
 kirk
 know
+knox
 kris
 lab
 lag
@@ -854,7 +866,7 @@ local
 lock
 log
 long
-lookup
+look
 loop
 loose
 lost
@@ -947,6 +959,7 @@ ndow
 ned
 need
 neigh
+neo4j
 ner
 net
 neutr
@@ -991,6 +1004,7 @@ oncat
 one
 onfig
 only
+ookup
 open
 opt/
 opted
@@ -1008,6 +1022,7 @@ ormat
 orph
 otorola
 ottle
+ound
 ously
 out
 over
@@ -1067,6 +1082,7 @@ pose
 posit
 possib
 post
+poun
 power
 pre_
 pred
@@ -1211,7 +1227,7 @@ rotat
 rotocol
 rottl
 rough
-round
+roun
 roup
 row
 rroga
@@ -1317,9 +1333,10 @@ sock
 soft
 solid
 solve
+some
 sony
 sort
-sound
+soun
 source
 space
 spacing
@@ -1429,6 +1446,7 @@ tio
 tish
 title
 titud
+tizen
 tmp/
 to_
 tod
@@ -1440,6 +1458,7 @@ topic
 tory
 total
 touch
+tour
 trace
 tract
 traffic
@@ -1573,6 +1592,7 @@ yield
 you
 zeppelin
 zero
+zigbee
 zing
 zona
 zorro

credsweeper/config/config.py

@@ -35,6 +35,7 @@ class Config:
         self.candidate_output: List[str] = config["candidate_output"]
         self.find_by_ext: bool = config["find_by_ext"]
         self.size_limit: Optional[int] = parse_size(config["size_limit"]) if config["size_limit"] is not None else None
+        self.pedantic: bool = bool(config["pedantic"])
         self.depth: int = int(config["depth"])
         self.doc: bool = config["doc"]
         self.severity: Severity = Severity.get(config.get("severity"))

credsweeper/credentials/line_data.py

@@ -163,6 +163,7 @@ class LineData:
             self.clean_url_parameters()
             self.clean_bash_parameters()
             self.clean_toml_parameters()
+            self.clean_tag_parameters()
             if 0 <= self.value_start and 0 <= self.value_end and len(self.value) < len(_value):
                 start = _value.find(self.value)
                 self.value_start += start
@@ -196,15 +197,14 @@ class LineData:
         If line seem to be a URL - split by & character.
         Variable should be right most value after & or ? ([-1]). And value should be left most before & ([0])
         """
-        if self.check_url_part():
+        # skip sanitize in case of URL credential rule - the regex is mature enough
+        if self.check_url_part() and not self.variable.endswith("://"):
             # all checks have passed - line before the value may be a URL
             self.variable = self.variable.rsplit('&')[-1].rsplit('?')[-1].rsplit(';')[-1]
             self.value = self.value.split('&', maxsplit=1)[0].split(';', maxsplit=1)[0].split('#', maxsplit=1)[0]
-            if not self.variable.endswith("://"):
-                # skip sanitize in case of URL credential rule
-                self.value = self.url_unicode_split.split(self.value)[0]
-                if self._3d_escaped_separator:
-                    self.value = self.url_percent_split.split(self.value)[0]
+            self.value = self.url_unicode_split.split(self.value)[0]
+            if self._3d_escaped_separator:
+                self.value = self.url_percent_split.split(self.value)[0]
 
     def clean_bash_parameters(self) -> None:
         """Split variable and value by bash special characters, if line assumed to be CLI command."""
@@ -232,6 +232,21 @@ class LineData:
                     self.value = self.value[:-1]
                     cleaning_required = True
 
+    def clean_tag_parameters(self) -> None:
+        """Remove closing tag from value if the opened is somewhere before in line"""
+        cleaning_required = self.value and self.value.endswith('>')
+        while cleaning_required:
+            closing_tag_pos = self.value.rfind("</")
+            if 0 <= closing_tag_pos:
+                # use `<a` to avoid tag parameters
+                opening_tag_prefix = f"<{self.value[closing_tag_pos + 2:-1]}"
+                if cleaning_required := (opening_tag_prefix not in self.value
+                                         and 0 <= self.line.find(opening_tag_prefix, 0, self.value_start)):
+                    self.value = self.value[:closing_tag_pos]
+                    cleaning_required = self.value and self.value.endswith('>')
+            else:
+                break
+
     def sanitize_variable(self) -> None:
         """Remove trailing spaces, dashes and quotations around the variable. Correct position."""
         sanitized_var_len = 0

credsweeper/deep_scanner/abstract_scanner.py

@@ -51,6 +51,7 @@ class AbstractScanner(ABC):
     @abstractmethod
     def get_deep_scanners(data: bytes, descriptor: Descriptor, depth: int) -> Tuple[List[Any], List[Any]]:
         """Returns possibly scan methods for the data depends on content and fallback scanners"""
+        raise NotImplementedError(__name__)
 
     # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 

credsweeper/deep_scanner/csv_scanner.py

@@ -0,0 +1,71 @@
+import csv
+import io
+import logging
+from abc import ABC
+from typing import List, Optional, Dict, Any
+
+from credsweeper.common.constants import MAX_LINE_LENGTH
+from credsweeper.credentials.candidate import Candidate
+from credsweeper.deep_scanner.abstract_scanner import AbstractScanner
+from credsweeper.file_handler.data_content_provider import DataContentProvider
+from credsweeper.file_handler.struct_content_provider import StructContentProvider
+
+logger = logging.getLogger(__name__)
+
+
+class CsvScanner(AbstractScanner, ABC):
+    """Implements CSV scanning"""
+
+    sniffer = csv.Sniffer()
+    # do not use space as separator to avoid hallucinations
+    delimiters = ",;\t|\x1F"
+
+    @classmethod
+    def get_structure(cls, text: str) -> List[Dict[str, Any]]:
+        """Reads a text as CSV standard with guessed dialect"""
+        # windows style \r\n
+        first_line_end = text.find('\r', 0, MAX_LINE_LENGTH)
+        line_terminator = "\r\n"
+        if 0 > first_line_end:
+            # unix style \n
+            first_line_end = text.find('\n', 0, MAX_LINE_LENGTH)
+            line_terminator = "\n"
+            if 0 > first_line_end:
+                raise ValueError(f"No suitable line end found in {MAX_LINE_LENGTH} symbols")
+
+        first_line = text[:first_line_end]
+        dialect = cls.sniffer.sniff(first_line, delimiters=cls.delimiters)
+        rows = []
+        reader = csv.DictReader(io.StringIO(text),
+                                delimiter=dialect.delimiter,
+                                lineterminator=line_terminator,
+                                strict=True)
+        # check the constant columns number for all rows
+        fields_number = sum(1 for x in reader.fieldnames if x is not None)
+        for row in reader:
+            if not isinstance(row, dict):
+                raise ValueError(f"ERROR: wrong row '{row}'")
+            if len(row) != fields_number or any(x is None for x in row.values()):
+                # None means no separator used
+                raise ValueError(f"Different columns number in row '{row}' - mismatch {fields_number}")
+            rows.append(row)
+        return rows
+
+    def data_scan(
+            self,  #
+            data_provider: DataContentProvider,  #
+            depth: int,  #
+            recursive_limit_size: int) -> Optional[List[Candidate]]:
+        """Tries to scan each row as structure with column name in key"""
+        try:
+            if rows := self.get_structure(data_provider.text):
+                struct_content_provider = StructContentProvider(struct=rows,
+                                                                file_path=data_provider.file_path,
+                                                                file_type=data_provider.file_type,
+                                                                info=f"{data_provider.info}|CSV")
+                new_limit = recursive_limit_size - sum(len(x) for x in rows)
+                struct_candidates = self.structure_scan(struct_content_provider, depth, new_limit)
+                return struct_candidates
+        except Exception as csv_exc:
+            logger.debug(f"{data_provider.file_path}:{csv_exc}")
+        return None

credsweeper/deep_scanner/deep_scanner.py

@@ -1,12 +1,12 @@
 import logging
 from typing import List, Any, Tuple
 
-from credsweeper.common.constants import MIN_DATA_LEN
 from credsweeper.config.config import Config
 from credsweeper.scanner.scanner import Scanner
 from credsweeper.utils.util import Util
 from .byte_scanner import ByteScanner
 from .bzip2_scanner import Bzip2Scanner
+from .csv_scanner import CsvScanner
 from .deb_scanner import DebScanner
 from .docx_scanner import DocxScanner
 from .eml_scanner import EmlScanner
@@ -23,7 +23,9 @@ from .pdf_scanner import PdfScanner
 from .pkcs_scanner import PkcsScanner
 from .pptx_scanner import PptxScanner
 from .rpm_scanner import RpmScanner
+from .rtf_scanner import RtfScanner
 from .sqlite3_scanner import Sqlite3Scanner
+from .strings_scanner import StringsScanner
 from .tar_scanner import TarScanner
 from .tmx_scanner import TmxScanner
 from .xlsx_scanner import XlsxScanner
@@ -38,6 +40,7 @@ class DeepScanner(
     ByteScanner,  #
     Bzip2Scanner,  #
     DocxScanner,  #
+    CsvScanner,  #
     EncoderScanner,  #
     GzipScanner,  #
     HtmlScanner,  #
@@ -49,8 +52,10 @@ class DeepScanner(
     PdfScanner,  #
     PkcsScanner,  #
     PptxScanner,  #
+    RtfScanner,  #
     RpmScanner,  #
     Sqlite3Scanner,  #
+    StringsScanner,  #
     TarScanner,  #
     DebScanner,  #
     XmlScanner,  #
@@ -133,6 +138,9 @@ class DeepScanner(
                 deep_scanners.append(Sqlite3Scanner)
         elif Util.is_asn1(data):
             deep_scanners.append(PkcsScanner)
+        elif Util.is_rtf(data):
+            deep_scanners.append(RtfScanner)
+            fallback_scanners.append(ByteScanner)
         elif Util.is_xml(data):
             if Util.is_html(data):
                 deep_scanners.append(HtmlScanner)
@@ -150,24 +158,26 @@ class DeepScanner(
                 deep_scanners.append(XmlScanner)
                 fallback_scanners.append(ByteScanner)
         elif Util.is_eml(data):
-            if ".eml" == descriptor.extension:
+            if descriptor.extension in (".eml", ".mht"):
                 deep_scanners.append(EmlScanner)
             else:
                 if 0 < depth:
-                    # formal patch looks like an eml
+                    # a formal patch looks like an eml
                     deep_scanners.append(PatchScanner)
                 fallback_scanners.append(EmlScanner)
             fallback_scanners.append(ByteScanner)
-        elif Util.is_known(data):
-            # the format is known but cannot be scanned
-            pass
         elif not Util.is_binary(data):
+            # keep ByteScanner first to apply real value position if possible
+            deep_scanners.append(ByteScanner)
             if 0 < depth:
                 deep_scanners.append(PatchScanner)
                 deep_scanners.append(EncoderScanner)
                 deep_scanners.append(LangScanner)
-            deep_scanners.append(ByteScanner)
+                deep_scanners.append(CsvScanner)
         else:
-            logger.warning("Cannot apply a deep scanner for type %s prefix %s %d", descriptor,
-                           repr(data[:MIN_DATA_LEN]), len(data))
+            if 0 < depth:
+                deep_scanners.append(StringsScanner)
+            else:
+                logger.warning("Cannot apply a deep scanner for type %s prefix %s %d", descriptor, repr(data[:32]),
+                               len(data))
         return deep_scanners, fallback_scanners

credsweeper/deep_scanner/jks_scanner.py

@@ -4,6 +4,7 @@ from typing import List, Optional
 
 import jks
 
+from credsweeper.common.constants import Severity, Confidence
 from credsweeper.credentials.candidate import Candidate
 from credsweeper.deep_scanner.abstract_scanner import AbstractScanner
 from credsweeper.file_handler.data_content_provider import DataContentProvider
@@ -24,14 +25,22 @@ class JksScanner(AbstractScanner, ABC):
             try:
                 keystore = jks.KeyStore.loads(data_provider.data, pw_probe, try_decrypt_keys=True)
                 # the password probe has passed, it will be the value
-                info = (f"{data_provider.info}|JKS:"
-                        f"{'sensitive data' if keystore.private_keys or keystore.secret_keys else 'default password'}")
+                if keystore.private_keys or keystore.secret_keys:
+                    severity = Severity.HIGH
+                    confidence = Confidence.STRONG
+                    info = f"{data_provider.info}|JKS:default password"
+                else:
+                    severity = Severity.LOW
+                    confidence = Confidence.WEAK
+                    info = f"{data_provider.info}|JKS:sensitive data"
                 candidate = Candidate.get_dummy_candidate(
                     self.config,  #
                     data_provider.file_path,  #
                     data_provider.file_type,  #
                     info,  #
                     "Java Key Storage")
+                candidate.severity = severity
+                candidate.confidence = confidence
                 value = pw_probe or "<EMPTY PASSWORD>"
                 candidate.line_data_list[0].line = f"'{value}' is the password"
                 candidate.line_data_list[0].value = pw_probe or "<EMPTY PASSWORD>"

credsweeper/deep_scanner/pkcs_scanner.py

@@ -3,6 +3,7 @@ import logging
 from abc import ABC
 from typing import List, Optional
 
+from credsweeper.common.constants import Severity, Confidence
 from credsweeper.credentials.candidate import Candidate
 from credsweeper.deep_scanner.abstract_scanner import AbstractScanner
 from credsweeper.file_handler.data_content_provider import DataContentProvider
@@ -35,6 +36,9 @@ class PkcsScanner(AbstractScanner, ABC):
                         "PKCS")
                     candidate.line_data_list[0].line = base64.b64encode(data_provider.data).decode()
                     candidate.line_data_list[0].value = repr(password)
+                    # high severity is assigned to private key rules
+                    candidate.severity = Severity.HIGH
+                    candidate.confidence = Confidence.STRONG
                     return [candidate]
             except Exception as pkcs_exc:
                 logger.debug(f"{data_provider.file_path}:{pw_probe}:{pkcs_exc}")