secator 0.22.0__py3-none-any.whl

secator/tasks/testssl.py

@@ -0,0 +1,283 @@
+import json
+import os
+import re
+import shlex
+
+from datetime import datetime
+
+from secator.config import CONFIG
+from secator.decorators import task
+from secator.output_types import Vulnerability, Certificate, Error, Info, Ip, Tag
+from secator.definitions import (PROXY, HOST, USER_AGENT, HEADER, OUTPUT_PATH,
+								CERTIFICATE_STATUS_UNKNOWN, CERTIFICATE_STATUS_TRUSTED, CERTIFICATE_STATUS_REVOKED,
+								TIMEOUT)
+from secator.tasks._categories import Command, OPTS
+
+
+@task()
+class testssl(Command):
+	"""SSL/TLS security scanner, including ciphers, protocols and cryptographic flaws."""
+	cmd = 'testssl.sh'
+	input_types = [HOST]
+	output_types = [Certificate, Vulnerability, Ip, Tag]
+	tags = ['dns', 'recon', 'tls']
+	input_flag = None
+	file_flag = '-iL'
+	file_eof_newline = True
+	version_flag = ''
+	opt_prefix = '--'
+	opts = {
+		'verbose': {'is_flag': True, 'default': False, 'internal': True, 'display': True, 'help': 'Record all SSL/TLS info, not only critical info'},  # noqa: E501
+		'parallel': {'is_flag': True, 'default': False, 'help': 'Test multiple hosts in parallel'},
+		'warnings': {'type': str, 'default': None, 'help': 'Set to "batch" to stop on errors, and "off" to skip errors and continue'},  # noqa: E501
+		'ids_friendly': {'is_flag': True, 'default': False, 'help': 'Avoid IDS blocking by skipping a few vulnerability checks'},  # noqa: E501
+		'hints': {'is_flag': True, 'default': False, 'help': 'Additional hints to findings'},
+		'server_defaults': {'is_flag': True, 'default': False, 'help': 'Displays the server default picks and certificate info'},  # noqa: E501
+	}
+	meta_opts = {
+		PROXY: OPTS[PROXY],
+		USER_AGENT: OPTS[USER_AGENT],
+		HEADER: OPTS[HEADER],
+		TIMEOUT: OPTS[TIMEOUT],
+	}
+	opt_key_map = {
+		PROXY: 'proxy',
+		USER_AGENT: 'user-agent',
+		HEADER: 'reqheader',
+		TIMEOUT: 'connect-timeout',
+		'ipv6': '-6',
+	}
+	proxy_http = True
+	proxychains = False
+	proxy_socks5 = False
+	profile = 'io'
+	install_cmd_pre = {
+		'apk': ['hexdump', 'coreutils', 'procps', 'bash'],
+		'pacman': ['util-linux', 'bash'],
+		'*': ['bsdmainutils', 'bash']
+	}
+	install_version = 'v3.2.0'
+	install_cmd = (
+		f'git clone --depth 1 --single-branch -b [install_version] https://github.com/drwetter/testssl.sh.git {CONFIG.dirs.share}/testssl.sh_[install_version] || true && '  # noqa: E501
+		f'ln -sf {CONFIG.dirs.share}/testssl.sh_[install_version]/testssl.sh {CONFIG.dirs.bin}'
+	)
+	install_github_bin = False
+	github_handle = 'testssl/testssl.sh'
+
+	@staticmethod
+	def on_cmd(self):
+		output_path = self.get_opt_value(OUTPUT_PATH)
+		if not output_path:
+			output_path = f'{self.reports_folder}/.outputs/{self.unique_name}.json'
+		self.output_path = output_path
+		self.cmd += f' --jsonfile {shlex.quote(self.output_path)}'
+
+		# Hack because target needs to be the last argument in testssl.sh
+		if len(self.inputs) == 1:
+			target = self.inputs[0]
+			target_quoted = shlex.quote(target)
+			self.cmd = re.sub(re.escape(f' {target_quoted}'), "", self.cmd)
+			self.cmd += f' {target_quoted}'
+
+	@staticmethod
+	def on_cmd_done(self):
+		if not os.path.exists(self.output_path):
+			yield Error(message=f'Could not find JSON results in {self.output_path}')
+			return
+		yield Info(message=f'JSON results saved to {self.output_path}')
+
+		verbose = self.get_opt_value('verbose')
+		with open(self.output_path, 'r') as f:
+			data = json.load(f)
+			bad_cyphers = {}
+			retrieved_certificates = {}
+			ignored_item_ids = ["scanTime", "overall_grade", "DNS_CAArecord"]
+			ip_addresses = []
+			host_to_ips = {}
+
+			for item in data:
+				host, ip = tuple(item['ip'].split('/'))
+				id = item['id']
+				# port = item['port']
+				finding = item['finding']
+				severity = item['severity'].lower()
+				cwe = item.get('cwe')
+				vuln_tags = ['ssl', 'tls']
+				if cwe:
+					vuln_tags.append(cwe)
+
+				# Skip ignored items
+				if id.startswith(tuple(ignored_item_ids)):
+					continue
+
+				# Add IP to address pool
+				host_to_ips.setdefault(host, []).append(ip)
+				if ip not in ip_addresses:
+					ip_addresses.append(ip)
+					yield Ip(
+						host=host,
+						ip=ip,
+						alive=True
+					)
+
+				# Process errors
+				if id.startswith("scanProblem"):
+					yield Error(message=finding)
+
+				# Process bad ciphers
+				elif id.startswith('cipher-'):
+					splited_item = item["finding"].split(" ")
+					concerned_protocol = splited_item[0]
+					bad_cypher = splited_item[-1]
+					bad_cyphers.setdefault(ip, {}).setdefault(concerned_protocol, []).append(bad_cypher)  # noqa: E501
+
+				# Process certificates
+				elif id.startswith('cert_') or id.startswith('cert '):
+					retrieved_certificates.setdefault(ip, []).append(item)
+
+				# Process intermediate certificates
+				elif id.startswith('intermediate_cert_'):
+					# TODO: implement this
+					pass
+
+				# If info or ok, create a tag only if 'verbose' option is set
+				elif severity in ['info', 'ok']:
+					if not verbose:
+						continue
+					yield Tag(
+						category='info',
+						name='ssl_tls',
+						match=host,
+						value=finding,
+						extra_data={
+							'subtype': id,
+						}
+					)
+
+				# Create vulnerability
+				else:
+					if id in ['TLS1', 'TLS1_1']:
+						human_name = f'SSL/TLS deprecated protocol offered: {id}'
+					else:
+						human_name = f'SSL/TLS {id}'
+					yield Vulnerability(
+						name=human_name,
+						matched_at=host,
+						ip=ip,
+						tags=vuln_tags,
+						severity=severity,
+						confidence='high',
+						extra_data={
+							'id': id,
+							'finding': finding
+						}
+					)
+
+			# Creating vulnerability for the deprecated ciphers
+			for ip, protocols in bad_cyphers.items():
+				for protocol, cyphers in protocols.items():
+					yield Vulnerability(
+						name=f'SSL/TLS vulnerability ciphers for {protocol} deprecated',
+						matched_at=ip,
+						ip=ip,
+						confidence='high',
+						severity='low',
+						extra_data={
+							'cyphers': cyphers
+						}
+					)
+
+			# Creating certificates for each founded target
+			host_to_ips = {k: set(v) for k, v in host_to_ips.items()}
+			for ip, certs in retrieved_certificates.items():
+				host = [k for k, v in host_to_ips.items() if ip in v][0]
+				cert_data = {
+					'host': host,
+					'ip': ip,
+					'fingerprint_sha256': None,
+					'subject_cn': None,
+					'subject_an': None,
+					'not_before': None,
+					'not_after': None,
+					'issuer_cn': None,
+					'self_signed': None,
+					'trusted': None,
+					'status': None,
+					'keysize': None,
+					'serial_number': None,
+				}
+				for cert in certs:
+					host = [k for k, v in host_to_ips.items() if ip in v][0]
+					id = cert['id']
+					finding = cert['finding']
+
+					if id.startswith('cert_crlDistributionPoints') and finding != '--':
+						# TODO not implemented, need to find a certificate that is revoked by CRL
+						cert_data['status'] = CERTIFICATE_STATUS_UNKNOWN
+
+					if id.startswith('cert_ocspRevoked'):
+						if finding.startswith('not revoked'):
+							cert_data['status'] = CERTIFICATE_STATUS_TRUSTED
+						else:
+							cert_data['status'] = CERTIFICATE_STATUS_REVOKED
+
+					if id.startswith('cert_fingerprintSHA256'):
+						cert_data['fingerprint_sha256'] = finding
+
+					if id.startswith('cert_commonName'):
+						cert_data['subject_cn'] = finding
+
+					if id.startswith('cert_subjectAltName'):
+						cert_data['subject_an'] = finding.split(" ")
+
+					if id.startswith('cert_notBefore'):
+						cert_data['not_before'] = datetime.strptime(finding, "%Y-%m-%d %H:%M")
+
+					if id.startswith('cert_notAfter'):
+						cert_data['not_after'] = datetime.strptime(finding, "%Y-%m-%d %H:%M")
+
+					if id.startswith('cert_caIssuers'):
+						cert_data['issuer_cn'] = finding
+
+					if id.startswith('cert_chain_of_trust'):
+						cert_data['self_signed'] = 'self signed' in finding
+
+					if id.startswith('cert_chain_of_trust'):
+						cert_data['trusted'] = finding.startswith('passed')
+
+					if id.startswith('cert_keySize'):
+						cert_data['keysize'] = int(finding.split(" ")[1])
+
+					if id.startswith('cert_serialNumber'):
+						cert_data['serial_number'] = finding
+
+					if id.startswith('cert ') and finding.startswith('-----BEGIN CERTIFICATE-----'):
+						cert_data['raw_value'] = finding
+
+				# For the following attributes commented, it's because at the time of writting it
+				# I did not found the value inside the result of testssl
+				cert = Certificate(
+					**cert_data
+					# issuer_dn='',
+					# issuer='',
+					# TODO: delete the ciphers attribute from certificate outputType
+					# ciphers=None,
+					# TODO: need to find a way to retrieve the parent certificate,
+					# parent_certificate=None,
+				)
+				yield cert
+				if cert.is_expired():
+					yield Vulnerability(
+						name='SSL certificate expired',
+						provider='testssl',
+						description='The SSL certificate is expired. This can easily lead to domain takeovers',
+						matched_at=host,
+						ip=ip,
+						tags=['ssl', 'tls'],
+						severity='medium',
+						confidence='high',
+						extra_data={
+							'id': id,
+							'expiration_date': Certificate.format_date(cert.not_after)
+						}
+					)

secator/tasks/trivy.py

@@ -0,0 +1,130 @@
+import click
+import os
+import yaml
+import shlex
+
+from pathlib import Path
+
+from secator.config import CONFIG
+from secator.decorators import task
+from secator.definitions import (THREADS, OUTPUT_PATH, OPT_NOT_SUPPORTED, HEADER, DELAY, FOLLOW_REDIRECT,
+								PATH, PROXY, RATE_LIMIT, RETRIES, TIMEOUT, USER_AGENT, STRING)
+from secator.output_types import Vulnerability, Tag, Info, Error
+from secator.tasks._categories import Vuln
+from secator.utils import caml_to_snake
+from secator.rich import console
+
+
+TRIVY_MODES = ['image', 'fs', 'repo']
+
+
+def convert_mode(mode):
+	return 'fs' if mode == 'filesystem' else 'repo' if mode == 'git' else mode
+
+
+@task()
+class trivy(Vuln):
+	"""Comprehensive and versatile security scanner."""
+	cmd = 'trivy'
+	input_types = [PATH, STRING]
+	output_types = [Tag, Vulnerability]
+	tags = ['vuln', 'scan']
+	input_chunk_size = 1
+	json_flag = '-f json'
+	version_flag = '--version'
+	opts = {
+		"mode": {"type": click.Choice(TRIVY_MODES), 'help': f'Scan mode ({", ".join(TRIVY_MODES)})', 'internal': True, 'required': False}  # noqa: E501
+	}
+	opt_key_map = {
+		THREADS: OPT_NOT_SUPPORTED,
+		HEADER: OPT_NOT_SUPPORTED,
+		DELAY: OPT_NOT_SUPPORTED,
+		FOLLOW_REDIRECT: OPT_NOT_SUPPORTED,
+		PROXY: OPT_NOT_SUPPORTED,
+		RATE_LIMIT: OPT_NOT_SUPPORTED,
+		RETRIES: OPT_NOT_SUPPORTED,
+		TIMEOUT: OPT_NOT_SUPPORTED,
+		USER_AGENT: OPT_NOT_SUPPORTED
+	}
+	opt_value_map = {
+		'mode': lambda x: convert_mode(x)
+	}
+	install_version = 'v0.61.1'
+	install_cmd = (
+		'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh |'
+		f'sudo sh -s -- -b {CONFIG.dirs.bin} [install_version]'
+	)
+	github_handle = 'aquasecurity/trivy'
+
+	@staticmethod
+	def on_cmd(self):
+		mode = self.cmd_options.get('mode', {}).get('value')
+		if mode and mode not in TRIVY_MODES:
+			raise Exception(f'Invalid mode: {mode}')
+		if not mode and len(self.inputs) > 0:
+			git_path = Path(self.inputs[0]) / '.git'
+			if git_path.exists():
+				mode = 'repo'
+			elif Path(self.inputs[0]).exists():
+				mode = 'fs'
+			else:
+				mode = 'image'
+			console.print(Info(message=f'Auto mode detected: {mode} for input: {self.inputs[0]}'))
+
+		output_path = self.get_opt_value(OUTPUT_PATH)
+		if not output_path:
+			output_path = f'{self.reports_folder}/.outputs/{self.unique_name}.json'
+		self.output_path = output_path
+		self.cmd = self.cmd.replace(f' -mode {mode}', '').replace('trivy', f'trivy {mode}')
+		self.cmd += f' -o {shlex.quote(self.output_path)}'
+
+	@staticmethod
+	def on_cmd_done(self):
+		if not os.path.exists(self.output_path):
+			yield Error(message=f'Could not find JSON results in {self.output_path}')
+			return
+
+		yield Info(message=f'JSON results saved to {self.output_path}')
+		with open(self.output_path, 'r') as f:
+			results = yaml.safe_load(f.read()).get('Results', [])
+		for item in results:
+			for vuln in item.get('Vulnerabilities', []):
+				vuln_id = vuln['VulnerabilityID']
+				extra_data = {}
+				if 'PkgName' in vuln:
+					extra_data['product'] = vuln['PkgName']
+				if 'InstalledVersion' in vuln:
+					extra_data['version'] = vuln['InstalledVersion']
+				cvss = vuln.get('CVSS', {})
+				cvss_score = -1
+				for _, cvss_data in cvss.items():
+					cvss_score = cvss_data.get('V3Score', -1) or cvss_data.get('V2Score', -1)
+				data = {
+					'name': vuln_id.replace('-', '_'),
+					'id': vuln_id,
+					'provider': vuln.get('DataSource', {}).get('ID', ''),
+					'description': vuln.get('Description'),
+					'matched_at': self.inputs[0],
+					'confidence': 'high',
+					'severity': vuln['Severity'].lower(),
+					'cvss_score': cvss_score,
+					'reference': vuln.get('PrimaryURL', ''),
+					'references': vuln.get('References', []),
+					'extra_data': extra_data
+				}
+				if vuln_id.startswith('CVE'):
+					remote_data = Vuln.lookup_cve(vuln_id)
+					if remote_data:
+						data.update(remote_data)
+				yield Vulnerability(**data)
+			for secret in item.get('Secrets', []):
+				code_context = '\n'.join([line['Content'] for line in secret.get('Code', {}).get('Lines') or []])
+				extra_data = {'code_context': code_context}
+				extra_data.update({caml_to_snake(k): v for k, v in secret.items() if k not in ['RuleID', 'Match', 'Code']})
+				yield Tag(
+					category='secret',
+					name=secret['RuleID'].replace('-', '_'),
+					value=secret['Match'],
+					match=item['Target'],
+					extra_data=extra_data
+				)

secator/tasks/trufflehog.py

@@ -0,0 +1,240 @@
+import click
+
+from pathlib import Path
+
+from secator.config import CONFIG
+from secator.decorators import task
+from secator.runners import Command
+from secator.definitions import (PATH, URL, STRING, OPT_SPACE_SEPARATED, GCS_URL, ADDONS_ENABLED, SLUG)
+from secator.utils import caml_to_snake
+from secator.output_types import Tag, Info, Warning, Error
+from secator.rich import console
+from secator.serializers import JSONSerializer
+
+TRUFFLEHOG_MODES = [
+    'git',
+    'github',
+    'gitlab',
+    's3',
+    'filesystem',
+    'gcs',
+    'docker',
+    'postman',
+    'jenkins',
+    'elasticsearch',
+    'huggingface',
+    'syslog',
+]
+
+
+@task()
+class trufflehog(Command):
+    """Tool for finding secrets in git repositories and filesystems using TruffleHog."""
+    cmd = 'trufflehog'
+    tags = ['secret', 'scan']
+    input_types = [PATH, URL, STRING, GCS_URL, SLUG]
+    item_loaders = [JSONSerializer()]
+    input_flag = None
+    file_flag = OPT_SPACE_SEPARATED
+    json_flag = '--json'
+    opt_prefix = '--'
+    opts = {
+        'mode': {
+            'type': click.Choice(TRUFFLEHOG_MODES),
+            'help': f'Scan mode ({", ".join(TRUFFLEHOG_MODES)})',
+            'internal': True
+        },
+        'status': {'type': str, 'help': 'Results status (verified, unknown, unverified, filtered_unverified)'},
+        'concurrency': {'type': int, 'help': 'Number of concurrent workers'},
+        'config': {'type': str, 'short': 'config', 'help': 'Config file path'},
+        'git_branch': {'type': str, 'help': 'Branch to scan (git mode only)'},
+        'git_depth': {'type': int, 'help': 'Commit depth to scan (git mode only)'},
+        'git_since_commit': {'type': str, 'help': 'Scan commits starting from this commit'},
+        'git_max_depth': {'type': int, 'help': 'Maximum depth of commits to scan'},
+        'jenkins_username': {'type': str, 'help': 'Jenkins username to use when --mode jenkins'},
+        'jenkins_password': {'type': str, 'help': 'Jenkins password to use when --mode jenkins'},
+        'postman_collection_id': {'type': str, 'help': 'Postman collection ID to use when --mode postman'},
+        'postman_token': {'type': str, 'help': 'Postman API token to use when --mode postman'},
+        'postman_workspace_id': {'type': str, 'help': 'Postman workspace ID to use when --mode postman'},
+        'gitlab_token': {'type': str, 'help': 'Gitlab token to use when --mode gitlab'},
+        'gitlab_endpoint': {'type': str, 'default': 'https://gitlab.com', 'help': 'Gitlab endpoint to use when --mode gitlab', 'internal': True},  # noqa: E501
+        'elasticsearch_nodes': {'type': str, 'help': 'Elasticsearch nodes (space separated) to use when --mode elasticsearch'},  # noqa: E501
+        'elasticsearch_service_token': {'type': str, 'help': 'Elasticsearch service token to use when --mode elasticsearch'},  # noqa: E501
+        'elasticsearch_cloud_id': {'type': str, 'help': 'Elasticsearch cloud ID to use when --mode elasticsearch'},
+        'elasticsearch_api_key': {'type': str, 'help': 'Elasticsearch API key to use when --mode elasticsearch'},
+    }
+    opt_key_map = {
+        'jenkins_username': '--username',
+        'jenkins_password': '--password',
+        'postman_collection_id': '--collection-id',
+        'postman_token': '--token',
+        'postman_workspace_id': '--workspace-id',
+        'git_branch': '--branch',
+        'git_depth': '--depth',
+        'git_since_commit': '--since-commit',
+        'git_max_depth': '--max-depth',
+        'gitlab_token': '--token',
+        'gitlab_endpoint': '--endpoint',
+        'elasticsearch_nodes': '--nodes',
+        'elasticsearch_service_token': '--service-token',
+        'elasticsearch_cloud_id': '--cloud-id',
+        'elasticsearch_api_key': '--api-key',
+        'status': '--results',
+    }
+    output_types = [Tag, Info]
+    ignore_return_code = True
+    install_version = 'v3.91.0'
+    install_cmd = (
+        f'git clone https://github.com/trufflesecurity/trufflehog.git '
+        f'{CONFIG.dirs.share}/trufflehog_[install_version] || true && '
+        f'cd {CONFIG.dirs.share}/trufflehog_[install_version] && go build -o trufflehog . && '
+        f'mv {CONFIG.dirs.share}/trufflehog_[install_version]/trufflehog {CONFIG.dirs.bin}'
+    )
+    github_handle = 'trufflesecurity/trufflehog'
+
+    @staticmethod
+    def before_init(self):
+        blob_folder = f'{self.reports_folder}/.inputs'
+        del_indexes = []
+        gcs_objects = False
+        for i, input in enumerate(self.inputs):
+            if input.startswith('gs://'):
+                if not ADDONS_ENABLED['gcs']:
+                    raise Exception('GCS addon is not installed. Please install it using `secator install addons gcs`.')
+                gcs_objects = True
+                from secator.hooks.gcs import download_blob
+                split_input = input.split('/')
+                bucket_name, source_blob_name = split_input[2], '/'.join(split_input[3:])
+                destination_file_name = f'{blob_folder}/{source_blob_name}'
+                download_blob(bucket_name, source_blob_name, destination_file_name)
+                del_indexes.append(i)
+        for i in reversed(del_indexes):
+            del self.inputs[i]
+        if gcs_objects:
+            self.inputs.append(blob_folder)
+
+    @staticmethod
+    def on_cmd(self):
+        mode = self.get_opt_value('mode')
+        new_input = None
+        submode = None
+        input = self.inputs[0] if self.inputs else None
+        if mode and mode not in TRUFFLEHOG_MODES:
+            raise Exception(f'Invalid mode: {mode}')
+        if not mode and input:
+            git_path = Path(input).joinpath('.git')
+            if git_path.exists():
+                mode = 'git'
+                submode = 'local'
+            elif Path(input).exists():
+                mode = 'filesystem'
+            elif input.startswith('https://github.com/'):
+                mode = 'github'
+                len_args = len(input.split('/'))
+                if len_args == 4:
+                    submode = 'org'
+                    new_input = input.split('/')[-1]
+                elif len_args == 5:
+                    submode = 'repo'
+                    new_input = '/'.join(input.split('/')[-2:])
+            elif input.startswith('https://gitlab.com/'):
+                mode = 'gitlab'
+
+            if mode:
+                console.print(Info(message=f'Auto mode detected: {mode} for input: {input}'))
+            else:
+                error = (f'Could not determine mode for input "{input}". Please specify the mode manually using the --mode option')  # noqa: E501
+                raise Exception(error)
+
+        # Add correct option
+        mode_to_option = {
+            'github_org': '--org',
+            'github_repo': '--repo',
+            'git': None,
+            'gitlab': '--repo',
+            's3': '--bucket',
+            'gcs': '--cloud-environment --project-id',
+            'docker': '--image',
+            'jenkins': '--url',
+            None: None,
+        }
+        submode_to_option = {
+            'local': 'file://',
+            'org': '--org ',
+            'repo': '--repo ',
+            None: None,
+        }
+        if new_input:
+            console.print(Info(message=f'Replacing input {input} with {new_input}'))
+            self.cmd = self.cmd.replace(input, f'{new_input}')
+            input = new_input
+        submode_option = submode_to_option.get(submode)
+        if submode_option:
+            self.cmd = self.cmd.replace(input, f'{submode_option}{input}')
+        option = mode_to_option.get(mode)
+        if option:
+            self.cmd = self.cmd.replace(input, f'{option} {input}')
+        if f'trufflehog {mode}' not in self.cmd:
+            self.cmd = self.cmd.replace('trufflehog', f'trufflehog {mode}', 1)
+
+    @staticmethod
+    def on_json_loaded(self, item):
+        level = item.get('level')
+        if level:
+            msg = item.get('msg', '').capitalize()
+            if level.startswith('info'):
+                yield Info(message=msg)
+            elif msg == 'Error running scan':
+                error = item.get('error')
+                msg += ' - ' + error if error else ''
+                yield Error(message=msg)
+            return
+
+        if 'SourceMetadata' not in item:
+            return item
+
+        rule_id = caml_to_snake(item.get('DetectorName', 'Unknown'))
+        source_metadata = item.get('SourceMetadata', {}).get('Data', {})
+        raw = item.get('RawV2') or item.get('Raw')
+        detector_data = {caml_to_snake(k): v for k, v in item.items() if k not in ['SourceMetadata', 'Raw', 'RawV2']}
+        data = {caml_to_snake(k): v for k, v in source_metadata[list(source_metadata.keys())[0]].items()}
+        if 'timestamp' in data:
+            del data['timestamp']
+        subtype = list(source_metadata.keys())[0].lower()
+        extra_data = {
+            'subtype': subtype,
+            'detector_data': {caml_to_snake(k): v for k, v in detector_data.items()}
+        }
+        extra_data.update({caml_to_snake(k): v for k, v in data.items()})
+        match = ''
+        repo_path = data.get('repository', '')
+        if 'file://' in repo_path:
+            repo_path = repo_path.replace('file://', '')
+        file = data.get('file')
+        line_no = data.get('line')
+        link = data.get('link')
+        if file:
+            match += file
+        if line_no:
+            match += f":{line_no}"
+        if link:
+            match = link
+        if repo_path and subtype != 'github':
+            match = repo_path + '/' + match
+
+        if not match:
+            console.print(Warning(message=f'Could not determine match for subtype: {subtype}'))
+            match = self.inputs[0]
+
+        item_extra_data = item.get('ExtraData') or {}
+        rtype = item_extra_data.get('resource_type')
+        name = rule_id.lower()
+        if rtype:
+            name = f"{name}_{rtype.lower().replace(' ', '_')}"
+        yield Tag(
+            category='secret',
+            name=name,
+            value=raw,
+            match=match,
+            extra_data=extra_data
+        )