feat: add secret scanning (fanal#431)

Co-authored-by: VaismanLior <[email protected]>

Author: knqyf263

analyzer/all/import.go

@@ -31,4 +31,5 @@ import (
 	_ "github.com/aquasecurity/fanal/analyzer/pkg/dpkg"
 	_ "github.com/aquasecurity/fanal/analyzer/pkg/rpm"
 	_ "github.com/aquasecurity/fanal/analyzer/repo/apk"
+	_ "github.com/aquasecurity/fanal/analyzer/secret"
 )

analyzer/analyzer.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 	"sync"
 
+	"golang.org/x/exp/slices"
 	"golang.org/x/sync/semaphore"
 	"golang.org/x/xerrors"
 
@@ -84,6 +85,7 @@ type AnalysisResult struct {
 	PackageInfos         []types.PackageInfo
 	Applications         []types.Application
 	Configs              []types.Config
+	Secrets              []types.Secret
 	SystemInstalledFiles []string // A list of files installed by OS package manager
 
 	// For Red Hat
@@ -96,7 +98,8 @@ type AnalysisResult struct {
 
 func (r *AnalysisResult) isEmpty() bool {
 	return r.OS == nil && r.Repository == nil && len(r.PackageInfos) == 0 && len(r.Applications) == 0 &&
-		len(r.Configs) == 0 && len(r.SystemInstalledFiles) == 0 && r.BuildInfo == nil && len(r.CustomResources) == 0
+		len(r.Configs) == 0 && len(r.Secrets) == 0 && len(r.SystemInstalledFiles) == 0 && r.BuildInfo == nil &&
+		len(r.CustomResources) == 0
 }
 
 func (r *AnalysisResult) Sort() {
@@ -122,6 +125,19 @@ func (r *AnalysisResult) Sort() {
 			return app.Libraries[i].Version < app.Libraries[j].Version
 		})
 	}
+
+	// Secrets
+	sort.Slice(r.Secrets, func(i, j int) bool {
+		return r.Secrets[i].FilePath < r.Secrets[j].FilePath
+	})
+	for _, sec := range r.Secrets {
+		sort.Slice(sec.Findings, func(i, j int) bool {
+			if sec.Findings[i].RuleID != sec.Findings[j].RuleID {
+				return sec.Findings[i].RuleID < sec.Findings[j].RuleID
+			}
+			return sec.Findings[i].StartLine < sec.Findings[j].StartLine
+		})
+	}
 }
 
 func (r *AnalysisResult) Merge(new *AnalysisResult) {
@@ -155,7 +171,7 @@ func (r *AnalysisResult) Merge(new *AnalysisResult) {
 	}
 
 	r.Configs = append(r.Configs, new.Configs...)
-
+	r.Secrets = append(r.Secrets, new.Secrets...)
 	r.SystemInstalledFiles = append(r.SystemInstalledFiles, new.SystemInstalledFiles...)
 
 	if new.BuildInfo != nil {
@@ -233,11 +249,16 @@ func (ag AnalyzerGroup) ImageConfigAnalyzerVersions() map[string]int {
 }
 
 func (ag AnalyzerGroup) AnalyzeFile(ctx context.Context, wg *sync.WaitGroup, limit *semaphore.Weighted, result *AnalysisResult,
-	dir, filePath string, info os.FileInfo, opener Opener, opts AnalysisOptions) error {
+	dir, filePath string, info os.FileInfo, opener Opener, disabled []Type, opts AnalysisOptions) error {
 	if info.IsDir() {
 		return nil
 	}
 	for _, a := range ag.analyzers {
+		// Skip disabled analyzers
+		if slices.Contains(disabled, a.Type()) {
+			continue
+		}
+
 		// filepath extracted from tar file doesn't have the prefix "/"
 		if !a.Required(strings.TrimLeft(filePath, "/"), info) {
 			continue

analyzer/analyzer_test.go

@@ -418,7 +418,7 @@ func TestAnalyzeFile(t *testing.T) {
 					}
 					return os.Open(tt.args.testFilePath)
 				},
-				analyzer.AnalysisOptions{},
+				nil, analyzer.AnalysisOptions{},
 			)
 
 			wg.Wait()

analyzer/const.go

@@ -80,6 +80,11 @@ const (
 	TypeTerraform      Type = "terraform"
 	TypeCloudFormation Type = "cloudFormation"
 
+	// ========
+	// Secrets
+	// ========
+	TypeSecret Type = "secret"
+
 	// =======
 	// Red Hat
 	// =======

analyzer/secret/secret.go

@@ -0,0 +1,149 @@
+package secret
+
+import (
+	"context"
+	"io"
+	"math"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/exp/slices"
+	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/fanal/analyzer"
+	"github.com/aquasecurity/fanal/secret"
+	"github.com/aquasecurity/fanal/types"
+	dio "github.com/aquasecurity/go-dep-parser/pkg/io"
+)
+
+const version = 1
+
+var (
+	skipFiles = []string{
+		"go.mod",
+		"go.sum",
+		"package-lock.json",
+		"yarn.lock",
+		"Pipfile.lock",
+		"Gemfile.lock",
+	}
+	skipDirs = []string{".git", "node_modules"}
+	skipExts = []string{".jpg", ".png", ".gif", ".doc", ".pdf", ".bin", ".svg", ".socket", ".deb", ".rpm",
+		".zip", ".gz", ".gzip", ".tar", ".pyc"}
+)
+
+type ScannerOption struct {
+	ConfigPath string
+}
+
+// SecretAnalyzer is an analyzer for secrets
+type SecretAnalyzer struct {
+	scanner secret.Scanner
+}
+
+func RegisterSecretAnalyzer(opt ScannerOption) error {
+	a, err := newSecretAnalyzer(opt.ConfigPath)
+	if err != nil {
+		return xerrors.Errorf("secret scanner init error: %w", err)
+	}
+	analyzer.RegisterAnalyzer(a)
+	return nil
+}
+
+func newSecretAnalyzer(configPath string) (SecretAnalyzer, error) {
+	s, err := secret.NewScanner(configPath)
+	if err != nil {
+		return SecretAnalyzer{}, xerrors.Errorf("secret scanner error: %w", err)
+	}
+	return SecretAnalyzer{scanner: s}, nil
+}
+
+func (a SecretAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
+	// Do not scan binaries
+	binary, err := isBinary(input.Content, input.Info.Size())
+	if binary || err != nil {
+		return nil, nil
+	}
+
+	content, err := io.ReadAll(input.Content)
+	if err != nil {
+		return nil, xerrors.Errorf("read error %s: %w", input.FilePath, err)
+	}
+
+	result := a.scanner.Scan(secret.ScanArgs{
+		FilePath: input.FilePath,
+		Content:  content,
+	})
+
+	if len(result.Findings) == 0 {
+		return nil, nil
+	}
+
+	return &analyzer.AnalysisResult{
+		Secrets: []types.Secret{result},
+	}, nil
+}
+
+func isBinary(content dio.ReadSeekerAt, fileSize int64) (bool, error) {
+	headSize := int(math.Min(float64(fileSize), 300))
+	head := make([]byte, headSize)
+	if _, err := content.Read(head); err != nil {
+		return false, err
+	}
+	if _, err := content.Seek(0, io.SeekStart); err != nil {
+		return false, err
+	}
+
+	// cf. https://github.com/file/file/blob/f2a6e7cb7db9b5fd86100403df6b2f830c7f22ba/src/encoding.c#L151-L228
+	for _, b := range head {
+		if b < 7 || b == 11 || (13 < b && b < 27) || (27 < b && b < 0x20) || b == 0x7f {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func (a SecretAnalyzer) Required(filePath string, fi os.FileInfo) bool {
+	// Skip small files
+	if fi.Size() < 10 {
+		return false
+	}
+
+	dir, fileName := filepath.Split(filePath)
+	dir = filepath.ToSlash(dir)
+	dirs := strings.Split(dir, "/")
+
+	// Check if the directory should be skipped
+	for _, skipDir := range skipDirs {
+		if slices.Contains(dirs, skipDir) {
+			return false
+		}
+	}
+
+	// Check if the file should be skipped
+	if slices.Contains(skipFiles, fileName) {
+		return false
+	}
+
+	// Check if the file extension should be skipped
+	ext := filepath.Ext(fileName)
+	if slices.Contains(skipExts, ext) {
+		return false
+	}
+
+	if a.scanner.AllowPath(filePath) {
+		return false
+	}
+
+	return true
+}
+
+func (a SecretAnalyzer) Type() analyzer.Type {
+	return analyzer.TypeSecret
+}
+
+func (a SecretAnalyzer) Version() int {
+	return version
+}

analyzer/secret/secret_test.go

@@ -0,0 +1,132 @@
+package secret
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/fanal/analyzer"
+	"github.com/aquasecurity/fanal/types"
+)
+
+func TestSecretAnalyzer(t *testing.T) {
+	wantFinding1 := types.SecretFinding{
+		RuleID:    "rule1",
+		Category:  "general",
+		Title:     "Generic Rule",
+		Severity:  "HIGH",
+		StartLine: 2,
+		EndLine:   3,
+		Match:     "generic secret line secret=\"*****\"",
+	}
+	wantFinding2 := types.SecretFinding{
+		RuleID:    "rule1",
+		Category:  "general",
+		Title:     "Generic Rule",
+		Severity:  "HIGH",
+		StartLine: 4,
+		EndLine:   5,
+		Match:     "secret=\"*****\"",
+	}
+	tests := []struct {
+		name       string
+		configPath string
+		filePath   string
+		want       *analyzer.AnalysisResult
+	}{
+		{
+			name:       "return results",
+			configPath: "testdata/config.yaml",
+			filePath:   "testdata/secret.txt",
+			want: &analyzer.AnalysisResult{
+				Secrets: []types.Secret{{
+					FilePath: "testdata/secret.txt",
+					Findings: []types.SecretFinding{wantFinding1, wantFinding2},
+				},
+				},
+			},
+		},
+		{
+			name:       "return nil when no results",
+			configPath: "",
+			filePath:   "testdata/secret.txt",
+			want:       nil,
+		},
+		{
+			name:       "skip binary file",
+			configPath: "",
+			filePath:   "testdata/binaryfile",
+			want:       nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a, err := newSecretAnalyzer(tt.configPath)
+			require.NoError(t, err)
+			content, err := os.Open(tt.filePath)
+			require.NoError(t, err)
+			fi, err := content.Stat()
+			require.NoError(t, err)
+
+			got, err := a.Analyze(context.TODO(), analyzer.AnalysisInput{
+				FilePath: tt.filePath,
+				Content:  content,
+				Info:     fi,
+			})
+
+			require.NoError(t, err)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestSecretRequire(t *testing.T) {
+	tests := []struct {
+		name     string
+		filePath string
+		want     bool
+	}{
+		{
+			name:     "pass regular file",
+			filePath: "testdata/secret.txt",
+			want:     true,
+		},
+		{
+			name:     "skip small file",
+			filePath: "testdata/emptyfile",
+			want:     false,
+		},
+		{
+			name:     "skip folder",
+			filePath: "testdata/node_modules/secret.txt",
+			want:     false,
+		},
+		{
+			name:     "skip file",
+			filePath: "testdata/package-lock.json",
+			want:     false,
+		},
+		{
+			name:     "skip extension",
+			filePath: "testdata/secret.doc",
+			want:     false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a, err := newSecretAnalyzer("")
+			require.NoError(t, err)
+
+			fi, err := os.Stat(tt.filePath)
+			require.NoError(t, err)
+
+			got := a.Required(tt.filePath, fi)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

analyzer/secret/testdata/binaryfile

@@ -0,0 +1,9 @@
+rules:
+  - id: rule1
+    category: general
+    title: Generic Rule
+    severity: HIGH
+    regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]
+    secret-group-name: secret
+
+