
@klustic
Last active February 11, 2021 16:13
Run ripgrep using Trufflehog patterns
#!/usr/bin/env python3
# Deps:
# ripgrep: https://github.com/BurntSushi/ripgrep
# Credit:
# Trufflehog: https://github.com/dxa4481/truffleHog
import argparse
import logging
import os
import pathlib
import subprocess
import time
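# Detection patterns, keyed by a human-readable description. The key is also
# used as the results file name, and the value is passed to `rg` as the regex.
# Patterns follow truffleHog (see the credit in the file header).
#
# These are heuristics: every hit is a candidate that still needs triage, and
# a clean run does not show that the tree is free of secrets.
#
# Fix relative to the upstream form: inside a character class `|` is a literal,
# so `[p|b|o|a]` or `[g|G]` also matched a `|` in that position. The classes
# below list only the intended letters.
rules = {
    # Covers only the four-segment `xox?-<12>-<12>-<12>-<32>` token layout.
    "Slack Token": "(xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})",
    # Private keys are recognised by their PEM header line only; headers not
    # listed here (e.g. `-----BEGIN PRIVATE KEY-----`) are not reported.
    "RSA private key": "-----BEGIN RSA PRIVATE KEY-----",
    "SSH (OPENSSH) private key": "-----BEGIN OPENSSH PRIVATE KEY-----",
    "SSH (DSA) private key": "-----BEGIN DSA PRIVATE KEY-----",
    "SSH (EC) private key": "-----BEGIN EC PRIVATE KEY-----",
    "PGP private key block": "-----BEGIN PGP PRIVATE KEY BLOCK-----",
    # Keyword, up to 30 arbitrary characters, then a quoted or
    # whitespace-delimited token of the expected length.
    "Facebook Oauth": "[fF][aA][cC][eE][bB][oO][oO][kK].{0,30}['\"\\s][0-9a-f]{32}['\"\\s]",
    "Twitter Oauth": "[tT][wW][iI][tT][tT][eE][rR].{0,30}['\"\\s][0-9a-zA-Z]{35,44}['\"\\s]",
    "GitHub": "[gG][iI][tT][hH][uU][bB].{0,30}['\"\\s][0-9a-zA-Z]{35,40}['\"\\s]",
    "Google Oauth": "(\"client_secret\":\"[a-zA-Z0-9-_]{24}\")",
    # Only key IDs with the `AKIA` prefix; other prefixes (for example
    # temporary `ASIA...` IDs) are not matched.
    "AWS API Key": "AKIA[0-9A-Z]{16}",
    # NOTE(review): the UUID part accepts upper-case hex only; rg is invoked
    # without -i, so lower-case UUIDs look like they are missed -- confirm.
    "Heroku API Key": "[hH][eE][rR][oO][kK][uU].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}",
    "Generic Secret": "[sS][eE][cC][rR][eE][tT].{0,30}['\"\\s][0-9a-zA-Z]{32,45}['\"\\s]",
    "Generic API Key": "[aA][pP][iI][_]?[kK][eE][yY].{0,30}['\"\\s][0-9a-zA-Z]{32,45}['\"\\s]",
    "Slack Webhook": "https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}",
    "Google (GCP) Service-account": "\"type\": \"service_account\"",
    "Twilio API Key": "SK[a-z0-9]{32}",
    # scheme://user:password@host -- credentials embedded in a URL.
    "Password in URL": "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]",
    # Plain keyword rather than a secret format; presumably specific to the
    # author's environment -- adjust or remove for other code bases.
    "SlackInternal": "slack-corp",
}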
def mkdirr(path):
    """Create *path* together with any missing parent directories.

    An already existing directory is accepted silently.
    """
    target = pathlib.Path(path)
    target.mkdir(exist_ok=True, parents=True)
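def ripgrep_trufflehog(path, output_path):
    """Run every pattern in ``rules`` over *path* with ripgrep and save the hits.

    A sub-directory named after the current Unix timestamp is created under
    *output_path*. Each rule that produces output gets ``<description>.txt``
    there, holding rg's ``file:line:match`` lines.

    The result files contain the matched secrets verbatim, so the run
    directory is restricted to the current user (0700) and every results file
    is created with mode 0600.

    Args:
        path: Path handed to ``rg`` as the search root.
        output_path: Parent directory for the timestamped results directory.

    Raises:
        FileNotFoundError: if the ``rg`` executable cannot be found.
        OSError: if the results directory or a results file cannot be created.
    """
    output_path = os.path.join(output_path, str(int(time.time())))
    mkdirr(output_path)
    # Hits are credentials in plain text: keep other local users out of the
    # run directory (only this leaf is changed, not the caller's parent).
    os.chmod(output_path, 0o700)

    for description, rex in rules.items():
        output_fname = os.path.join(output_path, description + '.txt')
        logging.info(f'Checking {description}...')
        # argv list (no shell) with `--` before the pattern, so neither a
        # pattern nor a path beginning with `-` is parsed as an rg option.
        proc = subprocess.run(
            ['rg', '-H', '-n', '--', rex, path],
            check=False,
            stdout=subprocess.PIPE,
        )
        # rg exits 0 on a match and 1 on no match; any other status is an
        # error (bad pattern, unreadable path). Report it rather than letting
        # a failed rule look like "nothing found".
        if proc.returncode not in (0, 1):
            logging.error(
                f'rg exited with status {proc.returncode} while checking '
                f'{description}; results for this rule may be incomplete'
            )
        data = proc.stdout
        if data:
            logging.warning(f'Results found, writing to {output_fname}')
            # Write rg's bytes unchanged: matched lines from non-UTF-8 files
            # would make .decode() raise and abort the remaining rules.
            fd = os.open(
                output_fname,
                os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
                0o600,
            )
            with os.fdopen(fd, 'wb') as f:
                f.write(data)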
if __name__ == '__main__':
    # Results go under ~/rghog-output unless --output-path says otherwise.
    default_output = os.path.join(os.path.expanduser("~"), 'rghog-output')

    cli = argparse.ArgumentParser()
    cli.add_argument(
        '--output-path',
        default=default_output,
        help='Where to put results',
    )
    cli.add_argument(
        'path',
        help='The path of the directory containing files to search',
    )
    options = cli.parse_args()

    # INFO level so the per-rule progress lines are shown as well as hits.
    logging.basicConfig(
        format='[{asctime} ripgrep {levelname}] {message}',
        datefmt='%Y-%m-%d %H:%M:%S',
        style='{',
        level=logging.INFO,
    )
    ripgrep_trufflehog(options.path, options.output_path)