Run ripgrep using Trufflehog patterns
#!/usr/bin/env python3
# Deps:
# ripgrep: https://github.com/BurntSushi/ripgrep
# Credit:
# Trufflehog: https://github.com/dxa4481/truffleHog
import argparse | |
import logging | |
import os | |
import pathlib | |
import subprocess | |
import time | |
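# Detection patterns, keyed by a human-readable finding name.
#
# Each value is a regular expression handed to ripgrep verbatim.  Each key is
# also used as the stem of that rule's results file ("<key>.txt"), so keys must
# remain valid file names (no path separators).
#
# Keyword letters use two-character classes such as [fF].  Do not write them
# as [f|F]: inside a character class "|" is a literal pipe, not alternation,
# so such a class would also match "|" and produce spurious hits.
#
# These are heuristics: a match is a lead to triage, not proof of a live
# credential, and an empty result does not prove that no secrets are present.
rules = {
    "Slack Token": "(xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})",
    # PEM / armor headers: literal strings that begin with "-", which is why
    # the rg invocation must separate options from the pattern with "--".
    "RSA private key": "-----BEGIN RSA PRIVATE KEY-----",
    "SSH (OPENSSH) private key": "-----BEGIN OPENSSH PRIVATE KEY-----",
    "SSH (DSA) private key": "-----BEGIN DSA PRIVATE KEY-----",
    "SSH (EC) private key": "-----BEGIN EC PRIVATE KEY-----",
    "PGP private key block": "-----BEGIN PGP PRIVATE KEY BLOCK-----",
    # Keyword, up to 30 arbitrary characters, then a quoted or
    # whitespace-delimited token of the expected alphabet and length.
    "Facebook Oauth": "[fF][aA][cC][eE][bB][oO][oO][kK].{0,30}['\"\\s][0-9a-f]{32}['\"\\s]",
    "Twitter Oauth": "[tT][wW][iI][tT][tT][eE][rR].{0,30}['\"\\s][0-9a-zA-Z]{35,44}['\"\\s]",
    "GitHub": "[gG][iI][tT][hH][uU][bB].{0,30}['\"\\s][0-9a-zA-Z]{35,40}['\"\\s]",
    "Google Oauth": "(\"client_secret\":\"[a-zA-Z0-9-_]{24}\")",
    "AWS API Key": "AKIA[0-9A-Z]{16}",
    "Heroku API Key": "[hH][eE][rR][oO][kK][uU].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}",
    "Generic Secret": "[sS][eE][cC][rR][eE][tT].{0,30}['\"\\s][0-9a-zA-Z]{32,45}['\"\\s]",
    "Generic API Key": "[aA][pP][iI][_]?[kK][eE][yY].{0,30}['\"\\s][0-9a-zA-Z]{32,45}['\"\\s]",
    "Slack Webhook": "https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}",
    "Google (GCP) Service-account": "\"type\": \"service_account\"",
    "Twilio API Key": "SK[a-z0-9]{32}",
    "Password in URL": "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]",
    # Plain keyword rather than a credential format; presumably specific to
    # the author's environment -- adjust or drop for other targets.
    "SlackInternal": "slack-corp",
}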
def mkdirr(path):
    """Create directory *path*, including any missing parent directories.

    An already existing directory is accepted silently.
    """
    target = pathlib.Path(path)
    target.mkdir(parents=True, exist_ok=True)
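def ripgrep_trufflehog(path, output_path):
    """Run every pattern in ``rules`` over *path* with ripgrep and save the hits.

    A directory named after the current Unix timestamp is created under
    *output_path*.  Every rule whose search prints anything gets a file
    ``<rule name>.txt`` in it, holding rg's output for that rule.

    Args:
        path: Search root passed to ``rg``.
        output_path: Parent directory for this run's results directory.

    Raises:
        FileNotFoundError: If the ``rg`` executable cannot be found.

    Note:
        rg runs with its default file filtering, which skips hidden files,
        paths excluded by ignore files, and binary files.  A run with no
        findings therefore says nothing about those files; rg's ``--hidden``
        and ``--no-ignore`` options widen the coverage if that is needed.
    """
    output_path = os.path.join(output_path, str(int(time.time())))
    mkdirr(output_path)
    # The result files hold the matched secrets in clear text, so keep this
    # run's directory readable by the invoking user only.
    os.chmod(output_path, 0o700)

    for description, rex in rules.items():
        output_fname = os.path.join(output_path, description + '.txt')
        logging.info(f'Checking {description}...')
        # Argument list, no shell.  "--" ends option parsing so that patterns
        # beginning with "-" (the PEM headers) and the path are never read as
        # rg flags.
        proc = subprocess.run(
            ['rg', '-H', '-n', '--', rex, path],
            check=False,
            stdout=subprocess.PIPE,
        )
        # rg exits 0 on a match and 1 when nothing matched; anything else is
        # an error (bad pattern, unreadable path, ...).  Report it instead of
        # letting a failed search look like a clean one.
        if proc.returncode not in (0, 1):
            logging.error(
                f'rg exited with status {proc.returncode} while checking '
                f'{description}; results for this rule may be incomplete'
            )
        data = proc.stdout
        if data:
            logging.warning(f'Results found, writing to {output_fname}')
            # Matched lines come from arbitrary files and need not be valid
            # UTF-8; replace undecodable bytes rather than aborting the scan.
            with open(output_fname, 'w', encoding='utf-8') as f:
                f.write(data.decode('utf-8', errors='replace'))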
if __name__ == '__main__':
    # Command-line entry point: read the arguments, configure logging, scan.
    default_output = os.path.join(os.path.expanduser("~"), 'rghog-output')

    cli = argparse.ArgumentParser()
    cli.add_argument(
        '--output-path',
        default=default_output,
        help='Where to put results',
    )
    cli.add_argument(
        'path',
        help='The path of the directory containing files to search',
    )
    opts = cli.parse_args()

    logging.basicConfig(
        format='[{asctime} ripgrep {levelname}] {message}',
        datefmt='%Y-%m-%d %H:%M:%S',
        style='{',
        level=logging.INFO,
    )
    ripgrep_trufflehog(opts.path, opts.output_path)