vgarvardt/scan-k8s-secrets.sh

## scan-k8s-secrets.sh
#!/usr/bin/env bash

set -e

token=$1
if [[ -z "${token}" ]]; then
  echo "Pass an argument to a script to use as a search term"
  exit 1
fi

# secrets are using base64-encoded version
token_b64=$(echo -n "${token}" | base64 -i- -o-)

for ns in $(kubectl get namespaces --no-headers | awk '{print $1}'); do
  echo "Checking namespace: ${ns}"

  # secrets starting with "sh.helm.release" are chart metadata, skip them
  for secret in $(kubectl get secrets --no-headers --namespace="${ns}" | awk '{print $1}' | grep -v sh.helm.release); do
    echo "Checking Secret: ${secret} @ ${ns}"
    secret_yaml=$(kubectl get secret --namespace="${ns}" "${secret}" -o yaml)

    result=$(echo -n "${secret_yaml}" | grep "${token}" || true)
    if [[ -n "${result}" ]]; then
      echo "=> Found token in Secret: kubectl get secret --namespace=${ns} ${secret} -o yaml"
    fi

    result=$(echo -n "${secret_yaml}" | grep "${token_b64}" || true)
    if [[ -n "${result}" ]]; then
      echo "=> Found base64-encoded token in Secret: kubectl get secret --namespace=${ns} ${secret} -o yaml"
    fi
  done

  # config maps having ".v" are release information, e.g. "auth-service.v469"
  for cm in $(kubectl get configmaps --no-headers --namespace="${ns}" | awk '{print $1}' | grep -v ".v"); do
    echo "Checking ConfigMap: ${cm} @ ${ns}"
    cm_yaml=$(kubectl get configmap --namespace="${ns}" "${cm}" -o yaml)

    result=$(echo -n "${cm_yaml}" | grep "${token}" || true)
    if [[ -n "${result}" ]]; then
      echo "=> Found token in ConfigMap: kubectl get configmap --namespace=${ns} ${cm} -o yaml"
    fi

    result=$(echo -n "${cm_yaml}" | grep "${token_b64}" || true)
    if [[ -n "${result}" ]]; then
      echo "=> Found base64-encoded token in ConfigMap: kubectl get configmap --namespace=${ns} ${cm} -o yaml"
    fi
  done
done
	#!/usr/bin/env bash

	set -e

	token=$1
	if [[ -z "${token}" ]]; then
	echo "Pass an argument to a script to use as a search term"
	exit 1
	fi

	# secrets are using base64-encoded version
	token_b64=$(echo -n "${token}" \| base64 -i- -o-)

	for ns in $(kubectl get namespaces --no-headers \| awk '{print $1}'); do
	echo "Checking namespace: ${ns}"

	# secrets starting with "sh.helm.release" are chart metadata, skip them
	for secret in $(kubectl get secrets --no-headers --namespace="${ns}" \| awk '{print $1}' \| grep -v sh.helm.release); do
	echo "Checking Secret: ${secret} @ ${ns}"
	secret_yaml=$(kubectl get secret --namespace="${ns}" "${secret}" -o yaml)

	result=$(echo -n "${secret_yaml}" \| grep "${token}" \|\| true)
	if [[ -n "${result}" ]]; then
	echo "=> Found token in Secret: kubectl get secret --namespace=${ns} ${secret} -o yaml"
	fi

	result=$(echo -n "${secret_yaml}" \| grep "${token_b64}" \|\| true)
	if [[ -n "${result}" ]]; then
	echo "=> Found base64-encoded token in Secret: kubectl get secret --namespace=${ns} ${secret} -o yaml"
	fi
	done

	# config maps having ".v" are release information, e.g. "auth-service.v469"
	for cm in $(kubectl get configmaps --no-headers --namespace="${ns}" \| awk '{print $1}' \| grep -v ".v"); do
	echo "Checking ConfigMap: ${cm} @ ${ns}"
	cm_yaml=$(kubectl get configmap --namespace="${ns}" "${cm}" -o yaml)

	result=$(echo -n "${cm_yaml}" \| grep "${token}" \|\| true)
	if [[ -n "${result}" ]]; then
	echo "=> Found token in ConfigMap: kubectl get configmap --namespace=${ns} ${cm} -o yaml"
	fi

	result=$(echo -n "${cm_yaml}" \| grep "${token_b64}" \|\| true)
	if [[ -n "${result}" ]]; then
	echo "=> Found base64-encoded token in ConfigMap: kubectl get configmap --namespace=${ns} ${cm} -o yaml"
	fi
	done
	done