{"id":18833978,"url":"https://github.com/jetstack/paranoia","last_synced_at":"2025-04-09T07:05:40.644Z","repository":{"id":61679803,"uuid":"496249540","full_name":"jetstack/paranoia","owner":"jetstack","description":"Inspect certificate authorities in container images","archived":false,"fork":false,"pushed_at":"2025-03-25T13:39:04.000Z","size":333,"stargazers_count":232,"open_issues_count":7,"forks_count":9,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-04-02T06:09:05.444Z","etag":null,"topics":["certificate-authority","container-security","containers","security","tls"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jetstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-25T13:46:14.000Z","updated_at":"2025-03-30T16:50:14.000Z","dependencies_parsed_at":"2024-06-20T14:03:11.100Z","dependency_job_id":"d310cc07-31df-4ed7-b576-e6def99a0a11","html_url":"https://github.com/jetstack/paranoia","commit_stats":{"total_commits":98,"total_committers":8,"mean_commits":12.25,"dds":0.4591836734693877,"last_synced_commit":"4733550a31bf31c6b59af34c255a5916dcfe047f"},"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fparanoia","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fparanoia/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fparanoia/releases","manifests_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fparanoia/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jetstack","download_url":"https://codeload.github.com/jetstack/paranoia/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247994119,"owners_count":21030050,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate-authority","container-security","containers","security","tls"],"created_at":"2024-11-08T02:05:57.599Z","updated_at":"2025-04-09T07:05:40.610Z","avatar_url":"https://github.com/jetstack.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Paranoia\n\n_Who do you trust?_\n\nParanoia is a tool to analyse and export trust bundles (e.g., \"ca-certificates\") from container images.\nThese certificates identify the certificate authorities that your container trusts when establishing TLS connections.\nThe design of TLS is that any certificate authority that your container trusts can issue a certificate for any domain.\nThis means that a malicious or compromised certificate authority could issue a certificate to impersonate any other service, including your internal infrastructure.\n\nParanoia can be used to inspect and validate the certificates within your container images.\nThis gives you visibility into which certificate authorities your container images are trusting; allows you to forbid or require certificates at build-time in CI; and helps you decide _who to trust_ in your container images.\n\nParanoia is built by 
[Jetstack](https://jetstack.io) and made available under the Apache 2.0 license, see [LICENSE.txt](LICENSE.txt).\n\n## Installation\n\n### Homebrew\n\nOn macOS and Linux, if you have [Homebrew](https://brew.sh) you can install Paranoia with:\n\n```shell\nbrew install jetstack/jetstack/paranoia\n```\n\nThis will also install man pages and shell completion.\n\n### Binaries\n\nBinaries for common platforms and architectures are provided on the [releases](https://github.com/jetstack/paranoia/releases/latest).\nMan pages are also attached to the release.\nYou can generate shell completion from Paranoia itself with `paranoia completion`.\n\n### Go Install\n\nIf you have [Go](https://go.dev/) installed you can install Paranoia using Go directly.\n\n```shell\ngo install github.com/jetstack/paranoia@latest\n```\n\n## Examples\n\nParanoia can be used to list out the certificates in a container image:\n\n```shell\n$ paranoia export alpine:latest\nFile Location                       Subject                                                                                                                                                                        \n/etc/ssl/certs/ca-certificates.crt  CN=ACCVRAIZ1,OU=PKIACCV,O=ACCV,C=ES                                                                                                                                            \n/etc/ssl/certs/ca-certificates.crt  OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES                                                                                                                                            \n/etc/ssl/certs/ca-certificates.crt  CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS,OU=Ceres,O=FNMT-RCM,C=ES,2.5.4.97=#130f56415445532d51323832363030344a                                                                   \n…\n/etc/ssl/certs/ca-certificates.crt  CN=vTrus ECC Root CA,O=iTrusChina Co.\\,Ltd.,C=CN                                                                                                              
                 \n/etc/ssl/certs/ca-certificates.crt  CN=vTrus Root CA,O=iTrusChina Co.\\,Ltd.,C=CN                                                                                                                                   \nFound 140 certificates\n```\n\nExport them for further audit:\n\n```shell\nparanoia export --output json python:3 | jq '.certificates[].fingerprintSHA256' | head -n 5\n\n\"ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99\"\n\"6dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb177\"\n\"16af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb\"\n\"73c176434f1bc6d5adf45b0e76e727287c8de57616c1e6e6141a2b2cbc7d8e4c\"\n\"d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4\"\n```\n\nDetect internal certificates left over from internal testing:\n\n```shell\ncat \u003c\u003c EOF \u003e .paranoia.yaml\nversion: \"1\"\nforbid:\n  - comment: \"An internal-only cert\"\n    fingerprints:\n      sha256: bd40be0eccfce513ab318882f03962e4e2ec3799b51392e82805d9249e426d28\nEOF\nparanoia validate my-image\n```\n\nFind certificates inside binaries:\n\n```shell\nparanoia export -o json consul:latest | jq '.certificates[] | select(.fileLocation == \"/bin/consul\")'\n{\n  \"fileLocation\": \"/bin/consul\",\n  \"owner\": \"CN=Circonus Certificate Authority,OU=Circonus,O=Circonus\\\\, Inc.,L=Columbia,ST=Maryland,C=US,1.2.840.113549.1.9.1=#0c0f636140636972636f6e75732e6e6574\",\n  \"parser\": \"pem\",\n  \"signature\": \"01C1B65D790706D2CAAD1D30406911D41884789A9D4FEBBCE31EE7B7628019A8C7B6643C46C1FDB684B18272B33880DAB68EB51C5546D731B9948C8A3D918890EC2F1CC8A751FAD1786BF2599FEEA17A63EB1997B577E8A65B9F67B368EA11B6C425F5D86A10C7BCCE02FBEA9F5867913AF409749A08A27D3B5EC8D8E332E216\",\n  \"notBefore\": \"2009-12-23T19:17:06Z\",\n  \"notAfter\": \"2019-12-21T19:17:06Z\",\n  \"fingerprintSHA1\": \"063ff657e055b0036d794cda892c85417c07739a\",\n  \"fingerprintSHA256\": 
\"0c97e0898343c5b1973c6568a15c8c853dd663d363020071e34f789859ece19f\"\n}\n```\n\n## Limitations\n\nParanoia will detect certificate authorities in most cases, and is especially useful at finding accidental inclusion or for conducting a certificate authority inventory.\nHowever, there are some limitations to bear in mind while using Paranoia:\n\n- Paranoia only functions on container images, not running containers.\n  Anything added into the container at runtime is not seen.\n- If a certificate is found, that doesn’t guarantee that the container will trust it as a certificate authority.\n  It could, for example, be an unused leftover file.\n- It’s possible for an attacker to ‘hide’ a certificate authority from Paranoia (e.g., by encoding it in a format Paranoia doesn’t understand).\n  In general Paranoia isn’t designed to defend against an adversary with supply chain write access intentionally sneaking obfuscated certificate authorities into container images.\n\n## Usage\n\nThe usage documentation for Paranoia is included in the help text.\nInvoke a command with `--help` for usage instructions, or see the manual pages.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fparanoia","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjetstack%2Fparanoia","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fparanoia/lists"}