Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/bjompen/PSSecretScanner

Scan your repos for accidentily exposed secrets using powershell
https://github.com/bjompen/PSSecretScanner

Last synced: 14 days ago
JSON representation

Scan your repos for accidentily exposed secrets using powershell

Host: GitHub
URL: https://github.com/bjompen/PSSecretScanner
Owner: bjompen
License: mit
Created: 2022-02-08T20:18:12.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2022-10-26T21:16:15.000Z (over 1 year ago)
Last Synced: 2024-03-14T16:23:03.449Z (3 months ago)
Language: PowerShell
Size: 192 KB
Stars: 41
Watchers: 1
Forks: 4
Open Issues: 4
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE

Lists

awesome-stars - bjompen/PSSecretScanner - Scan your repos for accidentily exposed secrets using powershell (PowerShell)

README

![PSSecretScanner logo goes here](./images/PSSecretScanner.png)

# PSSecretScanner

Super simple passwordscanner built using PowerShell.

Scan your code, files, folders, and repos for accidentily exposed secrets using PowerShell.

## Features

- Give a list of files to scan and we will check for any pattern matches in those files.

- Outputs the result and metadata. (Use [Get-Member](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-member?view=powershell-7.2) to get all scan data)

![Example output](./images/output.png)

- Use an excludelist to prevent false positives, or if you _really_ want to include secrets in your code, by creating a exclude file and passing it to the `-Excludelist` parameter. Either be specific and include File, LineNumber, Pattern, _or_ use wildcards to exclude entire files or folders.

```Text
# Comments supported

# Relative paths supported (starting with .\)
.\Docs\Help\Find-Secret.md
.\Source\config.json

# Wildcards supported. All files within this and subfolders will be excluded.
.\bin\*

# Paths to files. All matches in these files will be excluded
.\Tests\RegexPatternTests\TestCases.json
C:\MyRepo\PSSecretScanner\README.md

# Patterns on specific lines supported in the format
# ;;
.\ExcludeList.csv;1;"C:\BicepLab\template.json;51;-----BEGIN RSA PRIVATE KEY-----"
C:\MyRepo\PSSecretScanner\Docs\Help\Find-Secret.md;51;"C:\MyFiles\template.json;51;-----BEGIN RSA PRIVATE KEY-----"
```

To have `Write-SecretStatus` automatically pick up and use your ignore list for all your repo, name your excludelist `.ignoresecrets` and put it in your repo root folder!

## Installation

- From the PSGallery, run `Install-Module PSSecretScanner`

- Clone this repo, and run `Invoke-Build` to build the module localy.

## Background

I couldn't find a proper secret scanner for PowerShell so I wrote my own.

From the beginning it was just a list of regex patterns stolen from the [OWASP SEDATED security scanner repo](https://github.com/OWASP/SEDATED) that I ran through `Select-String`, as I thought the OWASP tools was way to advanced for my needs, and way to hard to wrap in a powershell script.
From there it kind of grew, and hopefully it will grow even more.

## About Regex patterns

- The baseline is the list found at the OWASP repo, but converted to PowerShell Regex standard (PCRE I think it's called..)
- Added `_Azure_AccountKey` pattern found at [Detect-secrets from YELP](https://github.com/Yelp/detect-secrets)
- Added patterns from [h33tlit](https://github.com/h33tlit/secret-regex-list#readme) (thank you [Simon Wåhlin](https://github.com/SimonWahlin/) for telling me)

_The added underscore `_` to names in the pattern list is simply to make them easier to work with in PowerShell._

## Features to add

Yes, even keeping it simple there are stuff I might want to add some day, or if you want to, feel free to create a PR.

- Parallelization - make it faster on huge repos.
- More filetypes! I kind of just winged it for now.