https://github.com/pixincreate/keywatch
KeyWatch – the vigilant guardian that sniffs out hidden keys and secrets in your code with a wink and a nod.
https://github.com/pixincreate/keywatch
Last synced: about 1 year ago
JSON representation
KeyWatch – the vigilant guardian that sniffs out hidden keys and secrets in your code with a wink and a nod.
- Host: GitHub
- URL: https://github.com/pixincreate/keywatch
- Owner: pixincreate
- License: gpl-3.0
- Created: 2025-02-12T18:43:45.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-04-01T17:15:04.000Z (over 1 year ago)
- Last Synced: 2025-04-01T18:27:05.721Z (over 1 year ago)
- Language: Rust
- Size: 78.1 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
Awesome Lists containing this project
README
# KeyWatch
KeyWatch is a secret scanner written in Rust that analyzes files or directories for secrets such as API keys, passwords, tokens, and more. It leverages a flexible and configurable set of detectors (defined via a TOML configuration) to help you secure your codebase by catching accidental exposures early. Whether you’re integrating it into your CI/CD pipeline or using it as a pre-commit hook, KeyWatch is designed to be fast, efficient, and easily extendable.
## Table of Contents
- [Features](#features)
- [Project Structure](#project-structure)
- [Installation](#installation)
- [Prerequisites](#prerequisites)
- [Building from Source](#building-from-source)
- [Installing the Binary](#installing-the-binary)
- [Usage](#usage)
- [Scanning Files and Directories](#scanning-files-and-directories)
- [Windows Users](#windows-users)
- [Adding More Detectors](#adding-more-detectors)
- [Integration with pre-commit](#integrating-keywatch-with-pre-commit)
- [Running Tests](#running-tests)
- [License](#license)
## Features
- **Recursive Scanning:** Easily scan a single file or an entire directory recursively to detect potential security breaches.
- **Comprehensive Detection:** The built-in detectors cover AWS keys, Google API keys, Slack tokens, JWT tokens, SSH keys, passwords, email addresses, IP addresses, and many more.
- **Configurable Detectors:** The detection logic is defined in [`detectors.toml`], which is simple to extend or customize according to your needs.
- **Output Options:** Generate JSON-formatted reports that can be directed to the console (in verbose mode) or saved to a file.
- **Integration Ready:** Designed to integrate with CI/CD pipelines, pre-commit hooks, or any other automated workflow.
## Project Structure
The KeyWatch project is organized as follows:
```txt
KeyWatch/
├── .gitignore # Specifies intentionally untracked files to ignore.
├── Cargo.lock # Cargo's lock file ensuring reproducible builds.
├── Cargo.toml # Project manifest (dependencies, metadata, etc.)
├── LICENSE # MIT License file.
├── README.md # This documentation file.
├── detectors.toml # Configuration file defining secret detectors and regex patterns.
├── src
│ ├── cli.rs // Contains CLI definitions using clap.
│ ├── detector.rs // Implements secret detectors and regex patterns.
│ ├── lib.rs // Re-exports modules for integration testing.
│ ├── main.rs // Application entry point.
│ ├── report.rs // Generates JSON reports from scan results.
│ ├── scanner.rs // Implements file and directory scanning.
│ └── utils.rs // Contains utility functions (e.g., file I/O).
└── tests
└── integration_tests.rs // Integration tests for end-to-end functionality.
```
The relationships between key modules are illustrated below:
```mermaid
graph TD
A[main.rs] --> B[cli.rs]
A --> C[scanner.rs]
C --> D[detector.rs]
D --> E[detectors.toml]
C --> F[report.rs]
A --> G[utils.rs]
```
## Installation
### Prerequisites
- [Rust](https://www.rust-lang.org/tools/install) (version 1.70 or later) must be installed on your system.
- Linux and macOS users: Standard Unix tools (`grep`, `chmod`, etc.) should be available.
- Windows users: Consider installing Git Bash or enabling Windows Subsystem for Linux (WSL2) for an enhanced Unix-like experience, though native Windows commands work as well.
### Building from Source
1. Clone the repository:
```sh
git clone https://github.com/pixincreate/KeyWatch.git
cd KeyWatch
```
2. Build the project using Cargo:
```sh
cargo build
```
This command compiles the KeyWatch binary into the `target/debug` directory.
### Installing the Binary
You can install KeyWatch globally so it is available from any command prompt:
1. **Cargo Install (Recommended):**
Run the following command from the KeyWatch directory:
```sh
cargo install --path .
```
> [!NOTE]
> This command copies the binary to Cargo’s bin directory (typically `~/.cargo/bin` on Unix or `%USERPROFILE%\.cargo\bin` on Windows), which should be part of your `PATH` already.
> This will let you invoke the binary simply by typing `key-watch`.
2. **Manual Installation:**
You may manually copy the binary into a directory included in your PATH:
- **For Unix-based systems (Linux/macOS):**
```sh
cp target/debug/key-watch /usr/local/bin
```
Or create a symbolic link:
```sh
ln -s /path/to/target/release/key-watch /usr/local/bin/key-watch
```
- **For Windows (PowerShell):**
1. Navigate to the release directory:
```ps1
cd target\release
```
2. Copy the binary (e.g., `key-watch.exe`) to a directory that is part of your PATH (such as `C:\Program Files\KeyWatch`—ensure that directory is added to your PATH):
```ps1
Copy-Item -Path "key-watch.exe" -Destination "C:\Program Files\KeyWatch\key-watch.exe"
```
You can also add the `–Force` parameter if you want to overwrite the destination file without any prompts
3. Alternatively, you can add `%USERPROFILE%\.cargo\bin` to your system `PATH` if it’s not already included. This is where Cargo installs binaries by default.
## Usage
### Scanning Files and Directories
After installing or building the binary, you can start scanning files for secrets:
- **Scanning a Single File (Output to Console):**
```sh
cargo run -- --file ./path/to/your/file --verbose
```
This command scans the specified file and prints a detailed JSON report to the console.
- **Recursively Scanning a Directory (Output to File):**
```sh
cargo run -- --dir ./path/to/your/directory --output results.json
```
The scanner will recursively inspect all eligible files within the directory tree, and the JSON report will be written to `results.json`.
### Windows Users
KeyWatch works well on Windows with a few adjustments:
- **Using Command Prompt or PowerShell:**
The commands above work in either Command Prompt or PowerShell (preferred). Just ensure that Rust and Cargo are in your `PATH`, and that when installed via cargo, your binaries are located in `%USERPROFILE%\.cargo\bin`.
- **Windows Environment Tips:**
- If using PowerShell, remember to escape arguments properly if needed.
- For better Unix-like behavior, consider installing Git Bash which provides a more consistent experience with the documentation examples.
- If integrating KeyWatch with Windows-based CI systems (e.g., Azure Pipelines), you may need to adjust the shell commands accordingly.
- **Running on Windows:**
To run KeyWatch on a specific file from Command Prompt:
```cmd
key-watch --file "C:\path\to\your\file" --verbose
```
Or to scan a directory recursively:
```cmd
key-watch --dir "C:\path\to\your\directory" --output "C:\path\to\results.json"
```
## Adding More Detectors
KeyWatch uses a flexible detector system configured via the [`detectors.toml`] file. You can modify this file to add new secret detectors or adjust the regular expressions and configurations of existing ones. For example:
- Open `detectors.toml` in your preferred editor.
- Define a new section with a unique identifier for your custom detector.
- Provide the regex patterns, severity levels, and any additional metadata necessary.
This design means you can continuously tailor KeyWatch to meet the needs of your security policies.
## Integrating KeyWatch with pre-commit
Integrate KeyWatch into your development workflow by setting it up as a pre-commit hook. This ensures that any secrets accidentally committed to your repository get caught immediately.
1. **Install pre-commit:**
Ensure Python is installed on your system, then use pip:
```sh
pip install pre-commit
```
> [!NOTE]
> Make sure that you have the `pre-commit` binary in your PATH.
2. **Create the Hook Script:**
1. Make a hooks directory in your project root:
```sh
mkdir -p hooks
```
2. Create a file named `hooks/keywatch.sh` with the following content:
```sh
#!/bin/sh
EXIT_CODE=0
for FILE in "$@"; do
# Only scan text files
if file "$FILE" | grep -q text; then
echo "Scanning $FILE for secrets..."
REPORT=$(key-watch --file "$FILE" --verbose)
if echo "$REPORT" | grep -q '"status": "FAIL"'; then
echo "Secret found in $FILE:"
echo "$REPORT"
EXIT_CODE=1
fi
fi
done
exit $EXIT_CODE
```
3. Make the script executable:
```sh
chmod +x hooks/keywatch.sh
```
3. **Configure pre-commit:**
Create a `.pre-commit-config.yaml` file in your project root with these contents:
```yaml
repos:
- repo: local
hooks:
- id: keywatch
name: KeyWatch Secret Scanner
entry: ./hooks/keywatch.sh
language: script
files: .*\.(rs|txt|py|js)$ # Adjust the pattern as necessary
```
4. **Install the pre-commit Hooks:**
Run the following command to install the hook into your local Git configuration:
```sh
pre-commit install
```
5. **Test the Integration:**
To see the hook in action, stage files with potential secrets and try committing:
```sh
git add
git commit -m "Test commit: should run secret scanner"
```
If KeyWatch detects a secret, the commit will be blocked with a detailed error message. Correct the issue (or update your detector configuration) and try committing again.
## Running Tests
KeyWatch comes with integration tests located in the `/tests` directory. To run all tests, execute:
```sh
cargo test
```
This command will run the complete suite of tests ensuring that the scanning and reporting components behave as expected.
## License
KeyWatch is distributed under the terms of the [MIT License](LICENSE), which means you’re free to use and modify the software as long as the license terms are met.