Ecosyste.ms: Awesome
https://github.com/yorcreative/laravel-scrubber

A Laravel package to scrub sensitive information that breaks operational security policies from being leaked on accident or not by developers.

cyber-security cybersecurity data-sanitization data-scrubber laravel laravel-package log log-sanitization log-scrubber logscrubber php scrubber security security-scan security-tools sensitive-data-security

# Laravel Scrubber


A Laravel package to scrub sensitive information that breaks operational security policies from being leaked on accident ~~_or not_~~ by developers.

## Installation

Install the package via Composer:

```bash
composer require yorcreative/laravel-scrubber
```

Publish the package's assets (this copies the config file into your application):

```bash
php artisan vendor:publish --provider="YorCreative\Scrubber\ScrubberServiceProvider"
```

## Configuration

Adjust the configuration file to suit your application; it is located at `/config/scrubber.php`.

```php
return [
    'redaction' => '**redacted**', // What detected information is overwritten with.
    'secret_manager' => [
        // Key for the cipher below (AES-256-CBC needs a 32-byte key). This published
        // default is public, so replace it with your own before enabling the secret manager.
        'key' => '44mfXzhGl4IiILZ844mfXzhGl4IiILZ8',
        'cipher' => 'AES-256-CBC',
        'enabled' => false, // Do you want the secret manager enabled?
        'providers' => [
            'gitlab' => [
                'enabled' => false,
                'project_id' => env('GITLAB_PROJECT_ID', ''),
                'token' => env('GITLAB_TOKEN', ''),
                'host' => 'https://gitlab.com',
                'keys' => ['*'], // '*' grabs all the secrets; to pull specific variables,
                                 // list their keys in this array instead.
            ],
        ],
    ],
    'regex_loader' => ['*'], // Opt in to specific regex classes OR include all with the '*' wildcard.
    'tap_channels' => ['*'], // Opt in to tap specific log channels OR include all with the '*' wildcard.
];
```
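The `key` shipped in the published config is the same for every installation of the package, so it protects nothing once the secret manager is enabled. The excerpt below is an added example, not the package's own config: it shows the weak setting beside a corrected one that reads the key from the environment. The `SCRUBBER_KEY` and `SCRUBBER_SECRET_MANAGER` variable names are assumptions; any name works as long as `.env` is not committed.

```php
<?php
// config/scrubber.php (excerpt, added example)

return [
    'secret_manager' => [
        // Weak: a key copied from the package's published config is public knowledge,
        // so anyone with the package source can decrypt the secrets it protects.
        // 'key' => '44mfXzhGl4IiILZ844mfXzhGl4IiILZ8',

        // Corrected: a per-deployment key from the environment. AES-256-CBC requires
        // exactly 32 bytes; `openssl rand -hex 16` yields 32 ASCII characters, which
        // satisfies that. Store it as SCRUBBER_KEY in .env (assumed name, never committed).
        'key' => env('SCRUBBER_KEY'),
        'cipher' => 'AES-256-CBC',

        // Enable only where the key is actually set, so a missing variable in a
        // fresh environment fails closed instead of encrypting with an empty key.
        'enabled' => env('SCRUBBER_SECRET_MANAGER', false) && env('SCRUBBER_KEY') !== null,
    ],
];
```

Rotate the key like any other application secret: it only guards the provider secrets held by the scrubber, so rotation does not affect log output.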

## Usage

The scrubber can be used in two ways. The first is as a log scrubber: a tap is added to your log channels so that sensitive
information is detected and sanitized before it reaches a log file. The second is to call the Scrubber directly from your
application code. The direct approach is particularly useful if, for example, you want to detect and sanitize messages
before they are sent to a messaging platform.

### Logging Detection & Sanitization

```php
// The README's sample JWT value is not preserved on this page; a real token
// would sit in the empty strings below.
Log::info('some message', [
    'context' => 'accidental',
    'leak_of' => [
        'jwt' => '',
    ],
]);

// testing.INFO: some message {"context":"accidental","leak_of":{"jwt":"**redacted**"}}

Log::info('');

// testing.INFO: **redacted**
```

### Direct Usage for Detection & Sanitization

```php
// As above, the sample JWT value is not preserved on this page.
Scrubber::processMessage([
    'context' => 'accidental',
    'leak_of' => [
        'jwt' => '',
    ],
]);
// [
//     "context" => "accidental",
//     "leak_of" => [
//         "jwt" => "**redacted**",
//     ],
// ];

Scrubber::processMessage('');
// **redacted**
```
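Because the same detection runs on tapped channels and on direct calls, the direct API is the convenient place to pin down what your configuration actually catches. The PHPUnit test below is an added example, not part of the package: it feeds `Scrubber::processMessage` a nested context and a free-text line containing constructed secrets (the well-known jwt.io demo token and the Visa test number `4111111111111111`, neither a real credential) and asserts that they are gone while ordinary fields survive. The facade import `YorCreative\Scrubber\Scrubber` is an assumption; check it against the class the package's service provider registers.

```php
<?php

namespace Tests\Feature;

use Tests\TestCase;
use YorCreative\Scrubber\Scrubber; // assumed facade class path; verify against the package source

class ScrubberRedactionTest extends TestCase
{
    // Constructed sample secrets (not real credentials).
    private const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
        .'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.'
        .'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
    private const SAMPLE_VISA = '4111111111111111';

    public function test_secrets_in_nested_context_are_scrubbed(): void
    {
        $input = [
            'event' => 'login',
            'user' => ['id' => 'u-42', 'token' => self::SAMPLE_JWT],
            'payment' => ['card' => self::SAMPLE_VISA],
        ];

        $out = Scrubber::processMessage($input);
        $redaction = config('scrubber.redaction');

        // Non-sensitive fields pass through untouched, at any depth.
        $this->assertSame('login', $out['event']);
        $this->assertSame('u-42', $out['user']['id']);

        // Values that are entirely a secret become the configured redaction string.
        $this->assertSame($redaction, $out['user']['token']);
        $this->assertSame($redaction, $out['payment']['card']);

        // Belt and braces: the raw secrets must not survive anywhere in the structure.
        $encoded = json_encode($out, JSON_THROW_ON_ERROR);
        $this->assertStringNotContainsString(self::SAMPLE_JWT, $encoded);
        $this->assertStringNotContainsString(self::SAMPLE_VISA, $encoded);
    }

    public function test_secret_embedded_in_free_text_is_scrubbed(): void
    {
        // A header dumped into a message, the way it typically leaks from an HTTP client log.
        $line = 'Authorization: Bearer '.self::SAMPLE_JWT.' returned 401';

        $out = Scrubber::processMessage($line);

        // Whether the package replaces the match or the whole string, the token is gone
        // and the redaction marker is present.
        $this->assertStringNotContainsString(self::SAMPLE_JWT, $out);
        $this->assertStringContainsString(config('scrubber.redaction'), $out);
    }
}
```

Keep a test like this in the application's own suite: it fails loudly if `regex_loader` is later narrowed to an opt-in list that drops the JWT or card patterns.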

## Log Channel Opt-in

This package lets you define, through the configuration file, which log channels should be scrubbed. By default, it
ships with a wildcard value and opts in to scrub all the log channels in your application.

### Defining Log Channel Opt-in

To opt in to one or more channels, list the channel name(s) in the `tap_channels` array in the config:

```php
'tap_channels' => [
'single',
'papertrail'
]
```

To disable the tap entirely, so that the package does not touch your Laravel application logging and is used only through direct calls, set the `tap_channels` field as follows:
```php
'tap_channels' => false
```

## Regex Class Opt-in

Through the configuration file you can define which regex classes are loaded into the application when it is
bootstrapped. By default, this package ships with a wildcard value, which loads all of them.

### Regex Collection & Defining Opt-in

To opt in, utilize the static properties on
the [RegexCollection](https://github.com/YorCreative/Laravel-Scrubber/blob/main/src/Repositories/RegexCollection.php)
class.

```php
'regex_loader' => [
RegexCollection::$GOOGLE_API,
RegexCollection::$AUTHORIZATION_BEARER,
RegexCollection::$CREDIT_CARD_AMERICAN_EXPRESS,
RegexCollection::$CREDIT_CARD_DISCOVER,
RegexCollection::$CREDIT_CARD_VISA,
RegexCollection::$JSON_WEB_TOKEN
],
```

### Opting Into Custom Extended Classes

> To create custom scrubbers, see the [Extending the Scrubber](#extending-the-scrubber) section.

The `regex_loader` array takes strings, not objects. To opt in to specific custom extended regex classes, add the
class name as a string.

For example, to load a custom class named `TestRegex` alongside a selection of the built-in patterns:

```php
[
RegexCollection::$GOOGLE_API,
RegexCollection::$AUTHORIZATION_BEARER,
RegexCollection::$CREDIT_CARD_AMERICAN_EXPRESS,
RegexCollection::$CREDIT_CARD_DISCOVER,
RegexCollection::$CREDIT_CARD_VISA,
RegexCollection::$JSON_WEB_TOKEN,
'TestRegex'
],
```

## About the Scrubber

This package can pull in secrets from external sources and match log content against their actual values. That lets it
detect and sanitize leaked secrets without needing an exact regex pattern for each one.

### Encryption

For enhanced application security, all secrets pulled from any provider are stored encrypted and decrypted only to run
the detection. You can see this in
action [here](https://github.com/YorCreative/Laravel-Scrubber/blob/main/src/Services/ScrubberService.php#L45).

### Gitlab Integration

To use the Gitlab integration, enable the `secret_manager` and the `gitlab` provider in the configuration file, and
supply `GITLAB_PROJECT_ID` and `GITLAB_TOKEN` through the environment. For information on how to add secrets in
Gitlab, see the article on [adding project variables](https://docs.gitlab.com/ee/ci/variables/#add-a-cicd-variable-to-a-project).

## Extending the Scrubber

To create a new scrubber detection class:

```bash
php artisan make:regex-class {name}
```

This command creates a stubbed-out class under `App\Scrubber\RegexCollection`. With the wildcard value in the
`regex_loader` array of the scrubber config file, the package autoloads every class in that folder. You will need to
provide a `Regex Pattern` and a `Testable String` for the class, and you may also provide a `Replacement Value` if you
want the detected value replaced with something other than the default from the config file.

## Testing

```bash
composer test
```

## Credits

- [Yorda](https://github.com/yordadev)
- [Whizboy-Arnold](https://github.com/Whizboy-Arnold)
- [majchrosoft](https://github.com/majchrosoft)
- [Lucaxue](https://github.com/lucaxue)
- [AlexGodbehere](https://github.com/AlexGodbehere)
- [All Contributors](../../contributors)