Tools of the Trade - SecretScanner (find secrets in container images and file systems)



        Deepfence SecretScanner scans container images on a host, or a local directory, and writes a JSON file with the details of every secret it finds.



Command usage

$ ./SecretScanner --help
Usage of ./SecretScanner:
  -config-path string
        Searches for config.yaml from given directory. If not set, tries to find it from SecretScanner binary's and current directory
  -debug-level string
        Debug levels are one of FATAL, ERROR, IMPORTANT, WARN, INFO, DEBUG. Only levels higher than the debug-level are displayed (default "ERROR")
  -image-name string
        Name of the image along with tag to scan for secrets
  -json-filename string
        Output json file name. If not set, it will automatically create a filename based on image or dir name
  -local string
        Specify local directory (absolute path) which to scan. Scans only given directory recursively.
  -max-multi-match uint
        Maximum number of matches of same pattern in one file. This is used only when multi-match option is enabled. (default 3)
  -max-secrets uint
        Maximum number of secrets to find in one container image or file system. (default 1000)
  -maximum-file-size uint
        Maximum file size to process in KB (default 256)
  -multi-match
        Output multiple matches of same pattern in one file. By default, only one match of a pattern is output for a file for better performance
  -output-path string
        Output directory where json file will be stored. If not set, it will output to current directory
  -temp-directory string
        Directory to process and store repositories/matches (default "/tmp")
  -threads int
        Number of concurrent threads (default number of logical CPUs)


Quick start with Docker

Install Docker and run SecretScanner against a container image as follows:

  • Build SecretScanner (the build context, ".", is required; without it docker build exits with an argument error):

docker build --rm=true --tag=deepfenceio/secretscanning:latest -f Dockerfile .

  • Or pull the latest release from Docker Hub:

docker pull deepfenceio/secretscanning

  • Pull a container image to scan:

docker pull node:8.11

  • Run SecretScanner:

    • Scan a container image:

      docker run -it --rm --name=deepfence-secretscanner -v $(pwd):/home/deepfence/output -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker deepfenceio/secretscanning -image-name node:8.11
    • Scan a local directory:

      docker run -it --rm --name=deepfence-secretscanner -v $(pwd):/home/deepfence/output -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker deepfenceio/secretscanning -local /home/deepfence/src/SecretScanner/test

The path given to -local is resolved inside the scanner container, not on the host. To scan a directory on the host, bind-mount it into the container (for example -v /srv/app:/home/deepfence/target:ro) and pass the in-container path to -local. Note also that mounting /var/run/docker.sock gives the scanner container root-equivalent control over the host's Docker daemon, so run it only on hosts where you trust the scanner image.

By default, SecretScanner writes a JSON file with the details of all secrets found to the current working directory. The output directory and the JSON file name can be set explicitly with the -output-path and -json-filename options.
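The Docker quick start above, wrapped in a small POSIX shell script as an added example (this is not code from the SecretScanner project or from the original article). The helper names, the SCANNER_IMAGE variable, the DRY_RUN switch and the in-container mount point /home/deepfence/target are assumptions of this example; the image name, flags and mounts are the ones shown on the page. The wrapper rejects relative paths (which -local and bind mounts cannot use), mounts a host directory into the container before pointing -local at it, and checks that a report file was actually written.

```shell
#!/bin/sh
# Added example wrapper around the "docker run" commands above; not part of
# the SecretScanner project. Assumptions (not from the page): helper names,
# SCANNER_IMAGE, DRY_RUN and the /home/deepfence/target mount point.

SCANNER_IMAGE="${SCANNER_IMAGE:-deepfenceio/secretscanning}"

# Reject anything that is not an absolute path: -local requires one, and the
# host side of a docker -v bind mount must be absolute as well.
require_abs() {
    case "$1" in
        /*) return 0 ;;
        *)  echo "error: '$1' is not an absolute path" >&2; return 1 ;;
    esac
}

# Common prefix: mount the report directory where the scanner writes its JSON,
# plus the docker socket and client so the scanner can pull and export images.
# -it is dropped so the command also works from cron or CI without a TTY.
base_cmd() {
    printf 'docker run --rm --name=deepfence-secretscanner -v %s:/home/deepfence/output -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker' "$1"
}

# scan_image_cmd IMAGE:TAG OUTDIR REPORT.json -> prints the docker command
scan_image_cmd() {
    require_abs "$2" || return 1
    printf '%s %s -image-name %s -json-filename %s\n' \
        "$(base_cmd "$2")" "$SCANNER_IMAGE" "$1" "$3"
}

# scan_dir_cmd HOSTDIR OUTDIR REPORT.json -> prints the docker command
# The host directory is bind-mounted read-only into the container and -local
# gets the in-container path: the scanner only sees the container filesystem,
# so handing a host path straight to -local would scan the wrong tree.
scan_dir_cmd() {
    require_abs "$1" || return 1
    require_abs "$2" || return 1
    printf '%s -v %s:/home/deepfence/target:ro %s -local /home/deepfence/target -json-filename %s\n' \
        "$(base_cmd "$2")" "$1" "$SCANNER_IMAGE" "$3"
}

# run_scan CMD OUTDIR REPORT.json: print and execute the generated command
# (skipped when DRY_RUN=1), then confirm a non-empty report exists. The JSON
# schema is not shown on the page, so only the file's presence is checked.
run_scan() {
    cmd="$1"; outdir="$2"; report="$3"
    echo "+ $cmd"
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    eval "$cmd" || return 1
    [ -s "$outdir/$report" ] || { echo "error: no report at $outdir/$report" >&2; return 1; }
}

# Example usage (image from the page; the scanned host path is a placeholder):
#   run_scan "$(scan_image_cmd node:8.11 "$PWD" node.json)" "$PWD" node.json
#   run_scan "$(scan_dir_cmd /srv/app "$PWD" app.json)" "$PWD" app.json
```

Set DRY_RUN=1 to print the assembled commands without a Docker daemon present; the report check is the one hook a CI job needs to fail the pipeline when the scanner did not run to completion.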


Build instructions

  1. Install Docker

  2. Install Hyperscan

  3. Install Go (version 1.14) for your platform

  4. Install the Go modules if needed: gohs, yaml.v3, color

  5. go get github.com/deepfence/SecretScanner downloads and builds SecretScanner automatically into $GOPATH/bin or $HOME/go/bin. Alternatively, clone this repository and run go build -v -i to build the executable in the current directory.

  6. Edit config.yaml as needed and run SecretScanner with the appropriate configuration file directory (the -config-path option).

For reference, the install file contains the commands used to build on an Ubuntu system.


Project URL: https://github.com/deepfence/SecretScanner


This article was first published on the WeChat public account Khan安全攻防实验室: Tools of the Trade - SecretScanner (find secrets in container images and file systems)
