Giters

venominfosec / SecretsChecker

Automatically check for secrets in files using only default Python libraries

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

SecretsChecker

Automatically check for secrets in files

Quick Run

git clone https://github.com/venominfosec/SecretsChecker.git
python SecretsChecker.py --file secret_file.txt
python SecretsChecker.py --path /etc

Input

There are three input options:

  1. A single file (--file)
  2. All files in a given path (--path)
  3. Input from standard in (--stdin)

Single File

# python SecretsChecker.py --file C:\secrets\secrets.txt
        [1/1] Checking C:\secrets\secrets.txt
Results written to secrets_checker.csv
Checked 1 files in 0.01 seconds

Multiple Files

Argument Purpose
--path Check all files in the provided path
--depth Depth when enumerating files within the provided path
--ignore Do not check files whose name or path contains the provided string
--text Process a binary file as if it were text 
# python SecretsChecker.py --path C:\secrets --ignore "node_modules" --depth 1 --output custom_name.csv
Enumerating files in path "C:\secrets"
Filtered out 10 files containing the string "node_modules"
        [1/5] Checking C:\secrets\access_keys.txt
        [2/5] Checking C:\secrets\password.txt
        [3/5] Checking C:\secrets\secrets.txt
        [4/5] Checking C:\secrets\tokens.txt
        [5/5] Checking C:\secrets\config\web.config
Results written to custom_name.csv
Checked 5 files in 0.01 seconds

Standard Input

# cat secrets.txt | python SecretsChecker.py --stdin
Results written to secrets_checker.csv

Output

There are two output options:

  1. Write to CSV file, secrets_checker.csv by default or a custom name with --output argument
  2. Standard out (--stdout)

CSV File

An example output is below:

File Type FoundList
C:\secrets\access_keys.txt AWS API Key - Check 1 aws_access_key_id = AKIAIOSFODNN7EXAMPLE
C:\secrets\access_keys.txt AWS API Key - Check 2 aws_access_key_id = AKIAIOSFODNN7EXAMPLE
C:\secrets\access_keys.txt Generic Access Key - Check 1 aws_access_key_id = AKIAIOSFODNN7EXAMPLE
C:\secrets\access_keys.txt AWS API Key - Check 3 aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
C:\secrets\access_keys.txt Potential Secret aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
C:\secrets\access_keys.txt Generic Access Key - Check 1 aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
C:\secrets\password.txt Potential Password - Check 1 MyPassword123!
C:\secrets\password.txt Potential Secret {"passwd": "SuperSecret")
C:\secrets\password.txt Potential Password - Check 2 {"passwd": "SuperSecret")
C:\secrets\secrets.txt Potential SSN 333-22-4444
C:\secrets\secrets.txt RSA private key -----BEGIN RSA PRIVATE KEY-----
C:\secrets\secrets.txt Potential Private Key -----BEGIN RSA PRIVATE KEY-----

Standard Out

An example output is below:

# cat secrets.txt | python SecretsChecker.py --stdin --stdout
[
    {
        "File": "StandardInput",
        "Type": "Potential SSN",
        "FoundList": "333-22-4444"
    },
    {
        "File": "StandardInput",
        "Type": "RSA private key",
        "FoundList": "-----BEGIN RSA PRIVATE KEY-----"
    },
    {
        "File": "StandardInput",
        "Type": "Potential Private Key",
        "FoundList": "-----BEGIN RSA PRIVATE KEY-----"
    }
]

Supported Secret Types

  • AWS API Key
  • AWS AppSync GraphQL Key
  • Amazon MWS Auth Token
  • Facebook Access Token
  • Facebook OAuth
  • Generic API Key
  • Generic Access Key
  • Generic Secret
  • GitHub
  • Google (GCP) Service-account
  • Google API Key
  • Google Cloud Platform API Key
  • Google Cloud Platform OAuth
  • Google Drive API Key
  • Google Drive OAuth
  • Google Gmail API Key
  • Google Gmail OAuth
  • Google OAuth Access Token
  • Google YouTube API Key
  • Google YouTube OAuth
  • Heroku API Key
  • MailChimp API Key
  • Mailgun API Key
  • PGP private key block
  • Password in URL
  • PayPal Braintree Access Token
  • Picatic API Key
  • Potential Authorization Token
  • Potential Password
  • Potential Private Key
  • Potential SSN
  • Potential Secret
  • RSA private key
  • SSH (DSA) private key
  • SSH (EC) private key
  • Slack Token
  • Slack Webhook
  • Square Access Token
  • Square OAuth Secret
  • Stripe API Key
  • Stripe Restricted API Key
  • Telegram Bot API Key
  • Twilio API Key
  • Twitter Access Token
  • Twitter OAuth

How does it work?

  • Arguments are provided
  • If --path argument is specified, a list of applicable files is enumerated
  • The enumerated files are opened and checked for secrets using Python's re.search() function
  • Results are written to disk

Help

# python SecretsChecker.py --help
usage: SecretsChecker.py [-h] (--path PATH | --file FILE | --stdin)
                         [--depth DEPTH] [--ignore IGNORE] [--output OUTPUT]
                         [--stdout]

Automatically check for secrets in files

optional arguments:
  -h, --help       show this help message and exit
  --path PATH      Path where files should be checked
  --file FILE      Check only the file provided
  --stdin          Check the input from standard in for secrets

File enumeration options:
  --depth DEPTH    Depth when enumerating files, default=0
  --ignore IGNORE  Do not check files whose name or path contains the provided
                   string

Output options:
  --output OUTPUT  File to write results to, default="secrets_checker.csv"
  --stdout         Print results to standard out

About

Automatically check for secrets in files using only default Python libraries

Languages

Language:Python 100.0%