#!/bin/bash
# scan.sh — walks a directory tree and flags text files containing strings that
# look like Access Keys (20 uppercase alphanumerics) or Secret Keys (40 uppercase
# alphanumerics); see print_help for usage. Exits 1 when a candidate is found.
# -e aborts on an unhandled failure, -u makes unset variables an error.
# NOTE(review): pipefail is not enabled, so the `find | while` pipeline in scan()
# does not propagate a failing find.
set -eu
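#######################################
# Probe that a command can be executed, aborting the script otherwise.
# Arguments: $@ - the command and its arguments (e.g. `file --help`)
# Outputs:   error message on stderr when the probe fails
# Returns:   0 when the command ran; exits the script with 1 otherwise
#######################################
test_command() {
  # The probe runs inside `if !`, which already suspends errexit for it,
  # so no set +e / set -e toggling is needed; "$@" keeps each word intact.
  if ! "$@" &>/dev/null; then
    printf 'error: command %s not found\n' "$*" >&2
    exit 1
  fi
}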
#######################################
# Verify that every external tool the scanner relies on is available.
# Each tool is probed with `--help`; test_command exits the script on the
# first one that cannot be run.
#######################################
dependencies_check() {
  local tool
  for tool in file find rm sed; do
    test_command "$tool" --help
  done
}
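#######################################
# Scan every regular file under a path for key-like strings.
# Arguments: $1 - directory (or file) to walk with find
# Outputs:   one "checking <file>... <verdict>" line per file on stdout
# Returns:   0 when nothing suspicious was found, 1 otherwise
#######################################
scan() {
  local path=$1
  local file file_mime
  local found=0
  # NUL-delimited find + process substitution: filenames with any character
  # (including newlines) are safe, and the loop runs in the current shell, so
  # `found` survives it and no temp file is needed to carry the result out of
  # a pipeline subshell. A failing find still does not abort the scan.
  while IFS= read -r -d '' file; do
    printf 'checking %s... ' "$file"
    # A file we cannot read cannot be proven clean: report it as ko rather
    # than letting `file`/`sed` fail and silently end the scan.
    if [[ ! -r "$file" ]]; then
      echo "ko (unreadable)"
      found=1
      continue
    fi
    file_mime=$(file -b --mime-encoding -- "$file")
    if [[ "$file_mime" == "binary" ]]; then
      echo "skipped (binary)"
      continue
    fi
    if ! search_sk "$file"; then
      echo "ko (potential Secret Key found)"
      found=1
      continue
    fi
    if ! search_ak "$file"; then
      echo "ko (potential Access Key found)"
      found=1
      continue
    fi
    echo "ok"
  done < <(find "$path" -type f -print0)
  return "$found"
}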
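#######################################
# Look for Access-Key-like strings in a text file.
# A candidate is a run of exactly 20 [A-Z0-9] characters delimited by
# non-alphanumerics (or line edges) that contains at least 3 digits and
# 3 letters and is not on the is_ignored_ak list.
# Arguments: $1 - path of the file to inspect
# Returns:   1 when a candidate is found, 0 otherwise
#######################################
search_ak() {
  local file=$1
  local matched ak only_digits only_alphas
  # sed yields at most one candidate per line (the last delimited run on the
  # line because of the greedy `.*`); `--` protects against paths starting with '-'.
  matched=$(sed -nE 's/(^|.*[^a-zA-Z0-9]+)([A-Z0-9]{20})([^a-zA-Z0-9]+.*|$)/\2/p' -- "$file")
  [[ -n "$matched" ]] || return 0
  while IFS= read -r ak; do
    [[ -n "$ak" ]] || continue
    # Count digits and letters with parameter expansion instead of the former
    # `tr -d "\[^0-9\]"` pipeline, whose escape handling is tr-implementation
    # dependent (it happened to count the complement, which only worked because
    # the threshold check is symmetric).
    only_digits=${ak//[^[:digit:]]/}
    only_alphas=${ak//[^[:upper:]]/}
    if (( ${#only_digits} < 3 || ${#only_alphas} < 3 )); then
      continue
    fi
    # is_ignored_ak returns 1 for an ignored value, 0 for a real candidate.
    if ! is_ignored_ak "$ak"; then
      continue
    fi
    return 1
  done <<<"$matched"
  return 0
}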
#######################################
# Tell whether an Access-Key candidate is a well-known placeholder value.
# Arguments: $1 - the 20-character candidate
# Returns:   1 when the value is on the ignore list, 0 when it is a real
#            candidate (note the inverted sense; callers use `! is_ignored_ak`)
#######################################
is_ignored_ak() {
  local ak=$1
  case "$ak" in
    0123456789ABCDEFGHIJ|ABCDEFGHIJ0123456789)
      return 1
      ;;
  esac
  return 0
}
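#######################################
# Look for Secret-Key-like strings in a text file.
# A candidate is a run of exactly 40 [A-Z0-9] characters delimited by
# non-alphanumerics (or line edges) that contains at least 5 digits and
# 5 letters.
# Arguments: $1 - path of the file to inspect
# Returns:   1 when a candidate is found, 0 otherwise
#######################################
search_sk() {
  local file=$1
  local matched sk only_digits only_alphas
  # sed yields at most one candidate per line (the last delimited run on the
  # line because of the greedy `.*`); `--` protects against paths starting with '-'.
  matched=$(sed -nE 's/(^|.*[^a-zA-Z0-9]+)([A-Z0-9]{40})([^a-zA-Z0-9]+.*|$)/\2/p' -- "$file")
  [[ -n "$matched" ]] || return 0
  while IFS= read -r sk; do
    [[ -n "$sk" ]] || continue
    # Count digits and letters with parameter expansion instead of the former
    # `tr -d "\[^0-9\]"` pipeline, whose escape handling is tr-implementation
    # dependent (it happened to count the complement, which only worked because
    # the threshold check is symmetric).
    only_digits=${sk//[^[:digit:]]/}
    only_alphas=${sk//[^[:upper:]]/}
    if (( ${#only_digits} < 5 || ${#only_alphas} < 5 )); then
      continue
    fi
    return 1
  done <<<"$matched"
  return 0
}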
#######################################
# Print usage and the list of credential formats the scanner recognises.
# Globals:   $0 (read) - script name shown in the usage line
# Outputs:   help text on stdout
#######################################
print_help() {
  printf '%s\n' \
    "scan credentials in a specific folder" \
    "$0 FOLDER_PATH" \
    "" \
    "Supported credentials:" \
    "- Access Keys (20 capital alphanumeric string)" \
    "- Secret Keys (40 capital alphanumeric string)"
}
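#######################################
# Entry point: validate arguments, check tool availability, run the scan.
# Arguments: $1 - path to scan
# Outputs:   per-file verdicts from scan() and a final summary on stdout,
#            diagnostics on stderr
# Returns:   exits 1 on usage error, missing path or when a leak is found,
#            0 otherwise
#######################################
main() {
  local path
  if [[ "$#" -ne 1 ]]; then
    print_help
    exit 1
  fi
  dependencies_check
  path=$1
  # Without this check a non-existent path made find fail inside a pipeline
  # whose status was ignored, so the script reported "All good" on nothing.
  if [[ ! -e "$path" ]]; then
    printf 'error: path %s does not exist\n' "$path" >&2
    exit 1
  fi
  if ! scan "$path"; then
    echo "!!! Potential leak found !!!"
    exit 1
  fi
  echo "All good, bye"
}
main "$@"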