PSSecretScanner

Super simple password scanner built using PowerShell.

Scan your code, files, folders, and repos for accidentally exposed secrets using PowerShell.

Features

  • Give a list of files to scan and we will check for any pattern matches in those files.

  • Outputs the result and metadata. (Use Get-Member to get all scan data)

Example output

  • Use an exclude list to prevent false positives, or if you really want to include secrets in your code, by creating an exclude file and passing it to the -Excludelist parameter. Either be specific and include File, LineNumber, Pattern, or use wildcards to exclude entire files or folders.
# Comments supported

# Relative paths supported (starting with .\)
.\Docs\Help\Find-Secret.md
.\Source\config.json

# Wildcards supported. All files within this and subfolders will be excluded.
.\bin\*

# Paths to files. All matches in these files will be excluded
.\Tests\RegexPatternTests\TestCases.json
C:\MyRepo\PSSecretScanner\README.md

# Patterns on specific lines supported in the format
# <path\to\file>;<line number>;<pattern>
.\ExcludeList.csv;1;"C:\BicepLab\template.json;51;-----BEGIN RSA PRIVATE KEY-----"
C:\MyRepo\PSSecretScanner\Docs\Help\Find-Secret.md;51;"C:\MyFiles\template.json;51;-----BEGIN RSA PRIVATE KEY-----"

To have Write-SecretStatus automatically pick up and use your ignore list for your whole repo, name your exclude list .ignoresecrets and put it in your repo root folder!
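As an added illustration of how the exclude-list format above can be evaluated (this is example code, not the PSSecretScanner module's own implementation), the function below reads an exclude file and decides whether a single finding is excluded. The function names, the case-insensitive path comparison, and resolving .\ paths against the folder that holds the exclude list are assumptions made for this example.

```powershell
# Added example, not code from the PSSecretScanner module. Matching rules
# (case-insensitive paths, .\ resolved against the exclude list's folder) are
# assumptions for this illustration, not the module's documented behaviour.
function Resolve-ExcludePath {
    param([string]$Entry, [string]$Root)
    # Entries starting with .\ are relative to the folder holding the exclude list
    if ($Entry.StartsWith('.\')) { return Join-Path -Path $Root -ChildPath $Entry.Substring(2) }
    return $Entry
}

function Test-ExcludedFinding {
    param(
        [Parameter(Mandatory)] [string] $ExcludeListPath,
        [Parameter(Mandatory)] [string] $File,        # full path of the file containing the hit
        [Parameter(Mandatory)] [int]    $LineNumber,
        [Parameter(Mandatory)] [string] $Pattern      # the matched text reported by the scan
    )
    $root = Split-Path -Path $ExcludeListPath -Parent
    foreach ($raw in Get-Content -Path $ExcludeListPath) {
        $entry = $raw.Trim()
        if (-not $entry -or $entry.StartsWith('#')) { continue }   # blank lines and comments

        # <path>;<line>;<pattern>: the pattern itself may contain semicolons, so only
        # the first two separators split the entry; surrounding quotes are optional
        if ($entry -match '^(?<path>[^;]+);(?<line>\d+);(?<pattern>.*)$') {
            $entryPath    = Resolve-ExcludePath $Matches.path $root
            $entryPattern = $Matches.pattern.Trim('"')
            if ($entryPath -eq $File -and [int]$Matches.line -eq $LineNumber -and $entryPattern -eq $Pattern) {
                return $true
            }
            continue
        }

        $entryPath = Resolve-ExcludePath $entry $root
        if ($entryPath.EndsWith('*')) {
            # Wildcard: every file under that folder and its subfolders is excluded
            if ($File.StartsWith($entryPath.TrimEnd('*'), [StringComparison]::OrdinalIgnoreCase)) { return $true }
        }
        elseif ($entryPath -eq $File) {
            return $true                                    # whole file excluded
        }
    }
    return $false
}

# Usage (paths are constructed sample values):
# Test-ExcludedFinding -ExcludeListPath 'C:\MyRepo\.ignoresecrets' -File 'C:\MyRepo\bin\app.config' -LineNumber 12 -Pattern 'password=hunter2'
```

A finding that is excluded by any entry returns $true, so the caller can drop it before reporting; everything else is reported as usual.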

Installation

  • From the PSGallery, run Install-Module PSSecretScanner

  • Clone this repo, and run Invoke-Build to build the module locally.

Background

I couldn't find a proper secret scanner for PowerShell so I wrote my own.

From the beginning it was just a list of regex patterns stolen from the OWASP SEDATED security scanner repo that I ran through Select-String, as I thought the OWASP tools were way too advanced for my needs, and way too hard to wrap in a PowerShell script. From there it kind of grew, and hopefully it will grow even more.

About Regex patterns

  • The baseline is the list found at the OWASP repo, but converted to PowerShell Regex standard (PCRE I think it's called..)
  • Added _Azure_AccountKey pattern found at Detect-secrets from YELP
  • Added patterns from h33tlit (thank you Simon Wåhlin for telling me)

The added underscore _ to names in the pattern list is simply to make them easier to work with in PowerShell.

Features to add

Yes, even keeping it simple there is stuff I might want to add some day, or if you want to, feel free to create a PR.

  • Parallelization - make it faster on huge repos.
  • More filetypes! I kind of just winged it for now.