Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
CredSweeper is a tool to detect credentials in any directories or files. CredSweeper could help users to detect unwanted exposure of credentials (such as tokens, passwords, api keys etc.) in advance. By scanning lines, filtering, and using AI model as option, CredSweeper reports lines with possible credentials, where the line is, and expected type of the credential as a result.
Full documentation can be found here: https://credsweeper.readthedocs.io/
Details here.
pip install credsweeper
Get all argument list:
python -m credsweeper --help
Run CredSweeper:
python -m credsweeper --path tests/samples/password.gradle --save-json output.json
To check JSON file run:
cat output.json
[
{
"api_validation": "NOT_AVAILABLE",
"ml_validation": "VALIDATED_KEY",
"ml_probability": 0.99755,
"rule": "Password",
"severity": "medium",
"confidence": "moderate",
"line_data_list": [
{
"line": "password = \"cackle!\"",
"line_num": 1,
"path": "tests/samples/password.gradle",
"info": "",
"value": "cackle!",
"value_start": 12,
"value_end": 19,
"variable": "password",
"entropy_validation": {
"iterator": "BASE64_CHARS",
"entropy": 2.120589933192232,
"valid": false
}
}
]
}
]
credsweeper/secret/config.json - Configuration file for pre-processing of CredSweeper. For more details please check here.
You can set the pattern
, extension
and path
you want to exclude from scanning as below.
{
"exclude": {
"pattern": [
"AKIA[0-9A-Z]{9}EXAMPLE",
...
],
"extension": [
"gif",
"jpg",
...
],
"path": [
"/.git/",
"/openssl/",
...
]
},
...
}
And you can also set source_ext
, source_quote_ext
, find_by_ext_list
, check_for_literals
, line_data_output
, and candidate_output
as below.
source_ext
: List of extensions for scanning categorized as source files.source_quote_ext
: List of extensions for scanning categorized as source files that using quote.find_by_ext_list
: List of extensions to detect only extensions.check_for_literals
: Bool value for whether to check line has string literal declaration or not.line_data_output
: List of attributes of line_data for output.candidate_output
: List of attributes of candidate for output.{
...
"source_ext": [
".py",
".cpp",
...
],
"source_quote_ext": [
".py",
".cpp",
...
],
"find_by_ext_list": [
".pem",
".cer",
...
],
"check_for_literals": true,
"line_data_output": [
"line",
"line_num",
...
],
"candidate_output": [
"rule",
"severity",
...
]
}
credsweeper/rules/config.yaml - Configuration file for setting Rule. For more details please check here.
...
- name: API
severity: medium
confidence: moderate
type: keyword
values:
- api
filter_type: GeneralKeyword
use_ml: true
validations: []
- name: AWS Client ID
...
To run all tests:
python -m pytest --cov=credsweeper --cov-report=term-missing -s tests/
To run only tests independent of external api:
python -m pytest -m "not api_validation_test" tests/
To obtain manageable (without subprocesses) coverage:
python -m pytest --cov=credsweeper --cov-report=html tests/ --ignore=tests/test_app.py
We have a dataset for testing credential scanners that called CredData. If you want to test CredSweeper with this dataset please check here.
To check overall architecture of CredSweeper please check here.
If you want to check how model was trained or retrain it on your own data, please refer to the experiment folder
The CredSweeper is an Open Source project released under the terms of MIT License V2.
In addition to developing under an Open Source license, A use an Open Source Development approach, welcoming everyone to participate, contribute, and engage with each other through the project.
A recognizes the following formal roles: Contributor and Maintainer. Informally, the community may organize itself and give rights and responsibilities to the necessary people to achieve its goals.
A Contributor is anyone who wishes to contribute to the project, at any level. Contributors are granted the following rights, to:
If you want to participate in the project development, check out the how to contribute guideline in advance.
Contributors who show dedication and skill are rewarded with additional rights and responsibilities. Their opinions weigh more when decisions are made, in a fully meritocratic fashion.
A Maintainer is a Contributor who is also responsible for knowing, directing and anticipating the needs of a given a Module. As such, Maintainers have the right to set the overall organization of the source code in the Module, and the right to participate in the decision-making. Maintainers are required to review the contributor’s requests and decide whether to accept or not.
Name | |
---|---|
Jaeku Yun | jk0113.yun@samsung.com |
Shinhyung Choi | sh519.choi@samsung.com |
Roman Babenko | r.babenko@samsung.com |
Yuliia Tatarinova | yuliia.t@samsung.com |
Please post questions, issues, or suggestions in issues. This is the best way to communicate with the developers.
FAQs
Credential Sweeper
We found that credsweeper demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.