Get Secret Scan - list of files scanned

Hi, I have a pipe for secret scanning like this :

- step: name: Secret Scanning script:

- pipe: atlassian/git-secrets-scan:0.4.3

variables:

FILES: "**/*.json ."

I am expecting it to scan my appSettings.json file for exposed secrets, which is placed in my project directory, but it does not. Is there a way I can check what all files it scanned? And does it generate a default report that I can use later in my step?

2 answers

0 votes

Hi @Sachin Kaushik . Thanks for your feedback.
This pipe is based on gitleaks tool.
I also tested your case with using gitleaks:

appSettings.json

{
  "ConnectionStrings": {
    "TestConn": "Data Source=my-test-db;Password=AKIAKEGEYJSDOHQYTEST;Initial Catalog=MyCat;Integrated Security=False;MultiSubnetFailover=true"
  }
}

And gitleaks found a secret inside a file.

○
│╲
│ ○
○ ░
░ gitleaks

10:57AM INF scan completed in 1.17ms
10:57AM WRN leaks found: 1

But here was used AWS pattern, that presented in gitleaks default config.

In case the tool does not scan your secret, you could extend gitleaks config with a required pattern and use it in pipe:

script:
  - pipe: atlassian/git-secrets-scan:3.0.0
    variables:
      DEBUG: "true"
      GITLEAKS_COMMAND: "dir"
      GITLEAKS_EXTRA_ARGS: 
        - "./path_to_directory_or_file"
        - "--config=my-gitleaks-config.toml"

Regards, Igor

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Thanks for looking further into this, Igor! I was hoping that it would detect the text "password" in the JSON file and flag a violation, whatever format the password string might be. Looking at the default gitleaks config, I wonder why it did not fall under rule id = "generic-api-key" (line 535).

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

@Sachin Kaushik you could try https://regex101.com/ and see
that selected pattern is not match with content of the appSettings.json.

Also, i think, you could ask here about your case.

Regards, Igor

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

0 votes

Hi @Sachin Kaushik. Thanks for your question.

First of all try to update git-secrets-scan pipe to the latest version, so the reports feature will be enabled in this pipe.

I suggest to try basic example so your full repository will be scanned by the tool.

script:
  - pipe: atlassian/git-secrets-scan:3.0.0

In case you want some specific folder to be scanned you could try this example:

script:
  - pipe: atlassian/git-secrets-scan:3.0.0
    variables:
      GITLEAKS_COMMAND: "dir"
      GITLEAKS_EXTRA_ARGS: "./path_to_directory_or_file"

Regards, Igor

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Thanks for your response, Igor!

I had tried your suggestion before, it did not detect "password" exposed in my appSettings.json file. The report it generated seemed empty. Here is what I have now:

- step:

name: Secret Scanning

script:

- pipe: atlassian/git-secrets-scan:3.0.0

- ls -al

- cat gitleaks-report.json

My repository just has a sample console app, having a default Program.cs file and I added an appSettings.json file with the following connection string in it:

"ConnectionStrings": {

"TestConn": "Data Source=my-test-db;Password=test1234;Initial Catalog=MyCat;Integrated Security=False;MultiSubnetFailover=true"

}

Here is what the log says:

Digest: sha256:097215cfecb2cf34a34189240ebb5c96d7884e8a9d0b738e83af9717a8f7db8a

Status: Downloaded newer image for bitbucketpipelines/git-secrets-scan:3.0.0

[34mINFO: Extend gitleaks command to create reports... [0m

[34mINFO: [0m

[34mINFO: Generating CodeInsights reports... [0m

[32m✔ Pipe has finished successfully. [0m

+ ls -al

total 48

drwxrwxrwx 5 root root 4096 Nov 15 12:54 .

drwxr-xr-x 8 root root 4096 Nov 15 12:54 ..

drwxr-xr-x 3 165536 165536 4096 Nov 15 12:54 .bitbucket

drwxrwxrwx 8 root root 4096 Nov 15 12:54 .git

-rw-rw-rw- 1 root root 689 Nov 15 12:54 .gitignore

drwxrwxrwx 3 root root 4096 Nov 15 12:54 TestConsoleApp

-rw-rw-rw- 1 root root 1468 Nov 15 12:54 TestConsoleApp.sln

-rw-rw-rw- 1 root root 3671 Nov 15 12:54 bitbucket-pipelines.yml

-rw-rw-rw- 1 root root 1733 Nov 15 12:54 create-jira-ticket-bitbucket.sh

-rw-rw-rw- 1 root root 1077 Nov 15 12:54 create-jira-ticket.sh

-rw-r--r-- 1 165536 165536 3 Nov 15 12:54 gitleaks-report.json

-rw-rw-rw- 1 root root 9 Nov 15 12:54 readme.txt

+ cat gitleaks-report.json

[]

Searching for files matching artifact pattern .bitbucket/pipelines/generated/pipeline/pipes/**

Searching for test report files in directories named [test-results, failsafe-reports, test-reports, TestResults, surefire-reports] down to a depth of 4

Finished scanning for test reports. Found 0 test report files.

Merged test suites, total number tests is 0, with 0 failures and 0 errors.

I see that it did generate the report (gitleaks-report.json), but cat command did not show anything.

Could you please point me towards what I am missing or what I am doing wrong? Thanks.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Suggest an answer

Was this helpful?

Thanks!

Bitbucket

DEPLOYMENT TYPE

CLOUD

Forums

Product Q&A

Community resources

Support

Top groups

Community resources

Support

Learn

Community resources

Support

Events

Community resources

Support

Get Secret Scan - list of files scanned

2 answers

Suggest an answer

Was this helpful?

Thanks!

DEPLOYMENT TYPE

TAGS

Atlassian Community Events