rusty_hogs 1.0.1

This project provides a set of scanners that will use regular expressions to try and detect the presence of sensitive information such as API keys, passwords, and personal information. It includes a set of regular expressions by default, but will also accept a JSON object containing your custom regular expressions.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

//! Git secret scanner in Rust (the original TruffleHog replacement)
//!
//! # Usage
//! ```
//!     choctaw_hog [FLAGS] [OPTIONS] <GITPATH>
//!
//!FLAGS:
//!        --caseinsensitive    Sets the case insensitive flag for all regexes
//!        --entropy            Enables entropy scanning
//!        --prettyprint        Outputs the JSON in human readable format
//!    -v, --verbose            Sets the level of debugging information
//!    -h, --help               Prints help information
//!    -V, --version            Prints version information
//!
//!OPTIONS:
//!        --httpspass <HTTPSPASS>          Takes a password for HTTPS-based authentication
//!        --httpsuser <HTTPSUSER>          Takes a username for HTTPS-based authentication
//!    -o, --outputfile <OUTPUT>            Sets the path to write the scanner results to (stdout by default)
//!    -r, --regex <REGEX>                  Sets a custom regex JSON file, defaults to built-in
//!        --since_commit <SINCECOMMIT>     Filters commits based on date committed (branch agnostic)
//!        --sshkeypath <SSHKEYPATH>        Takes a path to a private SSH key for git authentication, defaults to ssh-agent
//!        --sshkeyphrase <SSHKEYPHRASE>    Takes a passphrase to a private SSH key for git authentication, defaults to
//!                                         none
//!        --until_commit <UNTILCOMMIT>     Filters commits based on date committed (branch agnostic)
//!
//!ARGS:
//!    <GITPATH>    Sets the path (or URL) of the Git repo to scan. SSH links must include username (git@)
//! ```

#[macro_use]
extern crate clap;

extern crate tempdir;

extern crate chrono;

extern crate encoding;

use clap::ArgMatches;
use log::{self, info};
use simple_error::SimpleError;
use std::str;
use tempdir::TempDir;

use rusty_hogs::git_scanning::GitScanner;
use rusty_hogs::{SecretScanner, SecretScannerBuilder};

/// Main entry function that uses the [clap crate](https://docs.rs/clap/2.33.0/clap/)
fn main() {
    let matches = clap_app!(choctaw_hog =>
        (version: "1.0.1")
        (author: "Scott Cutler <scutler@newrelic.com>")
        (about: "Git secret scanner in Rust")
        (@arg REGEX: -r --regex +takes_value "Sets a custom regex JSON file")
        (@arg GITPATH: +required "Sets the path (or URL) of the Git repo to scan. SSH links must include username (git@)")
        (@arg VERBOSE: -v --verbose ... "Sets the level of debugging information")
        (@arg ENTROPY: --entropy ... "Enables entropy scanning")
        (@arg CASE: --caseinsensitive "Sets the case insensitive flag for all regexes")
        (@arg OUTPUT: -o --outputfile +takes_value "Sets the path to write the scanner results to (stdout by default)")
        (@arg PRETTYPRINT: --prettyprint "Outputs the JSON in human readable format")
        (@arg SINCECOMMIT: --since_commit +takes_value "Filters commits based on date committed (branch agnostic)")
        (@arg UNTILCOMMIT: --until_commit +takes_value "Filters commits based on date committed (branch agnostic)")
        (@arg SSHKEYPATH: --sshkeypath +takes_value "Takes a path to a private SSH key for git authentication, defaults to ssh-agent")
        (@arg SSHKEYPHRASE: --sshkeyphrase +takes_value "Takes a passphrase to a private SSH key for git authentication, defaults to none")
        (@arg HTTPSUSER: --httpsuser +takes_value "Takes a username for HTTPS-based authentication")
        (@arg HTTPSPASS: --httpspass +takes_value "Takes a password for HTTPS-based authentication")
    )
    .get_matches();
    match run(&matches) {
        Ok(()) => {}
        Err(e) => panic!("error: {}", e),
    }
}

/// Main logic contained here. Get the CLI variables, and use them to initialize a GitScanner
fn run(arg_matches: &ArgMatches) -> Result<(), SimpleError> {
    // Set logging
    SecretScanner::set_logging(arg_matches.occurrences_of("VERBOSE"));

    // Initialize some more variables
    let secret_scanner = SecretScannerBuilder::new().conf_argm(arg_matches).build();
    let sshkeypath = arg_matches.value_of("SSHKEYPATH");
    let sshkeyphrase = arg_matches.value_of("SSHKEYPHRASE");
    let httpsuser = arg_matches.value_of("HTTPSUSER");
    let httpspass = arg_matches.value_of("HTTPSPASS");
    let since_commit = arg_matches.value_of("SINCECOMMIT");
    let until_commit = arg_matches.value_of("UNTILCOMMIT");
    let scan_entropy = arg_matches.is_present("ENTROPY");

    // Get Git objects
    let dest_dir = TempDir::new("rusty_hogs").unwrap();
    let dest_dir_path = dest_dir.path();
    let source_path: &str = arg_matches.value_of("GITPATH").unwrap();

    // Do the scan
    let git_scanner = GitScanner::new_from_scanner(secret_scanner).init_git_repo(
        source_path,
        &dest_dir_path,
        sshkeypath,
        sshkeyphrase,
        httpsuser,
        httpspass,
    );
    let findings = git_scanner.perform_scan(None, since_commit, until_commit, scan_entropy);

    // Output the results
    info!("Found {} secrets", findings.len());
    git_scanner.secret_scanner.output_findings(&findings);

    Ok(())
}