├── LICENSE
├── README.md
├── cred_scanner.py
└── requirements.txt

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 DisruptOps, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# cred_scanner
A simple command line tool for finding AWS credentials in files. Optimized for use with Jenkins and other CI systems.

I suspect there are other, better tools out there (such as [git-secrets](https://github.com/awslabs/git-secrets/blob/master/git-secrets)), but I couldn't find anything to run a quick and dirty scan that also integrates well with Jenkins.

## Usage:

To install, just copy it where you want it and install the requirements:

    pip install -r ./requirements.txt

This was written in Python 3.6.

To run:

    python cred_scanner.py

That will scan the local directory and all subdirectories. It lists every file, flags the ones that contain potential access keys, and reports the ones that can't be scanned due to the file format. cred_scanner exits with a code of 1 if it finds any potential keys.

    Usage: cred_scanner.py [OPTIONS]

    Options:
      --path TEXT  Path other than the local directory to scan
      --secret     Also look for Secret Key patterns. This may result in many
                   false matches due to the nature of secret keys.
      --help       Show this message and exit.

To run as a test in Jenkins, call it from the command line or add it as a step to your Jenkins build. Jenkins fails a build step on any non-zero exit code, so the exit code of 1 fails the build whenever a potential key is found.
--------------------------------------------------------------------------------
/cred_scanner.py:
--------------------------------------------------------------------------------
import os
import re
import sys
import click

@click.command()
@click.option('--path', default='.', help='Path other than the local directory to scan')
@click.option('--secret', is_flag=True, help='Also look for Secret Key patterns. This may result in many false matches due to the nature of secret keys.')
def scan(path, secret):
    fail = False
    for dirname, dirnames, filenames in os.walk(path):
        # print path to all subdirectories first.
        for subdirname in dirnames:
            print(os.path.join(dirname, subdirname))

        # print path to all filenames.
        for filename in filenames:
            click.echo(os.path.join(dirname, filename))
            f = open(os.path.join(dirname, filename))
            if secret:
                pattern = re.compile('(?
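The copy of cred_scanner.py above breaks off before its regex, so the following is an added, self-contained example (not the project's code) of the behaviour the README describes: walk a directory tree, flag files that contain an AWS access key ID, optionally apply the noisier secret-key pattern, report files that are not text, and exit 1 when anything is found. The regexes, function names and sample files are assumptions made for illustration; the key values are the placeholder credentials from AWS's own documentation, not live keys.

```python
"""Added example of a cred_scanner-style AWS credential scan.

Not cred_scanner.py itself: the patterns, function names and sample inputs
below are assumptions for illustration.
"""
import os
import re
import sys
import tempfile

# Assumed pattern: AWS access key IDs are 20 characters, a four-letter prefix
# (AKIA for long-term keys, ASIA for temporary ones) plus 16 upper-case
# alphanumerics. The look-arounds stop it firing inside a longer token.
ACCESS_KEY_RE = re.compile(r'(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])')

# Assumed pattern: secret access keys are 40 characters from the base64
# alphabet. Any such 40-character run matches, which is why the README warns
# that --secret produces many false matches (a git commit SHA is one example).
SECRET_KEY_RE = re.compile(r'(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])')


def find_keys(text, secret=False):
    """Return a list of (kind, value) for every potential key in text."""
    hits = [('access_key', m.group(0)) for m in ACCESS_KEY_RE.finditer(text)]
    if secret:
        hits += [('secret_key', m.group(0)) for m in SECRET_KEY_RE.finditer(text)]
    return hits


def scan_file(path, secret=False):
    """Return ('skipped', None) if the file is not UTF-8 text, else ('scanned', hits).

    Reading bytes first avoids the UnicodeDecodeError that a text-mode open()
    raises part-way through a binary file.
    """
    with open(path, 'rb') as fh:
        data = fh.read()
    try:
        text = data.decode('utf-8')
    except UnicodeDecodeError:
        return 'skipped', None
    return 'scanned', find_keys(text, secret)


def scan_tree(root, secret=False):
    """Walk root recursively; paths in the report are relative to root."""
    report = {'findings': {}, 'skipped': [], 'scanned': 0}
    for dirname, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirname, name)
            rel = os.path.relpath(path, root)
            status, hits = scan_file(path, secret)
            if status == 'skipped':
                report['skipped'].append(rel)
                continue
            report['scanned'] += 1
            if hits:
                report['findings'][rel] = hits
    return report


def exit_code(report):
    """The contract a CI step relies on: 1 if anything was found, else 0."""
    return 1 if report['findings'] else 0


# Constructed sample inputs. The key values are the placeholder credentials
# used in AWS documentation.
SAMPLE_ACCESS_KEY = 'AKIAIOSFODNN7EXAMPLE'
SAMPLE_SECRET_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
SAMPLE_FILES = {
    'config/settings.ini': ('[default]\naws_access_key_id = %s\n'
                            'aws_secret_access_key = %s\n'
                            % (SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY)),
    'README.txt': 'Nothing sensitive in here.\n',
    # A 40-hex-digit commit SHA: matches the secret pattern but is not a key.
    'CHANGELOG.txt': 'Fixed in commit da39a3ee5e6b4b0d3255bfef95601890afd80709\n',
    # Starts with a byte that is invalid as UTF-8, so it is reported as skipped.
    'logo.png': b'\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR',
}


def demo(secret=False):
    """Write SAMPLE_FILES into a temporary tree, scan it, return (report, code)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split('/'))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            data = content if isinstance(content, bytes) else content.encode('utf-8')
            with open(path, 'wb') as fh:
                fh.write(data)
        report = scan_tree(root, secret)
    return report, exit_code(report)


if __name__ == '__main__':
    # With a path argument scan that tree; otherwise scan the constructed sample.
    want_secret = '--secret' in sys.argv
    if len(sys.argv) > 1 and sys.argv[1] != '--secret':
        result = scan_tree(sys.argv[1], secret=want_secret)
        code = exit_code(result)
    else:
        result, code = demo(secret=want_secret)
    for rel, hits in result['findings'].items():
        for kind, value in hits:
            print('%s: potential %s %s' % (rel, kind, value))
    for rel in result['skipped']:
        print('%s: skipped (not UTF-8 text)' % rel)
    sys.exit(code)
```

Run it with no arguments to scan the constructed sample (exit code 1), or with a path and optionally `--secret` to scan a real tree. The CHANGELOG entry shows why `--secret` is noisy: a commit SHA is forty base64-alphabet characters, so it matches the secret pattern even though it is not a key, and only the access-key prefix gives a low-noise signal on its own.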