Comments (4)
the alkfjlaf^*flkajlfkay7782085ljafg is just me pressing the keyboard randomly to generate some string :)
from ripsecrets.
I investigated and a regression was recently introduced that didn't detect secrets assigned with the `:=` operator, but I just pushed a fix for that.
Even with that change, it still doesn't detect that as a secret, for 2 reasons:
- `^` and `*` are not considered characters that are normally part of secrets.
- Even without them, the string you typed is not likely to occur randomly. The probability engine gave it only a 0.00000000007% chance of happening randomly, which is below our threshold for considering it a secret.
To +1 Sherlock-Holo's original point though -- there's no easy way to tell what secrets ripsecrets does support.
e.g. I just tried dropping a yubikey string into a file and running ripsecrets and nothing came up.
As it is, the only way to understand what the program does and whether it's useful is to figure out how it works, where the files are, and then decipher the Rust + Regex. It's not ergonomic or safe to use if we don't know whether it can catch what we're trying to protect against.
Seems like a very cool tool, but strangely opaque, given its security focus.
Even a quick walkthrough in the README on how it works and where in the source file to look would be helpful. (It looks like there are a small number of predetermined patterns in find_secrets.rs in predefined_secrets_regexes() and then the rest comes down to a "randomness" estimate in p_random.rs which is using some sort of binomial calculation with a focus on bigrams. But I'm not even sure that's everything. Nor is it immediately obvious how the "randomness" calculator works.)
Again, awesome work -- but there are a lot of decisions and judgements and not much transparency.
Inviting the user to the inner workings would be appreciated.
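A toy version of the detection logic the two comments above describe (a character set that secrets are drawn from, a probability that a random generator would produce the value, a bigram-based binomial estimate, and the `=` / `:=` assignment forms), as an added example that is not ripsecrets' own code. The bigram list, the Binomial(n, q) null model, the minimum length and the threshold are all assumptions made for this illustration.

```python
import math
import re
import string

# Added example, not ripsecrets' own code: a toy scanner with the two checks the
# maintainer describes (a secret character set, and the probability that a random
# generator produced the value), applied to `=` and `:=` assignments.

SECRET_CHARS = frozenset(string.ascii_letters + string.digits + "_-")
MIN_LEN = 16        # assumed: shorter values are never reported
P_THRESHOLD = 1e-3  # assumed: below this the value is "not random enough"

# Constructed list of bigrams common in English words and identifiers.
COMMON_BIGRAMS = frozenset(
    "th he in er an re on at en nd ti es or te of ed is it al ar st to "
    "nt ng se ha as ou io le ve co me de hi ri ro ic ne ea ra ce li ch "
    "ll be ma si om ur".split())

# name = "value" / name := 'value' / name = value   (constructed pattern)
ASSIGN_RE = re.compile(r"\b(\w+)\s*(?::=|=)\s*[\"']?([^\s\"',;]+)")

def p_random(value: str) -> float:
    """P(a uniformly random string over SECRET_CHARS has at least as many
    common bigrams as `value`) under an assumed Binomial(n, q) null model."""
    v = value.lower()
    bigrams = [v[i:i + 2] for i in range(len(v) - 1)]
    n, k = len(bigrams), sum(b in COMMON_BIGRAMS for b in bigrams)
    q = len(COMMON_BIGRAMS) / len(SECRET_CHARS) ** 2  # P(one random bigram is common)
    return sum(math.comb(n, j) * q ** j * (1 - q) ** (n - j) for j in range(k, n + 1))

def classify(value: str) -> str:
    """Explain why a value is, or is not, treated as a secret."""
    if len(value) < MIN_LEN:
        return "too short"
    if not set(value) <= SECRET_CHARS:
        return "contains characters not normally part of secrets"
    if p_random(value) < P_THRESHOLD:
        return "too unlikely to have been generated randomly"
    return "secret"

def find_secrets(text: str) -> list:
    """(name, value) pairs assigned with `=` or `:=` that classify as secrets."""
    return [(n, v) for n, v in ASSIGN_RE.findall(text) if classify(v) == "secret"]

# Constructed sample: the mashed string from this thread, an English-like
# password, and a random-looking token assigned with `:=`.
SAMPLE = '''mashed = "alkfjlaf^*flkajlfkay7782085ljafg"
password := "welcomehomeagain2024"
api_token := "q8Zr2mVx9Lp4Kd7Wn0sYb3Hc6Tg1Je5A"
'''
```

Running `find_secrets(SAMPLE)` reports only `api_token`: the mashed string is rejected on its character set, and the English-like password has far more common bigrams than a random string would.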
@ethanmsl I added a "How it works" section to the README to address your feedback: https://github.com/sirwart/ripsecrets#how-it-works. I hope it helps!
Related Issues (20)
- False positive HOT 2
- False positive, and problems with ignoring HOT 3
- Allow installing ripsecrets via homebrew HOT 6
- Return proper range match for random secrets HOT 1
- Finalize pre-commit configuration HOT 4
- Consider supporting BIND9 config format
- Alternative tools HOT 6
- Running cargo install downloads sentry submodule HOT 4
- Add user friendly method for adding additional secret patterns HOT 12
- Bug: Long secrets are not ignored
- Feature request: Allow global .secretsignore
- `.secretsignore` without `[secrets]` isn't used
- FR: Consider adding gitlab private token pattern. HOT 3
- Check against SEDATED regexes for more
- `pre-commit` hook should use pre-built binaries instead of requiring `cargo install` HOT 8
- Inconsistent behavior on secretsignore HOT 2
- It doesn't work HOT 9
- Blockers to 1.0.0? HOT 1
- Does not work in Windows