
Comments (12)

sirwart avatar sirwart commented on August 23, 2024 3

All the patterns are defined by regex currently, and that's what makes it so fast, so I would definitely want to start with custom regex patterns.

from ripsecrets.

sirwart avatar sirwart commented on August 23, 2024 3

I just published a new release that allows you to specify additional secret regexes using the --additional-pattern CLI argument. I chose against having a config file for now since if you're using it as a precommit hook you can specify the CLI arguments as part of the hook, which avoids the complexity of adding yet another config file to your repo.

@pkgh-mp in addition to the above, passwords in URLs are now detected by default (not just MySQL connection strings). It will check for the randomness of the secret to avoid reporting things like example connection strings.

I'm going to close this issue for now but if anyone feels like they need the ability to define the secrets via config file please open a new issue.

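As an added illustration of what this thread converges on (a default check for credentials in the authority part of a URL, gated by a randomness test so placeholders like USERNAME:PASSWORD are not reported, plus one-regex-per-line custom patterns in a .secretpatterns-style file): this is example code written for this page, not ripsecrets' own implementation, and the `corp_oauth_` key format, the sample lines and the entropy threshold are constructed assumptions.

```python
import math
import re

# Credentials in the userinfo part of a URL: scheme://user:password@host
URL_CREDENTIAL_RE = re.compile(
    r"\b[a-z][a-z0-9+.-]*://([^\s:/@]+):([^\s/@]+)@[^\s/]+", re.IGNORECASE
)
# Obvious template values: ALL_CAPS, ${VAR} or <placeholder>
TEMPLATE_RE = re.compile(r"^[A-Z_]+$|\$\{|<[^>]*>")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random secrets score high, words low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def is_placeholder(secret: str, min_entropy: float = 3.0) -> bool:
    """Randomness gate: skip example/template passwords (threshold is assumed)."""
    return bool(TEMPLATE_RE.search(secret)) or shannon_entropy(secret) < min_entropy


def load_patterns(text: str):
    """Parse a .secretpatterns-style file: one regex per line, '#' comments."""
    patterns = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            patterns.append((f"custom-{n}", re.compile(line)))
    return patterns


def scan(text: str, extra_patterns=()):
    """Return (line_no, rule, match) findings; custom patterns are not entropy-gated."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = URL_CREDENTIAL_RE.search(line)
        if m and not is_placeholder(m.group(2)):
            findings.append((lineno, "url-credential", m.group(2)))
        for name, rx in extra_patterns:
            for hit in rx.finditer(line):
                findings.append((lineno, name, hit.group(0)))
    return findings


# Constructed sample input: no real credentials.
SAMPLE = """\
DB_URL = "mysql://USERNAME:PASSWORD@db.example.com:3306/app"
DEV_URL = "postgres://app:x7Qp9vL2mZ4kR8wT@localhost/app"
API_KEY = "corp_oauth_Zk83mQ7vPd2LxW9t"
DOCS = "see https://en.wikipedia.org/wiki/URL"
"""
# Hypothetical in-house OAuth key format, as a .secretpatterns-style file.
CUSTOM_PATTERNS = "# in-house OAuth keys (constructed)\ncorp_oauth_[A-Za-z0-9]{16}\n"

if __name__ == "__main__":
    for finding in scan(SAMPLE, load_patterns(CUSTOM_PATTERNS)):
        print(finding)
```

Only the dev connection string and the custom key are reported; the all-caps example URL is dropped by the randomness gate.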

colindean avatar colindean commented on August 23, 2024 1

I'd prefer to have one file for all ripsecrets config, if possible. Config file format could remain simple: I know it's easy to reach for serde but there might be something more lightweight that keeps the code and binary small.


colindean avatar colindean commented on August 23, 2024 1

Another thought, inspired by but unrelated to the GitHub incident today, it'd be great if whatever format this comes into being is passable through the command line, as well. I'd love to be able to pass around a pre-commit configuration that has what's needed without having to pass around additional files.

e.g.

repos:
-   repo: https://github.com/sirwart/ripsecrets
    rev: v0.1.5  # Use latest tag on GitHub
    hooks:
    -   id: ripsecrets
        args:
        - --reject-with-pattern '/privkey_.*/'


sfc-gh-brsmith avatar sfc-gh-brsmith commented on August 23, 2024

Thanks! I think user configurable patterns are on the list of things that I want to support but have been waiting for a motivating use case for. Do you have an example you want to support?


colindean avatar colindean commented on August 23, 2024

I'd like to catch:

  • Old-style GitHub tokens, which are still used in still-supported GitHub Enterprise installations (although this could be added to the prepackaged list, but probably shouldn't because the old-style ones didn't really have a set format)
  • My company's internal OAuth API key format


sirwart avatar sirwart commented on August 23, 2024

My initial thought is to have something like a .secretpatterns file that is similar to the .gitignore file, where each line is a new pattern. ripsecrets would look in the git root as well as the user's home directory for this file when searching. What do folks think?


colindean avatar colindean commented on August 23, 2024

Are regex patterns enough? I think so but there's some allure in embedding a scripting language like Lua or Passerine.


pkgh-mp avatar pkgh-mp commented on August 23, 2024

I'd love to be able to add a custom pattern as well.
We're working with Python in Jupyter Notebooks and like to overwrite the injected secrets for the DB connection during development so a dev DB is used.

Basically what I'm missing is a check for credentials in the authority part of a URL, e.g.: mysql://USERNAME:[email protected]

see https://en.wikipedia.org/wiki/URL


kengodwin avatar kengodwin commented on August 23, 2024

I'd like to +1 this feature as well.

Basically, the reason I'm not using the tool at the moment is trufflehog is detecting stuff I need detected.


sirwart avatar sirwart commented on August 23, 2024

@pkgh-mp secrets in URLs should probably be supported by default. I can take a crack at adding that soon.

@kengodwin I can also look at adding custom regex patterns to search for. It's pretty trivial to support, just need to decide on how to specify it.


kengodwin avatar kengodwin commented on August 23, 2024

Appreciate it when you have the time, thanks for looking into it.

