glferreira-devsecops/cascavel-secret-scanner
GitHub: glferreira-devsecops/cascavel-secret-scanner
Cascavel Secret Scanner is a lightweight open-source tool that automatically detects hard-coded secrets in CI/CD.
Stars: 1 | Forks: 0
# 🐍 Cascavel Secret Scanner
## 🚀 Quick start

Add one line to any workflow. That's it.

```yaml
name: Security
on: [push, pull_request]
jobs:
  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: glferreira-devsecops/cascavel-secret-scanner@v1
```

## 💡 Why Cascavel?

| | Cascavel | Other tools |
|:--|:---------|:------------|
| ⚡ **Setup time** | 1 line, zero config | Config files, Docker images, API keys |
| 🎯 **Patterns** | 40+ curated, severity-classified | Often hundreds of noisy rules |
| 🔒 **SARIF** | Native output → GitHub Security tab | Usually requires adapters |
| 📊 **Step Summary** | Built-in table in workflow run | Manual parsing |
| 🔐 **Redaction** | Automatic in logs | Often leaks the secret itself |
| 📁 **Languages** | 30+ file types, all major ecosystems | Often language-specific |
| 🚫 **Baseline** | Suppress known findings | Limited or absent |
| 🕵️ **Git history** | Optional deep scan of deleted files | Separate tool required |
| 💰 **Cost** | Free & open source | Free tier limits or paid |

## 🔍 Detection patterns

### 🔴 Critical: immediate credential exposure

| ID | Description | Example Pattern |
|:---|:------------|:----------------|
| `aws-access-key` | AWS Access Key ID | `AKIA...` |
| `aws-secret-key` | AWS Secret Access Key | `aws_secret_access_key = "..."` |
| `gcp-service-account` | GCP Service Account Key | `"type": "service_account"` |
| `azure-storage-key` | Azure Storage Account Key | `AccountKey=...` |
| `github-token` | GitHub PAT / Fine-grained Token | `ghp_...`, `github_pat_...` |
| `gitlab-token` | GitLab Personal Access Token | `glpat-...` |
| `slack-bot-token` | Slack Bot / User Token | `xoxb-...`, `xoxp-...` |
| `stripe-live-secret` | Stripe Live Secret Key | `sk_live_...` |
| `stripe-live-restricted` | Stripe Restricted Key | `rk_live_...` |
| `paypal-access-token` | PayPal Access Token | `access_token$production$...` |
| `square-access-token` | Square Access Token | `sq0atp-...` |
| `private-key-*` | RSA, EC, DSA, OpenSSH, PGP Keys | `-----BEGIN ... PRIVATE KEY-----` |

### 🟠 High: API keys and database credentials

| ID | Description | Example Pattern |
|:---|:------------|:----------------|
| `sendgrid-api-key` | SendGrid | `SG....` |
| `twilio-api-key` | Twilio | `SK` + 32 hex chars |
| `telegram-bot-token` | Telegram Bot | `123456789:ABC-...` |
| `firebase-api-key` | Firebase | `AIza...` |
| `jwt-token` | Hardcoded JWT | `eyJhbGci...` |
| `slack-webhook` | Slack Incoming Webhook | `hooks.slack.com/services/...` |
| `discord-webhook` | Discord Webhook | `discord.com/api/webhooks/...` |
| `supabase-service-role` | Supabase Service Role Key | JWT with specific prefix |
| `database-url` | Database Connection String | `postgres://user:pass@host` |
| `generic-password` | Hardcoded password assignments | `password = "..."` |
| `generic-api-key` | Hardcoded API key assignments | `api_key = "..."` |

### 🟡 Medium & 🔵 Low

| ID | Description |
|:---|:------------|
| `base64-secret` | Base64-encoded credential values |
| `hex-secret` | Long hex strings in secret context |
| `ip-with-port` | Hardcoded internal IP addresses with ports |
| `todo-secret` | TODO/FIXME comments referencing secrets |

## 🔧 Advanced usage

### Upload results to the GitHub Security tab

```yaml
- uses: glferreira-devsecops/cascavel-secret-scanner@v1
  id: scan
  with:
    fail-on-findings: 'false'
- uses: github/codeql-action/upload-sarif@v3
  if: always()
  with:
    sarif_file: ${{ steps.scan.outputs.sarif-path }}
```

### Report only critical and high severity

```yaml
- uses: glferreira-devsecops/cascavel-secret-scanner@v1
  with:
    severity: 'high'
    fail-on-findings: 'true'
```

### Scan with custom exclusions

```yaml
- uses: glferreira-devsecops/cascavel-secret-scanner@v1
  with:
    exclude-paths: '.git,node_modules,vendor,dist,coverage,*.test.js,*.spec.ts,__mocks__'
    max-file-size: '256'
```

### Deep scan including Git history

```yaml
- uses: glferreira-devsecops/cascavel-secret-scanner@v1
  with:
    scan-history: 'true'
    severity: 'critical'
```

### Use outputs in later steps

```yaml
- uses: glferreira-devsecops/cascavel-secret-scanner@v1
  id: scan
  with:
    fail-on-findings: 'false'
- name: Notify on critical
  if: steps.scan.outputs.critical-count > 0
  run: |
    echo "🔴 ${{ steps.scan.outputs.critical-count }} critical secrets found!"
    echo "📄 Full report: ${{ steps.scan.outputs.report-path }}"
```

### Suppress known findings with a baseline

```yaml
- uses: glferreira-devsecops/cascavel-secret-scanner@v1
  with:
    baseline-file: '.cascavel-baseline'
```

## ⚙️ Inputs

| Input | Description | Required | Default |
|:------|:------------|:--------:|:--------|
| `path` | Root path to scan | No | `.` |
| `severity` | Minimum severity: `low` / `medium` / `high` / `critical` | No | `medium` |
| `fail-on-findings` | Block pipeline if secrets are found | No | `true` |
| `exclude-paths` | Comma-separated glob patterns to exclude | No | `.git,node_modules,...` |
| `sarif-output` | Generate SARIF report for Security tab | No | `true` |
| `max-file-size` | Skip files larger than N KB | No | `512` |
| `scan-history` | Scan git history for deleted secrets | No | `false` |
| `baseline-file` | Path to baseline suppression file | No | _(none)_ |
| `custom-patterns` | Path to custom patterns JSON file | No | _(none)_ |

## 📤 Outputs

| Output | Description | Example |
|:-------|:------------|:--------|
| `findings-count` | Total number of secrets detected | `3` |
| `critical-count` | Critical severity findings | `1` |
| `high-count` | High severity findings | `2` |
| `sarif-path` | Path to SARIF report | `.cascavel/results.sarif` |
| `report-path` | Path to JSON report | `.cascavel/findings.json` |

## 📊 Example output

```
╔══════════════════════════════════════════════════╗
║        🐍 CASCAVEL SECRET SCANNER v1.0.0         ║
║       Enterprise Security · RET Tecnologia       ║
║            https://rettecnologia.org             ║
╚══════════════════════════════════════════════════╝

📂 Target: .
🎯 Threshold: medium
🚫 Excludes: 14 patterns
📏 Max size: 512KB
────────────────────────────────────────────────────
🔴 [CRITICAL] AWS Access Key ID (CWE-798)
   Found in 1 location(s):
   └─ src/config.py:42
      aws_key = "***REDACTED***"

🟠 [HIGH] Slack Incoming Webhook (CWE-798)
   Found in 2 location(s):
   └─ deploy/notify.sh:8
      ***REDACTED***
   └─ .env.example:15
      ***REDACTED***
────────────────────────────────────────────────────
📊 SCAN RESULTS
────────────────────────────────────────────────────
🔴 Critical: 1
🟠 High:     2
🟡 Medium:   0
🔵 Low:      0
────────────────────────────────────────────────────
📋 Total: 3 finding(s)

❌ Pipeline blocked: 3 secret(s) detected

🐍 Cascavel Secret Scanner by RET Tecnologia
```

**GitHub Step Summary** is also generated automatically:

| Severity | Count |
|:---------|------:|
| 🔴 Critical | 1 |
| 🟠 High | 2 |
| 🟡 Medium | 0 |
| 🔵 Low | 0 |
| **Total** | **3** |

## 📁 Scanned file types
30+ languages and config formats:

**Languages:** `.py` `.js` `.ts` `.jsx` `.tsx` `.go` `.rs` `.java` `.rb` `.php` `.cs` `.c` `.cpp` `.h` `.kt` `.swift` `.r` `.R` `.jl` `.ex` `.exs` `.sh` `.bash` `.zsh` `.fish`

**Config:** `.yml` `.yaml` `.json` `.xml` `.toml` `.cfg` `.conf` `.ini` `.properties` `.env` `.env.*` `.tf` `.hcl` `Dockerfile`

**Other:** `.md` `.txt` `.html` `.css` `.sql` `.gradle`

Built with ❤️ by Gabriel Ferreira at RET Tecnologia · Brazil 🇧🇷
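To make the detection-pattern tables and the `severity`, `exclude-paths`, `max-file-size` and `baseline-file` inputs concrete, here is an added Python example of a minimal scanner with the same shape. It is not the action's own code: the regexes for the handful of pattern IDs it covers, the baseline fingerprint format (`pattern-id:path:line`), the severity assigned to `todo-secret`, and the sample repository contents are all constructed for this illustration. What it shows that the tables alone do not is the order of the checks (exclusions and file size first, then the severity threshold, then the baseline) and how the matched value is masked before a finding is ever logged.

```python
import fnmatch
import re
from dataclasses import dataclass

# Severity ordering used for the `severity` threshold (low / medium / high / critical).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# A subset of the README's pattern IDs. The regexes are constructed for this
# example; the action's own rules are not published on the page. The severity
# of `todo-secret` (listed under "Medium & Low") is assumed to be low here.
PATTERNS = [
    ("aws-access-key", "critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-token", "critical", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack-webhook", "high", re.compile(r"hooks\.slack\.com/services/[A-Za-z0-9/]+")),
    # Group 1 captures only the value, so the assignment stays readable after redaction.
    ("generic-password", "high", re.compile(r"(?i)\bpassword\s*=\s*[\"']([^\"']{6,})[\"']")),
    ("todo-secret", "low", re.compile(r"(?i)\b(?:TODO|FIXME)\b.*\b(?:secret|password|token|key)\b")),
]


@dataclass(frozen=True)
class Finding:
    pattern_id: str
    severity: str
    path: str
    line: int
    redacted: str  # the offending line with the secret value masked, safe to log


def redact(line: str, match: re.Match) -> str:
    """Mask the captured value (group 1) or, failing that, the whole match."""
    start, end = match.span(1) if match.lastindex else match.span()
    return line[:start] + "***REDACTED***" + line[end:]


def is_excluded(path: str, excludes) -> bool:
    """Glob-match the basename, or skip any path containing an excluded directory component."""
    parts = path.split("/")
    return any(fnmatch.fnmatch(parts[-1], pat) or pat in parts[:-1] for pat in excludes)


def scan(files, min_severity="medium", excludes=(), max_kb=512, baseline=frozenset()):
    """files: {path: text}. Returns findings at or above min_severity that are not baselined."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for path, content in files.items():
        if is_excluded(path, excludes) or len(content.encode()) > max_kb * 1024:
            continue
        for lineno, line in enumerate(content.splitlines(), start=1):
            for pattern_id, severity, regex in PATTERNS:
                if SEVERITY_RANK[severity] < threshold:
                    continue
                for m in regex.finditer(line):
                    # Assumed baseline fingerprint format: pattern-id:path:line
                    if f"{pattern_id}:{path}:{lineno}" in baseline:
                        continue
                    findings.append(Finding(pattern_id, severity, path, lineno, redact(line, m)))
    return findings


def summarize(findings, fail_on_findings=True):
    """Counts mirroring the action's outputs, plus whether the pipeline would be blocked."""
    return {
        "findings-count": len(findings),
        "critical-count": sum(f.severity == "critical" for f in findings),
        "high-count": sum(f.severity == "high" for f in findings),
        "blocked": fail_on_findings and bool(findings),
    }


# Constructed sample repository; AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID.
SAMPLE_FILES = {
    "src/config.py": 'aws_key = "AKIAIOSFODNN7EXAMPLE"\n',
    "deploy/notify.sh": "curl -X POST https://hooks.slack.com/services/T0000/B0000/abcdefghijklmnop\n",
    "app/settings.py": 'password = "changeme123"\n',
    ".env.example": "SLACK_WEBHOOK=https://hooks.slack.com/services/T0000/B0000/abcdefghijklmnop\n",
    "node_modules/pkg/index.js": 'const token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";\n',
    "README.md": "# TODO remove the hardcoded token before release\n",
}
BASELINE = frozenset({"slack-webhook:.env.example:1"})  # known finding, suppressed

if __name__ == "__main__":
    results = scan(SAMPLE_FILES, excludes=(".git", "node_modules"), baseline=BASELINE)
    for f in results:
        print(f"[{f.severity.upper()}] {f.pattern_id} {f.path}:{f.line}  {f.redacted}")
    print(summarize(results))
```

With the defaults above the sample yields 1 critical and 2 high findings, the same shape as the example output earlier: the `node_modules` token is never read, the baselined webhook in `.env.example` is dropped, and the `todo-secret` hit only appears once `min_severity` is lowered to `low`. Note that baselining by line number, as this toy does, breaks as soon as the file is edited; a real baseline should fingerprint the finding content instead.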