dumpsterdiver
DumpsterDiver is a tool which can analyze large volumes of data in search of hardcoded secrets such as keys (e.g. AWS Access Key, Azure Shared Key or SSH keys) or passwords. Additionally, it allows creating simple search rules with basic conditions (e.g. report only CSV files containing at least 10 email addresses). The main purpose of this tool is to detect potential secret leaks.
Details
Category: Static Code Analysis
Publisher: trickest
Created Date: 6/23/2021
Container: quay.io/trickest/dumpsterdiver:a54c190
Source URL: https://github.com/securing/dumpsterdiver
Parameters
Command: -r
- When this flag is set, files which don't contain any secret (or anything interesting if the -a flag is set) will be removed.

Command: -s
- When this flag is set, all files will be additionally analyzed in search of hardcoded passwords.

Command: --grep-words
- Specifies the grep words to look for. Multiple words should be separated by spaces. Wildcards are supported. Requires adding the -a flag to the syntax.

Command: --level
- Search level for key length. Options: --level 0 - short keys (20-40B), e.g. AWS Access Key ID. --level 1 (default) - typical keys (40-70B), e.g. AWS Secret Access Key or Azure Shared Key. --level 2 - long keys (1000-1800B), e.g. SSH private key. --level 3 - any key (20-1800B). Be careful with this setting, because it may generate lots of false positives.

Command: -p
- Path to the folder containing the files to be analyzed.

Command: --max-key
- Specifies the maximum key length to be analyzed (default is 80).

Command: --min-key
- Specifies the minimum key length to be analyzed (default is 20).

Command: --bad-expressions
- Specifies bad expressions. If DumpsterDiver finds such an expression in a file, that file won't be analyzed. Multiple bad expressions should be separated by spaces.

Command: --exclude-files
- Specifies file names or extensions which shouldn't be analyzed. A file extension should contain the . character (e.g. .pdf). Multiple file names and extensions should be separated by spaces.

Command: -a
- When this flag is set, all files will be additionally analyzed using the rules specified in the rules.yaml file.

Command: --max-pass
- Specifies the maximum password length to be analyzed (default is 12). Requires adding the -s flag to the syntax.

Command: --min-pass
- Specifies the minimum password length to be analyzed (default is 8). Requires adding the -s flag to the syntax.

Command: --pass-complex
- Specifies the threshold of password complexity, between 1 (trivial passwords) and 9 (very complex passwords) (default is 8). Requires adding the -s flag to the syntax.

Command: --entropy
- Specifies the threshold for high entropy (default is 4.3).