dumpsterdiver
DumpsterDiver is a tool that can analyze big volumes of data in search of hardcoded secrets such as keys (e.g. AWS Access Key, Azure Shared Key or SSH keys) or passwords. Additionally, it allows creating simple search rules with basic conditions (e.g. report only CSV files containing at least 10 email addresses). The main idea of this tool is to detect any potential secret leaks.
Details
Category: Static Code Analysis
Publisher: trickest
Created Date: 6/23/2021
Container: quay.io/trickest/dumpsterdiver:a54c190
Source URL: https://github.com/securing/dumpsterdiver
Parameters
remove
boolean
Command:
-r
- When this flag is set, files which don't contain any secret (or anything interesting, if the -a flag is set) will be removed.

secret
boolean
Command:
-s
- When this flag is set, all files will be additionally analyzed in search of hardcoded passwords.

grep-words
string
Command:
--grep-words
- Specifies the grep words to look for. Multiple words should be separated by a space. Wildcards are supported. Requires adding the -a flag to the syntax.

search-level
string
Command:
--level
- Search level for key length. Options:
  --level 0 - short keys (20-40B), e.g. AWS Access Key ID.
  --level 1 (default) - typical keys (40-70B), e.g. AWS Secret Access Key or Azure Shared Key.
  --level 2 - long keys (1000-1800B), e.g. SSH private key.
  --level 3 - any key (20-1800B). Be careful with this setting, because it may generate lots of false positives.

path-to-files
folder
required
Command:
-p
- Path to the folder containing the files to be analyzed.

max-key-length
string
Command:
--max-key
- Specifies the maximum key length to be analyzed (default is 80).

min-key-length
string
Command:
--min-key
- Specifies the minimum key length to be analyzed (default is 20).

bad-expressions
string
Command:
--bad-expressions
- Specifies bad expressions. If DumpsterDiver finds such an expression in a file, that file won't be analyzed. Multiple bad expressions should be separated by a space.

files-to-exclude
string
Command:
--exclude-files
- Specifies file names or extensions which shouldn't be analyzed. A file extension should include the . character (e.g. .pdf). Multiple file names and extensions should be separated by a space.

advanced-analysis
boolean
Command:
-a
- When this flag is set, all files will be additionally analyzed using the rules specified in the rules.yaml file.

max-password-length
string
Command:
--max-pass
- Specifies the maximum password length to be analyzed (default is 12). Requires adding the -s flag to the syntax.

min-password-length
string
Command:
--min-pass
- Specifies the minimum password length to be analyzed (default is 8). Requires adding the -s flag to the syntax.

password-complexity
string
Command:
--pass-complex
- Specifies the edge of password complexity, between 1 (trivial passwords) and 9 (very complex passwords) (default is 8). Requires adding the -s flag to the syntax.

enge-of-high-entropy
string
Command:
--entropy
- Specifies the edge of high entropy (default is 4.3).