Project Description

The token revoker aims to scan git repos for exposed rancher tokens. Once a token has been identified, the revoker can (based on configuration) warn/disable/delete the exposed token automatically.

Features:

  • Warn/Disable/Delete when an exposed token is detected
  • Specify specific repos that you want to watch for exposed tokens
  • Scan private/public repos

Design Overview:

  • Deployed as a helm chart
  • Configuration option for action to be taken on token exposure (warn, disable, delete)
  • Custom CRD for repos that the revoker will watch ("watchRepo"/name TBD)
  • Each time a new "watchRepo" is created, we spin off a go routine which, every 5/10/30 seconds (interval TBD, possibly customizable by user in the CRD or in the chart) scans the repo for exposed tokens.
  • watchRepo should also store configuration allowing the revoker to access private repos (probably a reference to a secret containing ssh key allowing access)
  • The actual logic to scan for a secret should probably utilize an established opensource project such as https://github.com/zricethezav/gitleaks . We can also contribute upstream by adding a pattern for rancher tokens, allowing a wider benefit to the work done for this project.

Goal for this Hackweek

Basic Goals:

  • Warn/Disable/Delete when an exposed token is detected
  • Scan public and private repos
  • Helm chart/CRD allowing install/use of basic functionality

Stretch Goals:

  • Scan/specify organizations for larger git providers (i.e. scan an entire Github/Gitlab org)
  • Scan Output of CI pipelines (probably for popular providers like drone/travis/circle-ci/github-actions/gitlab-runners)

Resources

Upstream project that we can utilize for some of our functionality: https://github.com/zricethezav/gitleaks

Looking for hackers with the skills:

go helm kuberentes rancher security

This project is part of:

Hack Week 22

Activity

  • over 1 year ago: paulgonin liked this project.
  • over 1 year ago: mbolot added keyword "kuberentes" to this project.
  • over 1 year ago: mbolot added keyword "rancher" to this project.
  • over 1 year ago: mbolot added keyword "security" to this project.
  • over 1 year ago: mbolot added keyword "go" to this project.
  • over 1 year ago: mbolot added keyword "helm" to this project.
  • over 1 year ago: mbolot started this project.
  • over 1 year ago: mbolot originated this project.

  • Comments

    • mbolot
      over 1 year ago by mbolot | Reply

      Github repo can be found here: https://github.com/MbolotSuse/rancher-token-revoker

    • mbolot
      over 1 year ago by mbolot | Reply

      End of Hack Week update: I was able to get done with all basic goals and the github org scanning stretch goal, meaning that the revoker can:

      • Warn/disable/delete exposed tokens
      • Scan public/private repos (over https or ssh)
      • Can be installed using helm
      • Can scan entire github organizations.

    Similar Projects

    Learn Golang contribuing to opensource projects by mbussolotto

    Project Description

    Get practice in Golan...


    Rancher Upgrader - Upgrades your rancher install via helm, and communicates critical changes from release A to B. by rweir

    [comment]: # (Please use the project descriptio...


    A CLI for Harvester by mohamed.belgaied

    [comment]: # Harvester does not officially come...


    Cluster API Provider for Harvester by rcase

    [comment]: # (Please use the project descriptio...


    WebUI for your data by avicenzi

    [comment]: # (Please use the project descriptio...


    Exploring DPDK within containers by paolodepa

    Project Description

    Containerization is h...


    Rancher Upgrader - Upgrades your rancher install via helm, and communicates critical changes from release A to B. by rweir

    [comment]: # (Please use the project descriptio...


    HAKube UI plugin for Rancher by epenchev

    [comment]: # (Please use the project descriptio...


    A CLI for Harvester by mohamed.belgaied

    [comment]: # Harvester does not officially come...


    Hangar: tool for mirror container images & generate rancher image lists. by StarryWang

    Project Description

    Hangar is a tool for ...


    Model checking the BPF verifier by shunghsiyu

    Project Description

    BPF verifier plays a ...


    Predefined app security policy template for NeuVector by feih

    Project Description

    Idea is to predefin...


    Port NeuVector zero-trust security functions to host/VM by feih

    Project Description

    Today, NeuVector on...