Project Description
The token revoker aims to scan git repos for exposed rancher tokens. Once a token has been identified, the revoker can (based on configuration) warn/disable/delete the exposed token automatically.
Features:
- Warn/Disable/Delete when an exposed token is detected
- Specify specific repos that you want to watch for exposed tokens
- Scan private/public repos
Design Overview:
- Deployed as a helm chart
- Configuration option for action to be taken on token exposure (warn, disable, delete)
- Custom CRD for repos that the revoker will watch ("watchRepo"/name TBD)
- Each time a new "watchRepo" is created, we spin off a go routine which, every 5/10/30 seconds (interval TBD, possibly customizable by user in the CRD or in the chart) scans the repo for exposed tokens.
- watchRepo should also store configuration allowing the revoker to access private repos (probably a reference to a secret containing ssh key allowing access)
- The actual logic to scan for a secret should probably utilize an established opensource project such as https://github.com/zricethezav/gitleaks . We can also contribute upstream by adding a pattern for rancher tokens, allowing a wider benefit to the work done for this project.
Goal for this Hackweek
Basic Goals:
- Warn/Disable/Delete when an exposed token is detected
- Scan public and private repos
- Helm chart/CRD allowing install/use of basic functionality
Stretch Goals:
- Scan/specify organizations for larger git providers (i.e. scan an entire Github/Gitlab org)
- Scan Output of CI pipelines (probably for popular providers like drone/travis/circle-ci/github-actions/gitlab-runners)
Resources
Upstream project that we can utilize for some of our functionality: https://github.com/zricethezav/gitleaks
Looking for hackers with the skills:
This project is part of:
Hack Week 22
Activity
Comments
-
about 2 months ago by mbolot | Reply
Github repo can be found here: https://github.com/MbolotSuse/rancher-token-revoker
-
about 2 months ago by mbolot | Reply
End of Hack Week update: I was able to get done with all basic goals and the github org scanning stretch goal, meaning that the revoker can:
- Warn/disable/delete exposed tokens
- Scan public/private repos (over https or ssh)
- Can be installed using helm
- Can scan entire github organizations.
Similar Projects
K3S Control Planes as a service by ademicev0
[comment]: # (Please use the project descriptio...
Vai: a Kubernetes API accelerator/cache by moio
![Kubernetes API caching layer according to Sta...
Real-time container runtime support by a_faerber
[comment]: # (Please use the project descriptio...
A CLI for Harvester by mohamed.belgaied
[comment]: # Harvester does not officially come...
Humidity sensors with dashboard by joachimwerner
Build a network of ("edge") humidity sensors...
Hack on project MONAI (Medical Open Network for Artificial Intelligence) by jordimassaguerpla
Project Description
MONAI is a set of o...
image-tools: simple tool for mirror/save/load container images & KDM and chart image list generator. by StarryWang
[comment]: # (Please use the project descriptio...
Deploy Uyuni proxy using Elemental and Fleet by cbosdonnat
Project Description
Now that Uyuni proxy ...
Generic Wrangler Controllers by kjoiner
[comment]: # (Please use the project descriptio...
A CLI for Harvester by mohamed.belgaied
[comment]: # Harvester does not officially come...
Rancher Manager of Managers with KCP by rcase
[comment]: # (Please use the project descriptio...
Create tool for managing RPM package signing keys by dheidler
[comment]: # (Please use the project descriptio...
Sandboxed USB Inspection by nguyens
[comment]: # (Please use the project descriptio...
Run sandboxed Firefox with image and sound inside a container by nguyens
[comment]: # (Please use the project descriptio...