Updated
over 1 year
ago.
1 hackers ♥️.
1 follower.
Project Description
The token revoker aims to scan git repos for exposed rancher tokens. Once a token has been identified, the revoker can (based on configuration) warn/disable/delete the exposed token automatically.
Features:
- Warn/Disable/Delete when an exposed token is detected
- Specify specific repos that you want to watch for exposed tokens
- Scan private/public repos
Design Overview:
- Deployed as a helm chart
- Configuration option for action to be taken on token exposure (warn, disable, delete)
- Custom CRD for repos that the revoker will watch ("watchRepo"/name TBD)
- Each time a new "watchRepo" is created, we spin off a go routine which, every 5/10/30 seconds (interval TBD, possibly customizable by user in the CRD or in the chart) scans the repo for exposed tokens.
- watchRepo should also store configuration allowing the revoker to access private repos (probably a reference to a secret containing ssh key allowing access)
- The actual logic to scan for a secret should probably utilize an established opensource project such as https://github.com/zricethezav/gitleaks . We can also contribute upstream by adding a pattern for rancher tokens, allowing a wider benefit to the work done for this project.
Goal for this Hackweek
Basic Goals:
- Warn/Disable/Delete when an exposed token is detected
- Scan public and private repos
- Helm chart/CRD allowing install/use of basic functionality
Stretch Goals:
- Scan/specify organizations for larger git providers (i.e. scan an entire Github/Gitlab org)
- Scan Output of CI pipelines (probably for popular providers like drone/travis/circle-ci/github-actions/gitlab-runners)
Resources
Upstream project that we can utilize for some of our functionality: https://github.com/zricethezav/gitleaks
Looking for hackers with the skills:
This project is part of:
Hack Week 22
Activity
Comments
-
over 1 year ago by mbolot | Reply
End of Hack Week update: I was able to get done with all basic goals and the github org scanning stretch goal, meaning that the revoker can:
- Warn/disable/delete exposed tokens
- Scan public/private repos (over https or ssh)
- Can be installed using helm
- Can scan entire github organizations.
Similar Projects
Kanidm: A safe and modern IDM system by firstyear
Kanidm is an IDM system written in Rust for mod...