Project Description

The token revoker aims to scan git repos for exposed Rancher tokens. Once a token has been identified, the revoker can (based on configuration) warn about, disable, or delete the exposed token automatically.

Features:

  • Warn/Disable/Delete when an exposed token is detected
  • Specify the repos you want watched for exposed tokens
  • Scan private/public repos

Design Overview:

  • Deployed as a helm chart
  • Configuration option for action to be taken on token exposure (warn, disable, delete)
  • Custom CRD for repos that the revoker will watch ("watchRepo"/name TBD)
  • Each time a new "watchRepo" is created, we spin off a goroutine which, every 5/10/30 seconds (interval TBD, possibly customizable by the user in the CRD or in the chart), scans the repo for exposed tokens.
  • watchRepo should also store configuration allowing the revoker to access private repos (probably a reference to a secret containing an SSH key that grants access)
  • The actual logic to scan for a secret should probably utilize an established open source project such as https://github.com/zricethezav/gitleaks. We can also contribute upstream by adding a pattern for Rancher tokens, allowing a wider benefit from the work done for this project.
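The per-watchRepo loop and the warn/disable/delete dispatch described above, as an added example written for this page (not code from the rancher-token-revoker repository): the Scan and Revoke fields are hypothetical hooks standing in for the gitleaks run and the Rancher API call, so the loop can run offline on constructed findings.

```go
package main

import (
	"context"
	"log"
	"time"
)

// Revoker watches one repo. Scan stands in for the gitleaks run and Revoke for the
// Rancher API disable/delete call; both are hypothetical hooks injected for testing.
type Revoker struct {
	Repo   string
	Action string // "warn", "disable" or "delete", as configured in the chart
	Scan   func(repo string) ([]string, error)
	Revoke func(action, token string) error
}

// ScanOnce scans once and applies Action to each finding ("warn" logs only); returns the tokens found.
func (r *Revoker) ScanOnce() ([]string, error) {
	found, err := r.Scan(r.Repo)
	if err != nil {
		return nil, err
	}
	for _, tok := range found {
		// Log a prefix only, so the alert does not re-leak the token it reports.
		log.Printf("%s: exposed token %.12s... action=%s", r.Repo, tok, r.Action)
		if r.Action == "disable" || r.Action == "delete" {
			if err := r.Revoke(r.Action, tok); err != nil {
				return found, err
			}
		}
	}
	return found, nil
}

// Watch is the per-watchRepo goroutine body: rescan every interval until ctx is cancelled.
func (r *Revoker) Watch(ctx context.Context, every time.Duration) {
	t := time.NewTicker(every)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case <-t.C:
			if _, err := r.ScanOnce(); err != nil {
				log.Printf("%s: scan failed: %v", r.Repo, err)
			}
		}
	}
}
```

The alert deliberately logs only a prefix of each token: an exposure report that prints the full value just moves the leak into the log pipeline.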

Goal for this Hackweek

Basic Goals:

  • Warn/Disable/Delete when an exposed token is detected
  • Scan public and private repos
  • Helm chart/CRD allowing install/use of basic functionality

Stretch Goals:

  • Scan/specify organizations for larger git providers (e.g. scan an entire GitHub/GitLab org)
  • Scan output of CI pipelines (probably for popular providers like Drone/Travis/CircleCI/GitHub Actions/GitLab runners)

Resources

Upstream project that we can utilize for some of our functionality: https://github.com/zricethezav/gitleaks

Looking for hackers with the skills:

go helm kubernetes rancher security

This project is part of:

Hack Week 22

Activity

  • about 1 year ago: paulgonin liked this project.
  • over 1 year ago: mbolot added keyword "kuberentes" to this project.
  • over 1 year ago: mbolot added keyword "rancher" to this project.
  • over 1 year ago: mbolot added keyword "security" to this project.
  • over 1 year ago: mbolot added keyword "go" to this project.
  • over 1 year ago: mbolot added keyword "helm" to this project.
  • over 1 year ago: mbolot started this project.
  • over 1 year ago: mbolot originated this project.

  • Comments

    • mbolot, about 1 year ago:

      GitHub repo can be found here: https://github.com/MbolotSuse/rancher-token-revoker

    • mbolot, about 1 year ago:

      End of Hack Week update: I was able to get done with all basic goals and the GitHub org scanning stretch goal, meaning that the revoker can:

      • Warn/disable/delete exposed tokens
      • Scan public/private repos (over HTTPS or SSH)
      • Be installed using Helm
      • Scan entire GitHub organizations
