Project Description
The token revoker aims to scan git repos for exposed rancher tokens. Once a token has been identified, the revoker can (based on configuration) warn/disable/delete the exposed token automatically.
Features:
- Warn/Disable/Delete when an exposed token is detected
- Specify the repos that you want to watch for exposed tokens
- Scan private/public repos
Design Overview:
- Deployed as a helm chart
- Configuration option for action to be taken on token exposure (warn, disable, delete)
- Custom CRD for repos that the revoker will watch ("watchRepo"/name TBD)
- Each time a new "watchRepo" is created, we spin off a goroutine that scans the repo for exposed tokens every 5/10/30 seconds (interval TBD, possibly customizable by the user in the CRD or in the chart).
- watchRepo should also store the configuration that lets the revoker access private repos (probably a reference to a secret containing an ssh key that grants access).
- The actual logic to scan for a secret should probably use an established open-source project such as https://github.com/zricethezav/gitleaks. We can also contribute upstream by adding a pattern for rancher tokens, so the work done for this project benefits a wider audience.
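A sketch of the per-watchRepo loop and the configurable action described above, added here as an illustration and not code from the rancher-token-revoker project: `Revoker` and `Scanner` are assumed hooks standing in for the Rancher API call and the gitleaks-based scan, and the scanner is assumed to hand back only token names.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// Action is the response configured in the chart or watchRepo CRD: warn, disable or delete.
type Action string
const ActionWarn, ActionDisable, ActionDelete Action = "warn", "disable", "delete"

// Revoker is a hypothetical hook for the Rancher API call that disables or deletes a token by name.
type Revoker func(ctx context.Context, act Action, name string) error
// Scanner finds exposed tokens in one repo (e.g. via gitleaks) and returns names only, never secrets.
type Scanner func(ctx context.Context) ([]string, error)

// Revoke applies the configured action to each exposed token; warn only reports, unknown values fail.
func Revoke(ctx context.Context, api Revoker, act Action, names []string) error {
	if act != ActionWarn && act != ActionDisable && act != ActionDelete {
		return fmt.Errorf("unsupported action %q", act)
	}
	for _, n := range names {
		if act != ActionWarn {
			if err := api(ctx, act, n); err != nil {
				return fmt.Errorf("%s %s: %w", act, n, err)
			}
		}
		fmt.Printf("exposed rancher token %s: action=%s\n", n, act)
	}
	return nil
}

// Watch is the per-watchRepo goroutine: scan, act, wait for the next tick; returns cycles run when ctx is cancelled.
func Watch(ctx context.Context, interval time.Duration, scan Scanner, api Revoker, act Action) int {
	t := time.NewTicker(interval)
	defer t.Stop()
	for cycles := 1; ; cycles++ {
		if names, err := scan(ctx); err != nil {
			fmt.Println("scan failed:", err)
		} else if err := Revoke(ctx, api, act, names); err != nil {
			fmt.Println("revoke failed:", err)
		}
		select {
		case <-ctx.Done(): // watchRepo deleted or controller shutting down
			return cycles
		case <-t.C:
		}
	}
}
```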
Goal for this Hackweek
Basic Goals:
- Warn/Disable/Delete when an exposed token is detected
- Scan public and private repos
- Helm chart/CRD allowing install/use of basic functionality
Stretch Goals:
- Scan/specify organizations for larger git providers (e.g. scan an entire Github/Gitlab org)
- Scan the output of CI pipelines (probably for popular providers like drone/travis/circle-ci/github-actions/gitlab-runners)
Resources
Upstream project that we can utilize for some of our functionality: https://github.com/zricethezav/gitleaks
This project is part of:
Hack Week 22
Activity
Comments
about 1 year ago by mbolot
Github repo can be found here: https://github.com/MbolotSuse/rancher-token-revoker
about 1 year ago by mbolot
End of Hack Week update: I was able to get done with all basic goals and the github org scanning stretch goal, meaning that the revoker can:
- Warn/disable/delete exposed tokens
- Scan public/private repos (over https or ssh)
- Be installed using helm
- Scan entire github organizations.