神兵利器 (Tools of the Trade) – SecretScanner (finding secrets in container images and file systems)


Deepfence SecretScanner scans container images on a host, or a local directory, and writes a JSON file with the details of every secret it finds.


Command usage

$ ./SecretScanner --help

Usage of ./SecretScanner:
  -config-path string
      Searches for config.yaml from given directory. If not set, tries to find it from SecretScanner binary's and current directory
  -debug-level string
      Debug levels are one of FATAL, ERROR, IMPORTANT, WARN, INFO, DEBUG. Only levels higher than the debug-level are displayed (default "ERROR")
  -image-name string
      Name of the image along with tag to scan for secrets
  -json-filename string
      Output json file name. If not set, it will automatically create a filename based on image or dir name
  -local string
      Specify local directory (absolute path) which to scan. Scans only given directory recursively.
  -max-multi-match uint
      Maximum number of matches of same pattern in one file. This is used only when multi-match option is enabled. (default 3)
  -max-secrets uint
      Maximum number of secrets to find in one container image or file system. (default 1000)
  -maximum-file-size uint
      Maximum file size to process in KB (default 256)
  -multi-match
      Output multiple matches of same pattern in one file. By default, only one match of a pattern is output for a file for better performance
  -output-path string
      Output directory where json file will be stored. If not set, it will output to current directory
  -temp-directory string
      Directory to process and store repositories/matches (default "/tmp")
  -threads int
      Number of concurrent threads (default number of logical CPUs)

Quick start with Docker

Install Docker, then run SecretScanner against a container image as follows:

  • Build SecretScanner (the trailing "." is the build context; docker build refuses to run without it):

docker build --rm=true --tag=deepfenceio/secretscanning:latest -f Dockerfile .

  • Or pull the latest build from Docker Hub:

docker pull deepfenceio/secretscanning

  • Pull a container image to scan:

docker pull node:8.11

  • Run SecretScanner:

    • Scan a container image:

      docker run -it --rm --name=deepfence-secretscanner -v $(pwd):/home/deepfence/output -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker deepfenceio/secretscanning -image-name node:8.11
    • Scan a local directory:

      docker run -it --rm --name=deepfence-secretscanner -v $(pwd):/home/deepfence/output -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker deepfenceio/secretscanning -local /home/deepfence/src/SecretScanner/test

Two things to keep in mind. Mounting /var/run/docker.sock hands the scanner container control of the host's Docker daemon, which is effectively root on the host, so run these commands only on a host you trust with that image. And the directory in the -local example is the tool's bundled test directory inside the scanner image; to scan a directory on the host you must bind-mount it into the container with an additional -v option and point -local at the mount point.

By default SecretScanner writes a JSON file with the details of every secret found to the current working directory (mounted here as /home/deepfence/output). Use the -output-path and -json-filename options to set the output directory and file name explicitly.
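The quick start above leaves two things to the reader: how to scan a host directory rather than the path baked into the image, and what to do with the JSON report once it exists. The following is an added example, not code from the SecretScanner project or the original article: a small CI gate that builds the docker run command from the page's options (bind-mounting the host directory at an assumed mount point /scan, and mounting the Docker socket only for image scans, on the assumption that the tool needs it only to export an image), then loads the report and fails the build when findings reach a severity threshold or when the scan hit the -max-secrets cap and the list may be incomplete. The report key names ("Secrets", "Severity", "Matched Rule Name", "Full File Name") and the low/medium/high vocabulary are assumptions, not taken from the page; check them against a real report before relying on them.

```python
"""Added example (not SecretScanner project code): a CI gate around the
docker run invocation shown on the page.

Assumptions, labelled here and below: the report's key names "Secrets",
"Severity", "Matched Rule Name", "Full File Name", the severity vocabulary
low/medium/high, and the /scan mount point for host directories.
"""
import json
import os
import subprocess
import sys
from pathlib import Path

IMAGE = "deepfenceio/secretscanning"
OUTPUT_MOUNT = "/home/deepfence/output"            # where the page mounts $(pwd)
SCAN_MOUNT = "/scan"                                # assumed mount point for host dirs
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}  # assumed severity vocabulary


def scanner_command(target, is_image, output_dir, json_name="report.json"):
    """Return the docker run argv for an image scan (is_image=True) or a host
    directory scan (is_image=False), using only options listed in --help.

    The Docker socket and client binary are mounted only for image scans
    (assumption: the tool needs them to export the image). A directory scan
    gets a read-only bind mount of the directory and nothing else, so a
    compromised scanner cannot reach the host daemon.
    """
    cmd = ["docker", "run", "--rm", "--name=deepfence-secretscanner",
           "-v", f"{os.path.abspath(output_dir)}:{OUTPUT_MOUNT}"]
    if is_image:
        cmd += ["-v", "/var/run/docker.sock:/var/run/docker.sock",
                "-v", "/usr/bin/docker:/usr/bin/docker",
                IMAGE, "-image-name", target]
    else:
        cmd += ["-v", f"{os.path.abspath(target)}:{SCAN_MOUNT}:ro",
                IMAGE, "-local", SCAN_MOUNT]
    return cmd + ["-output-path", OUTPUT_MOUNT, "-json-filename", json_name]


def findings_at_or_above(report, threshold="high"):
    """Findings whose Severity reaches the threshold; unknown values rank 0."""
    floor = SEVERITY_RANK[threshold.lower()]
    return [s for s in report.get("Secrets", [])
            if SEVERITY_RANK.get(str(s.get("Severity", "")).lower(), 0) >= floor]


def report_truncated(report, max_secrets=1000):
    """True when the scan reached -max-secrets (default 1000): the tool stops
    there, so the list is a lower bound, not the full picture."""
    return len(report.get("Secrets", [])) >= max_secrets


def evaluate(report, threshold="high", max_secrets=1000):
    """Return (passed, hits). A truncated report never passes."""
    hits = findings_at_or_above(report, threshold)
    passed = not hits and not report_truncated(report, max_secrets)
    return passed, hits


def run_scan(target, is_image, output_dir, threshold="high"):
    """Run the scanner, then gate on its report. Returns a process exit code."""
    out = Path(output_dir)
    out.mkdir(parents=True, exist_ok=True)
    subprocess.run(scanner_command(target, is_image, str(out)), check=True)
    report = json.loads((out / "report.json").read_text())
    passed, hits = evaluate(report, threshold)
    for h in hits:
        # Print rule and location only; never echo the matched secret into CI logs.
        print(f"{h.get('Severity')}: {h.get('Matched Rule Name')} in {h.get('Full File Name')}")
    if report_truncated(report):
        print("report hit -max-secrets; raise the cap and rescan", file=sys.stderr)
    return 0 if passed else 1


# Constructed sample report (not real scanner output) so the gate runs offline.
SAMPLE_REPORT = {
    "Image Name": "node:8.11",
    "Total Secrets Found": 3,
    "Secrets": [
        {"Matched Rule Name": "AWS Access Key ID", "Severity": "HIGH",
         "Full File Name": "/app/.env", "Matched Contents": "AKIAEXAMPLEKEY000000"},
        {"Matched Rule Name": "Generic password", "Severity": "medium",
         "Full File Name": "/app/config.yml", "Matched Contents": "password=..."},
        {"Matched Rule Name": "Generic API key", "Severity": "low",
         "Full File Name": "/app/test/fixture.txt", "Matched Contents": "api_key=test"},
    ],
}

if __name__ == "__main__":
    # usage: gate.py <image:tag>   or   gate.py --dir <host path>
    if len(sys.argv) == 3 and sys.argv[1] == "--dir":
        sys.exit(run_scan(sys.argv[2], False, "./scan-output"))
    if len(sys.argv) == 2:
        sys.exit(run_scan(sys.argv[1], True, "./scan-output"))
    print("usage: gate.py <image:tag> | gate.py --dir <path>", file=sys.stderr)
    sys.exit(2)
```

The gate deliberately prints the rule name and file path but not the matched contents: a CI log is itself a place secrets leak from. Treating a report that reached -max-secrets as a failure is the conservative reading of the cap described in --help, since the tool stops counting there and a "clean" threshold check on a truncated list proves nothing.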

Building from source

  1. Install Docker

  2. Install Hyperscan

  3. Install Go (version 1.14) for your platform

  4. Install the Go modules the project depends on: gohs, yaml.v3 and color

  5. go get github.com/deepfence/SecretScanner downloads and builds SecretScanner automatically into $GOPATH/bin or $HOME/go/bin. Alternatively, clone this repository and run go build -v -i to build the executable in the current directory.

  6. Edit config.yaml as needed and run SecretScanner pointed at the directory that holds it (the -config-path option).

For reference, the install file contains the commands used to build on an Ubuntu system.

Project

https://github.com/deepfence/SecretScanner

Source: Khan安全攻防实验室 (Khan Security Lab). Published by congtou with the author's authorization; the views expressed do not represent the position of 华盟网. Contact the original author before reprinting.
