diff --git a/.github/workflows/trufflehog-scan.yaml b/.github/workflows/trufflehog-scan.yaml
new file mode 100644
index 00000000..bf1b4fa1
--- /dev/null
+++ b/.github/workflows/trufflehog-scan.yaml
@@ -0,0 +1,47 @@
+name: TruffleHog Scan
+
+on:
+ push:
+ branches:
+ - trufflehog-new
+ - main
+ - dev
+ pull_request:
+ branches:
+ - main
+ - dev
+
+jobs:
+ trufflehog-scan:
+ runs-on: ubuntu-22.04
+ services:
+ docker:
+ image: docker:19.03.12
+ options: --privileged
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.10'
+
+ - name: Set up Docker
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y docker-ce docker-ce-cli containerd.io
+
+ - name: TruffleHog scan
+ run: |
+ echo "Starting TruffleHog scan..."
+ docker run -v "$PWD:/pwd" -v $GITHUB_WORKSPACE:/privado ghcr.io/trufflesecurity/trufflehog:latest filesystem --directory /privado --exclude_paths /privado/trufflehog/exclude-patterns.txt > trufflehog_output.text
+ python3 $GITHUB_WORKSPACE/trufflehog/trufflehog-exception.py
+ echo "TruffleHog scan completed."
+ cat trufflehog_filtered_output.text
+ if grep -qE 'Found (unverified|verified) result' trufflehog_filtered_output.text; then
+ echo "TruffleHog found sensitive information. Failing the pipeline."
+ exit 1
+ else
+ echo "No sensitive information found."
+ fi
diff --git a/.gitignore b/.gitignore
index 379e8018..56c8a94e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -248,4 +248,6 @@
 privado
 notes.md
 #Directory created by IDE
-workspace
\ No newline at end of file
+workspace
+
+trufflehog_filtered_output.text
diff --git a/config/exclusions/javascript.yaml b/config/exclusions/javascript.yaml
index 9115eca3..0e2c4303 100644
--- a/config/exclusions/javascript.yaml
+++ b/config/exclusions/javascript.yaml
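Review bot: The `services: docker: image: docker:19.03.12 options: --privileged` block starts a privileged Docker-in-Docker container that none of the steps talk to — the scan step invokes `docker run` against the runner's own daemon, so the privileged service is pure attack surface and can be dropped; the "Set up Docker" apt step is probably redundant for the same reason, since the ubuntu-22.04 runner image already ships Docker (worth confirming). The scanner image is pulled as `ghcr.io/trufflesecurity/trufflehog:latest`, which makes the gate non-reproducible and lets any upstream change land straight into the pipeline; pin it to a release tag or, better, a digest, e.g. `ghcr.io/trufflesecurity/trufflehog:<pinned-version>@sha256:<digest>` with placeholder values filled in from the registry. The `-v $GITHUB_WORKSPACE:/privado` mount is unquoted while `"$PWD:/pwd"` next to it is quoted; quote both for consistency. Note also that `actions/checkout@v3` defaults to a depth-1 checkout, so this filesystem scan only covers the working tree, not history — fine if that is the intent, but a one-line comment above the step saying so would save the next reader from assuming git history is scanned.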
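Review bot: Only `trufflehog_filtered_output.text` is ignored, but the workflow also writes the raw `trufflehog_output.text` into the workspace and the new exclude-patterns list already accounts for it; anyone running the same command locally would leave the unfiltered findings file untracked and one `git add .` away from being committed. Add `trufflehog_output.text` alongside the filtered file.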
@@ -19,3 +19,8 @@ exclusions:
 name: Exclude file which cannot be read
 patterns:
 - "|"
+
+ - id: Exclusions.JQuery
+ name: Exclude JQuery Folder
+ patterns:
+ - ".*(jquery).*([.]js).*"
diff --git a/rules/collections/android/any.yaml b/rules/collections/android/any.yaml
index 9fe9a80b..9037577c 100644
--- a/rules/collections/android/any.yaml
+++ b/rules/collections/android/any.yaml
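Review bot: The pattern `.*(jquery).*([.]js).*` matches any path that has "jquery" anywhere before a later ".js", so if this list is applied to file paths it silently drops first-party code such as a constructed `src/jquery-widgets/checkout.js`, not just the library itself; it is also case-sensitive, unlike the `(?i)` patterns added elsewhere in this commit, so a `jQuery.min.js` would not be excluded. Requiring the match within one path component narrows it to the library file: `- "(?i).*jquery[^/]*[.]js.*"`. The rule name says "Folder", so if the intent really is whole directories, a comment stating which directory layout is expected would help. The enclosing `exclusions:` list starts outside the hunk.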
@@ -61,3 +61,87 @@ collections:
 - ".*(?i)password.*"
 tags:
 sourceId: Data.Sensitive.AccountData.AccountPassword
+
+ - id: Collections.Android.Form.DateofBirth
+ name: Android Form DateofBirth
+ patterns:
+ - ".*(?i)(?i)(dob|(.*(date[^\\s/(;)#|,=!>]{0,5}of[^\\s/(;)#|,=!>]{0,5}birth|birth[^\\s/(;)#|,=!>]{0,5}(?:day|date|month|year)|birth[-_]{0,2}dt))).*"
+ tags:
+ sourceId: Data.Sensitive.PersonalIdentification.DateofBirth
+
+ - id: Collections.Android.Form.Age
+ name: Android Form Age
+ patterns:
+ - ".*(?i)(user|person|customer|under|years|yrs|human)?(_)?(of|in)?(_)?(age).*"
+ tags:
+ sourceId: Data.Sensitive.PersonalIdentification.Age
+
+ - id: Collections.Android.Form.Gender
+ name: Android Form Gender
+ patterns:
+ - "(?i)((.*gender)|is[_-]{0,1}male|is[_-]{0,1}female|sex)"
+ tags:
+ sourceId: Data.Sensitive.PersonalIdentification.Gender
+
+ - id: Collections.Android.Form.Photograph
+ name: Android Form Photograph
+ patterns:
+ - "(?i).*(?:profile|employee|user)[^\\s/(;)#|,=!>]{0,5}(?:picture|image|pic|photo).*"
+ tags:
+ sourceId: Data.Sensitive.PersonalIdentification.Photograph
+
+ - id: Collections.Android.Form.Passport
+ name: Android Form Passport
+ patterns:
+ - ".*(?i)(.*passport[^\\s/(;)#|,=!>]{0,10}(?:no|number|id|expiry|validity|country)).*"
+ tags:
+ sourceId: Data.Sensitive.NationalIdentificationNumbers.Passport
+
+ - id: Collections.Android.Form.DrivingLicense
+ name: Android Form DrivingLicense
+ patterns:
+ - ".*(?i)((?:driving|driver)[^\\s/(;)#|,=!>]{0,5}(?:license|lisense|licence)[^\\s/(;)#|,=!>]{0,5}(?:no|number|id)|(?:driving|driver)[^\\s/(;)#|,=!>]{0,5}(?:license|lisense|licence)).*"
+ tags:
+ sourceId: Data.Sensitive.NationalIdentificationNumbers.DrivingLicense
+
+ - id: Collections.Android.Form.SocialSecurityNumber
+ name: Android Form SocialSecurityNumber
+ patterns:
+ - ".*(?i)(social[^\\s/(;)#|,=!>]{0,5}security[^\\s/(;)#|,=!>]{0,5}(?:number|no|id)|.*_ssn|ssn).*"
+ tags:
+ sourceId: Data.Sensitive.NationalIdentificationNumbers.SocialSecurityNumber
+
+ - id: Collections.Android.Form.DisabilityorSpecificCondition
+ name: Android Form DisabilityorSpecificCondition
+ patterns:
+ - "(?i).*(locomotor[^\\s/(;)#|,=!>]*disability|mental[^\\s/(;)#|,=!>]*illness|cerebral[^\\s/(;)#|,=!>]*palsy|hearing[^\\s/(;)#|,=!>]*impairment|muscular[^\\s/(;)#|,=!>]*dystrophy|multiple[^\\s/(;)#|,=!>]*sclerosis|hiv[^\\s/(;)#|,=!>]*aids|physical[^\\s/(;)#|,=!>]*disability|mental[^\\s/(;)#|,=!>]*disability|alzheimer|thalassemia|hemophilia|autism|cancer|dwarfism|blindness|handicapped|wheelchair|diabetic|dyslexia|epilepsy|schizophrenia|depression|physical[^\\s/(;)#|,=!>]disorder).*"
+ tags:
+ sourceId: Data.Sensitive.HealthData.DisabilityorSpecificCondition
+
+ - id: Collections.Android.Form.IllnessorMedicalCondition
+ name: Android Form IllnessorMedicalCondition
+ patterns:
+ - "(?i).*(health[^\\s/(;)#|,=!>]{0,10}record|medical[^\\s/(;)#|,=!>]{0,10}condition|(?:user|person|customer|employee)[^\\s/(;)#|,=!>]{0,10}health|illness[^\\s/(;)#|,=!>]{0,10}(?:record|name|data|type|date))"
+ tags:
+ sourceId: Data.Sensitive.HealthData.IllnessorMedicalCondition
+
+ - id: Collections.Android.Form.MaternityLeaveDetails
+ name: Android Form MaternityLeaveDetails
+ patterns:
+ - "(?i).*(maternity[^\\s/(;)#|,=!>]{0,10}leave).*"
+ tags:
+ sourceId: Data.Sensitive.HealthData.MaternityLeaveDetails
+
+ - id: Collections.Android.Form.PaternityLeaveDetails
+ name: Android Form PaternityLeaveDetails
+ patterns:
+ - "(?i).*(paternity[^\\s/(;)#|,=!>]{0,10}leave).*"
+ tags:
+ sourceId: Data.Sensitive.HealthData.PaternityLeaveDetails
+
+ - id: Collections.Android.Form.MedicalCertificates
+ name: Android Form MedicalCertificates
+ patterns:
+ - "(?i).*(blood[^\\s/(;)#|,=!>]{0,10}report|medical[^\\s/(;)#|,=!>]{0,10}(?:report|test)|medical[^\\s/(;)#|,=!>]{0,10}certificate|blood[^\\s/(;)#|,=!>]{0,10}group).*"
+ tags:
+ sourceId: Data.Sensitive.HealthData.MedicalCertificates
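Review bot: Every group before `(age)` in the `Collections.Android.Form.Age` pattern is optional, so it reduces to `.*age.*` and will tag ordinary identifiers such as `message`, `image`, `storage`, `package` or `usage` as Age, which is a much noisier false-positive profile than the neighbouring rules that require a qualifier; either make the qualifier mandatory or fall back to a bounded bare word, e.g. `- ".*(?i)((user|person|customer|under|years|yrs|human)_?(of|in)?_?age|\\bage\\b).*"`. Two smaller consistency points in the same hunk: the DateofBirth pattern repeats `(?i)(?i)`, and the last alternative of the DisabilityorSpecificCondition pattern uses `physical[^\\s/(;)#|,=!>]disorder` with no quantifier, so it requires exactly one separator character where every other alternative in that rule allows zero or more. The enclosing `collections:` list starts outside the hunk.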
diff --git a/trufflehog/exclude-patterns.txt b/trufflehog/exclude-patterns.txt
new file mode 100644
index 00000000..2077cdcf
--- /dev/null
+++ b/trufflehog/exclude-patterns.txt
@@ -0,0 +1,6 @@
+^/privado/trufflehog_output.text
+^/privadot/rufflehog/exclude-patterns.txt
+^/privado/.git
+^/privado/trufflehog/truffleHogAllowRules.json
+^/privado/trufflehog_filtered_output.text
+^/privado/rules/
diff --git a/trufflehog/truffleHogAllowRules.json b/trufflehog/truffleHogAllowRules.json
new file mode 100644
index 00000000..0d4f101c
--- /dev/null
+++ b/trufflehog/truffleHogAllowRules.json
@@ -0,0 +1,2 @@
+[
+]
diff --git a/trufflehog/trufflehog-exception.py b/trufflehog/trufflehog-exception.py
new file mode 100644
index 00000000..18464077
--- /dev/null
+++ b/trufflehog/trufflehog-exception.py
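Review bot: The second entry, `^/privadot/rufflehog/exclude-patterns.txt`, has the slash one character too far right, so it never matches the intended path and the exclusion file itself stays in the scan; it should read `^/privado/trufflehog/exclude-patterns.txt`. The `.` in `^/privado/.git` is an unescaped regex metacharacter, so the entry also excludes any `/privado/Xgit` path; `^/privado/\.git` is the precise form. The last entry `^/privado/rules/` removes the whole rules tree from secret scanning, which may be deliberate given the regex-heavy content there, but a trailing comment line in the workflow or the README saying why would keep a future reader from quietly narrowing the scan further.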
@@ -0,0 +1,41 @@
+import json
+
+# Load patterns from the JSON file
+with open("./trufflehog/truffleHogAllowRules.json", "r") as f:
+ patterns_list = json.load(f)
+
+# Compile the patterns into regex objects
+patterns = [re.compile(pattern) for pattern in patterns_list]
+
+# Function to determine if a block should be excluded
+def should_exclude(block):
+ for pattern in patterns:
+ if any(pattern.search(line) for line in block):
+ return True
+ return False
+
+# Read the input file
+with open("trufflehog_output.text", "r") as f:
+ lines = f.readlines()
+
+# Process the file and remove matching blocks
+output_lines = []
+current_block = []
+
+for line in lines:
+ if line.startswith("Found unverified result"):
+ if current_block and not should_exclude(current_block):
+ output_lines.extend(current_block)
+ current_block = [line]
+ else:
+ current_block.append(line)
+
+# Append the last block if it doesn't match the patterns
+if current_block and not should_exclude(current_block):
+ output_lines.extend(current_block)
+
+# Write the filtered output to a new file
+with open("trufflehog_filtered_output.text", "w") as f:
+ f.writelines(output_lines)
+
+print("Filtered output saved to trufflehog_filtered_output.text")
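Review bot: `re.compile` is called on the `patterns` line but only `json` is imported; this goes unnoticed today because `truffleHogAllowRules.json` is an empty list and the comprehension never evaluates its body, but the first allow rule anyone adds will turn the gate into a `NameError` crash instead of a filter, so add `import re` next to `import json`. Blocks are split only on `line.startswith("Found unverified result")`, while the workflow greps the filtered file for both `unverified` and `verified` results; a verified finding therefore never starts its own block, gets glued onto the preceding unverified block, and is discarded with it whenever that block matches an allow rule — the opposite of what an allow list should do to the higher-severity result. Splitting on both headers keeps each finding independent: `if line.startswith(("Found unverified result", "Found verified result")):`. The three `open(...)` calls also omit `encoding=`, so the script's behaviour depends on the runner locale; `encoding="utf-8"` on each pins it.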