initial commit

Author: cutler-scott-newrelic

.gitignore

@@ -0,0 +1,19 @@
+/target
+**/*.rs.bk
+Cargo.lock
+.idea
+*.iml
+*.ipr
+*.iws
+.gradle
+out/
+build/
+gen/
+deps/
+exampleProject
+testData
+.DS_Store
+*.json
+bootstrap
+*.zip
+temp_token

CODE_OF_CONDUCT.md

@@ -0,0 +1,46 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at opensource@newrelic.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

CONTRIBUTING.md

@@ -0,0 +1,30 @@
+# Contributing
+
+Contributions are always welcome. Before contributing please read the
+[code of conduct](./CODE_OF_CONDUCT.md) and [search the issue tracker](issues); your issue may have already been discussed or fixed in `master`. To contribute,
+[fork](https://help.github.com/articles/fork-a-repo/) this repository, commit your changes, and [send a Pull Request](https://help.github.com/articles/using-pull-requests/).
+
+Note that our [code of conduct](./CODE_OF_CONDUCT.md) applies to all platforms and venues related to this project; please follow it in all your interactions with the project and its participants.
+
+## Feature Requests
+
+Feature requests should be submitted in the [Issue tracker](../../issues), with a description of the expected behavior & use case, where they’ll remain closed until sufficient interest, [e.g. :+1: reactions](https://help.github.com/articles/about-discussions-in-issues-and-pull-requests/), has been [shown by the community](../../issues?q=label%3A%22votes+needed%22+sort%3Areactions-%2B1-desc).
+Before submitting an Issue, please search for similar ones in the
+[closed issues](../../issues?q=is%3Aissue+is%3Aclosed+label%3Aenhancement).
+
+## Pull Requests
+
+1. Ensure any install or build dependencies are removed before the end of the layer when doing a build.
+2. Increase the version numbers in any examples files and the README.md to the new version that this Pull Request would represent. The versioning scheme we use is [SemVer](http://semver.org/).
+3. You may merge the Pull Request in once you have the sign-off of two other developers, or if you do not have permission to do that, you may request the second reviewer to merge it for you.
+
+## Contributor License Agreement
+
+Keep in mind that when you submit your Pull Request, you'll need to sign the CLA via the click-through using CLA-Assistant. If you'd like to execute our corporate CLA, or if you have any questions, please drop us an email at opensource@newrelic.com.
+
+For more information about CLAs, please check out Alex Russell’s excellent post,
+[“Why Do I Need to Sign This?”](https://infrequently.org/2008/06/why-do-i-need-to-sign-this/).
+
+## Slack
+
+For contributors and maintainers of open source projects hosted by New Relic, we host a public Slack with a channel dedicated to this project. If you are contributing to this project, you're welcome to request access to that  community space.

Cargo.toml

@@ -0,0 +1,36 @@
+[package]
+name = "rusty_hogs"
+version = "0.4.4"
+authors = ["Scott Cutler <scutler@newrelic.com>"]
+edition = "2018"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+[lib]
+name = "secret_scanning"
+path = "src/lib.rs"
+
+[dependencies]
+git2 = "0.10"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+serde_derive = "^1"
+clap = "2"
+regex = "1"
+url = "2"
+tempdir = "0.3"
+base64 = "0.11.0"
+log = "^0.4"
+simple_logger = "^1"
+simple-error = "0.2"
+chrono = "0.4"
+encoding = "0.2"
+hex = "0.4"
+lambda_runtime = "0.2"
+rust-s3 = "0.18.3"
+google-drive3 = "*"
+# This project intentionally uses an old version of Hyper. See
+# https://github.com/Byron/google-apis-rs/issues/173 for more
+# information.
+hyper = "^0.10"
+hyper-rustls = "^0.6"
+yup-oauth2 = "^1.0"

README.md

@@ -0,0 +1,220 @@
+# Rusty Hogs
+A suite of secret scanners built in Rust for performance. Based on [TruffleHog](https://github.com/dxa4481/truffleHog)
+which is written in Python.
+
+Ankamali Hog: Scan for secrets in a Google Doc
+
+Berkshire Hog: Scan for secrets in an S3 bucket
+
+Choctaw Hog: Scan for secrets in a Git repository
+
+* [Rusty Hogs](#rusty-hogs)
+* [How to run](#how-to-run)
+* [How to build](#how-to-build)
+* [Anakamali Hog Usage](#anakamali-hog-usage)
+* [Berkshire Hog (CLI) Usage](#berkshire-hog-cli-usage)
+* [Berkshire Hog (Lambda) Usage](#berkshire-hog-lambda-usage)
+* [Choctaw Hog Usage](#choctaw-hog-usage)
+* [Open Source License](#open-source-license)
+* [Support](#support)
+* [Community](#community)
+* [Issues / Enhancement Requests](#issues--enhancement-requests)
+* [Contributing](#contributing)
+* [Feature Roadmap](#feature-roadmap)
+* [Performance comparison](#performance-comparison)
+* [What does the name mean?](#what-does-the-name-mean)
+
+## How to run
+Download and unzip the [latest ZIP](https://source.datanerd.us/security/rusty_hogs/releases/download/0.4.1/release.zip)
+on the releases tab, then you can run each binary with `-h` to see the usage.
+
+```shell script
+wget https://source.datanerd.us/security/rusty_hogs/releases/download/0.4.1/release.zip
+unzip release.zip
+cd darwin_releases
+./choctaw_hog -h
+```
+
+## How to build
+Ensure you have [Rust](https://www.rust-lang.org/learn/get-started) installed and on your path.
+
+Perform a git clone, then run `cargo build --release`. The binaries will be located in `target/release`
+
+To cross-compile Berkshire Hog for the AWS Lambda environment, first install 
+[cross](https://github.com/rust-embedded/cross). Then run the following commands and upload berkshire_lambda.zip:
+```shell script
+cross build --release --target x86_64-unknown-linux-musl
+cp target/x86_64-unknown-linux-musl/release/berkshire_hog bootstrap
+zip -j berkshire_lambda.zip bootstrap
+```
+
+## Anakamali Hog Usage
+```
+USAGE:
+    ankamali_hog [FLAGS] [OPTIONS] <GDRIVEID>
+
+FLAGS:
+        --caseinsensitive    Sets the case insensitive flag for all regexes
+        --entropy            Enables entropy scanning
+        --prettyprint        Output the JSON in human readable format
+    -v, --verbose            Sets the level of debugging information
+    -h, --help               Prints help information
+    -V, --version            Prints version information
+
+OPTIONS:
+    -o, --outputfile <OUTPUT>    Sets the path to write the scanner results to (stdout by default)
+        --regex <REGEX>          Sets a custom regex JSON file
+
+ARGS:
+    <GDRIVEID>    The ID of the google drive file you want to scan
+```
+
+## Berkshire Hog (CLI) Usage
+```
+USAGE:
+    berkshire_hog [FLAGS] [OPTIONS] <S3URI> <S3REGION>
+
+FLAGS:
+        --caseinsensitive    Sets the case insensitive flag for all regexes
+        --entropy            Enables entropy scanning
+        --prettyprint        Output the JSON in human readable format
+    -r, --recursive          Will recursively scan files under the prefix.
+    -v, --verbose            Sets the level of debugging information
+    -h, --help               Prints help information
+    -V, --version            Prints version information
+
+OPTIONS:
+    -o, --outputfile <OUTPUT>    Sets the path to write the scanner results to (stdout by default)
+        --profile <PROFILE>      When using a configuration file, use a non-default profile
+        --regex <REGEX>          Sets a custom regex JSON file
+
+ARGS:
+    <S3URI>       The location of a S3 bucket and optional prefix or filename to scan. This must be written in the form
+                  s3://mybucket[/prefix_or_file]
+    <S3REGION>    Sets the region of the S3 bucket to scan.
+```
+
+
+## Berkshire Hog (Lambda) Usage
+Berkshire Hog is currently designed to be used as a Lambda function. It was written with this overall data-flow
+in mind:
+<pre>
+    ┌───────────┐              ┌───────┐     ┌────────────────┐     ┌────────────┐
+    │ S3 Bucket │ ┌────────┐   │       │     │ Berkshire Hog  │     │ S3 Bucket  │
+    │  (input) ─┼─┤S3 Event├──▶│  SQS  │────▶│    (Lambda)    │────▶│  (output)  │
+    │           │ └────────┘   │       │     │                │     │            │
+    └───────────┘              └───────┘     └────────────────┘     └────────────┘
+</pre>
+
+In order to run this you will need to setup the following things:
+1) The input bucket must be configured to send an "event" to SQS for each PUSH/PUT event
+2) The SQS topic must be setup to accept events from S3, including IAM permissions.
+3) Berkshire hog must be running with IAM access to SQS and S3.
+
+## Choctaw Hog Usage
+```
+USAGE:
+    choctaw_hog [FLAGS] [OPTIONS] <GITPATH>
+
+FLAGS:
+        --caseinsensitive    Sets the case insensitive flag for all regexes
+        --entropy            Enables entropy scanning
+        --prettyprint        Output the JSON in human readable format
+    -v, --verbose            Sets the level of debugging information
+    -h, --help               Prints help information
+    -V, --version            Prints version information
+
+OPTIONS:
+    -o, --outputfile <OUTPUT>            Sets the path to write the scanner results to (stdout by default)
+        --regex <REGEX>                  Sets a custom regex JSON file, defaults to ./trufflehog_rules.json
+        --since_commit <SINCECOMMIT>     Filters commits based on date committed (branch agnostic)
+        --sshkeypath <SSHKEYPATH>        Takes a path to a private SSH key for git authentication, defaults to ssh-agent
+        --sshkeyphrase <SSHKEYPHRASE>    Takes a passphrase to a private SSH key for git authentication, defaults to
+                                         none
+
+ARGS:
+    <GITPATH>    Sets the path (or URL) of the Git repo to scan. SSH links must include username (git@)
+```
+
+## Open Source License
+
+This project is distributed under the [Apache 2 license](LICENSE).
+
+## Support
+
+New Relic has open-sourced this project. This project is provided AS-IS WITHOUT WARRANTY OR SUPPORT, although you can report issues and contribute to the project here on GitHub.
+
+_Please do not report issues with this software to New Relic Global Technical Support._
+
+## Community
+
+New Relic hosts and moderates an online forum where customers can interact with New Relic employees as well as other customers to get help and share best practices. Like all official New Relic open source projects, there's a related Community topic in the New Relic Explorer's Hub. You can find this project's topic/threads here:
+
+TODO: Create topic in discuss.newrelic.com and put the link here.
+
+## Issues / Enhancement Requests
+
+Issues and enhancement requests can be submitted in the [Issues tab of this repository](../../issues). Please search for and review the existing open issues before submitting a new issue.
+
+## Contributing
+
+Contributions are welcome (and if you submit a Enhancement Request, expect to be invited to contribute it yourself :grin:). Please review our [Contributors Guide](CONTRIBUTING.md).
+
+Keep in mind that when you submit your pull request, you'll need to sign the CLA via the click-through using CLA-Assistant. If you'd like to execute our corporate CLA, or if you have any questions, please drop us an email at opensource@newrelic.com.
+
+
+## Feature Roadmap
+- 1.0: Initial open-source release
+    - [x] Refactor git-agnostic code into a reusable library
+    - [x] Implement logging correctly
+    - [x] Prep for New Relic Homebrew release
+    - [x] Prep for New Relic GitHub release
+    - [x] Implement licensing
+    - [x] Clear with New Relic open source committee
+    - [x] Finish initial implementation of Ankamali Hog and Berkshire Hog CLI
+    - [ ] Finish New Relic Open Source checklist
+    - [ ] Unit tests
+    - [ ] Prep for crates.io release
+    - [ ] Flatten original Git repo
+
+- 1.1: Enterprise features
+    - [ ] Support config files (instead of command line args)
+    - [ ] Save state between scans, remember and filter "false positives"
+    - [ ] Multi-threading
+    - [ ] Better context detection and false positive filtering (GitHound, machine learning)
+    - [ ] Support for other modes of use for Berkshire Hog (CLI, lambda without SQS)
+    - [ ] Use Rusoto instead of s3-rust
+
+- 1.2: Integration with larger scripts and UIs
+    - [ ] Support Github API for larger org management
+        - [ ] Scan all repos for a list of users
+        - [ ] Scan all repos in an org
+    - [ ] Generate a web-report or web-interface. Support "save state" generation from UI.
+    - [ ] Agent/manager model
+    - [ ] Scheduler process (blocked by save state support)
+
+
+## Performance comparison
+Using this repo as a test: `git clone git@github.com:NathanRomike/dictionary-builder.git`
+
+I ran trufflehog 50 times and saw it take 81 seconds...
+```
+time ( repeat 50 { trufflehog --rules trufflehog_rules.json --regex --entropy=False ../dictionary-builder/ })
+
+37.67s user 40.56s system 95% cpu 1:21.88 total
+```
+
+Then I ran Choctaw Hog 50 times and saw it take 49 seconds...
+```
+time ( repeat 50 { target/release/choctaw_hog ../dictionary-builder })
+
+46.28s user 1.94s system 98% cpu 48.749 total
+```
+
+## What does the name mean?
+TruffleHog is considered the de-facto standard / original secret scanner. I have been
+building a suite of secret scanning tools for various platforms based on TruffleHog
+and needed a naming scheme, so I started at the top of Wikipedia's 
+[list of pig breeds](https://en.wikipedia.org/wiki/List_of_pig_breeds). 
+Thus each tool name is a breed of pig starting at A and working up.
+