You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The scan command can now be given Git https URLs, GitHub usernames, and GitHub organization names as inputs, and will enumerate, clone, and scan as appropriate (#14).
Nosey Parker now has rudimentary support for enumerating repositories from GitHub users and organizations (#15). The new github repos list command uses the GitHub REST API to enumerate repositories belonging to one or more users or organizations. An optional GitHub Personal Access Token can be provided via the NP_GITHUB_TOKEN environment variable.
Nosey Parker now has an optional rule_profiling crate feature that causes performance-related statistics to be collected and reported when scanning. This feature imposes some performance cost and is only useful to rule authors, and so is disabled by default.
Many new rules have been added:
Adobe OAuth Client Secret
Age Identity (X22519 secret key)
Age Recipient (X25519 public key)
crates.io API Key
DigitalOcean Application Access Token
DigitalOcean Personal Access Token
DigitalOcean Refresh Token
Figma Personal Access Token
GitLab Personal Access Token
GitLab Pipeline Trigger Token
GitLab Runner Registration Token
Google OAuth Client Secret (prefixed)
New Relic API Service Key
New Relic Admin API Key
New Relic Insights Insert Key
New Relic Insights Query Key
New Relic License Key
New Relic License Key (non-suffixed)
New Relic Pixie API Key
New Relic Pixie Deploy Key
New Relic REST API Key
NPM Access Token (fine-grained)
OpenAI API Key
Segment Public API Token
Shopify Access Token (Custom App)
Shopify Access Token (Legacy Private App)
Shopify Access Token (Public App)
Shopify App Secret
Shopify Domain
RubyGems API Key
Telegram Bot Token
These rules match token formats that are well-specified fixed-length strings with notable prefixes or suffixes, and so should produce very few false positives.
Several existing rules were modified to improve signal-to-noise:
Azure Connection String
Credentials in ODBC Connection String
PyPI Upload Token
The report command now offers rudimentary SARIF support (#4). Thanks you @Coruscant11!
Changes
Several default rules have been revised to improve performance of the matching engine and to produce fewer false positives. In particular, several rules previously had avoided using a trailing \b anchor after secret content which could include a literal - character, due to a matching discrepancy between Hyperscan and Rust's regex library. These have been revised to use a more complicated but functional anchoring pattern.
The JSON Web Token (base64url-encoded) rule has been changed to only produce a single match group instead of three.
The Google Client Secret rule has been improved to detect additional occurrences and has been renamed to Google OAuth Client Secret.
Blobs are now deduplicated at enumeration time when first enumerating a Git repository, rather than only at scan time. This results in more accurate progress bars.
When scanning, Git repositories are now opened twice: once at input enumeration time, and once at scanning time. This drastically reduces the amount of memory required to scan a large number of Git repositories.
Fixes
When scanning, the datastore is now explicitly excluded from filesystem enumeration. This ensures that files used internally for Nosey Parker's operation are not inadvertently scanned (#32).
This discussion was created from the release v0.12.0.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
v0.12.0 (2023-03-02)
A prebuilt Docker image for this release is available for x86_64 architectures:
Additions
The
scan
command can now be given Git https URLs, GitHub usernames, and GitHub organization names as inputs, and will enumerate, clone, and scan as appropriate (#14).Nosey Parker now has rudimentary support for enumerating repositories from GitHub users and organizations (#15). The new
github repos list
command uses the GitHub REST API to enumerate repositories belonging to one or more users or organizations. An optional GitHub Personal Access Token can be provided via theNP_GITHUB_TOKEN
environment variable.Nosey Parker now has an optional
rule_profiling
crate feature that causes performance-related statistics to be collected and reported when scanning. This feature imposes some performance cost and is only useful to rule authors, and so is disabled by default.Many new rules have been added:
These rules match token formats that are well-specified fixed-length strings with notable prefixes or suffixes, and so should produce very few false positives.
Several existing rules were modified to improve signal-to-noise:
The
report
command now offers rudimentary SARIF support (#4). Thanks you @Coruscant11!Changes
Several default rules have been revised to improve performance of the matching engine and to produce fewer false positives. In particular, several rules previously had avoided using a trailing
\b
anchor after secret content which could include a literal-
character, due to a matching discrepancy between Hyperscan and Rust'sregex
library. These have been revised to use a more complicated but functional anchoring pattern.The
JSON Web Token (base64url-encoded)
rule has been changed to only produce a single match group instead of three.The
Google Client Secret
rule has been improved to detect additional occurrences and has been renamed toGoogle OAuth Client Secret
.Blobs are now deduplicated at enumeration time when first enumerating a Git repository, rather than only at scan time. This results in more accurate progress bars.
When scanning, Git repositories are now opened twice: once at input enumeration time, and once at scanning time. This drastically reduces the amount of memory required to scan a large number of Git repositories.
Fixes
This discussion was created from the release v0.12.0.
Beta Was this translation helpful? Give feedback.
All reactions