RepoSsessed: parse public source code repositories & find various types of vulnerabilities
RepoSsessed is a project designed to parse public source code repositories and find various types of vulnerabilities. The current focus is on finding secrets; see the Next Steps section for what is being added.
The tool has two main audiences:
- Internal teams looking to make sure they don’t have secrets in their code repositories.
- Consultants looking to check their customers’ repositories for secrets, i.e., vulnerabilities.
Finding flaws in public source code repositories is not a new idea, and many have done great work in the area.
This project was created for a few reasons:
- To add source code flaws to the public source code repository conversation: not just looking for information disclosure, but for actual coding flaws as well, e.g., input validation mistakes that can lead to critical bugs in various languages.
- I am looking to collapse all useful code repository signatures, including my own for coding flaws, into a single, flat, transparent format that can be used by ANY engine. This way you can write whatever interface you’d like and use the evergreen signatures from this project.
- Due to regular issues with leveraging search APIs, e.g., limiting sensitive (dangerous) searches and rate limiting, this project works by searching the repo locally post-clone.
Currently, the tool works in two ways:
- Searches within a repo for a number of sensitive files.
- Searches within a repo for a number of sensitive strings within files.
To install, clone the repository and install ripgrep:
- Clone the repository: `git clone https://github.com/IOActive/RepoSsessed.git`
- Install ripgrep.
There are two primary ways to use this project:
- Create your own tool and use the `filetypes.txt`, `strings.txt` and `regex.txt` files as your search content.
- Use the provided script to perform the actual searches.
If you're doing #2, simply clone this repo, `cd` into it, drop the repo you want to test into the `./target` directory, and then run the `./repossessed.sh` script, which will print your results to the console.
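The local, post-clone search described above, as an added example that is not the project's own `repossessed.sh`: a minimal scanner in the same shape, driven by a file-name list and fixed-string and regex signature files. The sample "cloned repo" and the signature entries are constructed here for illustration; ripgrep is used when present, with a `grep` fallback otherwise.

```shell
#!/bin/sh
# Added example, not the project's script. Mirrors the two search modes:
#   1) sensitive file names (filetypes.txt)  2) sensitive content (strings.txt, regex.txt)
set -eu

WORK=$(mktemp -d)
TARGET="$WORK/target"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample repo: a credentials file and a hard-coded password in code.
mkdir -p "$TARGET/app" "$TARGET/.aws"
printf 'aws_access_key_id = AKIAEXAMPLEEXAMPLE12\n' > "$TARGET/.aws/credentials"
printf 'db_password = "hunter2"\nuser = "svc"\n'      > "$TARGET/app/settings.py"
printf 'print("hello")\n'                            > "$TARGET/app/main.py"

# Constructed signature files (the project ships its own versions of these).
printf 'credentials\nid_rsa\n.env\n' > "$WORK/filetypes.txt"   # exact file names
printf 'password\nsecret\n'          > "$WORK/strings.txt"     # case-insensitive fixed strings
printf 'AKIA[0-9A-Z]{16}\n'          > "$WORK/regex.txt"       # extended regexes

# Mode 1: report every file whose base name is listed in the file-name signature file.
scan_files() {                                  # $1 = repo dir, $2 = filetypes file
  find "$1" -type f | while IFS= read -r f; do
    if grep -Fqx "$(basename "$f")" "$2"; then
      echo "FILE: ${f#"$1/"}"
    fi
  done
}

# Mode 2: report every line matching a fixed string or a regex signature.
# Hidden directories (.aws, .env files) are where secrets tend to live, so ripgrep
# is told to search them; .git is skipped since it is not source.
scan_content() {                                # $1 = repo dir, $2 = strings, $3 = regexes
  if command -v rg >/dev/null 2>&1; then
    rg -n --hidden -g '!.git' -iF -f "$2" "$1" || true
    rg -n --hidden -g '!.git'     -f "$3" "$1" || true
  else
    grep -rniF -f "$2" "$1" || true
    grep -rnE  -f "$3" "$1" || true
  fi
}

echo "== sensitive file names =="
scan_files "$TARGET" "$WORK/filetypes.txt"
echo "== sensitive content =="
scan_content "$TARGET" "$WORK/strings.txt" "$WORK/regex.txt"
```

On the sample repo this reports `.aws/credentials` by name, the `db_password` line by fixed string, and the `AKIA...` line by regex; `print("hello")` is never flagged.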
With secrets being covered fairly well, the next thing I want to add to the project is some rudimentary source code checks.
- Use of deprecated APIs within the code.
- Use of dangerous functions.
- Use of blacklisted patterns.
Basically, if it’s possible to grep for a string within a particular language’s code, and find something that should not ever be done, I’m going to try to include it here.
This approach will produce many false negatives but few false positives; I think that's the right tradeoff for something like this. If you have any examples you'd like to see included, please let me know via Issues.