stacs v0.4.6 releases: Static Token And Credential Scanner

Static Token And Credential Scanner

STACS is a YARA-powered static credential scanner that supports binary file formats, analysis of nested archives, composable rulesets and ignores lists, and SARIF reporting.

What does STACS support?

Currently, STACS supports recursive unpacking of tarballs, gzips, bzips, zips, and xz files. As STACS works on detected file types, rather than the filename, proprietary file formats based on these types are automatically supported (such as Docker images, Android APKs, and Java JAR files).

Who should use STACS?

STACS is designed for use by any teams that release binary artifacts. STACS provides developers the ability to automatically check for accidental inclusion of static credentials and key material in their releases.

However, this doesn’t mean STACS can’t help with SaaS applications, enterprise software, or even source code!

As an example, STACS can be used to find static credentials in Docker images uploaded to public and private container registries. It can also be used to find credentials accidentally compiled in to executables, packages for mobile devices, and “enterprise archives” – such as those used by Java application servers.

How does it work?

STACS detects static credentials using “rule packs” provided to STACS when to run. These rule packs define a set of YARA rules to run against files provided to STACS. When a match against a rule is found, a “finding” is generated. These findings represent potential credentials inside of a file, and are reported on for a developer to remediate or “ignore”.

If the finding is found to be a false positive – that is, a match on something other than a real credential – the developer can generate a set of “ignore lists” to ensure that these matches don’t appear in future reports.

The real power from STACS comes from the automatic detection and unpacking of nested archives, and composable ignore lists and rule packs.

Ignore lists?

In order to allow flexible and collaborative usage, STACS supports composable ignore lists. This allows for an ignore list to include other ignore lists which enable the composition of a “tree of ignores” based on organisational guidelines. These ignore lists are especially useful in organisations where many of the same frameworks or products are used. If a team has already marked a finding as a false positive, other teams get the benefit of not having to triage the same finding.

Rule packs?

In the same manner as ignore lists, rule packs are also compostable. This enables an organisation to define a baseline set of rules for use by all teams, while still allowing teams to maintain rulesets specific to their products.

Changelog v0.4.6

Overview

This release introduces a number of convenience and performance improvements to STACS.

🛠️ New Features

• Exit status is now non-zero if there are unsuppressed findings.
  • This was based on the suggestion as part of #19.
  • Exit status is now 100 when there are unsuppressed findings.
• STACS supports multiple paths to scan.
  • This was based on the suggestion as part of #18.
  • Mutiple paths can now be passed directly to STACS at runtime, and they will all be scanned.
• When running a container, specification of thread count, whether to enable debug, and whether to skip unprocessable archives can be controlled by environment variables
  • STACS_SKIP_UNPROCESSABLE
  • STACS_THREADS
  • STACS_DEBUG

🍩 Improvements

• SIGNIFICANT performance improvements due to optimisation of rules.
  • In testing this has seen scan runtime improvements of up to 8x in some cases.
• Dependencies have been updated.

🐛 Bug Fixes

• Resolved a minor edge-case where non UTF-8 characters would break sample generation.
  • Unprocessable samples will now be base64 encoded – the same way that binary data is handled.

Install & Use

Copyright (c) 2021, Peter Adkins
All rights reserved.