Secret Scan

Secret scanning can be used to collect secrets based on a rule file (Secret Config). The Secret config file contains rules that define what should be treated as a secret. This file can be specified using --secret-config-file <file_path>. If the config file is not provided or does not contain any configurations, QScanner downloads secret-config from the backend.

QScanner downloads the secret-config from the backend and stores it in the cache directory as {QSCANNER_CACHE_DIR}/secret_config.json

On subsequent runs, it uses the cached rule file. This file remains valid in the cache by default for 24 hours (configurable via --secret-config-refresh-duration), after which QScanner checks the backend for changes to the rules file. If there are no changes, it continues using the existing secret_config.json.

If the rules have been updated (decided based on the content hash), a new Secret Config file will be downloaded.

To force a refresh of the secret-config, use the --force-refresh-secret-config=true flag.
To use a custom secret-config rules file, use --secret-config-file <path-to-rule-file>. If this file is provided, QScanner will not attempt to download secret-config from the Qualys backend.

Secret Config

The Secret Config file contains the following parameters:

  • id: Unique identifier for each rule.
  • category: Rule category.
  • title: User-friendly name of the rule.
  • regex: The regex that is matched against the file content to classify it as a secret. It is stored base64-encoded.
  • severity: Severity of the secret detected using this rule.
  • keywords: These keywords are matched against the content of the file before evaluating the regex. If the file does not have any of the mentioned keywords, then this rule is not evaluated. If no keywords are provided, the rule will be evaluated against the regex.
  • show-secret-content: By default, when a secret is detected, only its filename and line number are shown in the secret results. To include the matched content of a rule in the results, set this field to true.
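The following is an added example (not QScanner's own code) showing how a rule file with these parameters is evaluated: the base64 regex is decoded, the keyword pre-filter decides whether the regex runs at all, and the matched content is reported only when show-secret-content is true. The top-level layout (a JSON list of rule objects), the rule ids and the sample file content are all constructed for this example; the real secret_config.json may be structured differently.

```python
import base64
import json
import re
from typing import Dict, List

# Constructed sample rule file using the parameter names the page lists.
# Layout as a JSON list of rule objects is an assumption for this example.
SAMPLE_RULES_JSON = json.dumps([
    {
        "id": "example-aws-style-key",                 # constructed id
        "category": "cloud",
        "title": "Example AWS-style access key id",
        # base64 of: AKIA[0-9A-Z]{16}
        "regex": base64.b64encode(rb"AKIA[0-9A-Z]{16}").decode(),
        "severity": "high",
        # Keyword pre-filter: regex only runs if this string is in the file.
        "keywords": ["aws_access_key_id"],
        "show-secret-content": False,                # report location only
    },
    {
        "id": "example-password-assignment",         # constructed id
        "category": "generic",
        "title": "Example password assignment",
        "regex": base64.b64encode(
            rb"(?i)password\s*[:=]\s*['\"]?([^\s'\"]{8,})").decode(),
        "severity": "medium",
        "keywords": [],                              # empty: always evaluated
        "show-secret-content": True,                 # include matched text
    },
])

# Constructed sample file content; the key and password are not real.
SAMPLE_FILE = """\
# constructed sample config, not a real credential
aws_access_key_id = AKIAEXAMPLEKEY000001
password = correct-horse-battery
db_host = localhost
"""


def load_rules(rules_json: str) -> List[Dict]:
    """Parse the rule file and decode each base64-encoded regex."""
    rules = json.loads(rules_json)
    for rule in rules:
        pattern = base64.b64decode(rule["regex"]).decode("utf-8")
        rule["_compiled"] = re.compile(pattern)
    return rules


def scan_file(filename: str, content: str, rules: List[Dict]) -> List[Dict]:
    """Apply every rule to one file; return one finding per regex match."""
    findings = []
    lines = content.splitlines()
    for rule in rules:
        keywords = rule.get("keywords") or []
        # Keyword pre-filter: skip the regex when none of the keywords occur.
        if keywords and not any(k in content for k in keywords):
            continue
        for lineno, line in enumerate(lines, start=1):
            for match in rule["_compiled"].finditer(line):
                finding = {
                    "rule_id": rule["id"],
                    "severity": rule["severity"],
                    "file": filename,
                    "line": lineno,
                }
                # Matched text is revealed only when the rule opts in.
                if rule.get("show-secret-content"):
                    finding["match"] = match.group(0)
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_file("app.cfg", SAMPLE_FILE, load_rules(SAMPLE_RULES_JSON)):
        print(f)
```

Note that the second sample rule deliberately has no keywords, so its regex is evaluated against every file; the first one is skipped entirely for files that never mention aws_access_key_id, which is the cost-saving behaviour the keywords parameter exists for.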