synced/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2025-03-27 09:40:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

remove secret engine folder

Browse Source
This commit is contained in:
Maidul Islam
2023-07-16 16:51:01 -04:00
parent 8c844fb188
commit 53abce5780
23 changed files with 0 additions and 15914 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
secret-engine/.dockerignore
View File

@ -1,13 +0,0 @@
**/node_modules/
**/.git
**/README.md
**/LICENSE
**/.vscode
**/npm-debug.log
**/coverage
**/.env
**/.editorconfig
**/dist
**/lib
**/*.pem
Dockerfile

9
secret-engine/.env.example
View File

@ -1,9 +0,0 @@
# The ID of your GitHub App
APP_ID=
WEBHOOK_SECRET=development
# Use `trace` to get verbose logging or `info` to show less
LOG_LEVEL=debug
# Go to https://smee.io/new set this to the URL that you are redirected to.
WEBHOOK_PROXY_URL=

14
secret-engine/.eslintrc
View File

@ -1,14 +0,0 @@
{
"parser": "@typescript-eslint/parser",
"parserOptions": {
"sourceType": "module",
"ecmaVersion": 2020
},
"plugins": [
"@typescript-eslint"
],
// "extends": [
// "eslint:recommended",
// "plugin:@typescript-eslint/recommended"
// ]
}

7
secret-engine/.gitignore vendored
View File

@ -1,7 +0,0 @@
node_modules
npm-debug.log
*.pem
!mock-cert.pem
.env
coverage
lib

73
secret-engine/CODE_OF_CONDUCT.md
View File

@ -1,73 +0,0 @@
# Contributor Covenant Code of Conduct
## Our Pledge
In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, gender identity and expression, level of experience,
education, socio-economic status, nationality, personal appearance, race,
religion, or sexual identity and orientation.
## Our Standards
Examples of behavior that contributes to creating a positive environment
include:
- Using welcoming and inclusive language
- Being respectful of differing viewpoints and experiences
- Gracefully accepting constructive criticism
- Focusing on what is best for the community
- Showing empathy towards other community members
Examples of unacceptable behavior by participants include:
- The use of sexualized language or imagery and unwelcome sexual attention or
advances
- Trolling, insulting/derogatory comments, and personal or political attacks
- Public or private harassment
- Publishing others' private information, such as a physical or electronic
address, without explicit permission
- Other conduct which could reasonably be considered inappropriate in a
professional setting
## Our Responsibilities
Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective action in
response to any instances of unacceptable behavior.
Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct, or to ban temporarily or
permanently any contributor for other behaviors that they deem inappropriate,
threatening, offensive, or harmful.
## Scope
This Code of Conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community. Examples of
representing a project or community include using an official project e-mail
address, posting via an official social media account, or acting as an appointed
representative at an online or offline event. Representation of a project may be
further defined and clarified by project maintainers.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at . All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.
Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project's leadership.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
[homepage]: https://www.contributor-covenant.org

39
secret-engine/CONTRIBUTING.md
View File

@ -1,39 +0,0 @@
## Contributing
[fork]: /fork
[pr]: /compare
[code-of-conduct]: CODE_OF_CONDUCT.md
Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
Please note that this project is released with a [Contributor Code of Conduct][code-of-conduct]. By participating in this project you agree to abide by its terms.
## Issues and PRs
If you have suggestions for how this project could be improved, or want to report a bug, open an issue! We'd love all and any contributions. If you have questions, too, we'd love to hear them.
We'd also love PRs. If you're thinking of a large PR, we advise opening up an issue first to talk about it, though! Look at the links below if you're not sure how to open a PR.
## Submitting a pull request
1. [Fork][fork] and clone the repository.
1. Configure and install the dependencies: `npm install`.
1. Make sure the tests pass on your machine: `npm test`, note: these tests also apply the linter, so there's no need to lint separately.
1. Create a new branch: `git checkout -b my-branch-name`.
1. Make your change, add tests, and make sure the tests still pass.
1. Push to your fork and [submit a pull request][pr].
1. Pat your self on the back and wait for your pull request to be reviewed and merged.
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
- Write and update tests.
- Keep your changes as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
- Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
Work in Progress pull requests are also welcome to get feedback early on, or if there is something blocked you.
## Resources
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
- [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
- [GitHub Help](https://help.github.com)

15
secret-engine/Dockerfile
View File

@ -1,15 +0,0 @@
FROM node:18-slim
WORKDIR /usr/src/app
COPY package.json package-lock.json ./
RUN npm ci --production
RUN npm cache clean --force
ENV NODE_ENV="production"
COPY . .
RUN apt-get update && apt-get install -y bash curl && curl -1sLf \
'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
&& apt-get update && apt-get install -y infisical=0.8.1
RUN npm run build
CMD [ "npm", "run", "start:prod" ]

13
secret-engine/Dockerfile.dev
View File

@ -1,13 +0,0 @@
FROM node:18-slim
WORKDIR app/
COPY package.json package-lock.json ./
RUN npm ci
RUN npm cache clean --force
COPY . .
RUN apt-get update && apt-get install -y bash curl && curl -1sLf \
'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
&& apt-get update && apt-get install -y infisical=0.8.1
CMD [ "npm", "run", "start:dev" ]

15
secret-engine/LICENSE
View File

@ -1,15 +0,0 @@
ISC License
Copyright (c) 2023, Maidul Islam
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

33
secret-engine/README.md
View File

@ -1,33 +0,0 @@
# secret-engine
> A GitHub App built with [Probot](https://github.com/probot/probot) that Infisical secret engine
## Setup
```sh
# Install dependencies
npm install
# Run the bot
npm start
```
## Docker
```sh
# 1. Build container
docker build -t secret-engine .
# 2. Start container
docker run -e APP_ID=<app-id> -e PRIVATE_KEY=<pem-value> secret-engine
```
## Contributing
If you have suggestions for how secret-engine could be improved, or want to report a bug, open an issue! We'd love all and any contributions.
For more, check out the [Contributing Guide](CONTRIBUTING.md).
## License
[ISC](LICENSE) © 2023 Maidul Islam

134
secret-engine/app.yml
View File

@ -1,134 +0,0 @@
# This is a GitHub App Manifest. These settings will be used by default when
# initially configuring your GitHub App.
#
# NOTE: changing this file will not update your GitHub App settings.
# You must visit github.com/settings/apps/your-app-name to edit them.
#
# Read more about configuring your GitHub App:
# https://probot.github.io/docs/development/#configuring-a-github-app
#
# Read more about GitHub App Manifests:
# https://developer.github.com/apps/building-github-apps/creating-github-apps-from-a-manifest/
# The list of events the GitHub App subscribes to.
# Uncomment the event names below to enable them.
default_events:
- check_run
# - check_suite
# - commit_comment
# - create
# - delete
# - deployment
# - deployment_status
# - fork
# - gollum
# - issue_comment
# - issues
- push
# - label
# - milestone
# - member
# - membership
# - org_block
# - organization
# - page_build
# - project
# - project_card
# - project_column
# - public
- pull_request
# - pull_request_review
# - pull_request_review_comment
# - release
# - repository
# - repository_import
# - status
# - team
# - team_add
# - watch
# The set of permissions needed by the GitHub App. The format of the object uses
# the permission name for the key (for example, issues) and the access type for
# the value (for example, write).
# Valid values are `read`, `write`, and `none`
default_permissions:
# Repository creation, deletion, settings, teams, and collaborators.
# https://developer.github.com/v3/apps/permissions/#permission-on-administration
# administration: read
# Checks on code.
# https://developer.github.com/v3/apps/permissions/#permission-on-checks
checks: write
# Repository contents, commits, branches, downloads, releases, and merges.
# https://developer.github.com/v3/apps/permissions/#permission-on-contents
contents: read
# Deployments and deployment statuses.
# https://developer.github.com/v3/apps/permissions/#permission-on-deployments
# deployments: read
# Issues and related comments, assignees, labels, and milestones.
# https://developer.github.com/v3/apps/permissions/#permission-on-issues
issues: write
# Search repositories, list collaborators, and access repository metadata.
# https://developer.github.com/v3/apps/permissions/#metadata-permissions
metadata: read
# Retrieve Pages statuses, configuration, and builds, as well as create new builds.
# https://developer.github.com/v3/apps/permissions/#permission-on-pages
# pages: read
# Pull requests and related comments, assignees, labels, milestones, and merges.
# https://developer.github.com/v3/apps/permissions/#permission-on-pull-requests
pull_requests: write
# Manage the post-receive hooks for a repository.
# https://developer.github.com/v3/apps/permissions/#permission-on-repository-hooks
# repository_hooks: read
# Manage repository projects, columns, and cards.
# https://developer.github.com/v3/apps/permissions/#permission-on-repository-projects
# repository_projects: read
# Retrieve security vulnerability alerts.
# https://developer.github.com/v4/object/repositoryvulnerabilityalert/
# vulnerability_alerts: read
# Commit statuses.
# https://developer.github.com/v3/apps/permissions/#permission-on-statuses
# statuses: read
# Organization members and teams.
# https://developer.github.com/v3/apps/permissions/#permission-on-members
# members: read
# View and manage users blocked by the organization.
# https://developer.github.com/v3/apps/permissions/#permission-on-organization-user-blocking
# organization_user_blocking: read
# Manage organization projects, columns, and cards.
# https://developer.github.com/v3/apps/permissions/#permission-on-organization-projects
# organization_projects: read
# Manage team discussions and related comments.
# https://developer.github.com/v3/apps/permissions/#permission-on-team-discussions
# team_discussions: read
# Manage the post-receive hooks for an organization.
# https://developer.github.com/v3/apps/permissions/#permission-on-organization-hooks
# organization_hooks: read
# Get notified of, and update, content references.
# https://developer.github.com/v3/apps/permissions/
# organization_administration: read
# The name of the GitHub App. Defaults to the name specified in package.json
name: Infisical Radar
# The homepage of your GitHub App.
url: https://infisical.com/radar
# A description of the GitHub App.
description: Scan your commits for leaked secrets
# Set to true when your GitHub App is available to the public or false when it is only accessible to the owner of the app.
# Default: true
# public: false

9
secret-engine/jest.config.js
View File

@ -1,9 +0,0 @@
module.exports = {
roots: ["<rootDir>/src/", "<rootDir>/test/"],
transform: {
"^.+\\.tsx?$": "ts-jest",
},
testRegex: "(/__tests__/.*|\\.(test|spec))\\.[tj]sx?$",
moduleFileExtensions: ["ts", "tsx", "js", "jsx", "json", "node"],
testEnvironment: "node",
};

14650
secret-engine/package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

44
secret-engine/package.json
View File

@ -1,44 +0,0 @@
{
"name": "secret-engine",
"version": "1.0.0",
"private": true,
"description": "Infisical secret engine",
"author": "Maidul Islam",
"license": "ISC",
"homepage": "https://github.com//",
"keywords": [
"probot",
"github",
"probot-app"
],
"scripts": {
"build": "tsc && cp -R ./src/templates ./lib",
"dev": "npm run build && probot run ./lib/index.js",
"start:dev": "nodemon -e ts,yml --watch './**/*.ts' --exec npm run dev",
"start:prod": "probot run ./lib/index.js",
"test": "jest"
},
"dependencies": {
"handlebars": "^4.7.7",
"mongoose": "^7.3.1",
"nodemailer": "^6.9.3",
"probot": "^12.2.4",
"ts-node": "^10.9.1"
},
"devDependencies": {
"@types/jest": "^29.0.0",
"@types/node": "^18.0.0",
"@typescript-eslint/eslint-plugin": "^5.61.0",
"@typescript-eslint/parser": "^5.61.0",
"eslint": "^8.44.0",
"jest": "^29.0.0",
"nock": "^13.0.5",
"nodemon": "^2.0.22",
"smee-client": "^1.2.2",
"ts-jest": "^29.0.0",
"typescript": "^4.1.3"
},
"engines": {
"node": ">= 10.13.0"
}
}

45
secret-engine/src/helper/nodemailer.ts
View File

@ -1,45 +0,0 @@
import fs from "fs";
import path from "path";
import handlebars from "handlebars";
import nodemailer from "nodemailer";
let smtpTransporter: nodemailer.Transporter;
/**
* @param {Object} obj
* @param {String} obj.template - email template to use from /templates folder (e.g. testEmail.handlebars)
* @param {String[]} obj.subjectLine - email subject line
* @param {String[]} obj.recipients - email addresses of people to send email to
* @param {Object} obj.substitutions - object containing template substitutions
*/
export const sendMail = async ({
template,
subjectLine,
recipients,
substitutions,
}: {
template: string;
subjectLine: string;
recipients: string[];
substitutions: any;
}) => {
const smtpConfigured = process.env.SMTP_HOST == "" || process.env.SMTP_HOST == undefined ? false : true
if (smtpConfigured) {
const html = fs.readFileSync(
path.resolve(__dirname, "../templates/" + template),
"utf8"
);
const temp = handlebars.compile(html);
const htmlToSend = temp(substitutions);
await smtpTransporter.sendMail({
from: `"${process.env.SMTP_FROM_NAME}" <${process.env.SMTP_FROM_ADDRESS}>`,
to: recipients.join(", "),
subject: subjectLine,
html: htmlToSend,
});
}
};
export const setTransporter = (transporter: nodemailer.Transporter) => {
smtpTransporter = transporter;
};

284
secret-engine/src/index.ts
View File

@ -1,284 +0,0 @@
import { Probot } from "probot";
import { exec } from "child_process";
import { writeFile, readFile, rm, mkdir, } from "fs";
import { tmpdir } from "os";
import { join } from "path"
import mongoose from "mongoose";
import GitRisks, { STATUS_RESOLVED_FALSE_POSITIVE } from "./models/gitRisks";
import GitAppOrganizationInstallation from "./models/gitAppOrganizationInstallation";
import { sendMail, setTransporter } from "./helper/nodemailer";
import { initSmtp } from "./service/smtp";
import MembershipOrg, { ADMIN, OWNER } from "./models/membershipOrg";
import User from "./models/user";
type SecretMatch = {
Description: string;
StartLine: number;
EndLine: number;
StartColumn: number;
EndColumn: number;
Match: string;
Secret: string;
File: string;
SymlinkFile: string;
Commit: string;
Entropy: number;
Author: string;
Email: string;
Date: string;
Message: string;
Tags: string[];
RuleID: string;
Fingerprint: string;
};
export const GithubSecretScanningApp = async (app: Probot) => {
// connect to DB
initDatabase()
setTransporter(await initSmtp());
app.on("installation.created", async (context) => {
const { payload } = context;
// console.log("payload==>", payload.installation.repository_selection)
})
app.on("installation.deleted", async (context) => {
const { payload } = context;
const { installation, repositories } = payload;
if (installation.repository_selection == "all") {
await GitRisks.deleteMany({ installationId: installation.id })
await GitAppOrganizationInstallation.deleteOne({ installationId: installation.id })
} else {
for (const repository of repositories) {
await GitRisks.deleteMany({ repositoryId: repository.id })
}
}
})
app.on("push", async (context) => {
const { payload } = context;
const { commits, repository, installation, pusher } = payload;
const [owner, repo] = repository.full_name.split('/');
console.log(payload)
const installationLinkToOrgExists = await GitAppOrganizationInstallation.findOne({ installationId: installation.id }).lean()
if (!installationLinkToOrgExists) {
return
}
const allFindingsByFingerprint: { [key: string]: SecretMatch; } = {}
for (const commit of commits) {
for (const filepath of [...commit.added, ...commit.modified]) {
try {
const fileContentsResponse = await context.octokit.repos.getContent({
owner,
repo,
path: filepath,
});
const data: any = fileContentsResponse.data;
const fileContent = Buffer.from(data.content, 'base64').toString();
const findings = await scanContentAndGetFindings(`\n${fileContent}`) // to count lines correctly
for (const finding of findings) {
const fingerPrint = `${commit.id}:${filepath}:${finding.RuleID}:${finding.StartLine}`
finding.Fingerprint = fingerPrint
finding.Commit = commit.id
finding.File = filepath
finding.Author = commit.author.name
finding.Email = commit.author.email
allFindingsByFingerprint[fingerPrint] = finding
}
} catch (error) {
console.error(`Error fetching content for ${filepath}`, error);
}
}
}
// change to update
const noneFalsePositiveFindings = {}
for (const key in allFindingsByFingerprint) {
const risk = await GitRisks.findOneAndUpdate({ fingerprint: allFindingsByFingerprint[key].Fingerprint },
{
...convertKeysToLowercase(allFindingsByFingerprint[key]),
installationId: installation.id,
organization: installationLinkToOrgExists.organizationId,
repositoryFullName: repository.full_name,
repositoryId: repository.id
}, {
upsert: true
}).lean()
if (risk.status != STATUS_RESOLVED_FALSE_POSITIVE) {
noneFalsePositiveFindings[key] = { ...convertKeysToLowercase(allFindingsByFingerprint[key]) }
}
}
// get emails of admins
const adminsOfWork = await MembershipOrg.find({
organization: installationLinkToOrgExists.organizationId,
$or: [
{ role: OWNER },
{ role: ADMIN }
]
}).lean()
const userEmails = await User.find({
_id: {
$in: [adminsOfWork.map(orgMembership => orgMembership.user)]
}
}).select("email").lean()
const adminOrOwnerEmails = userEmails.map(userObject => userObject.email)
// TODO
// don't notify if the risk is marked as false positive
await sendMail({
template: "secretLeakIncident.handlebars",
subjectLine: `Incident alert: leaked secrets found in Github repository ${repository.full_name}`,
recipients: [pusher.email, ...adminOrOwnerEmails],
substitutions: {
numberOfSecrets: Object.keys(allFindingsByFingerprint).length,
pusher_email: pusher.email,
pusher_name: pusher.name
}
});
});
app.on(['pull_request.opened', 'pull_request.synchronize'], async (context) => {
const { payload } = context;
const { pull_request } = payload
if (false) {
const check = {
owner: pull_request.head.repo.owner.login,
repo: pull_request.head.repo.name,
name: 'Secret Detection',
head_sha: pull_request.head.sha,
status: 'completed',
conclusion: 'failure',
output: {
title: `X Secrets detected`,
summary: 'We detected potential leaked secret(s) in your pull request.',
},
};
return context.octokit.checks.create(check);
}
});
};
async function scanContentAndGetFindings(textContent: string): Promise<SecretMatch[]> {
const tempFolder = await createTempFolder();
const filePath = join(tempFolder, "content.txt");
const findingsPath = join(tempFolder, "findings.json");
try {
await writeTextToFile(filePath, textContent);
await runInfisicalScan(filePath, findingsPath);
const findingsData = await readFindingsFile(findingsPath);
return JSON.parse(findingsData);
} finally {
await deleteTempFolder(tempFolder);
}
}
function createTempFolder(): Promise<string> {
return new Promise((resolve, reject) => {
const tempDir = tmpdir()
const tempFolderName = Math.random().toString(36).substring(2);
const tempFolderPath = join(tempDir, tempFolderName);
mkdir(tempFolderPath, (err: any) => {
if (err) {
reject(err);
} else {
resolve(tempFolderPath);
}
});
});
}
function writeTextToFile(filePath: string, content: string): Promise<void> {
return new Promise((resolve, reject) => {
writeFile(filePath, content, (err) => {
if (err) {
reject(err);
} else {
resolve();
}
});
});
}
function runInfisicalScan(inputPath: string, outputPath: string): Promise<void> {
return new Promise((resolve, reject) => {
const command = `cat "${inputPath}" | infisical scan --exit-code=77 --pipe -r "${outputPath}"`;
exec(command, (error) => {
if (error && error.code != 77) {
reject(error);
} else {
resolve();
}
});
});
}
function readFindingsFile(filePath: string): Promise<string> {
return new Promise((resolve, reject) => {
readFile(filePath, "utf8", (err, data) => {
if (err) {
reject(err);
} else {
resolve(data);
}
});
});
}
function deleteTempFolder(folderPath: string): Promise<void> {
return new Promise((resolve, reject) => {
rm(folderPath, { recursive: true }, (err) => {
if (err) {
reject(err);
} else {
resolve();
}
});
});
}
const initDatabase = async () => {
try {
await mongoose.connect(process.env.MONGO_URL);
// allow empty strings to pass the required validator
mongoose.Schema.Types.String.checkRequired(v => typeof v === "string");
console.log("Database connection established");
} catch (err) {
console.log(`Unable to establish Database connection due to the error.\n${err}`);
}
return mongoose.connection;
}
function convertKeysToLowercase<T>(obj: T): T {
const convertedObj = {} as T;
for (const key in obj) {
if (Object.prototype.hasOwnProperty.call(obj, key)) {
const lowercaseKey = key.charAt(0).toLowerCase() + key.slice(1);
convertedObj[lowercaseKey] = obj[key];
}
}
return convertedObj;
}

31
secret-engine/src/models/gitAppOrganizationInstallation.ts
View File

@ -1,31 +0,0 @@
import { Schema, model } from "mongoose";
type Installation = {
installationId: string
organizationId: string
user: Schema.Types.ObjectId
};
const gitAppOrganizationInstallation = new Schema<Installation>({
installationId: {
type: String,
required: true,
unique: true
},
organizationId: {
type: String,
required: true,
unique: true
},
user: {
type: Schema.Types.ObjectId,
ref: "User",
required: true,
}
});
const GitAppOrganizationInstallation = model<Installation>("git_app_organization_installation", gitAppOrganizationInstallation);
export default GitAppOrganizationInstallation;

147
secret-engine/src/models/gitRisks.ts
View File

@ -1,147 +0,0 @@
import { Schema, model } from "mongoose";
export const STATUS_RESOLVED_FALSE_POSITIVE = 'RESOLVED_FALSE_POSITIVE';
export const STATUS_RESOLVED_REVOKED = 'RESOLVED_REVOKED';
export const STATUS_RESOLVED_NOT_REVOKED = 'RESOLVED_NOT_REVOKED';
export const STATUS_UNRESOLVED = 'UNRESOLVED';
export type GitRisks = {
id: string;
description: string;
startLine: string;
endLine: string;
startColumn: string;
endColumn: string;
match: string;
secret: string;
file: string;
symlinkFile: string;
commit: string;
entropy: string;
author: string;
email: string;
date: string;
message: string;
tags: string[];
ruleID: string;
fingerprint: string;
isFalsePositive: boolean; // New field for marking risks as false positives
isResolved: boolean; // New field for marking risks as resolved
riskOwner: string | null; // New field for setting a risk owner (nullable string)
installationId: string,
repositoryId: string,
repositoryLink: string
repositoryFullName: string
status: string
pusher: {
name: string,
email: string
},
organization: Schema.Types.ObjectId,
}
const gitRisks = new Schema<GitRisks>({
id: {
type: String,
},
description: {
type: String,
},
startLine: {
type: String,
},
endLine: {
type: String,
},
startColumn: {
type: String,
},
endColumn: {
type: String,
},
file: {
type: String,
},
symlinkFile: {
type: String,
},
commit: {
type: String,
},
entropy: {
type: String,
},
author: {
type: String,
},
email: {
type: String,
},
date: {
type: String,
},
message: {
type: String,
},
tags: {
type: [String],
},
ruleID: {
type: String,
},
fingerprint: {
type: String,
unique: true
},
isFalsePositive: {
type: Boolean,
default: false
},
isResolved: {
type: Boolean,
default: false
},
riskOwner: {
type: String,
default: null
},
installationId: {
type: String,
require: true
},
repositoryId: {
type: String
},
repositoryLink: {
type: String
},
repositoryFullName: {
type: String
},
pusher: {
name: {
type: String
},
email: {
type: String
},
},
organization: {
type: Schema.Types.ObjectId,
ref: "Organization",
},
status: {
type: String,
enum: [
STATUS_RESOLVED_FALSE_POSITIVE,
STATUS_RESOLVED_REVOKED,
STATUS_RESOLVED_NOT_REVOKED,
STATUS_UNRESOLVED
],
default: STATUS_UNRESOLVED
}
}, { timestamps: true });
const GitRisks = model<GitRisks>("GitRisks", gitRisks);
export default GitRisks;

56
secret-engine/src/models/membershipOrg.ts
View File

@ -1,56 +0,0 @@
import { Document, Schema, Types, model } from "mongoose";
// membership roles
export const OWNER = "owner";
export const ADMIN = "admin";
export const MEMBER = "member";
// membership statuses
export const INVITED = "invited";
// -- organization
export const ACCEPTED = "accepted";
export interface IMembershipOrg extends Document {
_id: Types.ObjectId;
user: Types.ObjectId;
inviteEmail: string;
organization: Types.ObjectId;
role: "owner" | "admin" | "member";
status: "invited" | "accepted";
}
const membershipOrgSchema = new Schema(
{
user: {
type: Schema.Types.ObjectId,
ref: "User",
},
inviteEmail: {
type: String,
},
organization: {
type: Schema.Types.ObjectId,
ref: "Organization",
},
role: {
type: String,
enum: [OWNER, ADMIN, MEMBER],
required: true,
},
status: {
type: String,
enum: [INVITED, ACCEPTED],
required: true,
},
},
{
timestamps: true,
}
);
const MembershipOrg = model<IMembershipOrg>(
"MembershipOrg",
membershipOrgSchema
);
export default MembershipOrg;

116
secret-engine/src/models/user.ts
View File

@ -1,116 +0,0 @@
import { Document, Schema, Types, model } from "mongoose";
export enum AuthProvider {
GOOGLE = "google",
}
export interface IUser extends Document {
_id: Types.ObjectId;
authId?: string;
authProvider?: AuthProvider;
email: string;
firstName?: string;
lastName?: string;
encryptionVersion: number;
protectedKey: string;
protectedKeyIV: string;
protectedKeyTag: string;
publicKey?: string;
encryptedPrivateKey?: string;
iv?: string;
tag?: string;
salt?: string;
verifier?: string;
isMfaEnabled: boolean;
mfaMethods: boolean;
devices: {
ip: string;
userAgent: string;
}[];
}
const userSchema = new Schema<IUser>(
{
authId: {
type: String,
},
authProvider: {
type: String,
enum: AuthProvider,
},
email: {
type: String,
required: true,
unique: true,
},
firstName: {
type: String,
},
lastName: {
type: String,
},
encryptionVersion: {
type: Number,
select: false,
default: 1, // to resolve backward-compatibility issues
},
protectedKey: { // introduced as part of encryption version 2
type: String,
select: false,
},
protectedKeyIV: { // introduced as part of encryption version 2
type: String,
select: false,
},
protectedKeyTag: { // introduced as part of encryption version 2
type: String,
select: false,
},
publicKey: {
type: String,
select: false,
},
encryptedPrivateKey: {
type: String,
select: false,
},
iv: { // iv of [encryptedPrivateKey]
type: String,
select: false,
},
tag: { // tag of [encryptedPrivateKey]
type: String,
select: false,
},
salt: {
type: String,
select: false,
},
verifier: {
type: String,
select: false,
},
isMfaEnabled: {
type: Boolean,
default: false,
},
mfaMethods: [{
type: String,
}],
devices: {
type: [{
ip: String,
userAgent: String,
}],
default: [],
select: false,
},
},
{
timestamps: true,
}
);
const User = model<IUser>("User", userSchema);
export default User;

77
secret-engine/src/service/smtp.ts
View File

@ -1,77 +0,0 @@
import nodemailer from "nodemailer";
import SMTPConnection from "nodemailer/lib/smtp-connection";
export const SMTP_HOST_SENDGRID = "smtp.sendgrid.net";
export const SMTP_HOST_MAILGUN = "smtp.mailgun.org";
export const SMTP_HOST_SOCKETLABS = "smtp.socketlabs.com";
export const SMTP_HOST_ZOHOMAIL = "smtp.zoho.com";
export const SMTP_HOST_GMAIL = "smtp.gmail.com";
export const initSmtp = async () => {
const mailOpts: SMTPConnection.Options = {
host: process.env.SMTP_HOST,
port: process.env.SMTP_PORT,
};
if ((process.env.SMTP_USERNAME) && (process.env.SMTP_PASSWORD)) {
mailOpts.auth = {
user: process.env.SMTP_USERNAME,
pass: process.env.SMTP_PASSWORD,
};
}
if ((process.env.SMTP_SECURE) ? (process.env.SMTP_SECURE) : false) {
switch (process.env.SMTP_HOST) {
case SMTP_HOST_SENDGRID:
mailOpts.requireTLS = true;
break;
case SMTP_HOST_MAILGUN:
mailOpts.requireTLS = true;
mailOpts.tls = {
ciphers: "TLSv1.2",
}
break;
case SMTP_HOST_SOCKETLABS:
mailOpts.requireTLS = true;
mailOpts.tls = {
ciphers: "TLSv1.2",
}
break;
case SMTP_HOST_ZOHOMAIL:
mailOpts.requireTLS = true;
mailOpts.tls = {
ciphers: "TLSv1.2",
}
break;
case SMTP_HOST_GMAIL:
mailOpts.requireTLS = true;
mailOpts.tls = {
ciphers: "TLSv1.2",
}
break;
default:
if ((process.env.SMTP_HOST).includes("amazonaws.com")) {
mailOpts.tls = {
ciphers: "TLSv1.2",
}
} else {
mailOpts.secure = true;
}
break;
}
}
const transporter = nodemailer.createTransport(mailOpts);
transporter
.verify()
.then((err) => {
console.log("SMTP - Successfully connected")
})
.catch(async (err) => {
console.log(
`SMTP - Failed to connect to ${process.env.SMTP_HOST}:${process.env.SMTP_PORT} \n\t${err}`
);
});
return transporter;
};

19
secret-engine/src/templates/secretLeakIncident.handlebars
View File

@ -1,19 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<title>Incident alert: secret leaked</title>
</head>
<body>
<h3>Infisical has uncovered {{numberOfSecrets}} secret(s) from your recent push</h3>
<p><a href="https://app.infisical.com/secret-scanning"><strong>View leaked secrets</strong></a></p>
<p>One or more secret leaks have been detected in a recent commit pushed by {{pusher_name}} ({{pusher_email}}). If
the secrets are test secrets, please mark them as false positives in the <a
href="https://app.infisical.com/">Infisical dashboard</a>.
Otherwise, please rotate the secrets immediately.</p>
</body>
</html>

71
secret-engine/tsconfig.json
View File

@ -1,71 +0,0 @@
{
"compilerOptions": {
/* Basic Options */
"incremental": true /* Enable incremental compilation */,
"target": "es5" /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */,
"module": "commonjs" /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */,
"lib": [
"es2015",
"es2017"
] /* Specify library files to be included in the compilation. */,
"allowJs": true /* Allow javascript files to be compiled. */,
"checkJs": true /* Report errors in .js files. */,
// "jsx": "preserve", /* Specify JSX code generation: 'preserve', 'react-native', or 'react'. */
"declaration": true /* Generates corresponding '.d.ts' file. */,
// "declarationMap": true, /* Generates a sourcemap for each corresponding '.d.ts' file. */
"sourceMap": true /* Generates corresponding '.map' file. */,
// "outFile": "./", /* Concatenate and emit output to single file. */
"outDir": "./lib" /* Redirect output structure to the directory. */,
// "rootDir": "./", /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */
// "composite": true, /* Enable project compilation */
// "tsBuildInfoFile": "./" /* Specify file to store incremental compilation information */,
// "removeComments": true, /* Do not emit comments to output. */
// "noEmit": true, /* Do not emit outputs. */
// "importHelpers": true, /* Import emit helpers from 'tslib'. */
// "downlevelIteration": true, /* Provide full support for iterables in 'for-of', spread, and destructuring when targeting 'ES5' or 'ES3'. */
// "isolatedModules": true, /* Transpile each file as a separate module (similar to 'ts.transpileModule'). */
/* Strict Type-Checking Options */
"strict": false /* Enable all strict type-checking options. */,
// "noImplicitAny": true, /* Raise error on expressions and declarations with an implied 'any' type. */
// "strictNullChecks": true, /* Enable strict null checks. */
// "strictFunctionTypes": true, /* Enable strict checking of function types. */
// "strictBindCallApply": true, /* Enable strict 'bind', 'call', and 'apply' methods on functions. */
// "strictPropertyInitialization": true, /* Enable strict checking of property initialization in classes. */
// "noImplicitThis": true, /* Raise error on 'this' expressions with an implied 'any' type. */
// "alwaysStrict": true, /* Parse in strict mode and emit "use strict" for each source file. */
/* Additional Checks */
"noUnusedLocals": false /* Report errors on unused locals. */,
"noUnusedParameters": false /* Report errors on unused parameters. */,
"noImplicitReturns": true /* Report error when not all code paths in function return a value. */,
"noFallthroughCasesInSwitch": true /* Report errors for fallthrough cases in switch statement. */,
/* Module Resolution Options */
"moduleResolution": "node" /* Specify module resolution strategy: 'node' (Node.js) or 'classic' (TypeScript pre-1.6). */,
// "baseUrl": "./src" /* Base directory to resolve non-absolute module names. */,
// "paths": {}, /* A series of entries which re-map imports to lookup locations relative to the 'baseUrl'. */
// "rootDirs": [], /* List of root folders whose combined content represents the structure of the project at runtime. */
// "typeRoots": [], /* List of folders to include type definitions from. */
// "types": [], /* Type declaration files to be included in compilation. */
// "allowSyntheticDefaultImports": true, /* Allow default imports from modules with no default export. This does not affect code emit, just type checking. */
"esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */,
// "preserveSymlinks": true, /* Do not resolve the real path of symlinks. */
// "allowUmdGlobalAccess": true, /* Allow accessing UMD globals from modules. */
/* Source Map Options */
"sourceRoot": "src", /* Specify the location where debugger should locate TypeScript files instead of source locations. */
// "mapRoot": "", /* Specify the location where debugger should locate map files instead of generated locations. */
// "inlineSourceMap": true, /* Emit a single file with source maps instead of having a separate file. */
// "inlineSources": true, /* Emit the source alongside the sourcemaps within a single file; requires '--inlineSourceMap' or '--sourceMap' to be set. */
/* Experimental Options */
// "experimentalDecorators": true, /* Enables experimental support for ES7 decorators. */
// "emitDecoratorMetadata": true, /* Enables experimental support for emitting type metadata for decorators. */
/* Advanced Options */
"forceConsistentCasingInFileNames": true /* Disallow inconsistently-cased references to the same file. */,
"resolveJsonModule": true,
"pretty": false,
"skipLibCheck": true
},
"include": [
"src/**/*",
"src/templates/**/*"
],
// "compileOnSave": false
}