Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: citi hackathon code submission #798

Closed
wants to merge 0 commits into from

Conversation

Psingle20
Copy link

@Psingle20 Psingle20 commented Nov 14, 2024

**The code has been moved to #810 **

This PR can be considered as a submission for the FinOS CitiHackathon.
Team members:


This PR solves issue #745 #788 #796 #797 #765

GITPROXY PLUGINS

We have worked on the following features :

  • Sensitive Data Detection ( in files like .json, .xlsx, .csv )
  • Check EXIF Metadata from Images ( .jpg, .jpeg, .tiff )
  • Detection of AI/ML usage (incl. weights, models etc.)
  • Vulnerability Detection using GitLeaks
  • Detection of Non-Standard Cryptography Usage

Some Modifications for the Gitleaks and Non-Standard Cryptography Usage are required.

Sensitive Data Detection ( in files like .json, .xlsx, .csv )

Features:
This solves issue #745

    "diff": {
      "block": {
        "literals": [],
        "patterns": [],
        "providers": {},
        "proxyFileTypes": [".csv", ".xlsx", ".log", ".json"]
      }
    },

Check EXIF Metadata from Images ( .jpg, .jpeg, .tiff )

Features:
This solves issue #796

    "diff": {
      "block": {
        "literals": [],
        "patterns": [],
        "providers": {},
        "proxyFileTypes": [".jpg", ".jpeg", ".tiff"]
      }
    },

Detection of AI/ML usage (incl. weights, models etc.)

Features:
This solves issue #788

    "aiMlUsage": {
          "enabled": true,
          "blockPatterns": ["modelWeights", "largeDatasets", "aiLibraries", "configKeys", "aiFunctions"]
    }

Vulnerability Detection using GitLeaks

Features:
This solves issue #797

    "checkForSecrets": {
      "enabled": false
    },
  • A detailed report will be generated gitleaks_reports.json
  • Some modifications / minor changes might be required for this to be merged.

Detection of Non-Standard Cryptography Usage

This solves issue #765

Features:

Copy link

netlify bot commented Nov 14, 2024

Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name Link
🔨 Latest commit 50ccb18
🔍 Latest deploy log https://app.netlify.com/sites/endearing-brigadeiros-63f9d0/deploys/6746ee2a88ce7f0008651de5

@Psingle20 Psingle20 changed the title Citi Hackathon code Submission feat: citi hackathon code submission Nov 14, 2024
@Psingle20
Copy link
Author

@JamieSlome this PR can be considered as the official submission for Hackathon. It contains all the feature me and my team members have worked on . Please review it and let us know if any changes are required.

@rgmz
Copy link
Contributor

rgmz commented Nov 23, 2024

* We have used GitLeaks to detect vulnerabilities in the codebase.

Gitleaks detects secrets + and any other configured pattern. It doesn't detect vulnerabilities per se.

Features: This solves issue #765

This looks like a typo. The linked issue is "Detect the usage of Non-Standard Cryptography Implementation".

gitleaks.toml Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these rules created for this PR or copied from somewhere? Gitleaks has a number of features, such as keywords, entropy, and allowlist(s) that improve performance and effectiveness.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these rules are specifically for this PR
we were trying to use it for scanning directories for secrets like AWS access Key which user may write in the code files.
That feature is still in progress as we have written in the comment above as well. Some changes are required.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these rules are specifically for this PR

What's the rationale for doing so versus using Gitleaks' default config?

src/proxy/processors/push-action/checkForSecrets Outdated Show resolved Hide resolved
@@ -0,0 +1,3 @@
// File containing sensitive AWS Access Key
const secret = 'AKIAIOSFODNN8EXAMPLE'; // Example AWS access key
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This actually shouldn't be flagged because it's obviously false positive. The default Gitleaks aws-access-token rule explicitly ignores results that end in EXAMPLE.

https://github.com/gitleaks/gitleaks/blob/7f77987d91c590e021d9fa2b3c0e57c4a4376147/config/gitleaks.toml#L168-L171

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants