What's New
S3 Source
You can scan S3 and other S3 compatible object stores with the betterleaks s3 command:
```shell
betterleaks s3 <url> [flags]

# Scan an AWS bucket
betterleaks s3 https://my-bucket.s3.us-east-1.amazonaws.com/logs/

# AWS shorthand (region auto-probed)
betterleaks s3 s3://my-bucket/logs/

# Enumerate and scan all buckets in the account
# (requires s3:ListAllMyBuckets on the credentials)
betterleaks s3 'https://s3.us-east-1.amazonaws.com/*'

# Enumerate buckets matching a glob, scan a shared prefix in each
# (same permission requirement as above)
betterleaks s3 'https://s3.us-east-1.amazonaws.com/prod-*/logs/'

# Scan a public bucket without credentials
# (the bucket policy must grant anonymous s3:ListBucket, not just s3:GetObject)
betterleaks s3 --anonymous https://<public-bucket>.s3.<region>.amazonaws.com/

# Scan a single Cloudflare R2 bucket
betterleaks s3 https://my-bucket.acct123.r2.cloudflarestorage.com/

# Enumerate all R2 buckets in an account
# (requires an admin-scoped R2 API token, not a bucket-scoped one)
betterleaks s3 'https://acct123.r2.cloudflarestorage.com/*'

# Scan a MinIO bucket
betterleaks s3 --region=us-east-1 http://localhost:9000/mybucket
```
Flags:

```text
      --access-key string      AWS access key (overrides AWS_ACCESS_KEY_ID)
      --anonymous              do not sign requests; ignore AWS_* env vars and --access-key/--secret-key
  -h, --help                   help for s3
      --max-object-size int    objects larger than this many bytes are skipped (0 = 250 MiB default)
      --region string          AWS region (required for some non-AWS endpoints; auto-probed for AWS)
      --secret-key string      AWS secret key (overrides AWS_SECRET_ACCESS_KEY)
      --session-token string   AWS session token (overrides AWS_SESSION_TOKEN)
      --workers int            concurrent object fetches (0 = 16 default)
```
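The URL forms above (s3:// shorthand, AWS virtual-hosted and path-style, R2 per-bucket and account-root, generic MinIO) each carry a different mix of endpoint, region, bucket and prefix, and a glob in the bucket position is what turns a scan into a bucket enumeration. The parser below is an added illustration of that decomposition, written for these notes; it is not betterleaks' own code, and the `Target` type and `ParseTarget` function are assumptions made for the example. It also handles the legacy `bucket.s3.amazonaws.com` form, which the examples above do not show.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Target is a constructed, hypothetical decomposition of one object-store URL
// into the pieces a scanner needs. It is not betterleaks' own type.
type Target struct {
	Endpoint  string // "scheme://host" for non-AWS stores; "" means AWS default endpoints
	Region    string // region when it is present in the URL (AWS only)
	Bucket    string // bucket name, or a glob such as "*" / "prod-*"
	Prefix    string // key prefix to scan under ("" = whole bucket)
	Enumerate bool   // Bucket is a glob: the caller must list buckets first
}

// splitBucket separates "bucket/some/prefix/" into ("bucket", "some/prefix/").
func splitBucket(path string) (string, string) {
	if i := strings.Index(path, "/"); i >= 0 {
		return path[:i], path[i+1:]
	}
	return path, ""
}

// ParseTarget recognises the URL shapes shown in the release notes: s3://
// shorthand, AWS virtual-hosted and path-style URLs, Cloudflare R2 URLs and a
// generic path-style endpoint such as MinIO.
func ParseTarget(raw string) (Target, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Target{}, err
	}
	var t Target
	path := strings.TrimPrefix(u.Path, "/")
	host := u.Hostname()
	labels := strings.Split(host, ".")

	switch {
	case u.Scheme == "s3":
		// s3://bucket/prefix: no region in the URL, it has to be probed later
		t.Bucket, t.Prefix = u.Host, path
	case u.Scheme != "http" && u.Scheme != "https":
		return Target{}, fmt.Errorf("unsupported scheme %q", u.Scheme)
	case strings.HasSuffix(host, ".amazonaws.com") && labels[0] == "s3":
		// path-style: s3.<region>.amazonaws.com/<bucket>/<prefix>
		if labels[1] != "amazonaws" {
			t.Region = labels[1]
		}
		t.Bucket, t.Prefix = splitBucket(path)
	case strings.HasSuffix(host, ".amazonaws.com") && len(labels) >= 4 && labels[1] == "s3":
		// virtual-hosted: <bucket>.s3.<region>.amazonaws.com/<prefix>
		t.Bucket, t.Prefix = labels[0], path
		if labels[2] != "amazonaws" { // legacy <bucket>.s3.amazonaws.com has no region
			t.Region = labels[2]
		}
	case strings.HasSuffix(host, ".r2.cloudflarestorage.com") && len(labels) == 5:
		// <bucket>.<account>.r2.cloudflarestorage.com/<prefix>
		t.Endpoint = u.Scheme + "://" + strings.Join(labels[1:], ".")
		t.Bucket, t.Prefix = labels[0], path
	default:
		// any other endpoint (R2 account root, MinIO, ...) is treated as path-style
		t.Endpoint = u.Scheme + "://" + u.Host
		t.Bucket, t.Prefix = splitBucket(path)
	}
	if t.Bucket == "" {
		return Target{}, errors.New("no bucket in URL")
	}
	t.Enumerate = strings.ContainsAny(t.Bucket, "*?")
	return t, nil
}

func main() {
	for _, raw := range []string{
		"s3://my-bucket/logs/",
		"https://s3.us-east-1.amazonaws.com/prod-*/logs/",
		"http://localhost:9000/mybucket",
	} {
		t, err := ParseTarget(raw)
		fmt.Printf("%-50s %+v %v\n", raw, t, err)
	}
}
```

The `Enumerate` flag is the piece worth checking before running a scan with real credentials: a target that enumerates needs `s3:ListAllMyBuckets` (or an admin-scoped R2 token), whereas a single-bucket target only needs `s3:ListBucket` and `s3:GetObject` on that bucket, so the scanning principal can be scoped accordingly.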
New CEL Bindings/Results
We added a `needs validation` status to signal "hey, something interesting is here but it needs manual validation". The `finding` map that was available in filter CEL environments is now available in validate CEL environments too. Gotta have consistency. Added two new functions:

- `obfuscate`: mix up secrets in a way that respects character classes and provider prefixes
- `env`: load env variables in validate environments (must pass `--validation-env-var={var name you want to expose}`)
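To make the two new functions concrete, here is an added example (written for these notes, not code from betterleaks) of what "respects character classes and provider prefixes" and "must pass `--validation-env-var`" mean in practice. The `knownPrefixes` table, the `Obfuscate` and `EnvBinding` functions and the seed parameter are assumptions made for the example; betterleaks' own implementation may differ.

```go
package main

import (
	"fmt"
	"math/rand"
	"os"
	"strings"
	"unicode"
	"unicode/utf8"
)

// knownPrefixes is a constructed sample of provider prefixes kept intact so an
// obfuscated value still reads as "that provider's kind of token". It is an
// assumption for this example, not betterleaks' own prefix table.
var knownPrefixes = []string{"AKIA", "ASIA", "ghp_", "sk_live_", "xoxb-"}

// charClass groups runes so that shuffling never turns a digit into a letter
// or changes case; class 3 (punctuation, separators) is never moved at all.
func charClass(r rune) int {
	switch {
	case unicode.IsUpper(r):
		return 0
	case unicode.IsLower(r):
		return 1
	case unicode.IsDigit(r):
		return 2
	default:
		return 3
	}
}

// Obfuscate keeps any known provider prefix, then permutes the remaining runes
// only among runes of the same class. Length, prefix and the character class at
// every position survive, so the result still matches the same detection rule
// and is safe to put in a report or a test fixture; the shuffled value is no
// longer a usable credential. seed makes the permutation reproducible.
func Obfuscate(secret string, seed int64) string {
	prefixLen := 0
	for _, p := range knownPrefixes {
		if strings.HasPrefix(secret, p) && len(p) > prefixLen {
			prefixLen = len(p)
		}
	}
	out := []rune(secret)
	body := out[utf8.RuneCountInString(secret[:prefixLen]):] // shares backing array with out
	var positions [3][]int
	for i, r := range body {
		if c := charClass(r); c < 3 {
			positions[c] = append(positions[c], i)
		}
	}
	rng := rand.New(rand.NewSource(seed))
	for _, idx := range positions {
		rng.Shuffle(len(idx), func(a, b int) {
			body[idx[a]], body[idx[b]] = body[idx[b]], body[idx[a]]
		})
	}
	return string(out)
}

// EnvBinding mirrors the allow-list idea behind --validation-env-var: the
// returned lookup reveals a variable only if its name was explicitly exposed,
// so a validation expression cannot read the whole process environment.
func EnvBinding(exposed ...string) func(name string) (string, bool) {
	allow := make(map[string]bool, len(exposed))
	for _, n := range exposed {
		allow[n] = true
	}
	return func(name string) (string, bool) {
		if !allow[name] {
			return "", false
		}
		return os.LookupEnv(name)
	}
}

func main() {
	// constructed sample values; not real credentials
	fmt.Println(Obfuscate("AKIAXYZSAMPLE1234ABCD", 7))
	fmt.Println(Obfuscate("ghp_abcDEF123ghiJKL456", 7))
	os.Setenv("EXAMPLE_TOKEN", "sample-value")
	lookup := EnvBinding("EXAMPLE_TOKEN")
	fmt.Println(lookup("EXAMPLE_TOKEN"))
	fmt.Println(lookup("PATH"))
}
```

The allow-list shape is the point of `--validation-env-var`: a validation step usually needs one API token to call a provider and confirm a finding, and exposing only that name keeps the rest of the CI environment out of reach of the CEL expression.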
Changelog
- Consistent cel vars by @zricethezav in #118
- fix: log JSON parse error in HTTP response handler by @PachkaKofe04 in #111
- Fix archive misidentification issue by @bplaxco in #119
- Archive continue on err by @bplaxco in #121
- expose some context for filtering/validation by @zricethezav in #130
- obfuscate secret by @zricethezav in #131
- Feat/validation env vars by @zricethezav in #132
- Feat/needs validation status by @zricethezav in #133
- fix: Remove stray comma from nytimes identifier by @PachkaKofe04 in #127
- Feat/s3 source by @zricethezav in #122
- switch to gha releases via tag pushes by @zricethezav in #142
New Contributors
- @PachkaKofe04 made their first contribution in #111
Full Changelog: v1.2.0...v1.3.0