Docker Images

A prebuilt multiplatform Docker image for this release is available for x86_64 and ARM64 architectures:

```
docker pull ghcr.io/praetorian-inc/noseyparker:v0.19.0
```

Additionally, a prebuilt Alpine-based image is also available for x86_64 and ARM64 architectures:

```
docker pull ghcr.io/praetorian-inc/noseyparker-alpine:v0.19.0
```
Additions

- The `scan` and `github repos list` commands offer a new `--github-repo-type={all,source,fork}` option to select a subset of repositories (#204).
- A category mechanism is now provided for rules (#208). Each rule can have zero or more freeform text categories assigned to it. The existing rules have been updated with category information with the following meanings:
  - `secret`: the rule detects things that are in fact secrets
  - `identifier`: the rule detects things that are not secrets but could be used to enumerate additional resources (e.g., S3 bucket names)
  - `hashed`: the rule detects hashed payloads (e.g., bcrypt hashes)
  - `test`: the rule detects test deployment-specific payloads (e.g., Stripe test keys)
  - `api`: the rule detects payloads used for API access
  - `generic`: the rule is a "generic" one rather than one that detects a specific type of payload (e.g., username/password pairs)
  - `fuzzy`: the rule pattern requires matching of non-payload surrounding context

  The category information is included in the output of the `rules list` command.
Changes

- The `scan` and `github repos list` commands now only consider non-forked repositories by default (#204). The previous behavior can be restored using the `--github-repo-type=all` option.
- The Alpine-based Docker image has been updated to use the `alpine:latest` base image instead of `alpine:3.18` (#201).
- The "Blynk Organization" rules have been refined (#208). The two "Blynk Organization Client ID" and two "Blynk Organization Client Secret" variations have been subsumed by two new `Blynk Organization Client Credential` rules. These new rules combine the client ID and client secret into single findings instead of reporting them as two separate findings as previously.
- Several rules have been renamed (#208):
  - `AWS S3 Bucket (subdomain style)` -> `AWS S3 Bucket`
  - `AWS S3 Bucket (path style)` -> `AWS S3 Bucket`
  - `Blynk Organization Access Token (URL first)` -> `Blynk Organization Access Token`
  - `Blynk Organization Access Token (URL last)` -> `Blynk Organization Access Token`
  - `Generic Password (double quoted)` -> `Generic Password`
  - `Generic Password (single quoted)` -> `Generic Password`
  - `Generic Username and Password (quoted)` -> `Generic Username and Password`
  - `Generic Username and Password (unquoted)` -> `Generic Username and Password`
  - `Google Cloud Storage Bucket (path style)` -> `Google Cloud Storage Bucket`
  - `Google Cloud Storage Bucket (subdomain style)` -> `Google Cloud Storage Bucket`
  - `Google OAuth Client Secret (prefixed)` -> `Google OAuth Client Secret`
  - `New Relic License Key (non-suffixed)` -> `New Relic License Key`
  - `particle.io Access Token (URL first)` -> `particle.io Access Token`
  - `particle.io Access Token (URL last)` -> `particle.io Access Token`

  Note that although several rules now share the same name, they all still have distinct IDs.
- The default set of patterns for the existing gitignore-style path-based exclusion mechanism (`scan --ignore=GITIGNORE_FILE`) has been expanded (#209). The new patterns cover test files from things like vendored Python, Node.js, and Go packages.
- The gitignore-style path-based exclusion patterns (`scan --ignore=GITIGNORE_FILE`) now also apply to content found within Git history, not just to paths on the filesystem (#209). When a blob is found in Git history with at least one associated pathname, and all of the associated pathnames match the ignore rules, the blob is not scanned.
- The Rust version required to build has been bumped from 1.76 to 1.77. This is necessary to support C-string literals in the `rusqlite` crate.
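The Git-history ignore rule described above, as an added Python example that is not Nosey Parker's own code: each blob carries the pathnames it was reached by in history, and it is skipped only when it has at least one pathname and every one of them matches an ignore pattern. The matcher uses simplified fnmatch-style semantics rather than full gitignore semantics, and the patterns and blobs are constructed samples, not the project's defaults.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed sample patterns in the spirit of the expanded default ignore set
# (vendored and minified files); not the project's actual pattern list.
IGNORE_PATTERNS = ["node_modules/", "vendor/", "*.min.js"]


@dataclass
class Blob:
    """A Git blob plus every pathname it was reached by in history."""
    blob_id: str
    pathnames: list[str] = field(default_factory=list)


def path_is_ignored(path: str, patterns: list[str]) -> bool:
    """Simplified gitignore-style match (assumption: fnmatch semantics).
    'dir/' ignores anything below a component named dir; a pattern with a
    slash matches the whole path; otherwise it matches any one component."""
    parts = path.split("/")
    for pat in patterns:
        if pat.endswith("/"):
            if pat.rstrip("/") in parts[:-1]:
                return True
        elif "/" in pat:
            if fnmatch.fnmatchcase(path, pat):
                return True
        elif any(fnmatch.fnmatchcase(part, pat) for part in parts):
            return True
    return False


def should_scan_blob(blob: Blob, patterns: list[str]) -> bool:
    """Scan unless the blob has >= 1 pathname and all of them are ignored."""
    if not blob.pathnames:
        return True  # nothing to judge by, so it is scanned
    return not all(path_is_ignored(p, patterns) for p in blob.pathnames)


def partition_blobs(blobs, patterns):
    """Split blobs into (to_scan, skipped) lists of blob ids."""
    scan = [b.blob_id for b in blobs if should_scan_blob(b, patterns)]
    skip = [b.blob_id for b in blobs if not should_scan_blob(b, patterns)]
    return scan, skip


# Constructed sample history; ids are placeholders, not real object hashes.
SAMPLE_BLOBS = [
    Blob("blob-vendored-test", ["node_modules/pkg/test/fixture.js"]),
    Blob("blob-moved-config", ["vendor/lib/config.py", "src/config.py"]),
    Blob("blob-minified", ["static/app.min.js"]),
    Blob("blob-no-paths", []),
]
```

The second blob is still scanned because one of its historical paths (`src/config.py`) is not ignored, which is the case that matters for a secret that was later moved out of a vendored directory.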