praetorian-inc/noseyparker v0.19.0

Nosey Parker v0.19.0

on GitHub

Docker Images

A prebuilt multiplatform Docker image for this release is available for x86_64 and ARM64 architectures:

docker pull ghcr.io/praetorian-inc/noseyparker:v0.19.0

Additionally, a prebuilt Alpine-based image is also available for x86_64 and ARM64 architectures:

docker pull ghcr.io/praetorian-inc/noseyparker-alpine:v0.19.0

Additions

• The scan and github repos list commands offer a new --github-repo-type={all,source,fork} option to select a subset of repositories (#204).

• A category mechanism is now provided for rules (#208). Each rule can have zero or more freeform text categories assigned to it. The existing rules have been updated with category information with the following meanings:

  • secret: the rule detects things that are in fact secrets
  • identifier: the rule detects things that are not secrets but could be used to enumerate additional resources (e.g., S3 bucket names)
  • hashed: the rule detects hashed payloads (e.g., bcrypt hashes)
  • test: the rule detects test deployment-specific payloads (e.g., stripe test keys)
  • api: the rule detects payloads used for API access
  • generic: the rule is a "generic" one rather than one that detects a specific type of payload (e.g., username/password pairs)
  • fuzzy: the rule pattern requires matching of non-payload surrounding context

  The category information is included in output in the rules list command.

Changes

• The scan and github repos list commands now only consider non-forked repositories by default (#204). This behavior can be reverted to the previous behavior using the --github-repo-type=all option.

• The Alpine-based Docker image has been updated to use the alpine:latest base image instead of alpine:3.18 (#201).

• The "Blynk Organization" rules have been refined (#208). The two "Blynk Organization Client ID" and two "Blynk Organization Client Secret" variations have been subsumed by two new Blynk Organization Client Credential rules. These new rules combine the client ID and client secret into single findings instead of reporting them as two separate findings as previous.

• Several rules have been renamed (#208):

  • AWS S3 Bucket (subdomain style) -> AWS S3 Bucket
  • AWS S3 Bucket (path style) -> AWS S3 Bucket
  • Blynk Organization Access Token (URL first) -> Blynk Organization Access Token.
  • Blynk Organization Access Token (URL last) -> Blynk Organization Access Token.
  • Generic Password (double quoted) -> Generic Password
  • Generic Password (single quoted) -> Generic Password
  • Generic Username and Password (quoted) -> Generic Username and Password
  • Generic Username and Password (unquoted) -> Generic Username and Password
  • Google Cloud Storage Bucket (path style) -> Google Cloud Storage Bucket
  • Google Cloud Storage Bucket (subdomain style) -> Google Cloud Storage Bucket
  • Google OAuth Client Secret (prefixed) -> Google OAuth Client Secret
  • New Relic License Key (non-suffixed) -> New Relic License Key
  • particle.io Access Token (URL first) -> particle.io Access Token
  • particle.io Access Token (URL last) -> particle.io Access Token

  Note that although several rules share the same name now, they all still have distinct IDs.

• The default set of patterns for the existing gitignore-style path-based exclusion mechanism (scan --ignore=GITIGNORE_FILE) has been expanded (#209). The new patterns cover test files from things like vendored Python, Node.js, and Go packages.

• The gitignore-style path-based exclusion patterns (scan --ignore=GITIGNORE_FILE) now also apply to content found within Git history, and not just paths on the filesystem (#209). When a blob is found in Git history with at least 1 associated pathname, if all of the associated pathnames match the ignore rules, the blob is not scanned.

• The Rust version required to build has been bumped from 1.76 to 1.77. This is necessary to support C-string literals in the rusqlite crate.