CatchIT open-sourcing announcement from Goldman Sachs


Bhattacharjee, Aniruddha

Sep 13, 2021, 5:47:18 AM
to anno...@finos.org, Maurizio Pillitu

CatchIT Secret Scanner

We are proud to announce that a Goldman Sachs-developed tool called CatchIT has been released as open source, and we request your engagement to contribute to the tool to make it better. CatchIT Secret Scanner detects sensitive information in source code with a strong emphasis on low execution time, CI/CD integration, high customization and minimizing false positive rates. CatchIT is a simple yet powerful framework that helps developers and organizations mitigate the risk of credential leakage, which further minimizes disruption to the developer experience. It can be embedded as an ad-hoc job in the CI/CD pipeline, as a Python zip app or as a Docker image, and thus eliminates the need to deploy or maintain a dedicated server. It is a regex-based scanner that leverages the Linux commands grep and find to search for pre-defined regular expressions. CatchIT uses entropy (of the identified findings) and confidence (of a specific regular expression) to further prioritise results and classify them into distinct categories. CatchIT scans for sensitive code, passwords, AWS account IDs, GCP keys as well as sensitive files such as KEY and PEM files, among others. It provides results in JSON format. Currently it contains the following regular expressions to identify secrets and files:

Secrets:

AWS-ID

PASSWORD

PASSWORD-ARGUMENT

PASSWORD-URL

GCP-API-KEY

JWT


Files:

RSA_KEYS

SSH_KEYS_DIR

SSH_KEYS_DIR2

SSH_AUTH_KEYS

PEM

KEY

KEYTAB

CRT-CER

Your feedback, issues and contributions are more than welcome. You can check out the project here: https://github.com/finos/CatchIT and more information about contributing to the project can be found here: https://github.com/finos/CatchIT/blob/main/CONTRIBUTING.md. We will be eagerly waiting to hear from you!


Thanks to the FINOS community for a warm welcome!


Gunwant

Aniruddha

Anish




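As an added illustration (not CatchIT's own code, and not taken from the announcement), the following Python sketches the approach described above: regex rules with a per-rule confidence, Shannon entropy of the matched value, a combined severity band, file-name rules, and JSON output. The rule names follow the announcement's list, but every pattern, confidence value, threshold, the placeholder allow-list and the sample files are assumptions of this example, and pure-Python matching stands in for the grep and find commands the tool itself uses.

```python
"""Regex + entropy secret scanning in the style the announcement describes.

Added illustration only: this is not CatchIT's code. Rule names mirror the
announcement's list; every pattern, confidence, threshold and the placeholder
allow-list are assumptions, and pure-Python matching replaces grep/find.
"""
import json
import math
import re
from typing import Dict, List

# Content rules: (name, regex with the secret in group 1, confidence 0..1).
# Patterns are deliberately simplified for readability (assumed, not CatchIT's).
SECRET_RULES = [
    ("AWS-ID", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.9),
    ("JWT", re.compile(r"\b(eyJ[\w-]+\.[\w-]+\.[\w-]+)\b"), 0.9),
    ("PASSWORD-URL", re.compile(r"[a-z][a-z0-9+.-]*://[^:/@\s]+:([^@\s]+)@"), 0.8),
    ("PASSWORD-ARGUMENT", re.compile(r"(?i)(?:--password|-p)[=\s]+(\S+)"), 0.6),
    ("PASSWORD", re.compile(r'(?i)password\s*[:=]\s*["\']?([^"\'\s]+)'), 0.5),
]

# File-name rules: the announcement lists only rule names; these suffixes are assumed.
FILE_RULES = [
    ("PEM", re.compile(r"\.pem$")),
    ("KEY", re.compile(r"\.key$")),
    ("CRT-CER", re.compile(r"\.(crt|cer)$")),
    ("SSH_AUTH_KEYS", re.compile(r"(^|/)authorized_keys$")),
]

# Values that match a rule syntactically but are unresolved placeholders (assumed list).
PLACEHOLDER = re.compile(r"^(\$\{[^}]*\}|\$[A-Z_]+|<[^>]*>|changeme|example)$", re.I)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not value:
        return 0.0
    n = len(value)
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(entropy: float, confidence: float) -> str:
    """Assumed priority bands combining rule confidence with value entropy."""
    if confidence >= 0.8 and entropy >= 3.0:
        return "HIGH"
    if confidence >= 0.5 and entropy >= 2.5:
        return "MEDIUM"
    return "LOW"


def scan_content(path: str, text: str) -> List[dict]:
    """Apply SECRET_RULES line by line; keep the highest-confidence rule per value."""
    best: Dict[tuple, dict] = {}  # (line_no, secret) -> finding
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, confidence in SECRET_RULES:
            for match in pattern.finditer(line):
                secret = match.group(1)
                if PLACEHOLDER.match(secret):
                    continue  # suppress obvious placeholders to cut false positives
                key = (line_no, secret)
                if key in best and best[key]["confidence"] >= confidence:
                    continue
                entropy = round(shannon_entropy(secret), 3)
                best[key] = {
                    "type": "secret", "rule": name, "path": path, "line": line_no,
                    "secret": secret, "entropy": entropy, "confidence": confidence,
                    "severity": classify(entropy, confidence),
                }
    return [best[k] for k in sorted(best)]


def scan_filename(path: str) -> List[dict]:
    """Flag sensitive files by name alone (the 'find' half of the approach)."""
    return [{"type": "file", "rule": name, "path": path, "severity": "HIGH"}
            for name, pattern in FILE_RULES if pattern.search(path)]


def scan_tree(files: Dict[str, str]) -> List[dict]:
    """Scan an in-memory {path: content} tree and return JSON-ready findings."""
    findings: List[dict] = []
    for path in sorted(files):
        findings.extend(scan_filename(path))
        findings.extend(scan_content(path, files[path]))
    return findings


# Constructed sample repository; the AWS key id is the placeholder from AWS's own docs.
SAMPLE_FILES = {
    "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDB_PASSWORD = "hunter2"\n',
    "scripts/deploy.sh": 'mysql -u root --password=aaaa\nexport DB_URL="postgres://app:${DB_PASSWORD}@db:5432/app"\n',
    "certs/server.pem": "-----BEGIN PRIVATE KEY-----\n(placeholder, not a real key)\n",
}

if __name__ == "__main__":
    print(json.dumps(scan_tree(SAMPLE_FILES), indent=2))
```

On the sample tree the PEM file is flagged by name, the AWS-style key id ranks HIGH, the literal password ranks MEDIUM, the repeated-character argument `aaaa` drops to LOW on entropy alone, and the `${DB_PASSWORD}` reference in the URL is suppressed as a placeholder, which is the kind of entropy-and-confidence triage the announcement describes.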