CatchIT Secret Scanner
We are proud to announce that a Goldman Sachs-developed tool called CatchIT has been released as open source, and we request your engagement to contribute to the tool to make it better.

CatchIT Secret Scanner detects sensitive information in source code, with a strong emphasis on low execution time, CI/CD integration, high customization and a minimal false-positive rate. CatchIT is a simple yet powerful framework that helps developers and organizations mitigate the risk of credential leakage, which in turn minimizes disruption to the developer experience. It can be embedded as an ad-hoc job in the CI/CD pipeline, as a Python zip app or as a Docker image, and thus eliminates the need to deploy or maintain a dedicated server.

It is a regex-based scanner that leverages the Linux commands grep and find to search for pre-defined regular expressions. CatchIT uses the entropy of each identified finding and the confidence of the matching regular expression to prioritise results and classify them into distinct categories. CatchIT scans for sensitive code, passwords, AWS account IDs and GCP keys, as well as sensitive files such as KEY and PEM files, among others. It reports results in JSON format. Currently it contains the following regular expressions to identify secrets and files:
Secrets:
AWS-ID
PASSWORD
PASSWORD-ARGUMENT
PASSWORD-URL
GCP-API-KEY
JWT
Files:
RSA_KEYS
SSH_KEYS_DIR
SSH_KEYS_DIR2
SSH_AUTH_KEYS
PEM
KEY
KEYTAB
CRT-CER
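To make the scoring model concrete, here is an added, self-contained Python illustration of the regex-plus-entropy approach described above. It is not CatchIT's own code: the rule names are borrowed from the list, but the regular expressions, confidence values, priority thresholds, the SENSITIVE-FILE rule and the sample files are all assumptions constructed for this example.

```python
"""Minimal regex-plus-entropy secret scanner in the spirit of CatchIT.

Added illustration only: the regexes, confidence values, scoring thresholds
and sample files below are assumptions for this example, not CatchIT's code.
"""
import json
import math
import re
from collections import Counter

# Hypothetical rules: (name, regex with the secret in group 1, confidence 0..1).
RULES = [
    ("AWS-ID", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.9),
    ("PASSWORD-ARGUMENT",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{6,})"), 0.6),
    ("PASSWORD-URL", re.compile(r"[a-z][a-z0-9+.\-]*://[^\s:/@]+:([^\s@/]+)@"), 0.8),
]

# Hypothetical file-name rule, analogous to the PEM / KEY / KEYTAB / CRT-CER checks.
SENSITIVE_FILE_SUFFIXES = (".pem", ".key", ".keytab", ".crt", ".cer")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(confidence: float, entropy: float) -> str:
    """Combine rule confidence with string entropy into a priority bucket (thresholds assumed)."""
    if confidence >= 0.8 or entropy >= 4.0:
        return "HIGH"
    if confidence >= 0.5 and entropy >= 3.0:
        return "MEDIUM"
    return "LOW"


def scan_text(path: str, text: str) -> list:
    """Run every regex over every line, score each hit and return JSON-ready dicts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, regex, confidence in RULES:
            for match in regex.finditer(line):
                secret = match.group(1)
                entropy = round(shannon_entropy(secret), 2)
                findings.append({
                    "file": path,
                    "line": lineno,
                    "rule": name,
                    "confidence": confidence,
                    "entropy": entropy,
                    "priority": classify(confidence, entropy),
                    # Mask the value so the report itself does not leak the secret.
                    "match": secret[:4] + "*" * (len(secret) - 4),
                })
    return findings


def scan_filename(path: str):
    """Flag key material by file name, the way the file rules above do."""
    if path.lower().endswith(SENSITIVE_FILE_SUFFIXES):
        return {"file": path, "rule": "SENSITIVE-FILE", "priority": "HIGH"}
    return None


def scan_files(files: dict) -> dict:
    """Scan an in-memory {path: contents} map; on disk you would walk the tree instead."""
    report = {"secrets": [], "files": []}
    for path, text in files.items():
        hit = scan_filename(path)
        if hit:
            report["files"].append(hit)
        report["secrets"].extend(scan_text(path, text))
    return report


def ci_exit_code(report: dict) -> int:
    """Non-zero when any HIGH finding exists, so a pipeline step can fail the build."""
    all_findings = report["secrets"] + report["files"]
    return 1 if any(f["priority"] == "HIGH" for f in all_findings) else 0


# Constructed sample repository (AKIAIOSFODNN7EXAMPLE is AWS's documented example key id).
SAMPLE_FILES = {
    "config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDB_PASSWORD = "changeme"\n',
    "deploy.sh": "curl https://deploy:hunter2@example.invalid/upload\n",
    "certs/server.pem": "-----BEGIN PRIVATE KEY-----\n(constructed placeholder body)\n"
                        "-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    result = scan_files(SAMPLE_FILES)
    print(json.dumps(result, indent=2))
    raise SystemExit(ci_exit_code(result))
```

Running it prints the JSON report and exits non-zero because two HIGH findings exist, which is the behaviour a CI/CD job needs to block a merge. Note how the two dimensions interact: the AWS key id and the credential embedded in a URL are HIGH on rule confidence alone, while "changeme" is caught by the PASSWORD-ARGUMENT rule but lands in LOW because both its confidence and its entropy are modest, which is the kind of ranking that keeps false positives from drowning the real hits.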
Your feedback, issues and contributions are more than welcome. You can check out the project here: https://github.com/finos/CatchIT and more information about contributing to the project can be found here: https://github.com/finos/CatchIT/blob/main/CONTRIBUTING.md. We will be eagerly waiting to hear from you!
Thanks to the FINOS community for a warm welcome!
Gunwant
Aniruddha
Anish