Skip to content

PlaytikaOSS/Leaktopus

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

128 Commits
.github/workflows
.github/workflows
 
 
docs/backend/enhance_potential_leak_source_use_case
docs/backend/enhance_potential_leak_source_use_case
 
 
elasticsearch
elasticsearch
 
 
extensions
extensions
 
 
kibana
kibana
 
 
leaktopus_backend
leaktopus_backend
 
 
leaktopus_frontend
leaktopus_frontend
 
 
logos
logos
 
 
logstash
logstash
 
 
scripts
scripts
 
 
.dockerignore
.dockerignore
 
 
.env.example
.env.example
 
 
.gitignore
.gitignore
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
docker-compose.dev.yml
docker-compose.dev.yml
 
 
docker-compose.override.example.yml
docker-compose.override.example.yml
 
 
docker-compose.yml
docker-compose.yml
 
 
pytest.ini
pytest.ini
 
 

Repository files navigation

💦Leaktopus🐙

Keep your source code under control.

Based on the Code C.A.I.N framework:

🐦 Canarytokens

🔎 Automated Inspection

💣 Neutralization

License

Key Features

  • Plug&Play - one line installation with Docker.

  • Scan various sources containing a set of keywords, e.g. ORGANIZATION-NAME.com.

    Currently supports:

    • GitHub
      • Repositories
      • Gists (coming soon)
    • Paste sites (e.g., PasteBin) (coming soon)

  • Filter results with a built-in heuristic engine.

  • Enhance results with IOLs (Indicators Of Leak):

    • Secrets in the found sources (including Git repos commits history):
    • URIs (Including indication of your organization's domains)
    • Emails (Including indication of your organization's email addresses)
    • Contributors
    • Sensitive keywords (e.g., canary token, internal domains)

  • Allows to ignore public sources, (e.g., "junk" repositories by web crawlers).

  • OOTB ignore list of common "junk" sources.

  • Acknowledge a leak, and only get notified if the source has been modified since the previous scan.

  • Built-in ELK to search for data in leaks (including full index of Git repositories with IOLs).

  • Notify on new leaks

    • MS Teams Webhook.
    • Slack Bot.
    • Cortex XSOAR® (by Palo Alto Networks) Integration (WIP).

Technology Stack

  • Fully Dockerized.
  • API-first Python Flask backend.
  • Decoupled Vue.js (3.x) frontend.
  • SQLite DB.
  • Async tasks with Celery + Redis queues.

Prerequisites

  • Docker-Compose

Installation

  • Clone the repository
  • Create a local .env file 
    cd Leaktopus
cp .env.example .env
  • Edit .env according to your local setup (see the internal comments).
  • Run Leaktopus 
    docker-compose up -d
  • Initiate the installation sequence by accessing the installation API. Just open http://{LEAKTOPUS_HOST}:8000/api/install in your browser.
  • Check that the API is up and running at http://{LEAKTOPUS_HOST}:8000/up
  • The UI should be available at http://{LEAKTOPUS_HOST}:8080

Using Github App

In addition to the basic personal access token option, Leaktopus supports Github App authentication. Using Github App is recommended due to the increased rate limits.

  1. To use Github App authentication, you need to create a Github App and install it on your organization/account. See Github's documentation for more details.

  2. After creating the app, you need to set the following environment variables:

    • GITHUB_USE_APP=True
    • GITHUB_APP_ID
    • GITHUB_INSTALLATION_ID - The installation id can be found in your app installation.
    • GITHUB_APP_PRIVATE_KEY_PATH (defaults to /app/private-key.pem)

  3. Mount the private key file to the container (see docker-compose.yml for an example). ./leaktopus_backend/private-key.pem:/app/private-key.pem

* Note that GITHUB_ACCESS_TOKEN will be ignored if GITHUB_USE_APP is set to True.

Updating Leaktopus

If you wish to update your Leaktopus version (pulling a newer version), just follow the next steps.

  • Pull the latest version. 
    git pull
  • Rebuild Docker images (data won't be deleted). 
    # Force image recreation
docker-compose up --force-recreate --build
  • Run the DB update by calling its API (should be required after some updates). http://{LEAKTOPUS_HOST}/api/updatedb

Results Filtering Heuristic Engine

The built-in heuristic engine is filtering the search results to reduce false positives by:

  • Content:
    • More than X emails containing non-organizational domains.
    • More than X URIs containing non-organizational domains.
  • Metadata:
    • More than X stars.
    • More than X forks.
  • Sources ignore list.

API Documentation

OpenAPI documentation is available in http://{LEAKTOPUS_HOST}:8000/apidocs.

Leaktopus Services

Service Port Mandatory/Optional
Backend (API) 8000 Mandatory
Backend (Worker) N/A Mandatory
Redis 6379 Mandatory
Frontend 8080 Optional
Elasticsearch 9200 Optional
Logstash 5000 Optional
Kibana 5601 Optional

The above can be customized by using a custom docker-compose.yml file.

Security Notes

As for now, Leaktopus does not provide any authentication mechanism. Make sure that you are not exposing it to the world, and doing your best to restrict access to your Leaktopus instance(s).

Contributing

Contributions are very welcomed.

Please follow our contribution guidelines and documentation.

About

No description, website, or topics provided.

Resources

Readme

License

AGPL-3.0 license

Security policy

Security policy
Activity
Custom properties

Stars

30 stars

Watchers

5 watching

Forks

11 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 5

Languages