Nosey Parker v0.16.0
Docker Images
A prebuilt multiplatform Docker image for this release is available for x86_64 and ARM64 architectures:
docker pull ghcr.io/praetorian-inc/noseyparker:v0.16.0
Additionally, a prebuilt Alpine-based image is also available for x86_64 and ARM64 architectures:
docker pull ghcr.io/praetorian-inc/noseyparker-alpine:v0.16.0
Additions
-
The
scan
command now supports a new--copy-blobs={all,matching,none}
parameter. When specified asmatching
, a copy of each encountered blob that has matches will be saved to the datastore'sblobs
directory. When specified asall
, a copy of each encountered blob will be saved. The default value isnone
. This mechanism exists to aid in ad-hoc downstream investigation. Copied blobs are not used elsewhere in Nosey Parker at this point. -
A new advanced global command-line parameter has been exposed:
--sqlite-cache-size=SIZE
to control thepragma cache_size
value used in sqlite database connections
-
The datastore now contains two additional tables for to represent freeform comments and accept/reject status associated with findings. These additional tables are not currently populated in the open-source version of Nosey Parker. The
report
command now emits finding status and comment if populated. Note: the datastore format is not settled and is subject to change. -
A new "ruleset" mechanism has been added. A ruleset is a named collection of rules that can be selected as a group. The new
--ruleset=NAME
parameter toscan
can be used to enable alternative rulesets. Three built-in rulesets are provided (default
,np.assets
andnp.hashes
); the special ruleset nameall
enables all known rules. See the built-in rulesets atcrates/noseyparker/data/default/builtin/rulesets
for an example for writing your own. -
The default collection of rules has been pruned down to further emphasize signal-to-noise. Only rules that detect secret things are included in the default collection. Rules that detect other things, such as cloud assets, application IDs, or public keys, are not included in this set. Instead, those are in the
np.assets
ruleset, which is not enabled by default. No rules have been removed from Nosey Parker; rather, the defaults have been adjusted to support the most common use case (secrets detection). -
Additional checks have been added to the
rules check
command:- Each regex rule must have at least one capture group
- Each ruleset must have a globally-unique ID
- A ruleset's included rules must resolve to actual rules
- A ruleset should not include duplicate rules
-
A new
rules list
command is available, which lists available rules and rulesets. This command can emit its output in human-oriented format or in JSON format. -
New rules have been added:
- Dependency-Track API Key (Thank you @tpat13!)
- Password Hash (sha256crypt)
- Password Hash (sha512crypt)
- Password Hash (Cisco IOS PBKDF2 with SHA256)
- React App Username
- React App Password
-
A new global
--quiet
/-q
option has been added, which suppresses non-error feedback messages and disables progress bars (#97).
Fixes
-
Command-line parameters that can meaningfully accept negative numbers can now be specified without having to use
--PARAMETER=NEGATIVE_VALUE
syntax; a space can now separate the paraemter and the value. -
Fixed three rules that were missing capture groups:
- Age Recipient (X25519 public key)
- Age Identity (X22519 secret key)
- crates.io API Key
Due to nuanced details of how scanning is performed, rules without capture groups will never produce reported matches. An additional check was added to the
rules check
command and a couple assertions were added that should help prevent this type of error in the future. -
Fixed several rules:
- Amazon MWS Auth Token: the capture group was smaller than it should have been
- Microsoft Teams Webhook: changed 3 capture groups to 1; full URL is now included
- Slack Webhook: full URL is now included
-
The LICENSE, README.md, and CHANGELOG.md files are now included in prebuilt binary releases.
-
ANSI formatting sequences are now no longer included by default by the
report
command when the output is redirected to a file using the-o
/--outfile
parameter (#55). -
The
scan
command should no longer emit warnings likeFailed to decode entry in tree
. These warnings were due to a bug in the Git object parsing code in thegix
dependency, which was fixed upstream.
Changes
-
The
rules check
command invocation now behaves differently. It now no longer requires input paths to be specified. It will check the built-in rules for problems, and if additional paths are specified, will check those rules as well. This change was made so that thescan
,rules check
, andrules list
invocations have consistent interfaces. -
The default path-based ignore rules in Nosey Parker now ignore
packed-refs
files from Git repositories. -
Several rules have been changed:
- The
Slack
rule (idnp.slack.1
) has been removed, as it was redundant withSlack Token
. Slack Token
has been split intoSlack Bot Token
,Slack Legacy Bot Token
,Slack User Token
, andSlack App Token
.CodeClimate
was enhanced to detect additional cases and was renamed toCodeClimate Reporter ID
.md5crypt Hash
(idnp.md5.1
) has been renamed toPassword Hash (md5crypt)
and re-identified asnp.pwhash.1
.bcrypt Hash
(idnp.bcrypt.1
) has been renamed toPassword Hash (bcrypt)
and re-identified asnp.pwhash.2
.
- The
-
Log messages are written to stderr instead of stdout (#97).