Releases: praetorian-inc/noseyparker
Nosey Parker v0.12.0
A prebuilt Docker image for this release is available for x86_64 architectures:
docker pull ghcr.io/praetorian-inc/noseyparker:v0.12.0
Additions
-
The
scancommand can now be given Git https URLs, GitHub usernames, and GitHub organization names as inputs, and will enumerate, clone, and scan as appropriate (#14). -
Nosey Parker now has rudimentary support for enumerating repositories from GitHub users and organizations (#15). The new
github repos listcommand uses the GitHub REST API to enumerate repositories belonging to one or more users or organizations. An optional GitHub Personal Access Token can be provided via theNP_GITHUB_TOKENenvironment variable. -
Nosey Parker now has an optional
rule_profilingcrate feature that causes performance-related statistics to be collected and reported when scanning. This feature imposes some performance cost and is only useful to rule authors, and so is disabled by default. -
Many new rules have been added:
- Adobe OAuth Client Secret
- Age Identity (X22519 secret key)
- Age Recipient (X25519 public key)
- crates.io API Key
- DigitalOcean Application Access Token
- DigitalOcean Personal Access Token
- DigitalOcean Refresh Token
- Figma Personal Access Token
- GitLab Personal Access Token
- GitLab Pipeline Trigger Token
- GitLab Runner Registration Token
- Google OAuth Client Secret (prefixed)
- New Relic API Service Key
- New Relic Admin API Key
- New Relic Insights Insert Key
- New Relic Insights Query Key
- New Relic License Key
- New Relic License Key (non-suffixed)
- New Relic Pixie API Key
- New Relic Pixie Deploy Key
- New Relic REST API Key
- NPM Access Token (fine-grained)
- OpenAI API Key
- Segment Public API Token
- Shopify Access Token (Custom App)
- Shopify Access Token (Legacy Private App)
- Shopify Access Token (Public App)
- Shopify App Secret
- Shopify Domain
- RubyGems API Key
- Telegram Bot Token
These rules match token formats that are well-specified fixed-length strings with notable prefixes or suffixes, and so should produce very few false positives.
-
Several existing rules were modified to improve signal-to-noise:
- Azure Connection String
- Credentials in ODBC Connection String
- PyPI Upload Token
-
The
reportcommand now offers rudimentary SARIF support (#4). Thanks you @Coruscant11!
Changes
-
Several default rules have been revised to improve performance of the matching engine and to produce fewer false positives. In particular, several rules previously had avoided using a trailing
\banchor after secret content which could include a literal-character, due to a matching discrepancy between Hyperscan and Rust'sregexlibrary. These have been revised to use a more complicated but functional anchoring pattern. -
The
JSON Web Token (base64url-encoded)rule has been changed to only produce a single match group instead of three. -
The
Google Client Secretrule has been improved to detect additional occurrences and has been renamed toGoogle OAuth Client Secret. -
Blobs are now deduplicated at enumeration time when first enumerating a Git repository, rather than only at scan time. This results in more accurate progress bars.
-
When scanning, Git repositories are now opened twice: once at input enumeration time, and once at scanning time. This drastically reduces the amount of memory required to scan a large number of Git repositories.
Fixes
- When scanning, the datastore is now explicitly excluded from filesystem enumeration. This ensures that files used internally for Nosey Parker's operation are not inadvertently scanned (#32).
Contributors
Assets 2
Nosey Parker v0.11.0
This is the first released version of Nosey Parker. Its scan, summarize, and report commands are functional. It is able to scan files, directories, and the complete history of Git repositories at several hundred megabytes per second per core. It comes with 58 rules.
A prebuilt Docker image for this release is available for x86_64 architectures:
docker pull ghcr.io/praetorian-inc/noseyparker:v0.11.0