Add detection for sensitive config values in Compose files (#1038)

commit111 · nullfunc · lionello · web-flow · commit b5279a14155d · 2025-03-04T17:03:37.000-08:00
* draft config detector

* add transformers (may be broken)

* fixed scanner to use detectors

* move into its own function

* added tests for config detector

* revise fn to return a list of types

* make the keyword and high entropy detectors work

* add go mod

* comments for config detector function

* run config detect on env vars in compose file in CLI

* add compose tests

* edit dx message

* edit description of function

* add aws and github detectors

* improve dx message

* fix nil check for value

* update vendorhash

* Delete .vscode/launch.json

* add comments for threshold

* remove package main comment

* fix comma

* added back the json transformer for url_password detector

* Apply suggestions from code review

Co-authored-by: Lio李歐 &lt;lionello@users.noreply.github.com&gt;

* use fmt to wrap errors instead of errors.New()

* fix compose warnings test data

* change name to sensitive (to not trigger the keyword detector)

* make test become subtests

* use logical expression instead of json to create config

---------

Co-authored-by: Eric Liu &lt;eric.liu@defang.io&gt;
Co-authored-by: Lio李歐 &lt;lionello@users.noreply.github.com&gt;
diff --git a/pkgs/defang/cli.nix b/pkgs/defang/cli.nix
@@ -7,7 +7,7 @@ buildGoModule {
   pname = "defang-cli";
   version = "git";
   src = ../../src;
-  vendorHash = "sha256-of8K2h3gYoOdxHmBDXKiRfm35YeVE5R4WOy0pcSim4c=";
+  vendorHash = "sha256-tLjXqnA8zkLtJrchO/FpIjimtC5YzW/0f7mL6RJLnSQ=";
 
   subPackages = [ "cmd/cli" ];
 
diff --git a/src/go.mod b/src/go.mod
@@ -11,6 +11,7 @@ require (
 	cloud.google.com/go/secretmanager v1.14.2
 	cloud.google.com/go/storage v1.46.0
 	github.com/AlecAivazis/survey/v2 v2.3.7
+	github.com/DefangLabs/secret-detector v0.0.0-20250108223530-c2b44d4c1f8f
 	github.com/aws/aws-sdk-go-v2 v1.32.6
 	github.com/aws/aws-sdk-go-v2/config v1.26.6
 	github.com/aws/aws-sdk-go-v2/service/cloudformation v1.42.6
@@ -74,11 +75,15 @@ require (
 	github.com/envoyproxy/go-control-plane v0.13.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.0.0 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
@@ -95,6 +100,7 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20241021214115-324edc3d5d38 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 // indirect
 	google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a // indirect
+	gopkg.in/ini.v1 v1.66.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
 
diff --git a/src/go.sum b/src/go.sum
@@ -34,6 +34,8 @@ github.com/AlecAivazis/survey/v2 v2.3.7/go.mod h1:xUTIdE4KCOIjsBAE1JYsUPoCqYdZ1r
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/DefangLabs/secret-detector v0.0.0-20250108223530-c2b44d4c1f8f h1:RTbUqLhPxejgK92ifVdMTIW9H23QLlscy8QXPDTfaL4=
+github.com/DefangLabs/secret-detector v0.0.0-20250108223530-c2b44d4c1f8f/go.mod h1:2UjtD/G/Sy2FxoHpxKnzHTXMpRURecwYal8HgbxcvkY=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1 h1:pB2F2JKCj1Znmp2rwxxt1J0Fg0wezTMgWYk5Mpbi1kg=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1/go.mod h1:itPGVDKf9cC/ov4MdvJ2QZ0khw4bfoo9jzwTJlaxy2k=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 h1:UQ0AhxogsIRZDkElkblfnwjc3IaltCm2HUMvezQaL7s=
@@ -159,6 +161,8 @@ github.com/go-viper/mapstructure/v2 v2.0.0 h1:dhn8MZ1gZ0mzeodTG3jt5Vj/o87xZKuNAp
 github.com/go-viper/mapstructure/v2 v2.0.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -203,10 +207,14 @@ github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWm
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
+github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
 github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
 github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
@@ -215,6 +223,8 @@ github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf h1:FtEj8sfIcaaBfAKrE1Cwb61YDtYq9JxChK1c7AKce7s=
+github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf/go.mod h1:yrqSXGoD/4EKfF26AOGzscPOgTTJcyAwM2rpixWT+t4=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
@@ -450,6 +460,8 @@ google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojt
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/ini.v1 v1.66.2 h1:XfR1dOYubytKy4Shzc2LHrrGhU0lDCfDGG1yLPmpgsI=
+gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
diff --git a/src/pkg/cli/compose/config_detector.go b/src/pkg/cli/compose/config_detector.go
@@ -0,0 +1,42 @@
+package compose
+
+import (
+	"fmt"
+
+	"github.com/DefangLabs/secret-detector/pkg/scanner"
+)
+
+// assume that the input is a key-value pair string
+func detectConfig(input string) (detectorTypes []string, err error) {
+	// Detectors check for certain formats in a string to determine if it contains a secret.
+	// Some detectors allow additional configuration options, such as:
+	// 		keyword: key contains a keyword (e.g. KEY, PASSWORD, SECRET, TOKEN, etc.)
+	// 		high_entropy_string: calculated high entropy (randomness) in a string
+	// These detectors require an entropy threshold value (0 = low entropy, 4+ = very high entropy).
+
+	// create a custom scanner config
+	cfg := scanner.NewConfigWithDefaults()
+	cfg.Transformers = []string{"json"}
+	cfg.DetectorConfigs["keyword"] = []string{"3"}
+	cfg.DetectorConfigs["high_entropy_string"] = []string{"3"}
+
+	// create a scanner from scanner config
+	scannerClient, err := scanner.NewScannerFromConfig(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("Failed to make a config detector: %w", err)
+	}
+
+	// scan the input
+	ds, err := scannerClient.Scan(input)
+	if err != nil {
+		return nil, fmt.Errorf("Failed to scan input: %w", err)
+	}
+
+	// return a list of detector types
+	list := []string{}
+	for _, d := range ds {
+		list = append(list, d.Type)
+	}
+
+	return list, nil
+}
diff --git a/src/pkg/cli/compose/config_detector_test.go b/src/pkg/cli/compose/config_detector_test.go
@@ -0,0 +1,46 @@
+package compose
+
+import "testing"
+
+func TestDetectConfig(t *testing.T) {
+	tests := []struct {
+		input          string
+		expectedOutput []string
+	}{
+		{"", nil},
+		{"not a secret", nil},
+		{"https://user:p455w0rd@example.com", []string{"URL with password"}},
+		{"LINK: https://user:p455w0rd@example.com, LINK: https://user:p845w0rd@example.com", []string{"URL with password", "URL with password"}},
+		{"api-key=50m34p1k3y", []string{"Keyword Detector"}},
+		{"1234567890abcdef", []string{"High entropy string"}},
+		{"ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890", []string{"Github authentication"}},
+		{"AROA1234567890ABCDEF", []string{"AWS Client ID"}},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.input, func(t *testing.T) {
+			ds, err := detectConfig(tt.input)
+
+			//check for error
+			if err != nil {
+				if len(tt.expectedOutput) > 0 && tt.expectedOutput[0] != "" {
+					t.Errorf("Error: %v", err)
+				}
+				return
+			}
+
+			// check for length of the output
+			if len(ds) != len(tt.expectedOutput) {
+				t.Errorf("Expected %d detector types, but got %d", len(tt.expectedOutput), len(ds))
+				return
+			}
+
+			// check for the output values
+			for i, d := range ds {
+				if d != tt.expectedOutput[i] {
+					t.Errorf("Expected detector type %s, but got %s", tt.expectedOutput[i], d)
+				}
+			}
+		})
+	}
+}
diff --git a/src/pkg/cli/compose/validation.go b/src/pkg/cli/compose/validation.go
@@ -194,6 +194,27 @@ func validateService(svccfg *composeTypes.ServiceConfig, project *composeTypes.P
 			term.Warnf("unsupported secret %q: not marked external:true", secret.Source) // TODO: support secrets from environment/file
 		}
 	}
+
+	// check for compose file environment variables that may be sensitive
+	for key, value := range svccfg.Environment {
+		if value != nil {
+			// format input as a key-value pair string
+			input := key + "=" + *value
+
+			// call detectConfig to check for sensitive information
+			ds, err := detectConfig(input)
+			if err != nil {
+				return fmt.Errorf("service %q: %w", svccfg.Name, err)
+			}
+
+			// show warning if sensitive information is detected
+			if len(ds) > 0 {
+				term.Warnf("service %q: environment %q may contain sensitive information; consider using 'defang config set %s' to securely store this value", svccfg.Name, key, key)
+				term.Debugf("service %q: environment %q may contain detected secrets of type: %q", svccfg.Name, key, ds)
+			}
+		}
+	}
+
 	err := validatePorts(svccfg.Ports)
 	if err != nil {
 		return err
diff --git a/src/testdata/configdetection/compose.yaml b/src/testdata/configdetection/compose.yaml
@@ -0,0 +1,10 @@
+services:
+  configdetection:
+    image: alpine
+    environment:
+      - API_KEY=50m34p1k3y # keyword detector
+      - AWS_CLIENT_ID=AROA1234567890ABCDEF # aws_client_id detector
+      - GH_PAT=ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890 # github detector
+      - HIGH_ENTROPY_STRING=1234567890abcdef # high_entropy_string detector
+      - MY_URL=https://user:p455w0rd@example.com # url_password detector
+      - NOT_SENSITIVE=notsensitive
diff --git a/src/testdata/configdetection/compose.yaml.fixup b/src/testdata/configdetection/compose.yaml.fixup
@@ -0,0 +1,18 @@
+{
+  "configdetection": {
+    "command": null,
+    "entrypoint": null,
+    "environment": {
+      "API_KEY": "50m34p1k3y",
+      "AWS_CLIENT_ID": "AROA1234567890ABCDEF",
+      "GH_PAT": "ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890",
+      "HIGH_ENTROPY_STRING": "1234567890abcdef",
+      "MY_URL": "https://user:p455w0rd@example.com",
+      "NOT_SENSITIVE": "notsensitive"
+    },
+    "image": "alpine",
+    "networks": {
+      "default": null
+    }
+  }
+}
diff --git a/src/testdata/configdetection/compose.yaml.golden b/src/testdata/configdetection/compose.yaml.golden
@@ -0,0 +1,16 @@
+name: configdetection
+services:
+  configdetection:
+    environment:
+      API_KEY: 50m34p1k3y
+      AWS_CLIENT_ID: AROA1234567890ABCDEF
+      GH_PAT: ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890
+      HIGH_ENTROPY_STRING: 1234567890abcdef
+      MY_URL: https://user:p455w0rd@example.com
+      NOT_SENSITIVE: notsensitive
+    image: alpine
+    networks:
+      default: null
+networks:
+  default:
+    name: configdetection_default
diff --git a/src/testdata/configdetection/compose.yaml.warnings b/src/testdata/configdetection/compose.yaml.warnings
@@ -0,0 +1,6 @@
+ ! service "configdetection": environment "API_KEY" may contain sensitive information; consider using 'defang config set API_KEY' to securely store this value
+ ! service "configdetection": environment "AWS_CLIENT_ID" may contain sensitive information; consider using 'defang config set AWS_CLIENT_ID' to securely store this value
+ ! service "configdetection": environment "GH_PAT" may contain sensitive information; consider using 'defang config set GH_PAT' to securely store this value
+ ! service "configdetection": environment "HIGH_ENTROPY_STRING" may contain sensitive information; consider using 'defang config set HIGH_ENTROPY_STRING' to securely store this value
+ ! service "configdetection": environment "MY_URL" may contain sensitive information; consider using 'defang config set MY_URL' to securely store this value
+ ! service "configdetection": missing memory reservation; using provider-specific defaults. Specify deploy.resources.reservations.memory to avoid out-of-memory errors
