Enrich secret patterns and able to skip files during scans

sebastian93921 · sebastian93921 · commit 1783400255e3 · 2024-10-04T09:36:22.000+08:00
diff --git a/README.md b/README.md
@@ -10,6 +10,7 @@ OOTT suits for pentesters and for code reviewing
 ./oott -localscan # Current directory
 ./oott -localscan -lp /tmp/
 ```
+Feel free to contribute the `secretpatterns.json` file to enrich the secret scanning capability
 
 ## Sub-domain scanning
 ```
diff --git a/cli/emailscan.go b/cli/emailscan.go
@@ -30,7 +30,7 @@ func StartEmailScan(domain string) []emails.EmailDetails {
 	}
 	helper.InfoPrintln("<========================================================================================")
 	helper.InfoPrintln("If you agree the uses of modules, press Enter to continue...")
-	fmt.Scanln()
+	_, _ = fmt.Scanln()
 
 	var emailLists []emails.EmailDetails
 	emailMap := make(map[string]string)
diff --git a/cli/root.go b/cli/root.go
@@ -59,6 +59,7 @@ func Start() {
 
 	// Util
 	flag.BoolVar(&lib.Config.LocalScanOnly, "localscan", false, "Perform local scanning only.")
+	flag.BoolVar(&lib.Config.LocalScanOnly, "l", false, "Perform local scanning only. (shorthand)")
 	flag.StringVar(&lib.Config.LocalScanPath, "lp", ".", "Local scanning path.")
 
 	flag.Parse()
diff --git a/cli/secretscan.go b/cli/secretscan.go
@@ -28,7 +28,7 @@ func StartSecretScan(domain string) []secrets.SecretDetails {
 	}
 	helper.InfoPrintln("<========================================================================================")
 	helper.InfoPrintln("If you agree the uses of modules, press Enter to continue...")
-	fmt.Scanln()
+	_, _ = fmt.Scanln()
 
 	var secretsLists []secrets.SecretDetails
 	for _, ss := range secretsScanner {
diff --git a/cli/subdomainscan.go b/cli/subdomainscan.go
@@ -42,7 +42,7 @@ func StartSubDomainScan(domain string) []subdomains.SubDomainDetails {
 	}
 	helper.InfoPrintln("<========================================================================================")
 	helper.InfoPrintln("If you agree the uses of modules, press Enter to continue...")
-	fmt.Scanln()
+	_, _ = fmt.Scanln()
 
 	var subdomainLists []subdomains.SubDomainDetails
 	for _, sf := range subdomainScanResults {
diff --git a/cli/webscan.go b/cli/webscan.go
@@ -47,7 +47,7 @@ func StartWebScan(domains []string) []webscans.WebsiteDetails {
 	}
 	helper.InfoPrintln("<========================================================================================")
 	helper.InfoPrintln("If you agree the uses of modules, press Enter to continue...")
-	fmt.Scanln()
+	_, _ = fmt.Scanln()
 
 	var websiteResults []webscans.WebsiteDetails
 	for _, sf := range webscanners {
diff --git a/common/github.go b/common/github.go
@@ -31,7 +31,7 @@ func SearchGithubRepoByKeyword(keywords string) []GithubRepo {
 		helper.ErrorPrintln("[!] No personal access token provided. Process can not be proceed...")
 		helper.ErrorPrintln("[!] Please go to https://github.com/settings/tokens to create one, no any permission needed.")
 		helper.ErrorPrintln("Press Enter to continue...")
-		fmt.Scanln()
+		_, _ = fmt.Scanln()
 		return nil
 	}
 
diff --git a/defaults/secretpatterns.json b/defaults/secretpatterns.json
@@ -44,8 +44,12 @@
     "HockeyApp": "(?i)hockey.{0,50}(\\\"|'|`)?[0-9a-f]{32}(\\\"|'|`)?",
     "Username and password in URI": "([\\w+]{1,24})(://)([^$<]{1})([^\\s\";]{1,}):([^$<]{1})([^\\s\";/]{1,})@[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,24}([^\\s]+)",
     "Password in file": "(?i)(?:password|pwd|passwd|pass)\\s*=\\s*(?:\"([^\"]+)\"|'([^']+)')",
+    "Password in URL": "[a-zA-Z]{3,10}://[^/\\s:@]{3,50}:[^/\\s:@]{3,50}@.{1,100}",
     "NuGet API Key": "oy2[a-z0-9]{43}",
+    "Base64 Encoded RSA Private Key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0t[%a-zA-Z0-9+\/]+={0,2}",
     "OpenWeather API Key": "(?i)appid=(\\\"|'|`)?[0-9a-f]{32}(\\\"|'|`)?",
+    "JFrog API Key": "AKCp8[a-zA-Z0-9]{68}",
     "StackHawk API Key": "hawk\\.[0-9A-Za-z\\-_]{20}\\.[0-9A-Za-z\\-_]{20}",
-    "OpenAI API Key": "api_key=(\"|'|`)([a-zA-Z0-9-]{32,})(\"|'|`)"
+    "OpenAI API Key": "api_key=(\"|'|`)([a-zA-Z0-9-]{32,})(\"|'|`)",
+    "Azure Open AI API Key": "[a|A][z|Z][u|U][r|R][e|E]_[o|O][p|P][e|E][n|N][a|A][i|I].+[k|K][e|E][y|Y].+['\"\\s][a-z0-9]{32}['\"\\s]"
 }
diff --git a/go.mod b/go.mod
@@ -1,20 +1,194 @@
 module oott
 
-go 1.20
+go 1.22.1
 
 require (
+	4d63.com/gocheckcompilerdirectives v1.2.1 // indirect
+	4d63.com/gochecknoglobals v0.2.1 // indirect
+	github.com/4meepo/tagalign v1.3.4 // indirect
+	github.com/Abirdcfly/dupword v0.1.1 // indirect
+	github.com/Antonboom/errname v0.1.13 // indirect
+	github.com/Antonboom/nilnil v0.1.9 // indirect
+	github.com/Antonboom/testifylint v1.4.3 // indirect
+	github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c // indirect
+	github.com/Crocmagnon/fatcontext v0.5.2 // indirect
+	github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect
+	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0 // indirect
+	github.com/Masterminds/semver/v3 v3.3.0 // indirect
+	github.com/OpenPeeDeeP/depguard/v2 v2.2.0 // indirect
 	github.com/PuerkitoBio/goquery v1.8.1 // indirect
+	github.com/alecthomas/go-check-sumtype v0.1.4 // indirect
+	github.com/alexkohler/nakedret/v2 v2.0.4 // indirect
+	github.com/alexkohler/prealloc v1.0.0 // indirect
+	github.com/alingse/asasalint v0.0.11 // indirect
 	github.com/andybalholm/cascadia v1.3.1 // indirect
+	github.com/ashanbrown/forbidigo v1.6.0 // indirect
+	github.com/ashanbrown/makezero v1.1.1 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bkielbasa/cyclop v1.2.1 // indirect
+	github.com/blizzy78/varnamelen v0.8.0 // indirect
+	github.com/bombsimon/wsl/v4 v4.4.1 // indirect
+	github.com/breml/bidichk v0.2.7 // indirect
+	github.com/breml/errchkjson v0.3.6 // indirect
+	github.com/butuzov/ireturn v0.3.0 // indirect
+	github.com/butuzov/mirror v1.2.0 // indirect
+	github.com/catenacyber/perfsprint v0.7.1 // indirect
+	github.com/ccojocar/zxcvbn-go v1.0.2 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/charithe/durationcheck v0.0.10 // indirect
+	github.com/chavacava/garif v0.1.0 // indirect
+	github.com/ckaznocha/intrange v0.2.0 // indirect
+	github.com/curioswitch/go-reassign v0.2.0 // indirect
+	github.com/daixiang0/gci v0.13.5 // indirect
 	github.com/dave/dst v0.27.3 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/denis-tingaikin/go-header v0.5.0 // indirect
 	github.com/ditashi/jsbeautifier-go v0.0.0-20141206144643-2520a8026a9c // indirect
-	github.com/fatih/color v1.15.0 // indirect
+	github.com/ettle/strcase v0.2.0 // indirect
+	github.com/fatih/color v1.17.0 // indirect
+	github.com/fatih/structtag v1.2.0 // indirect
+	github.com/firefart/nonamedreturns v1.0.5 // indirect
+	github.com/fsnotify/fsnotify v1.5.4 // indirect
+	github.com/fzipp/gocyclo v0.6.0 // indirect
+	github.com/ghostiam/protogetter v0.3.6 // indirect
+	github.com/go-critic/go-critic v0.11.4 // indirect
+	github.com/go-toolsmith/astcast v1.1.0 // indirect
+	github.com/go-toolsmith/astcopy v1.1.0 // indirect
+	github.com/go-toolsmith/astequal v1.2.0 // indirect
+	github.com/go-toolsmith/astfmt v1.1.0 // indirect
+	github.com/go-toolsmith/astp v1.1.0 // indirect
+	github.com/go-toolsmith/strparse v1.1.0 // indirect
+	github.com/go-toolsmith/typep v1.1.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.1.0 // indirect
+	github.com/go-xmlfmt/xmlfmt v1.1.2 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/gofrs/flock v0.12.1 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a // indirect
+	github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9 // indirect
+	github.com/golangci/golangci-lint v1.61.0 // indirect
+	github.com/golangci/misspell v0.6.0 // indirect
+	github.com/golangci/modinfo v0.3.4 // indirect
+	github.com/golangci/plugin-module-register v0.1.1 // indirect
+	github.com/golangci/revgrep v0.5.3 // indirect
+	github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/gordonklaus/ineffassign v0.1.0 // indirect
+	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
+	github.com/gostaticanalysis/comment v1.4.2 // indirect
+	github.com/gostaticanalysis/forcetypeassert v0.1.0 // indirect
+	github.com/gostaticanalysis/nilerr v0.1.1 // indirect
+	github.com/hashicorp/go-version v1.7.0 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hexops/gotextdiff v1.0.3 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jgautheron/goconst v1.7.1 // indirect
+	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
+	github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af // indirect
+	github.com/jjti/go-spancheck v0.6.2 // indirect
+	github.com/julz/importas v0.1.0 // indirect
+	github.com/karamaru-alpha/copyloopvar v1.1.0 // indirect
+	github.com/kisielk/errcheck v1.7.0 // indirect
+	github.com/kkHAIKE/contextcheck v1.1.5 // indirect
+	github.com/kulti/thelper v0.6.3 // indirect
+	github.com/kunwardeep/paralleltest v1.0.10 // indirect
+	github.com/kyoh86/exportloopref v0.1.11 // indirect
+	github.com/lasiar/canonicalheader v1.1.1 // indirect
+	github.com/ldez/gomoddirectives v0.2.4 // indirect
+	github.com/ldez/tagliatelle v0.5.0 // indirect
+	github.com/leonklingele/grouper v1.1.2 // indirect
+	github.com/lufeee/execinquery v1.2.1 // indirect
+	github.com/macabu/inamedparam v0.1.3 // indirect
+	github.com/magiconair/properties v1.8.6 // indirect
+	github.com/maratori/testableexamples v1.0.0 // indirect
+	github.com/maratori/testpackage v1.1.1 // indirect
+	github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.9 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/mgechev/revive v1.3.9 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/moricho/tparallel v0.3.2 // indirect
+	github.com/nakabonne/nestif v0.3.1 // indirect
+	github.com/nishanths/exhaustive v0.12.0 // indirect
+	github.com/nishanths/predeclared v0.2.2 // indirect
+	github.com/nunnatsa/ginkgolinter v0.16.2 // indirect
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/polyfloyd/go-errorlint v1.6.0 // indirect
+	github.com/prometheus/client_golang v1.12.1 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/quasilyte/go-ruleguard v0.4.3-0.20240823090925-0fe6f58b47b1 // indirect
+	github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect
+	github.com/quasilyte/gogrep v0.5.0 // indirect
+	github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
+	github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect
+	github.com/ryancurrah/gomodguard v1.3.5 // indirect
+	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
+	github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect
+	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
+	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
+	github.com/sashamelentyev/usestdlibvars v1.27.0 // indirect
+	github.com/securego/gosec/v2 v2.21.2 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
+	github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sivchari/containedctx v1.0.3 // indirect
+	github.com/sivchari/tenv v1.10.0 // indirect
+	github.com/sonatard/noctx v0.0.2 // indirect
+	github.com/sourcegraph/go-diff v0.7.0 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/cobra v1.8.1 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/viper v1.12.0 // indirect
+	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
+	github.com/stbenjam/no-sprintf-host-port v0.1.1 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/stretchr/testify v1.9.0 // indirect
+	github.com/subosito/gotenv v1.4.1 // indirect
+	github.com/tdakkota/asciicheck v0.2.0 // indirect
+	github.com/tetafro/godot v1.4.17 // indirect
+	github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 // indirect
+	github.com/timonwong/loggercheck v0.9.4 // indirect
+	github.com/tomarrell/wrapcheck/v2 v2.9.0 // indirect
+	github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+	github.com/ultraware/funlen v0.1.0 // indirect
+	github.com/ultraware/whitespace v0.1.1 // indirect
+	github.com/uudashr/gocognit v1.1.3 // indirect
+	github.com/xen0n/gosmopolitan v1.2.2 // indirect
+	github.com/yagipy/maintidx v1.0.0 // indirect
+	github.com/yeya24/promlinter v0.3.0 // indirect
+	github.com/ykadowak/zerologlint v0.1.5 // indirect
 	github.com/yosssi/gohtml v0.0.0-20201013000340-ee4748c638f4 // indirect
-	golang.org/x/mod v0.7.0 // indirect
-	golang.org/x/net v0.18.0 // indirect
-	golang.org/x/sys v0.14.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.3.0 // indirect
+	gitlab.com/bosi/decorder v0.4.2 // indirect
+	go-simpler.org/musttag v0.12.2 // indirect
+	go-simpler.org/sloglint v0.7.2 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/automaxprocs v1.5.3 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
+	go.uber.org/zap v1.24.0 // indirect
+	golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e // indirect
+	golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/tools v0.24.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	honnef.co/go/tools v0.5.1 // indirect
+	mvdan.cc/gofumpt v0.7.0 // indirect
+	mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f // indirect
 )
diff --git a/go.sum b/go.sum
diff --git a/localscan/localsecrets.go b/localscan/localsecrets.go
diff --git a/subdomains/massdns.go b/subdomains/massdns.go

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ func StartEmailScan(domain string) []emails.EmailDetails {`
`30`	`30`	`}`
`31`	`31`	`helper.InfoPrintln("<========================================================================================")`
`32`	`32`	`helper.InfoPrintln("If you agree the uses of modules, press Enter to continue...")`
`33`		`- fmt.Scanln()`
	`33`	`+ _, _ = fmt.Scanln()`
`34`	`34`
`35`	`35`	`var emailLists []emails.EmailDetails`
`36`	`36`	`emailMap := make(map[string]string)`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ func StartSecretScan(domain string) []secrets.SecretDetails {`
`28`	`28`	`}`
`29`	`29`	`helper.InfoPrintln("<========================================================================================")`
`30`	`30`	`helper.InfoPrintln("If you agree the uses of modules, press Enter to continue...")`
`31`		`- fmt.Scanln()`
	`31`	`+ _, _ = fmt.Scanln()`
`32`	`32`
`33`	`33`	`var secretsLists []secrets.SecretDetails`
`34`	`34`	`for _, ss := range secretsScanner {`
Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ func StartSubDomainScan(domain string) []subdomains.SubDomainDetails {`
`42`	`42`	`}`
`43`	`43`	`helper.InfoPrintln("<========================================================================================")`
`44`	`44`	`helper.InfoPrintln("If you agree the uses of modules, press Enter to continue...")`
`45`		`- fmt.Scanln()`
	`45`	`+ _, _ = fmt.Scanln()`
`46`	`46`
`47`	`47`	`var subdomainLists []subdomains.SubDomainDetails`
`48`	`48`	`for _, sf := range subdomainScanResults {`
Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ func StartWebScan(domains []string) []webscans.WebsiteDetails {`
`47`	`47`	`}`
`48`	`48`	`helper.InfoPrintln("<========================================================================================")`
`49`	`49`	`helper.InfoPrintln("If you agree the uses of modules, press Enter to continue...")`
`50`		`- fmt.Scanln()`
	`50`	`+ _, _ = fmt.Scanln()`
`51`	`51`
`52`	`52`	`var websiteResults []webscans.WebsiteDetails`
`53`	`53`	`for _, sf := range webscanners {`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ func SearchGithubRepoByKeyword(keywords string) []GithubRepo {`
`31`	`31`	`helper.ErrorPrintln("[!] No personal access token provided. Process can not be proceed...")`
`32`	`32`	`helper.ErrorPrintln("[!] Please go to https://github.com/settings/tokens to create one, no any permission needed.")`
`33`	`33`	`helper.ErrorPrintln("Press Enter to continue...")`
`34`		`- fmt.Scanln()`
	`34`	`+ _, _ = fmt.Scanln()`
`35`	`35`	`return nil`
`36`	`36`	`}`
`37`	`37`