-
Notifications
You must be signed in to change notification settings - Fork 1.7k
/
engine.go
1328 lines (1137 loc) · 45.1 KB
/
engine.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
package engine
import (
"bytes"
"errors"
"fmt"
"runtime"
"strconv"
"sync"
"sync/atomic"
"time"
"github.com/adrg/strutil"
"github.com/adrg/strutil/metrics"
lru "github.com/hashicorp/golang-lru/v2"
"google.golang.org/protobuf/proto"
"github.com/trufflesecurity/trufflehog/v3/pkg/common"
"github.com/trufflesecurity/trufflehog/v3/pkg/config"
"github.com/trufflesecurity/trufflehog/v3/pkg/context"
"github.com/trufflesecurity/trufflehog/v3/pkg/decoders"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
"github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick"
"github.com/trufflesecurity/trufflehog/v3/pkg/giturl"
"github.com/trufflesecurity/trufflehog/v3/pkg/output"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/source_metadatapb"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/sourcespb"
"github.com/trufflesecurity/trufflehog/v3/pkg/sources"
)
const detectionTimeout = 10 * time.Second
var errOverlap = errors.New(
"More than one detector has found this result. For your safety, verification has been disabled." +
"You can override this behavior by using the --allow-verification-overlap flag.",
)
// Metrics for the scan engine for external consumption.
type Metrics struct {
BytesScanned uint64
ChunksScanned uint64
VerifiedSecretsFound uint64
UnverifiedSecretsFound uint64
AvgDetectorTime map[string]time.Duration
scanStartTime time.Time
ScanDuration time.Duration
}
// runtimeMetrics for the scan engine for internal use by the engine.
type runtimeMetrics struct {
mu sync.RWMutex
Metrics
detectorAvgTime sync.Map
}
// getScanDuration returns the duration of the scan.
// If the scan is still running, it returns the time since the scan started.
func (m *Metrics) getScanDuration() time.Duration {
if m.ScanDuration == 0 {
return time.Since(m.scanStartTime)
}
return m.ScanDuration
}
// ResultsDispatcher is an interface for dispatching findings of detected results.
// Implementations can vary from printing results to the console to sending results to an external system.
type ResultsDispatcher interface {
Dispatch(ctx context.Context, result detectors.ResultWithMetadata) error
}
// Printer is used to format found results and output them to the user. Ex JSON, plain text, etc.
// Please note printer implementations SHOULD BE thread safe.
type Printer interface {
Print(ctx context.Context, r *detectors.ResultWithMetadata) error
}
// PrinterDispatcher wraps an existing Printer implementation and adapts it to the ResultsDispatcher interface.
type PrinterDispatcher struct{ printer Printer }
// NewPrinterDispatcher creates a new PrinterDispatcher instance with the provided Printer.
func NewPrinterDispatcher(printer Printer) *PrinterDispatcher { return &PrinterDispatcher{printer} }
// Dispatch sends the result to the printer.
func (p *PrinterDispatcher) Dispatch(ctx context.Context, result detectors.ResultWithMetadata) error {
return p.printer.Print(ctx, &result)
}
// Config used to configure the engine.
type Config struct {
// Number of concurrent scanner workers,
// also serves as a multiplier for other worker types (e.g., detector workers, notifier workers)
Concurrency int
Decoders []decoders.Decoder
Detectors []detectors.Detector
DetectorVerificationOverrides map[config.DetectorID]bool
IncludeDetectors string
ExcludeDetectors string
CustomVerifiersOnly bool
VerifierEndpoints map[string]string
// Verify determines whether the scanner will verify candidate secrets.
Verify bool
// Defines which results will be notified by the engine
// (e.g., verified, unverified, unknown)
Results map[string]struct{}
LogFilteredUnverified bool
// FilterEntropy filters out unverified results using Shannon entropy.
FilterEntropy float64
// FilterUnverified sets the filterUnverified flag on the engine. If set to
// true, the engine will only return the first unverified result for a chunk for a detector.
FilterUnverified bool
ShouldScanEntireChunk bool
Dispatcher ResultsDispatcher
// SourceManager is used to manage the sources and units.
// TODO (ahrav): Update this comment, i'm dumb and don't really know what else it does.
SourceManager *sources.SourceManager
// PrintAvgDetectorTime sets the printAvgDetectorTime flag on the engine. If set to
// true, the engine will print the average time taken by each detector.
// This option allows us to measure the time taken for each detector ONLY if
// the engine is configured to print the results.
// Calculating the average time taken by each detector is an expensive operation
// and should be avoided unless specified by the user.
PrintAvgDetectorTime bool
// VerificationOverlap determines whether the scanner will attempt to verify candidate secrets
// that have been detected by multiple detectors.
// By default, it is set to true.
VerificationOverlap bool
// DetectorWorkerMultiplier is used to determine the number of detector workers to spawn.
DetectorWorkerMultiplier int
// NotificationWorkerMultiplier is used to determine the number of notification workers to spawn.
NotificationWorkerMultiplier int
// VerificationOverlapWorkerMultiplier is used to determine the number of verification overlap workers to spawn.
VerificationOverlapWorkerMultiplier int
}
// Engine represents the core scanning engine responsible for detecting secrets in input data.
// It manages the lifecycle of the scanning process, including initialization, worker management,
// and result notification. The engine is designed to be flexible and configurable, allowing for
// customization through various options and configurations.
type Engine struct {
// CLI flags.
concurrency int
decoders []decoders.Decoder
detectors []detectors.Detector
// Any detectors configured to override sources' verification flags
detectorVerificationOverrides map[config.DetectorID]bool
// filterUnverified is used to reduce the number of unverified results.
// If there are multiple unverified results for the same chunk for the same detector,
// only the first one will be kept.
filterUnverified bool
// entropyFilter is used to filter out unverified results using Shannon entropy.
filterEntropy float64
notifyVerifiedResults bool
notifyUnverifiedResults bool
notifyUnknownResults bool
retainFalsePositives bool
verificationOverlap bool
printAvgDetectorTime bool
// By default, the engine will only scan a subset of the chunk if a detector matches the chunk.
// If this flag is set to true, the engine will scan the entire chunk.
scanEntireChunk bool
// ahoCorasickHandler manages the Aho-Corasick trie and related keyword lookups.
ahoCorasickCore *ahocorasick.Core
// Engine synchronization primitives.
sourceManager *sources.SourceManager
results chan detectors.ResultWithMetadata
detectableChunksChan chan detectableChunk
verificationOverlapChunksChan chan verificationOverlapChunk
workersWg sync.WaitGroup
verificationOverlapWg sync.WaitGroup
wgDetectorWorkers sync.WaitGroup
WgNotifier sync.WaitGroup
// Runtime information.
metrics runtimeMetrics
// numFoundResults is used to keep track of the number of results found.
numFoundResults uint32
// ResultsDispatcher is used to send results.
dispatcher ResultsDispatcher
// dedupeCache is used to deduplicate results by comparing the
// detector type, raw result, and source metadata
dedupeCache *lru.Cache[string, detectorspb.DecoderType]
// verify determines whether the scanner will attempt to verify candidate secrets.
verify bool
// Note: bad hack only used for testing.
verificationOverlapTracker *verificationOverlapTracker
// detectorWorkerMultiplier is used to calculate the number of detector workers.
detectorWorkerMultiplier int
// notificationWorkerMultiplier is used to calculate the number of notification workers.
notificationWorkerMultiplier int
// verificationOverlapWorkerMultiplier is used to calculate the number of verification overlap workers.
verificationOverlapWorkerMultiplier int
}
// NewEngine creates a new Engine instance with the provided configuration.
func NewEngine(ctx context.Context, cfg *Config) (*Engine, error) {
engine := &Engine{
concurrency: cfg.Concurrency,
decoders: cfg.Decoders,
detectors: cfg.Detectors,
dispatcher: cfg.Dispatcher,
verify: cfg.Verify,
filterUnverified: cfg.FilterUnverified,
filterEntropy: cfg.FilterEntropy,
printAvgDetectorTime: cfg.PrintAvgDetectorTime,
retainFalsePositives: cfg.LogFilteredUnverified,
verificationOverlap: cfg.VerificationOverlap,
sourceManager: cfg.SourceManager,
scanEntireChunk: cfg.ShouldScanEntireChunk,
detectorVerificationOverrides: cfg.DetectorVerificationOverrides,
detectorWorkerMultiplier: cfg.DetectorWorkerMultiplier,
notificationWorkerMultiplier: cfg.NotificationWorkerMultiplier,
verificationOverlapWorkerMultiplier: cfg.VerificationOverlapWorkerMultiplier,
}
if engine.sourceManager == nil {
return nil, fmt.Errorf("source manager is required")
}
engine.setDefaults(ctx)
// Build include and exclude detector sets for filtering on engine initialization.
includeDetectorSet, excludeDetectorSet, err := buildDetectorSets(cfg)
if err != nil {
return nil, err
}
// Apply include/exclude filters.
var filters []func(detectors.Detector) bool
if len(includeDetectorSet) > 0 {
filters = append(filters, func(d detectors.Detector) bool {
_, ok := getWithDetectorID(d, includeDetectorSet)
return ok
})
}
if len(excludeDetectorSet) > 0 {
filters = append(filters, func(d detectors.Detector) bool {
_, ok := getWithDetectorID(d, excludeDetectorSet)
return !ok
})
}
// Apply custom verifier endpoints to detectors that support it.
detectorsWithCustomVerifierEndpoints, err := parseCustomVerifierEndpoints(cfg.VerifierEndpoints)
if err != nil {
return nil, err
}
if len(detectorsWithCustomVerifierEndpoints) > 0 {
filters = append(filters, func(d detectors.Detector) bool {
urls, ok := getWithDetectorID(d, detectorsWithCustomVerifierEndpoints)
if !ok {
return true
}
customizer, ok := d.(detectors.EndpointCustomizer)
if !ok {
return false
}
if cfg.CustomVerifiersOnly && len(urls) > 0 {
customizer.UseCloudEndpoint(false)
customizer.UseFoundEndpoints(false)
}
if err := customizer.SetConfiguredEndpoints(urls...); err != nil {
return false
}
return true
})
}
engine.applyFilters(filters...)
if results := cfg.Results; len(results) > 0 {
_, ok := results["verified"]
engine.notifyVerifiedResults = ok
_, ok = results["unknown"]
engine.notifyUnknownResults = ok
_, ok = results["unverified"]
engine.notifyUnverifiedResults = ok
if _, ok = results["filtered_unverified"]; ok {
engine.retainFalsePositives = ok
engine.notifyUnverifiedResults = ok
}
}
if err := engine.initialize(ctx); err != nil {
return nil, err
}
return engine, nil
}
// setDefaults ensures that if specific engine properties aren't provided,
// they're set to reasonable default values. It makes the engine robust to
// incomplete configuration.
func (e *Engine) setDefaults(ctx context.Context) {
if e.concurrency == 0 {
numCPU := runtime.NumCPU()
ctx.Logger().Info("No concurrency specified, defaulting to max", "cpu", numCPU)
e.concurrency = numCPU
}
if e.detectorWorkerMultiplier < 1 {
// bound by net i/o so it's higher than other workers
e.detectorWorkerMultiplier = 8
}
if e.notificationWorkerMultiplier < 1 {
e.notificationWorkerMultiplier = 1
}
if e.verificationOverlapWorkerMultiplier < 1 {
e.verificationOverlapWorkerMultiplier = 1
}
// Default decoders handle common encoding formats.
if len(e.decoders) == 0 {
e.decoders = decoders.DefaultDecoders()
}
// Only use the default detectors if none are provided.
if len(e.detectors) == 0 {
e.detectors = DefaultDetectors()
}
if e.dispatcher == nil {
e.dispatcher = NewPrinterDispatcher(new(output.PlainPrinter))
}
e.notifyVerifiedResults = true
e.notifyUnverifiedResults = true
e.notifyUnknownResults = true
ctx.Logger().V(4).Info("default engine options set")
}
func buildDetectorSets(cfg *Config) (map[config.DetectorID]struct{}, map[config.DetectorID]struct{}, error) {
includeList, err := config.ParseDetectors(cfg.IncludeDetectors)
if err != nil {
return nil, nil, fmt.Errorf("invalid include list detector configuration: %w", err)
}
excludeList, err := config.ParseDetectors(cfg.ExcludeDetectors)
if err != nil {
return nil, nil, fmt.Errorf("invalid exclude list detector configuration: %w", err)
}
includeDetectorSet := detectorTypeToSet(includeList)
excludeDetectorSet := detectorTypeToSet(excludeList)
// Verify that all the user-provided detectors support the optional
// detector features.
if id, err := verifyDetectorsAreVersioner(includeDetectorSet); err != nil {
return nil, nil, fmt.Errorf("invalid include list detector configuration id %v: %w", id, err)
}
if id, err := verifyDetectorsAreVersioner(excludeDetectorSet); err != nil {
return nil, nil, fmt.Errorf("invalid exclude list detector configuration id %v: %w", id, err)
}
return includeDetectorSet, excludeDetectorSet, nil
}
func parseCustomVerifierEndpoints(endpoints map[string]string) (map[config.DetectorID][]string, error) {
if len(endpoints) == 0 {
return nil, nil
}
customVerifierEndpoints, err := config.ParseVerifierEndpoints(endpoints)
if err != nil {
return nil, fmt.Errorf("invalid verifier detector configuration: %w", err)
}
if id, err := verifyDetectorsAreVersioner(customVerifierEndpoints); err != nil {
return nil, fmt.Errorf("invalid verifier detector configuration id %v: %w", id, err)
}
// Extra check for endpoint customization.
isEndpointCustomizer := DefaultDetectorTypesImplementing[detectors.EndpointCustomizer]()
for id := range customVerifierEndpoints {
if _, ok := isEndpointCustomizer[id.ID]; !ok {
return nil, fmt.Errorf("endpoint provided but detector does not support endpoint customization: %w", err)
}
}
return customVerifierEndpoints, nil
}
// detectorTypeToSet is a helper function to convert a slice of detector IDs into a set.
func detectorTypeToSet(detectors []config.DetectorID) map[config.DetectorID]struct{} {
out := make(map[config.DetectorID]struct{}, len(detectors))
for _, d := range detectors {
out[d] = struct{}{}
}
return out
}
// getWithDetectorID is a helper function to get a value from a map using a
// detector's ID. This function behaves like a normal map lookup, with an extra
// step of checking for the non-specific version of a detector.
func getWithDetectorID[T any](d detectors.Detector, data map[config.DetectorID]T) (T, bool) {
key := config.GetDetectorID(d)
// Check if the specific ID is provided.
if t, ok := data[key]; ok || key.Version == 0 {
return t, ok
}
// Check if the generic type is provided without a version.
// This means "all" versions of a type.
key.Version = 0
t, ok := data[key]
return t, ok
}
// verifyDetectorsAreVersioner checks all keys in a provided map to verify the
// provided type is actually a Versioner.
func verifyDetectorsAreVersioner[T any](data map[config.DetectorID]T) (config.DetectorID, error) {
isVersioner := DefaultDetectorTypesImplementing[detectors.Versioner]()
for id := range data {
if id.Version == 0 {
// Version not provided.
continue
}
if _, ok := isVersioner[id.ID]; ok {
// Version provided for a Versioner detector.
continue
}
// Version provided on a non-Versioner detector.
return id, fmt.Errorf("version provided but detector does not have a version")
}
return config.DetectorID{}, nil
}
// applyFilters applies a variable number of filters to the detectors.
func (e *Engine) applyFilters(filters ...func(detectors.Detector) bool) {
for _, filter := range filters {
e.detectors = filterDetectors(filter, e.detectors)
}
}
func filterDetectors(filterFunc func(detectors.Detector) bool, input []detectors.Detector) []detectors.Detector {
var out []detectors.Detector
for _, detector := range input {
if filterFunc(detector) {
out = append(out, detector)
}
}
return out
}
// initialize prepares the engine's internal structures. The LRU cache optimizes
// deduplication efforts, allowing the engine to quickly check if a chunk has
// been processed before, thereby saving computational overhead.
func (e *Engine) initialize(ctx context.Context) error {
// TODO (ahrav): Determine the optimal cache size.
const cacheSize = 512 // number of entries in the LRU cache
cache, err := lru.New[string, detectorspb.DecoderType](cacheSize)
if err != nil {
return fmt.Errorf("failed to initialize LRU cache: %w", err)
}
const (
// detectableChunksChanMultiplier is set to accommodate a high number of concurrent worker goroutines.
// This multiplier ensures that the detectableChunksChan channel has sufficient buffer capacity
// to hold messages from multiple worker groups (detector workers/ verificationOverlap workers) without blocking.
// A large buffer helps accommodate for the fact workers are producing data at a faster rate
// than it can be consumed.
detectableChunksChanMultiplier = 50
// verificationOverlapChunksChanMultiplier uses a smaller buffer compared to detectableChunksChanMultiplier.
// This reflects the anticipated lower volume of data that needs re-verification.
// The buffer size is a trade-off between memory usage and the need to prevent blocking.
verificationOverlapChunksChanMultiplier = 25
resultsChanMultiplier = detectableChunksChanMultiplier
)
// Channels are used for communication between different parts of the engine,
// ensuring that data flows smoothly without race conditions.
// The buffer sizes for these channels are set to multiples of defaultChannelBuffer,
// considering the expected concurrency and workload in the system.
e.detectableChunksChan = make(chan detectableChunk, defaultChannelBuffer*detectableChunksChanMultiplier)
e.verificationOverlapChunksChan = make(
chan verificationOverlapChunk, defaultChannelBuffer*verificationOverlapChunksChanMultiplier,
)
e.results = make(chan detectors.ResultWithMetadata, defaultChannelBuffer*resultsChanMultiplier)
e.dedupeCache = cache
ctx.Logger().V(4).Info("engine initialized")
// Configure the EntireChunkSpanCalculator if the engine is set to scan the entire chunk.
var ahoCOptions []ahocorasick.CoreOption
if e.scanEntireChunk {
ahoCOptions = append(ahoCOptions, ahocorasick.WithSpanCalculator(new(ahocorasick.EntireChunkSpanCalculator)))
}
ctx.Logger().V(4).Info("setting up aho-corasick core")
e.ahoCorasickCore = ahocorasick.NewAhoCorasickCore(e.detectors, ahoCOptions...)
ctx.Logger().V(4).Info("set up aho-corasick core")
return nil
}
type verificationOverlapTracker struct {
verificationOverlapDuplicateCount int
mu sync.Mutex
}
func (r *verificationOverlapTracker) increment() {
r.mu.Lock()
r.verificationOverlapDuplicateCount++
r.mu.Unlock()
}
const ignoreTag = "trufflehog:ignore"
// HasFoundResults returns true if any results are found.
func (e *Engine) HasFoundResults() bool {
return atomic.LoadUint32(&e.numFoundResults) > 0
}
// GetMetrics returns a copy of Metrics.
// It's safe for concurrent use, and the caller can't modify the original data.
func (e *Engine) GetMetrics() Metrics {
e.metrics.mu.RLock()
defer e.metrics.mu.RUnlock()
result := e.metrics.Metrics
result.AvgDetectorTime = make(map[string]time.Duration, len(e.metrics.AvgDetectorTime))
for detectorName, durations := range e.DetectorAvgTime() {
var total time.Duration
for _, d := range durations {
total += d
}
avgDuration := total / time.Duration(len(durations))
result.AvgDetectorTime[detectorName] = avgDuration
}
result.ScanDuration = e.metrics.getScanDuration()
return result
}
// GetDetectorsMetrics returns a copy of the average time taken by each detector.
func (e *Engine) GetDetectorsMetrics() map[string]time.Duration {
e.metrics.mu.RLock()
defer e.metrics.mu.RUnlock()
result := make(map[string]time.Duration, len(DefaultDetectors()))
for detectorName, durations := range e.DetectorAvgTime() {
var total time.Duration
for _, d := range durations {
total += d
}
avgDuration := total / time.Duration(len(durations))
result[detectorName] = avgDuration
}
return result
}
// DetectorAvgTime returns the average time taken by each detector.
func (e *Engine) DetectorAvgTime() map[string][]time.Duration {
logger := context.Background().Logger()
avgTime := map[string][]time.Duration{}
e.metrics.detectorAvgTime.Range(func(k, v any) bool {
key, ok := k.(string)
if !ok {
logger.Info("expected detectorAvgTime key to be a string")
return true
}
value, ok := v.([]time.Duration)
if !ok {
logger.Info("expected detectorAvgTime value to be []time.Duration")
return true
}
avgTime[key] = value
return true
})
return avgTime
}
// Start initializes and activates the engine's processing pipeline.
// It sets up various default configurations, prepares lookup structures for
// detectors, and kickstarts all necessary workers. Once started, the engine
// begins processing input data to identify secrets.
func (e *Engine) Start(ctx context.Context) {
e.metrics = runtimeMetrics{Metrics: Metrics{scanStartTime: time.Now()}}
e.sanityChecks(ctx)
e.startWorkers(ctx)
}
var defaultChannelBuffer = runtime.NumCPU()
// Sanity check detectors for duplicate configuration. Only log in case
// a detector has been configured in a way that isn't represented by
// the DetectorID (type and version).
func (e *Engine) sanityChecks(ctx context.Context) {
seenDetectors := make(map[config.DetectorID]struct{}, len(e.detectors))
for _, det := range e.detectors {
id := config.GetDetectorID(det)
if _, ok := seenDetectors[id]; ok && id.ID != detectorspb.DetectorType_CustomRegex {
ctx.Logger().Info("possible duplicate detector configured", "detector", id)
}
seenDetectors[id] = struct{}{}
}
}
// startWorkers initiates all necessary workers. Workers handle processing of
// chunks concurrently. Separating the initialization of different types of
// workers helps in scalability and makes it easier to diagnose issues.
func (e *Engine) startWorkers(ctx context.Context) {
// Scanner workers process input data and extract chunks for detectors.
e.startScannerWorkers(ctx)
// Detector workers apply keyword matching, regexes and API calls to detect secrets in chunks.
e.startDetectorWorkers(ctx)
// verificationOverlap workers handle verification of chunks that have been detected by multiple detectors.
// They ensure that verification is disabled for any secrets that have been detected by multiple detectors.
e.startVerificationOverlapWorkers(ctx)
// ResultsDispatcher workers communicate detected issues to the user or any downstream systems.
// We want 1/4th of the notifier workers as the number of scanner workers.
e.startNotifierWorkers(ctx)
}
func (e *Engine) startScannerWorkers(ctx context.Context) {
ctx.Logger().V(2).Info("starting scanner workers", "count", e.concurrency)
for worker := uint64(0); worker < uint64(e.concurrency); worker++ {
e.workersWg.Add(1)
go func() {
ctx := context.WithValue(ctx, "scanner_worker_id", common.RandomID(5))
defer common.Recover(ctx)
defer e.workersWg.Done()
e.scannerWorker(ctx)
}()
}
}
func (e *Engine) startDetectorWorkers(ctx context.Context) {
numWorkers := e.concurrency * e.detectorWorkerMultiplier
ctx.Logger().V(2).Info("starting detector workers", "count", numWorkers)
for worker := 0; worker < numWorkers; worker++ {
e.wgDetectorWorkers.Add(1)
go func() {
ctx := context.WithValue(ctx, "detector_worker_id", common.RandomID(5))
defer common.Recover(ctx)
defer e.wgDetectorWorkers.Done()
e.detectorWorker(ctx)
}()
}
}
func (e *Engine) startVerificationOverlapWorkers(ctx context.Context) {
numWorkers := e.concurrency * e.verificationOverlapWorkerMultiplier
ctx.Logger().V(2).Info("starting verificationOverlap workers", "count", numWorkers)
for worker := 0; worker < numWorkers; worker++ {
e.verificationOverlapWg.Add(1)
go func() {
ctx := context.WithValue(ctx, "verification_overlap_worker_id", common.RandomID(5))
defer common.Recover(ctx)
defer e.verificationOverlapWg.Done()
e.verificationOverlapWorker(ctx)
}()
}
}
func (e *Engine) startNotifierWorkers(ctx context.Context) {
numWorkers := e.notificationWorkerMultiplier * e.concurrency
ctx.Logger().V(2).Info("starting notifier workers", "count", numWorkers)
for worker := 0; worker < numWorkers; worker++ {
e.WgNotifier.Add(1)
go func() {
ctx := context.WithValue(ctx, "notifier_worker_id", common.RandomID(5))
defer common.Recover(ctx)
defer e.WgNotifier.Done()
e.notifierWorker(ctx)
}()
}
}
// Finish waits for running sources to complete and workers to finish scanning
// chunks before closing their respective channels. Once Finish is called, no
// more sources may be scanned by the engine.
func (e *Engine) Finish(ctx context.Context) error {
defer common.RecoverWithExit(ctx)
// Wait for the sources to finish putting chunks onto the chunks channel.
err := e.sourceManager.Wait()
e.workersWg.Wait() // Wait for the workers to finish scanning chunks.
close(e.verificationOverlapChunksChan)
e.verificationOverlapWg.Wait()
close(e.detectableChunksChan)
e.wgDetectorWorkers.Wait() // Wait for the detector workers to finish detecting chunks.
close(e.results) // Detector workers are done, close the results channel and call it a day.
e.WgNotifier.Wait() // Wait for the notifier workers to finish notifying results.
e.metrics.ScanDuration = time.Since(e.metrics.scanStartTime)
return err
}
func (e *Engine) ChunksChan() <-chan *sources.Chunk {
return e.sourceManager.Chunks()
}
func (e *Engine) ResultsChan() chan detectors.ResultWithMetadata {
return e.results
}
// ScanChunk injects a chunk into the output stream of chunks to be scanned.
// This method should rarely be used. TODO(THOG-1577): Remove when dependencies
// no longer rely on this functionality.
func (e *Engine) ScanChunk(chunk *sources.Chunk) {
e.sourceManager.ScanChunk(chunk)
}
// detectableChunk is a decoded chunk that is ready to be scanned by its detector.
type detectableChunk struct {
detector *ahocorasick.DetectorMatch
chunk sources.Chunk
decoder detectorspb.DecoderType
wgDoneFn func()
}
// verificationOverlapChunk is a decoded chunk that has multiple detectors that match it.
// It will be initially processed with verification disabled, and then reprocessed with verification
// enabled if the same secret was not found by multiple detectors.
type verificationOverlapChunk struct {
chunk sources.Chunk
decoder detectorspb.DecoderType
detectors []*ahocorasick.DetectorMatch
verificationOverlapWgDoneFn func()
}
func (e *Engine) scannerWorker(ctx context.Context) {
var wgDetect sync.WaitGroup
var wgVerificationOverlap sync.WaitGroup
for chunk := range e.ChunksChan() {
startTime := time.Now()
sourceVerify := chunk.Verify
for _, decoder := range e.decoders {
decodeStart := time.Now()
decoded := decoder.FromChunk(chunk)
decodeTime := time.Since(decodeStart).Microseconds()
decodeLatency.WithLabelValues(decoder.Type().String(), chunk.SourceName).Observe(float64(decodeTime))
if decoded == nil {
ctx.Logger().V(4).Info("decoder not applicable for chunk", "decoder", decoder.Type().String(), "chunk", chunk)
continue
}
matchingDetectors := e.ahoCorasickCore.FindDetectorMatches(decoded.Chunk.Data)
if len(matchingDetectors) > 1 && !e.verificationOverlap {
wgVerificationOverlap.Add(1)
e.verificationOverlapChunksChan <- verificationOverlapChunk{
chunk: *decoded.Chunk,
detectors: matchingDetectors,
decoder: decoded.DecoderType,
verificationOverlapWgDoneFn: wgVerificationOverlap.Done,
}
continue
}
for _, detector := range matchingDetectors {
decoded.Chunk.Verify = e.shouldVerifyChunk(sourceVerify, detector, e.detectorVerificationOverrides)
wgDetect.Add(1)
e.detectableChunksChan <- detectableChunk{
chunk: *decoded.Chunk,
detector: detector,
decoder: decoded.DecoderType,
wgDoneFn: wgDetect.Done,
}
}
}
dataSize := float64(len(chunk.Data))
scanBytesPerChunk.Observe(dataSize)
jobBytesScanned.WithLabelValues(
strconv.Itoa(int(chunk.JobID)),
chunk.SourceType.String(),
chunk.SourceName,
).Add(dataSize)
chunksScannedLatency.Observe(float64(time.Since(startTime).Microseconds()))
jobChunksScanned.WithLabelValues(
strconv.Itoa(int(chunk.JobID)),
chunk.SourceType.String(),
chunk.SourceName,
).Inc()
atomic.AddUint64(&e.metrics.ChunksScanned, 1)
atomic.AddUint64(&e.metrics.BytesScanned, uint64(dataSize))
}
wgVerificationOverlap.Wait()
wgDetect.Wait()
ctx.Logger().V(4).Info("finished scanning chunks")
}
func (e *Engine) shouldVerifyChunk(
sourceVerify bool,
detector detectors.Detector,
detectorVerificationOverrides map[config.DetectorID]bool,
) bool {
// The verify flag takes precedence over the detector's verification flag.
if !e.verify {
return false
}
detectorId := config.DetectorID{ID: detector.Type(), Version: 0}
if v, ok := detector.(detectors.Versioner); ok {
detectorId.Version = v.Version()
}
if detectorVerify, ok := detectorVerificationOverrides[detectorId]; ok {
return detectorVerify
}
// If the user is running with a detector verification override that does not specify a particular detector version,
// then its override map entry will have version 0. We should check for that too, but if the detector being checked
// doesn't have any version information then its version is 0, so we've already done the check, and we don't need to
// do it a second time.
if detectorId.Version != 0 {
detectorId.Version = 0
if detectorVerify, ok := detectorVerificationOverrides[detectorId]; ok {
return detectorVerify
}
}
return sourceVerify
}
// chunkSecretKey ties secrets to the specific detector that found them. This allows identifying identical
// credentials extracted by multiple different detectors processing the same chunk. Or duplicates found
// by the same detector in the chunk. Exact matches on lookup indicate a duplicate secret for a detector
// in that chunk - which is expected and not malicious. Those intra-detector dupes are still verified.
type chunkSecretKey struct {
secret string
detectorKey ahocorasick.DetectorKey
}
func likelyDuplicate(ctx context.Context, val chunkSecretKey, dupes map[chunkSecretKey]struct{}) bool {
const similarityThreshold = 0.9
valStr := val.secret
for dupeKey := range dupes {
dupe := dupeKey.secret
// Avoid comparing strings of vastly different lengths.
if len(dupe)*10 < len(valStr)*9 || len(dupe)*10 > len(valStr)*11 {
continue
}
// If the detector type is the same, we don't need to compare the strings.
// These are not duplicates, and should be verified.
if val.detectorKey.Type() == dupeKey.detectorKey.Type() {
continue
}
if valStr == dupe {
ctx.Logger().V(2).Info(
"found exact duplicate",
)
return true
}
similarity := strutil.Similarity(valStr, dupe, metrics.NewLevenshtein())
// close enough
if similarity > similarityThreshold {
ctx.Logger().V(2).Info(
"found similar duplicate",
)
return true
}
}
return false
}
func (e *Engine) verificationOverlapWorker(ctx context.Context) {
var wgDetect sync.WaitGroup
// Reuse the same map and slice to avoid allocations.
const avgSecretsPerDetector = 8
detectorKeysWithResults := make(map[ahocorasick.DetectorKey]*ahocorasick.DetectorMatch, avgSecretsPerDetector)
chunkSecrets := make(map[chunkSecretKey]struct{}, avgSecretsPerDetector)
for chunk := range e.verificationOverlapChunksChan {
for _, detector := range chunk.detectors {
isFalsePositive := detectors.GetFalsePositiveCheck(detector.Detector)
// DO NOT VERIFY at this stage of the pipeline.
matchedBytes := detector.Matches()
for _, match := range matchedBytes {
ctx, cancel := context.WithTimeout(ctx, time.Second*2)
results, err := detector.FromData(ctx, false, match)
cancel()
if err != nil {
ctx.Logger().V(2).Error(
err, "error finding results in chunk during verification overlap",
"detector", detector.Key.Type().String(),
)
}
if len(results) == 0 {
continue
}
if _, ok := detectorKeysWithResults[detector.Key]; !ok {
detectorKeysWithResults[detector.Key] = detector
}
// If results filtration eliminates a rotated secret, then that rotation will never be reported. This
// problem can theoretically occur for any scan, but we've only actually seen it in practice during
// targeted scans. (The reason for this discrepancy is unclear.) The simplest fix is therefore to
// disable filtration for targeted scans, but if you're here because this problem surfaced for a
// non-targeted scan then we'll have to solve it correctly.
if chunk.chunk.SecretID == 0 {
results = e.filterResults(ctx, detector, results)
}
for _, res := range results {
var val []byte
if res.RawV2 != nil {
val = res.RawV2
} else {
val = res.Raw
}
// Use levenstein distance to determine if the secret is likely the same.
// Ex:
// - postman api key: PMAK-qnwfsLyRSyfCwfpHaQP1UzDhrgpWvHjbYzjpRCMshjt417zWcrzyHUArs7r
// - malicious detector "api key": qnwfsLyRSyfCwfpHaQP1UzDhrgpWvHjbYzjpRCMshjt417zWcrzyHUArs7r
key := chunkSecretKey{secret: string(val), detectorKey: detector.Key}
if _, ok := chunkSecrets[key]; ok {
continue
}
if likelyDuplicate(ctx, key, chunkSecrets) {
// This indicates that the same secret was found by multiple detectors.
// We should NOT VERIFY this chunk's data.
if e.verificationOverlapTracker != nil {
e.verificationOverlapTracker.increment()
}
res.SetVerificationError(errOverlap)
e.processResult(
ctx,
detectableChunk{
chunk: chunk.chunk,
detector: detector,
decoder: chunk.decoder,
wgDoneFn: wgDetect.Done,
},
res,
isFalsePositive,
)
// Remove the detector key from the list of detector keys with results.
// This is to ensure that the chunk is not reprocessed with verification enabled
// for this detector.
delete(detectorKeysWithResults, detector.Key)
}
chunkSecrets[key] = struct{}{}
}
}
}
for _, detector := range detectorKeysWithResults {
wgDetect.Add(1)
chunk.chunk.Verify = e.shouldVerifyChunk(chunk.chunk.Verify, detector, e.detectorVerificationOverrides)
e.detectableChunksChan <- detectableChunk{
chunk: chunk.chunk,