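#!/usr/bin/env bash
# shellcheck disable=SC2230
# vim:ts=4:sts=4:sw=4:et
#
# Author: Hari Sekhon
# Date: 2019-10-18 13:57:12 +0100 (Fri, 18 Oct 2019)
#
# https://github.com/harisekhon/bash-tools
#
# License: see accompanying Hari Sekhon LICENSE file
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback
#
# https://www.linkedin.com/in/harisekhon
#

# Scans the Git repository containing the current directory (or the directory / file path given as
# the first argument) for lines that look like AWS credential assignments. Uses 'git grep', so only
# Git-tracked content is examined.
#
# Usage: <script> [directory_or_file]     (defaults to the current directory)
#
# Exit codes:
#   0 - no potential AWS credentials found
#   1 - potential AWS credentials found (the matching lines are printed to stdout)
#   2 - 'git grep' itself failed (eg. not inside a Git repository)
#
# Lines matching any regex listed in a .gitallowed file in the starting directory are ignored
# (one regex per line). Blank lines and lines starting with '#' in that file are skipped, because an
# empty regex given to 'grep -v -f' would match every line and silently suppress all findings.
#
# Environment:
#   DEBUG - if set to anything non-empty, enables 'set -x' command tracing

set -euo pipefail
[ -n "${DEBUG:-}" ] && set -x
srcdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# shellcheck source=lib/utils.sh
. "$srcdir/lib/utils.sh"

section "AWS Git credentials scan"

start_time="$(start_timer)"

location="${1:-.}"

# move to the directory to scan - a file path scans the directory containing that file
if [ "$location" = . ]; then
    :
elif [ -d "$location" ]; then
    cd "$location"
else
    cd "$(dirname "$location")"
fi

# $(pwd) more reliable than $PWD
echo "checking $(pwd)"
echo

if [ -f .gitallowed ]; then
    gitallowed=.gitallowed
else
    gitallowed=/dev/null
fi

# Patterns cover the standard AWS env var names (upper case) and ~/.aws/credentials keys (lower case).
# AWS_SECRET_ACCESS_KEY is listed explicitly: 'AWS_SECRET_KEY.*=' does not match it, so the most
# common secret key env var would otherwise be missed.
#
# errexit is disabled around the pipeline so that "no matches" (a non-zero status under pipefail)
# does not abort the script, and PIPESTATUS can then distinguish "no matches" (git grep exit 1)
# from a failure of git grep itself (exit >= 2), which previously fell through to the "OK" message.
set +e
git grep \
    -e 'AWS_ACCESS_KEY.*=' \
    -e 'AWS_SECRET_KEY.*=' \
    -e 'AWS_SECRET_ACCESS_KEY.*=' \
    -e 'AWS_SESSION_TOKEN.*=' \
    -e 'aws_access_key_id.*=' \
    -e 'aws_secret_access_key.*=' \
    -e 'aws_session_token.*=' |
grep -v -e '\.bash\.d/aws.sh:' \
        -e "${0##*/}:" |
grep -v -f <(grep -v -e '^[[:space:]]*$' -e '^#' "$gitallowed") |
grep .
pipe_status=("${PIPESTATUS[@]}")
set -e

# stage 0 is 'git grep': 0 = matched something, 1 = nothing matched, anything else is an error
if [ "${pipe_status[0]}" -gt 1 ]; then
    echo "ERROR: 'git grep' failed with exit code ${pipe_status[0]} - is $(pwd) inside a Git repository?" >&2
    exit 2
fi

# stage 3 is 'grep .': exit 0 means at least one line survived the exclusion filters
if [ "${pipe_status[3]}" -eq 0 ]; then
    echo
    echo "DANGER: potential AWS credentials found in Git!!"
    exit 1
fi

time_taken "$start_time"
section2 "OK: no AWS credentials found in Git"
echo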