
EICAR-like test string to always trigger tartufo and that can't be skipped #187

Open
pmevzek-godaddy opened this issue Apr 23, 2021 · 0 comments
Labels
enhancement New feature or request

Comments

@pmevzek-godaddy

Feature Request

Is your feature request related to a problem? Please describe.

It is not related to a problem but is just an idea that will allow us to always make sure tartufo works and does detect what it is expected to detect. Sometimes, by using wrong arguments or calls or things like that, we could believe tartufo was running as expected but instead it did something else, unexpected, and hence we may think secrets are correctly scanned for when in fact they were not.

Describe the solution you'd like

I was thinking about something similar to the EICAR test file for anti-virus software: a specific signature (for example even one of the SHA versions of the EICAR test string) that will always match, and no command line option that allows it to be skipped. This means that if we put a file with this string in the scanned tree, we know 100% that tartufo needs to find it, and if it doesn't, it means it has been run with invalid parameters (like excluding some files, etc.).

This would allow to write an "always positive" test to make sure things work.

As done for the EICAR test file ("According to EICAR's specification, the antivirus detects the test file only if it starts with the 68-byte test string and is not more than 128 bytes long." from Wikipedia), with those kinds of safeguards it will be safe to have this string in other files, and it can be excluded with the normal file-based or signature-based exclusions. But no exclusion would ever allow this string to not be flagged as a secret.

The output would still need to be a success (like in the case of "no secret"), but with either a specific return code or a specific structure in the output, to identify the specific case of the "EICAR"-like string having been found (as obviously expected by the user running this tartufo scan).

Describe alternatives you've considered

One can of course do the same by putting any random string in a file and running tartufo on it.
However, with appropriate flags/configuration that string can be skipped. The idea of this feature request is to have a specific string that will always trigger tartufo and that can't be skipped in any way.

Teachability, Documentation, Adoption, Migration Strategy

Small change in code needed as well as documentation.

@pmevzek-godaddy pmevzek-godaddy added the enhancement New feature or request label Apr 23, 2021
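The following is an added sketch of how the requested "always-positive" canary could be implemented in a scanner. It is not tartufo's own code and is not part of the issue; the canary marker (deliberately not the real EICAR string), the 128-byte size limit borrowed from the EICAR rule quoted above, the return codes, the toy secret rule and the sample files are all constructed assumptions. The key design point it demonstrates is ordering: the canary check runs before any exclusion logic, so no file-glob or signature exclusion can suppress it, while a copy of the marker that is embedded mid-file or in a file longer than the limit is treated as ordinary content and can be excluded normally.

```python
"""Added example: an unskippable EICAR-style canary check for a secret scanner.

Not tartufo's code. CANARY, CANARY_MAX_BYTES, the RC_* codes and the
looks_like_secret() rule are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
import fnmatch
from typing import Dict, List

# Hypothetical canary marker. NOT the real EICAR string and not a real secret.
CANARY = "TARTUFO-CANARY-TEST-STRING-NOT-A-REAL-SECRET-EXAMPLE"
# EICAR-style safeguard: only a short file that *starts* with the marker counts.
CANARY_MAX_BYTES = 128

# Assumed return codes: a distinct code lets a self-test assert on the canary case.
RC_CLEAN = 0
RC_SECRETS_FOUND = 1
RC_CANARY_FOUND = 2


@dataclass
class ScanResult:
    return_code: int
    canary_files: List[str] = field(default_factory=list)
    secret_files: List[str] = field(default_factory=list)
    excluded_files: List[str] = field(default_factory=list)


def is_canary(content: bytes) -> bool:
    """True only if the file begins with the marker and is within the size limit."""
    marker = CANARY.encode()
    return content.startswith(marker) and len(content) <= CANARY_MAX_BYTES


def looks_like_secret(content: bytes) -> bool:
    """Toy stand-in for real signature/entropy rules (constructed pattern)."""
    return b"SECRET=" in content


def scan(files: Dict[str, bytes], exclude_globs: List[str]) -> ScanResult:
    """Scan an in-memory tree {path: bytes}; exclusions never apply to the canary."""
    result = ScanResult(return_code=RC_CLEAN)
    for path, content in files.items():
        # Canary check runs BEFORE exclusions, so no configuration can skip it.
        if is_canary(content):
            result.canary_files.append(path)
            continue
        # Ordinary content (including a canary copy embedded mid-file or in a
        # file over the limit) is subject to the normal exclusion rules.
        if any(fnmatch.fnmatch(path, pattern) for pattern in exclude_globs):
            result.excluded_files.append(path)
            continue
        if looks_like_secret(content):
            result.secret_files.append(path)
    # Real findings take precedence; the canary code only marks an otherwise clean run.
    if result.secret_files:
        result.return_code = RC_SECRETS_FOUND
    elif result.canary_files:
        result.return_code = RC_CANARY_FOUND
    return result


def self_test(files: Dict[str, bytes], exclude_globs: List[str]) -> bool:
    """The 'always positive' check: True only if the scanner actually saw the canary."""
    return bool(scan(files, exclude_globs).canary_files)


# Constructed sample tree: a canary file, a file that merely mentions the marker
# (not at offset 0, so it is ordinary content), and a harmless source file.
SAMPLE_FILES: Dict[str, bytes] = {
    "tests/canary.txt": CANARY.encode() + b"\n",
    "tests/notes.txt": b"the scanner canary is " + CANARY.encode(),
    "src/config.py": b'TOKEN = "not-a-secret-placeholder"\n',
}

if __name__ == "__main__":
    # Even with tests/* excluded, the canary in tests/canary.txt is still reported.
    outcome = scan(SAMPLE_FILES, ["tests/*"])
    print("return code:", outcome.return_code)
    print("canary files:", outcome.canary_files)
    print("excluded files:", outcome.excluded_files)
    print("self-test passed:", self_test(SAMPLE_FILES, ["tests/*"]))
```

Running it with `tests/*` excluded still reports `tests/canary.txt` as the canary, while `tests/notes.txt` (marker not at the start of the file) is excluded like any other file; if the canary were not reported, the self-test would fail, which is exactly the misconfiguration signal the issue asks for.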