CatchIT Secret Scanner
We are proud to announce that CatchIT, a tool developed by Goldman Sachs, has been released as open source, and the team invites you to contribute to the tool to make it better.
CatchIT Secret Scanner detects sensitive information in source code, with a strong emphasis on low execution time, CI/CD integration, high customization and a low false-positive rate. CatchIT is a simple yet powerful framework that helps developers and organizations mitigate the risk of credential leakage while minimizing disruption to the developer experience. It can be embedded as an ad-hoc job in the CI/CD pipeline, as a Python zip app or as a Docker image, so there is no dedicated server to deploy or maintain. It is a regex-based scanner that leverages the Linux commands grep and find to search for pre-defined regular expressions.
CatchIT uses the entropy of each identified finding and the confidence assigned to the matching regular expression to prioritize results and classify them into distinct categories. CatchIT scans for sensitive code, passwords, AWS account IDs and GCP keys, as well as sensitive files such as KEY and PEM files, among others. It reports results in JSON format.
Currently it contains the following regular expressions to identify secrets and files:
Secrets:
AWS-ID
PASSWORD
PASSWORD-ARGUMENT
PASSWORD-URL
GCP-API-KEY
JWT
Files:
RSA_KEYS
SSH_KEYS_DIR
SSH_KEYS_DIR2
SSH_AUTH_KEYS
PEM
KEY
KEYTAB
CRT-CER
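To make the entropy-plus-confidence prioritization concrete, here is an added Python example that is not CatchIT's own code: the rule names follow the list above, but the regular expressions, confidence weights, category thresholds and sample source lines are all constructed for illustration.

```python
import json
import math
import re

# Hypothetical rules (names follow the post; regexes and weights are constructed, not CatchIT's).
RULES = {
    "AWS-ID": (re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.9),
    "PASSWORD": (re.compile(r"""(?i)password\s*[=:]\s*['"]([^'"\s]{6,})['"]"""), 0.5),
    "JWT": (re.compile(r"\b(eyJ[\w-]+\.[\w-]+\.[\w-]+)\b"), 0.8),
}

def shannon_entropy(s):
    # Bits per character: random-looking secrets score high, dictionary words low.
    if not s:
        return 0.0
    probs = (s.count(ch) / len(s) for ch in set(s))
    return -sum(p * math.log2(p) for p in probs)

def classify(entropy, confidence):
    # A trusted pattern or a high-entropy value is HIGH; thresholds are assumed.
    if confidence >= 0.8 or entropy >= 4.0:
        return "HIGH"
    return "MEDIUM" if entropy >= 3.0 else "LOW"

def scan_text(text, filename="<constructed>"):
    # Apply every rule to every line; the report never echoes the full secret.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, (pattern, confidence) in RULES.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                entropy = round(shannon_entropy(secret), 2)
                findings.append({"rule": rule, "file": filename, "line": lineno,
                                 "preview": secret[:4] + "...", "entropy": entropy,
                                 "confidence": confidence,
                                 "category": classify(entropy, confidence)})
    return findings

def report_json(findings):
    # JSON output with HIGH findings first, the shape a CI gate would consume.
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return json.dumps(sorted(findings, key=lambda f: order[f["category"]]), indent=2)

# Constructed sample source: an AWS-style key id, a weak and a random password, a JWT.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
password = "changeme"
password = "x9$Kq2!vL8#pZr4wT"
token = eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.abc123DEF456ghi789
"""
```

Running `report_json(scan_text(SAMPLE))` shows the point of the two signals: the same PASSWORD regex matches both password lines, but "changeme" is rated LOW on entropy while the random value is rated HIGH.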
Learn more about the project at https://github.com/finos/CatchIT.
Find more information about contributing at https://github.com/finos/CatchIT/blob/main/CONTRIBUTING.md.
Your feedback, issues, and contributions are very welcome (and requested)!