{ "info": { "author": "Ryan Lane", "author_email": "rlane@lyft.com", "bugtrack_url": null, "classifiers": [], "description": "# bandit-high-entropy-string\n\nA bandit plugin that looks for high entropy hardcoded strings (secrets).\n\nThis plugin exposes four new tests:\n\n1. *high\\_entropy\\_assign*: Checks for secrets in assignment statements: `target = 'candidate'`\n2. *high\\_entropy\\_funcarg*: Checks for secrets in function arguments: `caller('candidate', target='candidate'):`\n3. *high\\_entropy\\_funcdef*: Checks for secrets in function definitions: `def caller('candidate', target='candidate'):`\n4. *high\\_entropy\\_iter*: Checks for secrets in iterables (lists, tuples, dicts): `['candidate',\n'candidate'] or ('candidate', 'candidate') or {'target': 'candidate'}`\n\n## Installation\n\nFirst you'll need to install bandit (note that in bandit-high-entropy-string\nversion 2.0 and higher you'll need to run bandit version 1.0 or higher):\n\n```bash\nvirtualenv venv\nsource venv/bin/activate\npip install bandit\n```\n\nThen you can install the plugin:\n\n```bash\npip install bandit-high-entropy-string\n```\n\n## Configuration\n\nIn your bandit.yaml config file, add the tests for inclusion:\n\n```yaml\n# Backwards compatible configuration for using profiles (only needed if you\n# were previously using profiles and need to keep compatibility)\nprofiles:\n Secrets:\n include:\n - high_entropy_assign\n - high_entropy_funcarg\n - high_entropy_funcdef\n - high_entropy_iter\n\n# Test inclusion for newer versions of bandit\ntests:\n # high_entropy_funcdef\n - BHES100\n # high_entropy_funcarg\n - BHES101\n # high_entropy_iter\n - BHES102\n # high_entropy_assign\n - BHES103\n```\n\nYou can also add extra configuration for each test (in the same config file):\n\n```\n# Configuration for each test (can be configured for each of the four tests)\n\nhigh_entropy_assign:\n # Regex patterns to completely ignore for this test\n patterns_to_ignore:\n - 'public_key_.*'\n # Regex patterns to lower confidence for\n entropy_patterns_to_discount\n - 'maybe_public_key_.*'\n```\n\n## Running the tests\n\nTo run the tests, call bandit against your code base, specifying the profile:\n\n```\n$ bandit -r ./myapplication\n```\n\n## Contributing\n\n### Code of conduct\n\nThis project is governed by [Lyft's code of\nconduct](https://github.com/lyft/code-of-conduct).\nAll contributors and participants agree to abide by its terms.\n\n### Sign the Contributor License Agreement (CLA)\n\nWe require a CLA for code contributions, so before we can accept a pull request\nwe need to have a signed CLA. Please [visit our CLA\nservice](https://oss.lyft.com/cla)\nfollow the instructions to sign the CLA.\n\n### How it works and how to help\n\nThe plugin captures portions of the AST, generates Candidate objects and sends\nthem into the _report function. If a Candidate object's confidence is greater\nthan 0, it's reported. We nudge the confidence and severity based on criterea:\n\n1. Flags (ENTROPY_PATTERNS_TO_FLAG). Any Candidate that matches any regex in this\n list is automatically flagged as confidence/severity 3/3. If there's secret\n patterns you know conclusively are secrets, add them here.\n2. Discounts (ENTROPY_PATTERNS_TO_DISCOUNT). Any Candidate that matches a regex in\n this list is discounted. If the Candidate matches multiple regexes in this\n list, it may be discounted further. This discount is used in the confidence\n calculation.\n3. Secret hints (LOW_SECRET_HINTS, HIGH_SECRET_HINTS). If any target or caller\n matches a regex in these lists then it will be used as a hint that a\n Candidate is a secret. This hint is used in the confidence and severity\n calculations. LOW_SECRET_HINTS leads to a lower confidence increase and\n HIGH_SECRET_HINTS leads to a higher confidence increase.\n4. Safe functions (SAFE_FUNCTION_HINTS). Any Candidate that has a caller that\n matches any string in this list will will be discounted. This is used in the\n confidence calculation.\n5. Entropy. If a Candidate's confidence level can be more accurately gauged by\n a strings level of entropy, we calculate it and if the string has high\n entropy its confidence level is increased. This calculation is avoided if\n possible, as it's relatively expensive.\n\nThe concept is to eliminate noise while more easily identifying Candidates that\nmay be secrets. Some help we'd love to have:\n\n1. Help with the discount regex list. The regexes in the list often match too\n much and there aren't enough that match common python strings.\n2. Help with the safe functions list (and the way we match the safe functions).\n There's a lot of python functions that rarely include secrets but often\n contain high entropy strings. We currently don't identify these function\n calls very well, which leads to higher noise.\n3. Add and improve string captures. We're not currently capturing all available strings\n in the AST and for some string captures we aren't capturing them as\n efficiently as we could. For instance with dicts, we capture info like:\n {'target': 'candidate'}, but don't capture: {'target': 'target': 'candidate'},\n which could lead to better categorization.\n\nFeel free to submit issues and pull requests for anything else you think would be useful\nas well.", "description_content_type": null, "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "", "keywords": "", "license": "Apache-2", "maintainer": "", "maintainer_email": "", "name": "bandit-high-entropy-string", "package_url": "https://pypi.org/project/bandit-high-entropy-string/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/bandit-high-entropy-string/", "project_urls": null, "release_url": "https://pypi.org/project/bandit-high-entropy-string/2.1.2/", "requires_dist": null, "requires_python": "", "summary": "A bandit plugin to check for strings that have high entropy (possible hardcoded secrets).", "version": "2.1.2" }, "last_serial": 2969891, "releases": { "2.0.0": [ { "comment_text": "", "digests": { "md5": "6943143ef2e5c182bb404f449303ac21", "sha256": "681018e93766f93338879208aecf56999e2676e384c3427ebfa2168a25bdb43c" }, "downloads": -1, "filename": "bandit-high-entropy-string-2.0.0.tar.gz", "has_sig": false, "md5_digest": "6943143ef2e5c182bb404f449303ac21", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15750, "upload_time": "2016-06-28T01:01:05", "url": "https://files.pythonhosted.org/packages/9e/15/24629ef93441fa6b8e9f741e6e9f4f068408a13abb46411b1e8df8f51679/bandit-high-entropy-string-2.0.0.tar.gz" } ], "2.0.1": [ { "comment_text": "", "digests": { "md5": "c16d774c9e50342399633ecbc8b50918", "sha256": "ec40967c98162f54266d37d46229c690b8a644b0c20486de4f52eb87f1161b80" }, "downloads": -1, "filename": "bandit-high-entropy-string-2.0.1.tar.gz", "has_sig": false, "md5_digest": "c16d774c9e50342399633ecbc8b50918", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15800, "upload_time": "2016-06-28T01:21:59", "url": "https://files.pythonhosted.org/packages/54/e6/0f160ef0cfde1c51e9c05eeda5bb9fb8294fad63033565cbe6a1378fa143/bandit-high-entropy-string-2.0.1.tar.gz" } ], "2.0.2": [ { "comment_text": "", "digests": { "md5": "27c458bdd15e2e0ed283705bd8071d6f", "sha256": "73a68744162bcb7886347cec0a1263a98fc9e3cdf1d8b7f2a40713b0d45c8674" }, "downloads": -1, "filename": "bandit-high-entropy-string-2.0.2.tar.gz", "has_sig": false, "md5_digest": "27c458bdd15e2e0ed283705bd8071d6f", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15860, "upload_time": "2016-07-12T00:37:07", "url": "https://files.pythonhosted.org/packages/14/fb/5794aaac632d347acd4f3f270a31cdc681067254b1acc0dec097ed09fc95/bandit-high-entropy-string-2.0.2.tar.gz" } ], "2.0.3": [ { "comment_text": "", "digests": { "md5": "d617eedb5c5db1ffe36b29ca7305a13b", "sha256": "fc455fdf105e2b6ec800fc99a2e62078395c447c039f91b980575b2f547945f5" }, "downloads": -1, "filename": "bandit-high-entropy-string-2.0.3.tar.gz", "has_sig": false, "md5_digest": "d617eedb5c5db1ffe36b29ca7305a13b", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15975, "upload_time": "2016-10-20T01:25:44", "url": "https://files.pythonhosted.org/packages/16/cc/05b4cb2805629bf72333f44c973ef97f71b3cc5a807b28d12e8712f40e39/bandit-high-entropy-string-2.0.3.tar.gz" } ], "2.0.4": [ { "comment_text": "", "digests": { "md5": "060fc4dfebf5d4abb7c37ea93fdc28d5", "sha256": "249269f64d457f736dbf17e348df98b89fdb4b8557fb77a6cb72a32c7f1a2417" }, "downloads": -1, "filename": "bandit-high-entropy-string-2.0.4.tar.gz", "has_sig": false, "md5_digest": "060fc4dfebf5d4abb7c37ea93fdc28d5", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 16004, "upload_time": "2016-10-21T00:01:22", "url": "https://files.pythonhosted.org/packages/b5/c5/699890efb11a4d134032475979bd8414f6b5566f2a8c49cdd8c7376e0397/bandit-high-entropy-string-2.0.4.tar.gz" } ], "2.0.5": [ { "comment_text": "", "digests": { "md5": "14d0aa2a01827edf8b9c58e71f14d628", "sha256": "66b8cbecbc10ed153046288e56a1e52929db580cc6c73a341f9b58b0c5b4bef5" }, "downloads": -1, "filename": "bandit-high-entropy-string-2.0.5.tar.gz", "has_sig": false, "md5_digest": "14d0aa2a01827edf8b9c58e71f14d628", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 16040, "upload_time": "2016-11-17T00:47:02", "url": "https://files.pythonhosted.org/packages/5d/47/bd8b36efeb793b4b92bf4ad73e8676151fa0202c1f2654d1b628a126f6d5/bandit-high-entropy-string-2.0.5.tar.gz" } ], "2.0.6": [ { "comment_text": "", "digests": { "md5": "33b625d0726fb6a061c6e19cb80cea61", "sha256": "bac54a31fcd4cbc853e75d17fcc8e1d238220df26ee3d163c9425572cf7c2c6b" }, "downloads": -1, "filename": "bandit-high-entropy-string-2.0.6.tar.gz", "has_sig": false, "md5_digest": "33b625d0726fb6a061c6e19cb80cea61", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 16098, "upload_time": "2016-12-09T00:25:54", "url": "https://files.pythonhosted.org/packages/2a/a7/83c2bca90ca71a395aa3162bc55ab9e05d0d859f7768fef4f2a77bcf0ccd/bandit-high-entropy-string-2.0.6.tar.gz" } ], "2.1.0": [ { "comment_text": "", "digests": { "md5": "4ee4460fcd5d9d8fc3bb8f84b8facbd8", "sha256": "8fc6ad6d57c92ac15655c1302b3aaea79901d8a3fe76b51b31c7ef0f08368a20" }, "downloads": -1, "filename": "bandit-high-entropy-string-2.1.0.tar.gz", "has_sig": false, "md5_digest": "4ee4460fcd5d9d8fc3bb8f84b8facbd8", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 13734, "upload_time": "2017-06-22T18:23:27", "url": "https://files.pythonhosted.org/packages/6a/b9/84af40a186e5c6262af1c082aa66fe4c1018b51a09c103b3e83174a7d393/bandit-high-entropy-string-2.1.0.tar.gz" } ], "2.1.1": [ { "comment_text": "", "digests": { "md5": "eb841f1bd56093d22df3726f75d21572", "sha256": "dbc0a4e3e58615c6efa9bc616a57c9e15c4f0b07bd949a2024926d32d8994908" }, "downloads": -1, "filename": "bandit-high-entropy-string-2.1.1.tar.gz", "has_sig": false, "md5_digest": "eb841f1bd56093d22df3726f75d21572", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 11856, "upload_time": "2017-06-22T18:43:59", "url": "https://files.pythonhosted.org/packages/60/31/dcb743a9a6d58c9d5ef505e095df5b8689f3ec60d7e33ad97b30fd5ff7e8/bandit-high-entropy-string-2.1.1.tar.gz" } ], "2.1.2": [ { "comment_text": "", "digests": { "md5": "dc4b266531bdfc8e9ad0ef07ce42aed7", "sha256": "5029877167b9f65f0c14954ba29fd6fd548cfee2989b2c8b98a2350aa955a50e" }, "downloads": -1, "filename": "bandit-high-entropy-string-2.1.2.tar.gz", "has_sig": false, "md5_digest": "dc4b266531bdfc8e9ad0ef07ce42aed7", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 13739, "upload_time": "2017-06-22T20:15:03", "url": "https://files.pythonhosted.org/packages/01/f3/25696f7f96fd027edfb1fc68a16e3ed3157027a7d39ced0d46ecca293505/bandit-high-entropy-string-2.1.2.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "dc4b266531bdfc8e9ad0ef07ce42aed7", "sha256": "5029877167b9f65f0c14954ba29fd6fd548cfee2989b2c8b98a2350aa955a50e" }, "downloads": -1, "filename": "bandit-high-entropy-string-2.1.2.tar.gz", "has_sig": false, "md5_digest": "dc4b266531bdfc8e9ad0ef07ce42aed7", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 13739, "upload_time": "2017-06-22T20:15:03", "url": "https://files.pythonhosted.org/packages/01/f3/25696f7f96fd027edfb1fc68a16e3ed3157027a7d39ced0d46ecca293505/bandit-high-entropy-string-2.1.2.tar.gz" } ] }