mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-03 19:34:53 -07:00
45f5302e1f
modules/recon/aws-credentials-exposure.yaml flags exposed .aws/credentials, .s3cfg and .boto files on the access and secret key markers, and extracts the AKIA/ASIA access key id. modules/recon/npmrc-exposure.yaml flags a .npmrc only when it carries an auth token or password, not a bare registry config, and extracts the registry the token belongs to. modules/recon/docker-config-exposure.yaml flags .docker/config.json and the legacy .dockercfg on the base64 auth field, and extracts the registry host. each module ands a negative matcher on the usual html markers so a 200 page that merely names a key is not a hit, the same guard the env exposure module uses. internal/modules/credential_exposure_test.go drives the three modules end to end through ExecuteHTTPModule and asserts the leak alongside the near misses a strict review wants pinned: an html doc that only names a key, a plain 200 body, a 404, and a jwt shaped docker auth value, none of which may match. verify: go test ./internal/modules, each matcher, guard and extractor proven to bite (break -> red, restore -> green).