create a secrets detection testbed branch with revoked credentials

[commjoen]

Steps to take:

• List secrets present in this issue
• Create a link to this issue in the web interface Experiment bed readme update: add instructions related to #201 #250
• Implement keys below in a separate branch with a script to generate a container from it which can be scanned
• Add master merging script for the .github/scripts/docker-create-and-push.sh

Keys that can be added:

• Azure
• AWS
• GCP
• Git credentials :SSH key
• Git credentials: developer token
• private key RSA key & private ECC key
• GPG keychain (armored and notarmored)
• AES keys
• Slack callback
• kubeconfig
• QR-code (will be hard to represent a secret which is detactable other than through entropy,skipping it)
• BasicAuth
• gradle credentials
• mvn credentials
• NPM
• Firebase push notification keys (android/ios)
• OTP Seed
• segment.io access keys
• Vault root token & unseal keys
• Any JWT Token
• Gitlab PAT
• Gpg armoured export private and public keys
• Azure devops access token
• onepassword emergency kit, 1password-credentials.json and accesstokens
• keybase paperkey
• IBM-cloud?
• Nomad credentials (wait till Nomad support #299 happens)
• Spring boot Session token
• Slack access tokens:bottoken & usertoken, applevel token & config token (requested..pending)
• Braze API-keys (requested)
• Lastpass integration/api-key
• Confidant key
• Docker hub access token
• Vagrant cloud access token
• confluence/jira secrets
• AWS instance profile
• add dockerconfig (https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
• secrets above with encodings (base64, Hex encoding)
• Database connection strings
• OIDC token

which other secret would you like to add? please comment

[commjoen]

Current secrets stored in the repo/docker/k8s/cloud:

1. 5 Random human rememberable passwords in Git & Docker container
2. 1 file containing a secret base64 encoded in Docker
3. 1 random passwords in Java code with higher entropy (not used)
4. 3 AWS keypairs in git history
5. 3 secrets in TF state (requires cloud installation)
6. 1 human readable secret in k8s/secret, 1 in k8s/configmap (requires k8s/cloud installation)
7. 1 root token for vault after deployment of vault(requires vault&k8s/cloud installation)
8. 1 root token and unseal keys comitted (git show 6c4715c)
9. 1 random value generated after startup
10. 1 secret in github action
11. 1 AES key
12. multiple ciphertexts (6)
13. 1 human readable secret in pw manager file(keepass)
14. 5 canarytoken-urls in container&code
15. multiple secrets in java testing code (of which some used in the actual app)
16. secrets in cross-compiled C binaries (2 secrets/binary for 3 binaries)
17. 1 client credential
18. 2 weak password hashes (md5/sha1)
19. 3 hardcoded passwords in binaries (C/C++/Golang)

In https://github.com/commjoen/wrongsecrets/tree/experiment-bed :

1. 1 Azure dotifle
2. 1 Azure Devops access token
3. 1 AES key
4. 1 basic auth enriched curl script
5. 1 Callback url for Slack (invalidated)
6. 1 Docker hub access token
7. 1 ECC keypair
8. 1 Firebase project config
9. 1 gCP service account access key export (blocked/disabled)
10. github dev token (revoked)
11. gitlab access/email/feed tokens (revoked)
12. github access key(ssh)/1 SSH key pair (RSA-4096)
13. 1 gpg armored gpg exported private/public key
14. 1 gpg binary private/secret keyring
15. 1 kubeconfig (canarytoken)
16. jwt.io generated jwt token with rs256 required keys
17. Keybase paperkey
18. Maven and Gradle auth setup (not working)
19. NPM credentials (not working)
20. 1 OTP seed
21. 1 1Password emergency kit, JWT, and credentials file
22. 1RSA keypair
23. segment.io token
24. 1 Slack callback
25. 1 Vagrant access token
26. 2 slack tokens

[commjoen]

@bendehaan , what would be a good place to dump the other secrets for benchmarking? i guess we have to spread it a bit...

[commjoen]

Asked Slack via twitter for possible canarytokens...