Initial commit.

.babelrc

@@ -0,0 +1,3 @@
+{
+  "presets": ["es2015"]
+}

.config.json.example

@@ -0,0 +1,3 @@
+{
+  "SlackURL": "<SLACK_INCOMING_WEBHOOK_URL_HERE>"
+}

.eslintignore

@@ -0,0 +1 @@
+dist/*

.eslintrc

@@ -0,0 +1,28 @@
+{
+  "env": {
+    "es6": true,
+    "node": true
+  },
+  "extends": [
+    "eslint:recommended",
+    "airbnb-base"
+  ],
+  "parser": "babel-eslint",
+  "parserOptions": {
+    "ecmaVersion": 6
+  },
+  "plugins": [
+      "import"
+  ],
+  "rules": {
+    "comma-dangle": ["error", "never"],
+    "global-require": "off",
+    "import/no-dynamic-require": "off",
+    "import/no-extraneous-dependencies": ["error", {"devDependencies": ["config/webpack.js"]}],
+    "no-bitwise": "off",
+    "no-console": "off",
+    "no-param-reassign": "off",
+    "no-plusplus": "off",
+    "strict": "off"
+  }
+}

.gitignore

@@ -0,0 +1,10 @@
+logs
+*.log
+npm-debug.log*
+pids
+*.pid
+*.seed
+node_modules
+.npm
+.node_repl_history
+TODO

.nvmrc

@@ -0,0 +1 @@
+4

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Auth0, Inc. <[email protected]> (https://auth0.com)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,165 @@
+<div align="center">
+	<img src="https://cdn.auth0.com/styleguide/latest/lib/logos/img/logo-grey.png" alt="auth0" width="90px"/>
+    <br/><br/>
+    <p><strong>Repo-supervisor</strong> is a serverless tool that detects secrets and passwords in your pull requests - on file at a time.</p>
+</div>
+
+## Command line mode
+
+To start using tool without setting up webhooks etc. you can start scanning local directories right after downloading the source code:
+
+```bash
+npm run build
+npm run cli ./src/
+```
+
+## Setup
+
+The recommended way is to clone this repository, install required dependencies and run script to deploy a script on the webtask.io platform.
+
+```bash
+ git clone [email protected]:auth0/repo-supervisor.git
+ cd repo-supervisor
+
+ npm install
+ GITHUB_TOKEN=<token> JWT_SECRET=<secret> npm deploy
+```
+
+After script was deployed it will return a URL address to your webtask which then you can use to setup a webhook.
+
+_If you want to deploy webtask with profile different than a standard one you should set env. variable called `WT_PROFILE=myprofile` just before or right after `GITHUB_TOKEN` variable._
+
+## Webhook
+
+Installing webhook is easy and there is no difference to other webhooks provided by i.e. Zapier or IFTTT.
+
+Before installing a webhook you need to build and install this tool. As a result `npm deploy` should return the URL address to your deployed webtask. Point your **Payload URL** to webtask url and you're ready to go.
+
+<div style="text-align:center"><img src="docs/webhook.setup.png"/></div>
+
+> Which events would you like to trigger this webhook?
+
+- [x] Let me select individual events.
+- [x] Pull request
+
+## Requirements
+
+After installing all required packages with `npm` the one additional tool is `wt-cli` to communicate with [webtask.io](https://webtask.io).
+
+If you don't have an account then create a new one, **it's free**. All details related to `wt-cli` are available in the [documentation](https://webtask.io/docs/wt-cli).
+
+Installation process:
+
+```bash
+npm install -g wt-cli
+```
+
+## Introduction
+
+It happens sometimes that you can commit secrets or passwords to your repository by accident. The recommended best practice is not commit the secrets, that's obvious. But not always that obvious when you have a big merge waiting to be reviewed.
+
+This tool allows you to setup a `webhook` that waits for the Pull Requests and scans all interesting files to check for leaked secrets. Every time PR is updated it rescans latest changes and generates a report.
+
+<div style="text-align:center"><img src="docs/report.preview.png"/></div>
+
+Both acknowledge and rejection actions are triggering Slack notification which allows to whether improve or fix secrets detection rules.
+
+**Acknowledge** report (YES): Approve that report as valid, detected strings are actual secrets.
+
+**Reject** report (NO): Reject report, detected secrets are not credentials but only object identifiers, messages or other not related strings. It will help to improve the false-positives ratio.
+
+
+## Security checks
+
+Tool is easily extendable by adding new filter and parsers for a specific format, for now we support `json` and `js` parsing.
+
+- **Entropy Meter** - measures the level of entropy for extracted strings. The higher the entropy the higher probability of detecting a secret/password.
+
+## Testing
+
+Testing this tool is super easy without a need to install the actual source code on the webtask platform.
+
+1\. Start local wt-cli server
+
+```bash
+ cd repo-supervisor
+ GITHUB_TOKEN=<github_token> JWT_SECRET=<random_secret> npm start
+```
+
+It will trigger the built-in server and listen by default at `localhost` on port `7070` if not changed (env: `PORT`, `HOST`).
+
+2\. Run local `ngrok` tunnel
+
+```bash
+ngrok http 7070
+```
+
+Output:
+
+```bash
+Session Status                online
+Region                        United States (us)
+Web Interface                 http://127.0.0.1:4040
+Forwarding                    http://b1942011.ngrok.io -> localhost:7070
+Forwarding                    https://b1942011.ngrok.io -> localhost:7070
+```
+
+3\. Setup webhook URL so it points to `ngrok` URL.
+
+[Ngrok](https://ngrok.com/) is a really useful tool, it allows you to inspect **every** request send to your ngrok's endpoint so you can verify data in/out.
+
+
+## Dependencies
+
+All required dependencies are enforced in specific versions on the webtask.io platform by using metadata setting.
+
+```bash
+--meta wt-node-dependencies=$(./bin/get.wt.deps.sh)
+```
+
+_get.wt.deps.sh_ script returns a list of dependencies extracted from `package.json` file.
+
+```bash
+→ ./bin/get.wt.deps.sh
+{"acorn":"4.0.11","bluebird":"3.4.7","github":"8.2.1","handlebars":"4.0.6","handlebars-loader":"1.4.0","jsonwebtoken":"7.3.0","lodash":"4.17.4"}
+```
+
+Without the enforcement policy it would break the installation since older version of libraries are not compatible with current code.
+
+## What is Auth0?
+
+Auth0 helps you to:
+
+* Add authentication with [multiple authentication sources](https://docs.auth0.com/identityproviders),
+either social like **Google, Facebook, Microsoft Account, LinkedIn, GitHub, Twitter, Box, Salesforce,
+amont others**, or enterprise identity systems like **Windows Azure AD, Google Apps, Active Directory,
+ADFS or any SAML Identity Provider**.
+* Add authentication through more traditional
+**[username/password databases](https://docs.auth0.com/mysql-connection-tutorial)**.
+* Add support for **[linking different user accounts](https://docs.auth0.com/link-accounts)** with
+the same user.
+* Support for generating signed [Json Web Tokens](https://docs.auth0.com/jwt) to call your APIs and
+**flow the user identity** securely.
+* Analytics of how, when and where users are logging in.
+* Pull data from other sources and add it to the user profile, through
+[JavaScript rules](https://docs.auth0.com/rules).
+
+## Create a free account in Auth0
+
+1. Go to [Auth0](https://auth0.com) and click Sign Up.
+2. Use Google, GitHub or Microsoft Account to login.
+
+## Issue Reporting
+
+If you have found a bug or if you have a feature request, please report them at this repository
+issues section. Please do not report security vulnerabilities on the public GitHub issue tracker.
+The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for
+disclosing security issues.
+
+## Author
+
+[Auth0](https://auth0.com)
+
+## License
+
+This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info.

bin/get.wt.deps.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+JQ_BIN=$(which jq)
+PCKG_FILE="package.json"
+
+if [ ! -e "$JQ_BIN" ]; then
+  echo -e \
+       "ERROR:\n" \
+       "You need to install jq dependency (JSON tool)\n" \
+       "OSX:   brew install jq\n" \
+       "Linux: apt-get install jq"
+  exit 1
+fi
+
+if [ ! -e "$PCKG_FILE" ]; then
+  echo -e \
+       "ERROR:\n" \
+       "package.json not found"
+  exit 2
+fi
+
+printf $(cat "$PCKG_FILE" | "$JQ_BIN" -r '.dependencies | tostring' | awk '{ gsub("\\^|~","",$1); print $1 }')

bin/webpack

@@ -0,0 +1 @@
+../node_modules/.bin/webpack

bin/wt

@@ -0,0 +1 @@
+../node_modules/.bin/wt

config/filters.json

@@ -0,0 +1,25 @@
+[
+  {
+    "ext": ".js",
+    "filters": ["entropy.meter/index.js"],
+    "parser": {
+      "module": "tokenizer/js/index.js",
+      "config": {
+        "allowReturnOutsideFunction": true,
+        "allowImportExportEverywhere": true,
+        "allowHashBang": true
+      }
+    }
+  },
+  {
+    "ext": ".json",
+    "filters": ["entropy.meter/index.js"],
+    "parser": {
+      "module": "tokenizer/json/index.js",
+      "config": {
+        "checkObjectKeys": true,
+        "checkObjectValues": true
+      }
+    }
+  }
+]

config/filters/entropy.meter.json

@@ -0,0 +1,25 @@
+{
+  "errors": {
+    "general": "The entropy level for strings is too high. It may be a result of passwords or secrets stored in your files. Check files listed together with highlighted strings. Migrate any detected secrets."
+  },
+  "preFilters": [
+    "authentication.urls.js",
+    "css.selectors.js",
+    "email.addresses.js",
+    "local.paths.js",
+    "min.length.js",
+    "multiple.words.js",
+    "object.keys.identifiers.js",
+    "skip.prefixes.js"
+  ],
+  "options": {
+    "entropyPrecision": 4,
+    "maxAllowedEntropy": 4,
+    "preFilters": {
+      "skipPrefixes": [
+        "test-", "foobar-"
+      ],
+      "minStringLength": 15
+    }
+  }
+}

config/main.json

@@ -0,0 +1,15 @@
+{
+  "name": "Supervisor",
+  "pullRequests": {
+    "allowedActions": ["opened", "synchronize"],
+    "allowedExtensions": [".js", ".json"],
+    "excludedPaths": ["^test"],
+    "updateGithubStatus": true
+  },
+  "runTriggers": true,
+  "statusMessages": {
+    "error": "Security issues detected, check report for details.",
+    "pending": "We are scanning, please wait...",
+    "success": "No security issues were found, well done!"
+  }
+}

config/webpack.js

@@ -0,0 +1,51 @@
+const nodeExternals = require('webpack-node-externals');
+const path = require('path');
+const webpack = require('webpack');
+
+const distPath = path.join(__dirname, '../dist');
+
+module.exports = {
+  entry: {
+    cli: './src/cli.js',
+    webtask: './src/index.js'
+  },
+  output: {
+    path: distPath,
+    filename: '[name].js',
+    libraryTarget: 'commonjs2'
+  },
+  target: 'async-node',
+  externals: [nodeExternals()],
+  resolve: {
+    alias: {
+      filters: path.resolve(__dirname, '../src/filters'),
+      parser: path.resolve(__dirname, '../src/parser')
+    }
+  },
+  module: {
+    loaders: [
+      { test: /\.json$/, loader: 'json-loader' },
+      { test: /\.handlebars$/,
+        loader: `handlebars-loader?helperDirs[]=${__dirname}/../src/render/templates/helpers` },
+      { test: /\.js$/, exclude: /node_modules/, loader: 'babel-loader' }
+    ]
+  },
+  plugins: [
+    new webpack.optimize.UglifyJsPlugin({
+      output: {
+        comments: false // remove comments
+      },
+      compress: {
+        unused: true,
+        dead_code: true, // big one--strip code that will never execute
+        warnings: false, // good for prod apps so users can't peek behind curtain
+        drop_debugger: true,
+        conditionals: true,
+        evaluate: true,
+        drop_console: false, // strips console statements
+        sequences: true,
+        booleans: true
+      }
+    })
+  ]
+};