Tarang-singhal/AWS_Key_Checker

IAM Key Scanner

The IAM Key Scanner is a GoLang script that scans a Git repository for potential AWS IAM keys. It helps identify hardcoded access key IDs and secret access keys, which could pose security risks if leaked.

Getting Started

Prerequisites

  • GoLang (1.13 or above)
  • Git (command-line tool)

Installation

  1. Clone the repository:

    git clone https://github.com/tarang-singhal/IAM-Scanner.git

  2. Change to the repository directory:

    cd your-repo

  3. Execute the GoLang script with the repository URL as the argument:

    go run main.go <git repository url>

Usage

  1. Provide the Git repository URL as the command-line argument when running the script or enter it manually in the code.
  2. The script will clone the repository (if not already cloned) and perform the IAM key scan.
  3. Valid IAM credentials found will be displayed in the console.

Functions

The IAM Key Scanner includes the following functions:

main

The main function serves as the entry point of the application. It orchestrates the execution flow by invoking various functions to scan the Git repository for embedded AWS IAM keys and check their validity.

Here is a breakdown of the steps performed in the main function:

  1. Parsing Command-Line Arguments: The repository URL is retrieved from the command-line arguments using os.Args[1].

  2. Cloning the Repository: The CloneRepository function is called to clone the repository from the provided URL. It returns the path to the cloned repository directory. If the repository is already cloned, it skips the cloning process.

  3. Scanning the Repository: The scanRepository function is called, passing the repository path as an argument. This function scans the repository for potential AWS IAM keys by analyzing the commits and changed files.

  4. Checking and Printing Valid Credentials: The checkAndPrintValidKeys function is called, passing the found IAM Ids and keys as arguments. It checks the validity of each pair of IAM Ids and keys by invoking the CheckAccessKeysValidity function. If a pair is valid, it prints the details of the valid credentials.

The main function acts as the driver of the application, coordinating the execution of the various functions to accomplish the goal of identifying and validating embedded AWS IAM keys in the Git repository.

CloneRepository(repositoryURL string) (string, error)

This function clones the repository from the given URL. It takes the repository URL as input and returns the cloned repository's name and any error encountered during the cloning process.

Detailed Explanation:

  1. The CloneRepository function calls the getRepositoryName function to get the name of the repository.

  2. It checks if the repository directory already exists. If not, it proceeds with cloning.

  3. The function executes a Git command to clone the repository using the provided URL and repository name.

  4. If the cloning process encounters an error, the function logs the error and returns an error message.

  5. If the cloning process is successful, the function logs a success message and returns the cloned repository's name.

scanRepository(repositoryName string) (foundIds, foundKeys []MatchCase)

This function is the main scanning function that performs the IAM key scan on the repository. It takes the repository directory name as input and returns two slices: foundIds and foundKeys. These slices contain the identified potential IAM IDs and keys, respectively.

Detailed Explanation:

  1. The scanRepository function starts by creating two empty slices, foundIds and foundKeys, to store the identified IAM IDs and keys, respectively.

  2. It retrieves a list of commit IDs for the given repository using the GetCommitIds function.

  3. The function concurrently processes each commit ID using goroutines and the filterPotentialIAMKeys function.

  4. Inside the filterPotentialIAMKeys function, the script executes Git commands to obtain the list of changed files for the commit.

  5. For each changed file, it retrieves the file content using another Git command.

  6. The function applies regular expressions to match potential IAM IDs and keys within the file content.

  7. If a match is found, it creates a MatchCase struct containing the line number, match value, file path, and commit ID, and appends it to the corresponding slice (foundIds for IAM IDs or foundKeys for IAM keys).

  8. Once all commits have been processed, the scanRepository function returns the foundIds and foundKeys slices.

The scanRepository function is responsible for coordinating the scanning process, identifying potential IAM credentials, and storing them for further processing or display.

checkAndPrintValidKeys(foundIds, foundKeys []MatchCase)

The checkAndPrintValidKeys function is responsible for checking the validity of potential key pairs and printing the ones that are valid. It takes two arguments: foundIds and foundKeys, which are slices containing instances of the MatchCase struct.

The function uses a sync.WaitGroup to synchronize the goroutines that check the validity of each key pair. For each ID-key pair, a goroutine is created to asynchronously check the validity. The sync.WaitGroup is used to wait for all goroutines to finish before proceeding.

Within each goroutine, the CheckAccessKeysValidity function from the utility package is called to check the validity of the ID-key pair. If the key pair is valid, a formatted output is printed, indicating the secret ID, secret key, file path, line number, and commit ID.

Here's a breakdown of the function's steps:

  1. Create a sync.WaitGroup to synchronize the goroutines.
  2. Iterate over each found ID and key pair.
  3. For each pair, create a goroutine to asynchronously check the validity.
  4. In each goroutine, call the CheckAccessKeysValidity function to check the validity.
  5. If the key pair is valid, print the details on the console.
  6. Wait for all goroutines to finish using wg.Wait().
  7. Print an empty line for formatting.

The checkAndPrintValidKeys function plays a crucial role in identifying and highlighting valid IAM key pairs that have potentially been embedded in the repository, helping in the detection of valid credentials and potential security risks.
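The Sample Output below shows what the pairing described here costs: every found ID is combined with every found key, and several identical combinations are checked more than once, so each spurious pair is a live STS call carrying a candidate secret. The following is an added example, not code from this project, showing one way to order the work: pairs found in the same commit and file are checked first (nearest lines first), repeated ID/secret combinations are dropped, and an ID is not tried against further secrets once one has validated for it. The validity check is injected as a function so the logic runs offline; in a real run the project's CheckAccessKeysValidity would be passed instead. The MatchCase field names, the Pair type, offlineChecker and the constructed findings are assumptions; the credential values are the example credentials from AWS documentation, not live keys.

```go
package main

import (
	"fmt"
	"sort"
)

// MatchCase mirrors the four fields the README describes; the identifiers are assumed.
type MatchCase struct {
	LineNumber int
	Value      string
	FilePath   string
	CommitID   string
}

// Pair is one ID/secret combination to validate. Distance is the line gap when both
// halves sit in the same file and commit, or -1 for a cross-file pairing.
type Pair struct {
	ID, Key  MatchCase
	Distance int
}

// Constructed findings: two credential pairs, each committed together, plus a repeat
// of the first key ID in another file. Values are AWS documentation example credentials.
var constructedIDs = []MatchCase{
	{LineNumber: 1, Value: "AKIAIOSFODNN7EXAMPLE", FilePath: ".config", CommitID: "c1"},
	{LineNumber: 6, Value: "AKIAI44QH8DHBEXAMPLE", FilePath: "leak.js", CommitID: "c2"},
	{LineNumber: 3, Value: "AKIAIOSFODNN7EXAMPLE", FilePath: "app.js", CommitID: "c3"},
}

var constructedKeys = []MatchCase{
	{LineNumber: 2, Value: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", FilePath: ".config", CommitID: "c1"},
	{LineNumber: 7, Value: "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY", FilePath: "leak.js", CommitID: "c2"},
}

// rankPairs enumerates every ID/key combination, as the README's scanner does, but puts
// pairs from the same commit and file first, nearest lines first. Cross-file pairs
// follow as a fallback instead of being checked on equal footing.
func rankPairs(ids, keys []MatchCase) []Pair {
	var local, cross []Pair
	for _, id := range ids {
		for _, key := range keys {
			if id.CommitID == key.CommitID && id.FilePath == key.FilePath {
				d := id.LineNumber - key.LineNumber
				if d < 0 {
					d = -d
				}
				local = append(local, Pair{ID: id, Key: key, Distance: d})
			} else {
				cross = append(cross, Pair{ID: id, Key: key, Distance: -1})
			}
		}
	}
	sort.SliceStable(local, func(i, j int) bool { return local[i].Distance < local[j].Distance })
	return append(local, cross...)
}

// dedupePairs drops repeated (ID value, secret value) combinations: the same secret is
// often committed more than once, and each repeat would otherwise cost another check.
func dedupePairs(pairs []Pair) []Pair {
	seen := make(map[[2]string]bool, len(pairs))
	out := make([]Pair, 0, len(pairs))
	for _, p := range pairs {
		k := [2]string{p.ID.Value, p.Key.Value}
		if seen[k] {
			continue
		}
		seen[k] = true
		out = append(out, p)
	}
	return out
}

// validateInOrder walks the ranked pairs and skips further combinations for a key ID
// once one secret has validated for it. check is injected so this runs offline; the
// project's CheckAccessKeysValidity has the same shape. Returns the validated pairs
// and the number of checks issued.
func validateInOrder(pairs []Pair, check func(id, key string) (bool, error)) (valid []Pair, calls int) {
	resolved := make(map[string]bool)
	for _, p := range pairs {
		if resolved[p.ID.Value] {
			continue
		}
		calls++
		ok, err := check(p.ID.Value, p.Key.Value)
		if err != nil {
			fmt.Printf("check failed for %s: %v\n", p.ID.Value, err)
			continue
		}
		if ok {
			resolved[p.ID.Value] = true
			valid = append(valid, p)
		}
	}
	return valid, calls
}

// offlineChecker stands in for the STS call: it accepts only the two constructed pairs.
func offlineChecker(id, key string) (bool, error) {
	good := map[string]string{
		"AKIAIOSFODNN7EXAMPLE": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
		"AKIAI44QH8DHBEXAMPLE": "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY",
	}
	return good[id] == key, nil
}

func main() {
	pairs := dedupePairs(rankPairs(constructedIDs, constructedKeys))
	valid, calls := validateInOrder(pairs, offlineChecker)
	fmt.Printf("%d candidate pairs, %d checks issued, %d valid\n", len(pairs), calls, len(valid))
	for _, p := range valid {
		fmt.Printf("  %s  %s:%d @ %s\n", p.ID.Value, p.ID.FilePath, p.ID.LineNumber, p.ID.CommitID)
	}
}
```

With the constructed findings, six raw combinations reduce to four after deduplication and only two checks are issued, both against the co-located pair. On a repository with many stale secrets the same ordering keeps the number of candidate secrets sent to STS close to the number of real credentials.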

filterPotentialIAMKeys(commitId string, repositoryName string, wg *sync.WaitGroup, secretKeys chan<- *[]MatchCase, secretTokens chan<- *[]MatchCase)

This function filters the potential IAM keys in a particular commit. It takes the commit ID, repository name, a wait group, and two channels as input and does not return any value.

Detailed Explanation:

  1. The function receives the commit ID, repository name, a wait group (wg), and two channels (secretKeys and secretTokens) as parameters.

  2. It executes a Git command to get all the changed files of the commit.

  3. The function splits the output to obtain a list of changed files.

  4. For each changed file, it executes a Git command to get the content of the file.

  5. The function applies regular expression patterns to match AWS secret access keys and secret tokens within the file content.

  6. If a match is found, it creates a MatchCase struct containing the line number, match value, file path, and commit ID.

  7. It sends the MatchCase struct to the corresponding channel (secretKeys for IAM keys or secretTokens for IAM tokens).

  8. Once all files have been processed, the function signals the wait group that it has completed.
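The regular-expression step described here and in scanRepository above, as an added example that is not the project's code: file content is scanned line by line, access key IDs are matched by their 20-character shape, and the 40-character secret pattern is gated on a "secret ... key" assignment on the same line so that digests and random tokens of the same length are not reported (the STS check stays the final arbiter). Each hit is stored with line number, value, path and commit, as the README describes for MatchCase. The patterns, the MatchCase field names and the redact helper are assumptions; the sample content is constructed and uses the example credentials from AWS documentation, not live keys. redact is included because the Sample Output below prints full secret keys to the console, which re-leaks the credential into terminal scrollback and logs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// MatchCase records where a candidate credential was found. The README names these
// four fields; the Go identifiers here are assumed, not taken from the project.
type MatchCase struct {
	LineNumber int
	Value      string
	FilePath   string
	CommitID   string
}

// Access key IDs are 20 characters: a four-letter prefix (AKIA for long-term user
// keys, ASIA for temporary STS keys) followed by 16 uppercase alphanumerics.
var accessKeyIDPattern = regexp.MustCompile(`\b(?:AKIA|ASIA)[A-Z0-9]{16}\b`)

// Secret access keys are 40 base64-alphabet characters. That shape alone also matches
// digests and random tokens, so the pattern is gated on a "secret ... key" style
// assignment on the same line and must end at a non-key character or end of line.
var secretKeyPattern = regexp.MustCompile(
	`(?i)(?:aws)?_?secret(?:_access)?_?key\s*[:=]\s*["']?([A-Za-z0-9/+=]{40})(?:[^A-Za-z0-9/+=]|$)`)

// sampleContent is constructed input; the credentials are AWS documentation example
// values. Line 5 is a 40-character hex digest that the secret pattern must ignore.
const sampleContent = `[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
artifact_sha1 = 3f786850e387550fdab836ed7e6dc881de23001b
`

// scanContent applies both patterns line by line to one file's content and tags each
// hit with its line number, path and commit.
func scanContent(content, filePath, commitID string) (ids, keys []MatchCase) {
	for i, line := range strings.Split(content, "\n") {
		for _, m := range accessKeyIDPattern.FindAllString(line, -1) {
			ids = append(ids, MatchCase{LineNumber: i + 1, Value: m, FilePath: filePath, CommitID: commitID})
		}
		for _, sm := range secretKeyPattern.FindAllStringSubmatch(line, -1) {
			keys = append(keys, MatchCase{LineNumber: i + 1, Value: sm[1], FilePath: filePath, CommitID: commitID})
		}
	}
	return ids, keys
}

// redact keeps the first four characters of a secret so that the scanner's own
// console output and logs do not re-leak what it found.
func redact(secret string) string {
	if len(secret) <= 4 {
		return strings.Repeat("*", len(secret))
	}
	return secret[:4] + strings.Repeat("*", len(secret)-4)
}

func main() {
	// constructed commit id, not from any real repository
	ids, keys := scanContent(sampleContent, ".config", "0000000000000000000000000000000000000000")
	for _, m := range ids {
		fmt.Printf("key id  %s  %s:%d @ %s\n", m.Value, m.FilePath, m.LineNumber, m.CommitID[:7])
	}
	for _, m := range keys {
		fmt.Printf("secret  %s  %s:%d @ %s\n", redact(m.Value), m.FilePath, m.LineNumber, m.CommitID[:7])
	}
}
```

Running it reports one key ID on line 2 and one secret on line 3; the digest on line 5 has the right length but no credential context and is not reported. The key ID is printed in full because it is not secret on its own, while the secret is redacted to its first four characters.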

GetCommitIds(repositoryName string) []string

This function retrieves all commit IDs of the repository. It takes the repository name as input and returns a slice of commit IDs.

Detailed Explanation:

  1. The GetCommitIds function executes a Git command to retrieve all commit IDs of the given repository.

  2. It captures the command output and splits it into individual commit IDs.

  3. The function trims any surrounding quotes from each commit ID.

  4. It returns the resulting slice of commit IDs.

getRepositoryName(repositoryURL string) string

This function extracts the name of the cloned repository from the repository URL. It takes the repository URL as input and returns the repository name.

Detailed Explanation:

  1. The getRepositoryName function splits the repository URL by slashes to obtain its parts.

  2. It retrieves the last part of the URL, which should be the repository name.

  3. If the repository name has the ".git" extension, it trims the extension from the name.

  4. The function returns the formatted repository name.
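The name derivation above, hardened, as an added example that is not the project's code. Where getRepositoryName splits on slashes and trims ".git", this version parses the URL with net/url, accepts only https, ssh and git schemes, tolerates a trailing slash, and refuses any result that could leave the fetchedRepos directory the Sample Output shows clones landing in ("..", an empty name, or an option-looking name such as "-flag"). cloneArgs then builds the argv a CloneRepository would hand to exec.Command, with the "--" terminator so the URL can only be read as a positional argument. The function names repositoryName and cloneArgs, the safeName pattern, and the example.com URLs are assumptions; the GitHub URL is the one from the Installation section.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"regexp"
	"strings"
)

// Directory names allowed under fetchedRepos must start with a letter or digit, so
// ".", "..", "" and option-looking names such as "-flag" are all rejected.
var safeName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// repositoryName derives the clone directory name from the URL. It parses the URL,
// accepts only Git transport schemes, trims a trailing slash and the ".git" suffix,
// and validates the result. scp-style addresses (git@host:owner/repo.git) are not
// URLs and are rejected by url.Parse; use the ssh:// form for those.
func repositoryName(repositoryURL string) (string, error) {
	u, err := url.Parse(repositoryURL)
	if err != nil {
		return "", err
	}
	switch u.Scheme {
	case "https", "ssh", "git":
	default:
		return "", fmt.Errorf("unsupported scheme %q in %q", u.Scheme, repositoryURL)
	}
	name := path.Base(strings.TrimSuffix(strings.TrimRight(u.Path, "/"), ".git"))
	if !safeName.MatchString(name) {
		return "", fmt.Errorf("refusing unsafe repository name %q", name)
	}
	return name, nil
}

// cloneArgs builds the argv for `git clone`. The "--" terminator makes git treat the
// URL strictly as a positional argument, so input beginning with "-" cannot be parsed
// as an option; exec.Command passes argv directly, with no shell involved.
func cloneArgs(repositoryURL string) ([]string, error) {
	name, err := repositoryName(repositoryURL)
	if err != nil {
		return nil, err
	}
	return []string{"clone", "--", repositoryURL, filepath.Join("fetchedRepos", name)}, nil
}

func main() {
	for _, in := range []string{
		"https://github.com/tarang-singhal/IAM-Scanner.git",
		"https://github.com/tarang-singhal/IAM-Scanner/",
		"https://example.com/..",         // constructed: would resolve above fetchedRepos
		"https://example.com/-upload",    // constructed: option-looking name
		"git@github.com:owner/repo.git",  // constructed: scp-style, not a URL
	} {
		args, err := cloneArgs(in)
		if err != nil {
			fmt.Printf("%-52s rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-52s git %s\n", in, strings.Join(args, " "))
	}
}
```

The two GitHub forms both resolve to fetchedRepos/IAM-Scanner, while the three constructed inputs are rejected before any git process is started.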

CheckAccessKeysValidity(accessKey, secretKey string) (bool, error)

This function checks the validity of an IAM key by making a basic API call. It takes an access key and secret key as input and returns a boolean indicating the key's validity and any error encountered during the process.

Detailed Explanation:

  1. The CheckAccessKeysValidity function creates an AWS session using the provided access key and secret key.

  2. It creates a Security Token Service (STS) client using the AWS session.

  3. The function makes an API call to GetCallerIdentity to check the validity of the provided IAM key.

  4. If the API call encounters an "AccessDenied" or "InvalidClientTokenId" error, it indicates that the key is invalid and returns false.

  5. If any other error occurs, the function returns an error message.

  6. If no error occurs during the API call, the function indicates that the key is valid and returns true.

PrettyPrint(v interface{}) string

This function formats and pretty prints a given value as a JSON string. It takes an interface value as input and returns the formatted JSON string.

Detailed Explanation:

  1. The PrettyPrint function marshals the input value into a JSON string with indentation.

  2. If the marshaling process encounters an error, the function returns the error message.

  3. If the marshaling process is successful, the function returns the formatted JSON string.

Sample Output

   go run main.go https://github.com/abhishek-pingsafe/Devops-Node
2023/06/19 14:02:04 Repository cloned successfully! -  fetchedRepos/Devops-Node

All CommitIds -  [
  "67975c9f71b84901729ccac14162318ec7d5b89d",
  "a24771e4678261b3b9ceb3e222eb02539b3d9d05",
  "94006ad4c1b6432702d0f663e17e2af9f35e91d9",
  "373b38356967cd38d9b70e3840e41bed0736c21c",
  "d01c9b4c5fe063be55102f30187c6bc45ef7e024"
]

Checking Commit Id -  67975c9f71b84901729ccac14162318ec7d5b89d
Checking Commit Id -  a24771e4678261b3b9ceb3e222eb02539b3d9d05
Checking Commit Id -  94006ad4c1b6432702d0f663e17e2af9f35e91d9
Checking Commit Id -  373b38356967cd38d9b70e3840e41bed0736c21c
Checking Commit Id -  d01c9b4c5fe063be55102f30187c6bc45ef7e024

Scanning file - .config, for commitId - 67975c9f71b84901729ccac14162318ec7d5b89d 

Scanning file - app.js, for commitId - 373b38356967cd38d9b70e3840e41bed0736c21c 

Scanning file - leak.js, for commitId - 94006ad4c1b6432702d0f663e17e2af9f35e91d9 

Scanning file - app.js, for commitId - a24771e4678261b3b9ceb3e222eb02539b3d9d05 

Scanning file - leak.js, for commitId - a24771e4678261b3b9ceb3e222eb02539b3d9d05 

Checking potential keys ->  AKIAUMNA5JFAU5RDXHEG j3JgkGbF3f7PLALLViCB+mw1W9plkfneqvAFT2B2
Checking potential keys ->  AKIAUMNA5JFA62FXEE4F WCCgBZuC19LCJOFlkBgKFoeqYoWzR+7SzfHD04M3
Checking potential keys ->  AKIA57VFSPPO3QT5WAXG C32AzNrF6ZCZs8fqS82UXisHrrimjB98SDpQ6d5A
Checking potential keys ->  AKIAUMNA5JFA62FXEE4F j3JgkGbF3f7PLALLViCB+mw1W9plkfneqvAFT2B2
Checking potential keys ->  AKIA57VFSPPO3QT5WAXG 7k+ptP9Ud9KuwV0Ren28YGxpx5hEMjm6IK4ay8US
Checking potential keys ->  AKIAUMNA5JFA62FXEE4F C32AzNrF6ZCZs8fqS82UXisHrrimjB98SDpQ6d5A
Checking potential keys ->  AKIA57VFSPPO3QT5WAXG WCCgBZuC19LCJOFlkBgKFoeqYoWzR+7SzfHD04M3
Checking potential keys ->  AKIAUMNA5JFAU5RDXHEG C32AzNrF6ZCZs8fqS82UXisHrrimjB98SDpQ6d5A
Checking potential keys ->  AKIAUMNA5JFAU5RDXHEG WCCgBZuC19LCJOFlkBgKFoeqYoWzR+7SzfHD04M3
Checking potential keys ->  AKIAUMNA5JFAU5RDXHEG 7k+ptP9Ud9KuwV0Ren28YGxpx5hEMjm6IK4ay8US
Checking potential keys ->  AKIA57VFSPPO3QT5WAXG 7k+ptP9Ud9KuwV0Ren28YGxpx5hEMjm6IK4ay8US
Checking potential keys ->  AKIAUMNA5JFA62FXEE4F 7k+ptP9Ud9KuwV0Ren28YGxpx5hEMjm6IK4ay8US
Checking potential keys ->  AKIAUMNA5JFAXO65BXNJ WCCgBZuC19LCJOFlkBgKFoeqYoWzR+7SzfHD04M3
Checking potential keys ->  AKIAUMNA5JFAXO65BXNJ j3JgkGbF3f7PLALLViCB+mw1W9plkfneqvAFT2B2
Checking potential keys ->  AKIAUMNA5JFAXO65BXNJ C32AzNrF6ZCZs8fqS82UXisHrrimjB98SDpQ6d5A
Checking potential keys ->  AKIAUMNA5JFAXO65BXNJ 7k+ptP9Ud9KuwV0Ren28YGxpx5hEMjm6IK4ay8US
Checking potential keys ->  AKIA57VFSPPO3QT5WAXG C32AzNrF6ZCZs8fqS82UXisHrrimjB98SDpQ6d5A
Checking potential keys ->  AKIA57VFSPPO3QT5WAXG j3JgkGbF3f7PLALLViCB+mw1W9plkfneqvAFT2B2
Checking potential keys ->  AKIA57VFSPPO3QT5WAXG 7k+ptP9Ud9KuwV0Ren28YGxpx5hEMjm6IK4ay8US
Checking potential keys ->  AKIA57VFSPPO3QT5WAXG j3JgkGbF3f7PLALLViCB+mw1W9plkfneqvAFT2B2
Checking potential keys ->  AKIA57VFSPPO3QT5WAXG 7k+ptP9Ud9KuwV0Ren28YGxpx5hEMjm6IK4ay8US
Checking potential keys ->  AKIAUMNA5JFAXO65BXNJ 7k+ptP9Ud9KuwV0Ren28YGxpx5hEMjm6IK4ay8US
Checking potential keys ->  AKIAUMNA5JFA62FXEE4F 7k+ptP9Ud9KuwV0Ren28YGxpx5hEMjm6IK4ay8US
Checking potential keys ->  AKIA57VFSPPO3QT5WAXG WCCgBZuC19LCJOFlkBgKFoeqYoWzR+7SzfHD04M3
Checking potential keys ->  AKIAUMNA5JFAU5RDXHEG 7k+ptP9Ud9KuwV0Ren28YGxpx5hEMjm6IK4ay8US
------------------------------------------------------
Valid crdentials found
SecretId - AKIAUMNA5JFAXO65BXNJ, filePath - .config, lineNumber - 1, commitId - 67975c9f71b84901729ccac14162318ec7d5b89d 
SecretKey - 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, filePath - .config, lineNumber - 2, commitId - 67975c9f71b84901729ccac14162318ec7d5b89d 
------------------------------------------------------
------------------------------------------------------
Valid crdentials found
SecretId - AKIAUMNA5JFAU5RDXHEG, filePath - leak.js, lineNumber - 6, commitId - a24771e4678261b3b9ceb3e222eb02539b3d9d05 
SecretKey - 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, filePath - leak.js, lineNumber - 7, commitId - a24771e4678261b3b9ceb3e222eb02539b3d9d05 
------------------------------------------------------
