¶ Whispers
https://github.com/Skyscanner/whispers
Whispers is a static code analysis tool designed for parsing various common data formats in search of hardcoded credentials and dangerous functions. Whispers can run in the CLI or you can integrate it in your CI/CD pipeline.
¶ Detects
-
Passwords
-
API tokens
-
AWS keys
-
Private keys
-
Hashed credentials
-
Authentication tokens
-
Dangerous functions
-
Sensitive files
¶ Findings Examples
¶ Supported Formats
The following commonly used formats are currently supported:
-
YAML
-
JSON
-
XML
-
.npmrc
-
.pypirc
-
.htpasswd
-
.properties
-
pip.conf
-
conf / ini
-
Dockerfile
-
Dockercfg
-
Shell scripts
-
Python3
The following language files are parsed as text, and checked for common variable declaration and assignment patterns:
-
JavaScript
-
Java
-
Go
-
PHP
¶ Special Formats
-
AWS credentials files
-
JDBC connection strings
-
Jenkins config files
-
SpringFramework Beans config files
-
Java Properties files
-
Dockercfg private registry auth files
-
Github tokens