Introducing Varunastra, an innovative tool designed to enhance the security of Docker environments. Named after The Varunastra (वरुणास्त्र), it is the water weapon according to the Indian scriptures, incepted by Varuna, god of hydrosphere. Varunastra is engineered to detect and help mitigate vulnerabilities in Docker, ensuring robust security across all Docker containers and images.
- Secret Scanning: Reduces the risk of sensitive data leaks.
- Asset Extraction: Retrieves assets such as domain/subdomains and urls from Docker images for bug bounty hunters.
- Customizable Solution: Define regex patterns and blacklists to meet specific needs.
- Dependency Checks: Automates assessments for quicker threat identification.
Supported Lock Files
| Language | File |
|---|---|
| Ruby | Gemfile.lock |
| Javascript | package-lock.json, yarn.lock |
Supported Registry
| Registry | Scopes |
|---|---|
| DockerHub | Public |
| AWS ECR | Public |
| Google GCR | Public |
| Github GHCR | Public |
The data directory contains the default configuration files used by the tool for secret scanning.
🔧 config.yaml This is the default configuration file that controls which files and directories are included or excluded during secret scanning. It follows this structure:
# Configuration file for excluding known-safe paths from secret scanning.
regex_files:
path: "~/.config/varunastra/regexes.json"
# Path to an external JSON file containing additional regex patterns.
# This may be interpreted relative to the user's home directory.
blacklisted_patterns:
- pattern: "(.*/)?__pycache__"
# Skips scanning "__pycache__" directories, which contain non-sensitive Python bytecode.
whitelisted_patterns:
- pattern: "(.*/)?app"
# Ensures the "/app" directory is always scanned, even if it matches a blacklisted pattern.
This file allows users to define:
- Regex file path for additional scanning rules
- Blacklisted patterns: directories or files to ignore to reduce false positives
- Whitelisted patterns: directories or files that must always be scanned, even if blacklisted
📄 regexes.json This file contains the default regular expressions used for secret scanning. It follows a simple structure:
{
"Pattern": "the actual Go-compatible regex"
}Each entry defines a regex pattern that the scanner will run during scans. This allows for easy extension and customization of what the tool considers a secret.
You can install Varunastra using Go.
To install Varunastra using Go, run the following command:
go install github.com/redhuntlabs/Varunastra/cmd/varunastra@latestUsage: varunastra --target=STRING [flags]
Varunastra is a tool designed to detect and assist in mitigating vulnerabilities within Docker images.
- For images hosted on Docker Hub, simply provide the repository name (e.g., `datadog/agent`).
- For images from AWS or GCP, include the full registry URL (e.g., `public.ecr.aws/hashicorp/vault`).
If no tag is specified in the repository URL, the tool will automatically choose a tag from the available options for scanning.
Note: Domains are resolved via DNS queries, while URLs are extracted using regular expressions without resolution.
Flags:
-h, --help Show context-sensitive help.
--target=STRING Target repos
--scans=STRING Comma-separated scans (secrets,vuln,assets). By default all scans are true if not specified any.
--all Enable scanning for all tags.
--output=STRING Save JSON output to a file
varunastra --target devangsolankii/secrets --scans "secrets,vuln,assets"2024/11/04 12:29:37 Checking if config file exist
2024/11/04 12:29:39 Starting Scan for Tag: devangsolankii/secrets:v1.2
2024/11/04 12:29:39 Scanning Layer: sha256:51edc9808576655e8f3a0ce89e6d4d84eeba742af3376fc01d4522ecff379072
2024/11/04 12:29:39 Scanning Layer: sha256:59ee42d02ee5edca29b89e9d18b5bedd9400da38e1dcc0da4f22eaf19d24983b
2024/11/04 12:29:39 Scanning Layer: sha256:7d98d813d54f6207a57721008a4081378343ad8f1b2db66c121406019171805b
2024/11/04 12:29:39 Scanning Layer: sha256:da802df85c965baeca9d39869f9e2cbb3dc844d4627f413bfbb2f2c3d6055988
2024/11/04 12:29:39 Scanning Layer: sha256:e3d8693bad2fd07287529dd2f1bc71d431ed97f061cc8440707f144165fa8afc
2024/11/04 12:29:39 Scanning Layer: sha256:7aadc5092c3b7a865666b14bef3d4d038282b19b124542f1a158c98ea8c1ed1b
2024/11/04 12:29:39 Scanning Layer: sha256:eb173c1dbe92b367644a53adf5c004908921fa91460c054f2746046e481603fb
2024/11/04 12:29:39 Scanning Layer: sha256:d1d2216adb3bcbe1bb6f32f18f4b3a58350c5e2e7810728a488f405a444534ea
2024/11/04 12:29:39 Scanning Layer: sha256:f110c757afc5699d6587a989cc741d88e170d259506ecd3b6d9d0169c2dd1a47
2024/11/04 12:29:39 Scanning Layer: sha256:ad1c7cfc347f5c86fc2678b58f6a8fb6c6003471405760532fc3240b9eb1b343
2024/11/04 12:29:40
2024/11/04 12:29:40 Secrets found -> Type: Google API Key | Secret: AIzaSy0c3965368a6b10f7640dbda46abfdca98 | On Path: history:13
2024/11/04 12:29:40
2024/11/04 12:29:40 Secrets found -> Type: Google API Key | Secret: AIzaSy0c3965368a6b10f7640dbda46abfdca98 | On Path: history:18
2024/11/04 12:29:40 Scanning Layer: sha256:225e4516f59838f6d9e50e417461a30cce68d46786ee91df26e3c11e1eeb4948
2024/11/04 12:29:40 Scanning Layer: sha256:758f280dcc0fda3ba816ff06ff816511657120ea934adb600f3493c865a470cd
2024/11/04 12:29:40 Scanning Layer: sha256:4d5d29abf42d13611191d85daa10cc50bf2bde22d7bfd4f3de5447a5d888f14b
2024/11/04 12:29:40
2024/11/04 12:29:40 Secrets found -> Type: Password in URL | Secret: https://admmin:[email protected]:9000/" | On Path: app/app.js
2024/11/04 12:29:40
2024/11/04 12:29:40 Secrets found -> Type: PGP private key block | Secret: -----BEGIN PGP PRIVATE KEY BLOCK----- | On Path: etc/ImageMagick-6/mime.xml
2024/11/04 12:29:41
2024/11/04 12:29:41 Secrets found -> Type: AWS Access Key | Secret: ABIAK52LPFORPRUCRC22 | On Path: app/.env
2024/11/04 12:31:13 Scanning completed.
[
{
"target": "devangsolankii/secrets:v1.2",
"secrets": [
{
"issue": "Secret Leaked in Docker Layer sha256:758f280dcc0fda3ba816ff06ff816511657120ea934adb600f3493c865a470cd",
"asset": "app/.env",
"type": "AWS Access Key",
"secret": "ABIAK52LPFORPRUCRC22"
},
{
"issue": "Secret Leaked in Docker History history:13",
"asset": "history:13",
"type": "Google API Key",
"secret": "AIzaSy0c3965368a6b10f7640dbda46abfdca98"
},
{
"issue": "Secret Leaked in Docker History history:18",
"asset": "history:18",
"type": "Google API Key",
"secret": "AIzaSy0c3965368a6b10f7640dbda46abfdca98"
},
{
"issue": "Secret Leaked in Docker Layer sha256:ad1c7cfc347f5c86fc2678b58f6a8fb6c6003471405760532fc3240b9eb1b343",
"asset": "etc/ImageMagick-6/mime.xml",
"type": "PGP private key block",
"secret": "-----BEGIN PGP PRIVATE KEY BLOCK-----"
},
{
"issue": "Secret Leaked in Docker Layer sha256:225e4516f59838f6d9e50e417461a30cce68d46786ee91df26e3c11e1eeb4948",
"asset": "app/app.js",
"type": "Password in URL",
"secret": "https://admmin:[email protected]:9000/\"\n"
}
],
"vulnerabilities": null,
"assets": {
"assets": [],
"urls": []
}
}
]
To know more about our Attack Surface Management platform, check out NVADR.