zricethezav 8 лет назад
Родитель
Сommit
ec2fc9d6cb
3 измененных файлов с 50 добавлено и 10 удалено
  1. 20 1
      checks.go
  2. 19 0
      checks_test.go
  3. 11 9
      main.go

+ 20 - 1
checks.go

@@ -1,10 +1,13 @@
 package main
 
 import (
-	_ "fmt"
+	"fmt"
+	"github.com/nbutton23/zxcvbn-go"
 	"strings"
 )
 
+// check each line of a diff and see if there are any potential
+// secrets
 func checkRegex(diff string) ([]string, bool) {
 	var match string
 	var results []string
@@ -26,3 +29,19 @@ func checkRegex(diff string) ([]string, bool) {
 	}
 	return results, secretsPresent
 }
+
+// checkEntropy determines whether target contains enough
+// entropy for a hash
+func checkEntropy(target string) bool {
+	index := assignRegex.FindStringIndex(target)
+	if len(index) == 0 {
+		return false
+	}
+	target = strings.Trim(target[index[1]:len(target)], " ")
+	entropy := zxcvbn.PasswordStrength(target, nil).Entropy
+	// tune this/make option
+	if entropy > 70 {
+		return true
+	}
+	return false
+}
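Review bot: checkEntropy scores the delimiters along with the value: the `strings.Trim(..., " ")` on the line after the `assignRegex` match removes only spaces, so the surrounding `"` quotes (present in both positive test inputs) and any trailing `,` or comment reach zxcvbn, and symbol characters enlarge the character set its brute-force estimate assumes, which likely inflates the score for short quoted values. Trim the usual delimiters too and drop the redundant upper bound, `target = strings.Trim(target[index[1]:], " \t\"'`)`, and lift the magic 70 into a named constant such as `const entropyThreshold = 70` so the `// tune this/make option` TODO has something to point at. The doc comment should also say what is being measured: zxcvbn's Entropy is a password-guessability estimate (dictionary- and pattern-aware), not Shannon entropy, and the current wording "enough entropy for a hash" does not match a function that inspects assigned secrets. The first hunk cuts checkRegex off after its declarations; its body continues outside the hunk.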

+ 19 - 0
checks_test.go

@@ -10,6 +10,7 @@ func TestCheckRegex(t *testing.T) {
 	checks := map[string]bool{
 		"github.com":                                     false,
 		"github.com/user/":                               false,
+		"github.com/user -- Sys":                         false,
 		"github_api_client = \"sample key\"":             true,
 		"aws=\"afewafewafewafewaf\"":                     true,
 		"aws\"afewafewafewafewaf\"":                      false,
@@ -25,3 +26,21 @@ func TestCheckRegex(t *testing.T) {
 		}
 	}
 }
+
+func TestEntropy(t *testing.T) {
+	var enoughEntropy bool
+	checks := map[string]bool{
+		"heroku_client_secret = settings.HEROKU_CLIENT": false,
+		"heroku_client_secret = conf.heroku":            false,
+		"reddit_secret = settings.REDDIT_API":           false,
+		"reddit_api_secret = \"Fwe4fa431FgklreF\"":      true,
+		"aws_secret= \"AKIAIMNOJVGFDXXXE4OA\"":          true,
+	}
+	for k, v := range checks {
+		enoughEntropy = checkEntropy(k)
+		if v != enoughEntropy {
+			t.Errorf("checkEntropy failed for %s. Expected %t, got %t", k, v, enoughEntropy)
+		}
+	}
+
+}
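Review bot: TestEntropy never exercises the no-assignment path of checkEntropy (the early `return false` when assignRegex finds nothing), so a regression there would pass silently; add a case with no `=`, `:` or `<-` such as `"github.com/user/": false,`. The `%s` in the t.Errorf line hides leading or trailing whitespace in the input; `%q` would show it, and the `var enoughEntropy bool` hoisted above the loop reads more naturally as `got := checkEntropy(k)` inside it. Map iteration order is random, which is fine for correctness here but means failures are reported in varying order between runs.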

+ 11 - 9
main.go

@@ -2,7 +2,7 @@ package main
 
 import (
 	"bytes"
-	_ "fmt"
+	"fmt"
 	"log"
 	"os"
 	"os/exec"
@@ -23,19 +23,21 @@ type Repo struct {
 var cache map[string]bool
 var appRoot string
 var regexes map[string]*regexp.Regexp
+var assignRegex *regexp.Regexp
 
 func init() {
 	appRoot, _ = os.Getwd()
 	cache = make(map[string]bool)
 	regexes = map[string]*regexp.Regexp{
-		"github":   regexp.MustCompile(`[g|G][i|I][t|T][h|H][u|U][b|B].*[=|:=|:|<-].*\w+.*`),
-		"aws":      regexp.MustCompile(`[a|A][w|W][s|S].*[=|:=|:|<-].*\w+.*`),
-		"heroku":   regexp.MustCompile(`[h|H][e|E][r|R][o|O][k|K][u|U].*[=|:=|:|<-].*\w+.*`),
-		"facebook": regexp.MustCompile(`[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*[=|:=|:|<-].*\w+.*`),
-		"twitter":  regexp.MustCompile(`[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*[=|:=|:|<-].*\w+.*`),
-		"reddit":   regexp.MustCompile(`[r|R][e|E][d|D][d|D][i|I][t|T].*[=|:=|:|<-].*\w+.*`),
-		"twilio":   regexp.MustCompile(`[t|T][w|W][i|I][l|L][i|I][o|O].*[=|:=|:|<-].*\w+.*`),
+		"github":   regexp.MustCompile(`[g|G][i|I][t|T][h|H][u|U][b|B].*(=|:|:=|<-).*\w+.*`),
+		"aws":      regexp.MustCompile(`[a|A][w|W][s|S].*(=|:=|:|<-).*\w+.*`),
+		"heroku":   regexp.MustCompile(`[h|H][e|E][r|R][o|O][k|K][u|U].*(=|:=|:|<-).*\w+.*`),
+		"facebook": regexp.MustCompile(`[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*(=|:=|:|<-).*\w+.*`),
+		"twitter":  regexp.MustCompile(`[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*(=|:=|:|<-).*\w+.*`),
+		"reddit":   regexp.MustCompile(`[r|R][e|E][d|D][d|D][i|I][t|T].*(=|:=|:|<-).*\w+.*`),
+		"twilio":   regexp.MustCompile(`[t|T][w|W][i|I][l|L][i|I][o|O].*(=|:=|:|<-).*\w+.*`),
 	}
+	assignRegex = regexp.MustCompile(`(=|:|:=|<-)`)
 }
 
 func main() {
@@ -123,5 +125,5 @@ func diff(commit1 string, commit2 string) {
 		log.Fatalf("error retrieving commits %v\n", err)
 	}
 	cache[commit1+commit2] = true
-	checkRegex(string(out))
+	fmt.Println(checkRegex(string(out)))
 }
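Review bot: The alternation order in assignRegex, `(=|:|:=|<-)` in init(), is wrong for Go's leftmost-first matching: on `key := "value"` the `:` alternative is tried before `:=` at the same position and wins, so a caller that slices at the match end (checkEntropy in checks.go does this) is left scoring `= "value"` instead of the value. Put the longer tokens first, `assignRegex = regexp.MustCompile(`(:=|<-|=|:)`)`; the service regexes above already list `:=` before `:`, and the github one is the odd one out (harmless there because the surrounding `.*` absorbs the remainder, but worth making consistent). Separately, the `[g|G]`-style character classes also match a literal `|`; `(?i)github` says what is meant. The final hunk starts inside diff(), whose beginning is outside the section.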