How to Ignore Tokens in Repositories with Radar

In this tutorial, you’ll learn how to use our GitHub repository scanning product, Radar, to easily blacklist results you don’t want to include in your scans for credentials & secrets.

This post assumes you have familiarity with Nightfall Radar for scanning GitHub repositories and have an account. If not, get started here: radar.nightfall.ai

Blacklisting is the concept of curating a list of objects to either avoid or ignore. In the context of Radar, items on the blacklist will be ignored when displaying scan results for a repository. For example, let’s say there is a test API key in your repository that you do not want to get flagged by Radar – you can add it to the blacklist. Or there’s a vendor directory in your repo that would only yield false positives – you can add it to the blacklist. The blacklist applies on a global, account level and will affect all subsequent scans for all repos.

Blacklisting can be performed on two Key Types (specified by the key_type parameter below): individual tokens (where the Key Type is api_key) or on an entire file/directory level (where the Key Type is subpath). As an example of api_key blacklisting, you could ignore the token “test_api_key” individually. As an example of subpath blacklisting, you could specify that the file “test_keys.py” is ignored completely. The inputs for a subpath start at the root of the repo and can be a specific file, blob, or directory.

  • File path: /path/to/file/to/ignore.py
  • Directory path: /path/to/some/test/directory/*

This tutorial includes a public repo so you can follow along:
https://github.com/nightfalldlp/blacklist_tutorial

1. Say you have a GitHub repo laid out as follows: there is one subdirectory named sub_dir with two files in it, sample.py and sample.rb.

2. When you scan the repo, both files come back with sensitive findings like so.

3. Let’s say you know that the token in sample.rb is for test purposes only and you therefore decide to blacklist that token with a POST request to prevent it from showing up on future scans.

In this case, since you are blacklisting a particular token (“dbd1b2a5bd84476280caaff641f9d209”), you specify the key_type as api_key as opposed to subpath.

Sample request:

curl -X POST https://radar.nightfall.ai/api/v1/blacklist \
-u RADAR_API_KEY: \
-d 'blacklist=["TOKEN_TO_BLACKLIST"]' \
-d 'key_type=api_key'

A successful response should look like:

{
  "status": "Success",
  "message": "Key(s) added successfully."
}

4. You can verify that the token has been successfully blacklisted with a GET request like so:

curl -X GET https://radar.nightfall.ai/api/v1/blacklist \
-u RADAR_API_KEY: \
-d 'key_type=api_key'

A successful response should look like:

{
  "status": "Success",
  "blacklist": [
    "dbd1b2a5bd84476280caaff641f9d209"
  ]
}

Note that you must again specify api_key or subpath for the key_type in GET and DELETE requests, because each Key Type has its own blacklist.

5. You run the scan again and see that sample.rb no longer has any sensitive findings; sample.py, however, still shows up.

6. You actually know that everything in this subdirectory is safe and for testing only, so you blacklist all of its contents by entering the file path from the root of the repo. 

The * character may be used to denote all files or subpaths that fall under a particular root file path (“/sub_dir/*”). In this case you specify the key_type as subpath as opposed to api_key.

(Note: Adding a directory path or file name to your blacklist will apply across all repos scanned. Additionally, assuming credentials in a testing directory are safe is a common way that production credentials are leaked.) 

Sample request:

curl -X POST https://radar.nightfall.ai/api/v1/blacklist \
-u RADAR_API_KEY: \
-d 'blacklist=["SUBPATH_TO_BLACKLIST"]' \
-d 'key_type=subpath'

If you instead specifically wanted to blacklist the sample.py file, you would enter “/sub_dir/sample.py” as the subpath blacklist object.

7. Now when you run your Radar scan, no sensitive results will appear at all.

8. If you’ve made a mistake and realize that sample.py actually might contain a sensitive token, you can remove the subdirectory from your blacklist with a DELETE request as follows:

curl -X DELETE https://radar.nightfall.ai/api/v1/blacklist \
-u RADAR_API_KEY: \
-d 'blacklist=["SUBPATH_TO_UNBLACKLIST"]' \
-d 'key_type=subpath'

9. The deletion can be verified with another GET request.

curl -X GET https://radar.nightfall.ai/api/v1/blacklist \
-u RADAR_API_KEY: -d 'key_type=subpath'

Sample response:

{
  "status": "Success",
  "blacklist": []
}
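To see which findings a blacklist entry would suppress before you POST it (for the token in step 3 and the /sub_dir/* subpath in step 6), here is an added, offline model of the two Key Types; it is example code written for this tutorial, not Nightfall's own matching logic, and it assumes an api_key entry matches a token exactly while a subpath entry matches a root-relative file path exactly or, with a trailing "/*", every file below that directory.

```python
"""Offline model of Radar blacklist semantics (added example, not Nightfall code).

Assumed rules: an api_key entry suppresses a finding whose token equals it;
a subpath entry is root-relative and suppresses a finding whose path equals it
or, when the entry ends in "/*", any path below that directory.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    path: str   # root-relative, e.g. "/sub_dir/sample.rb"
    token: str  # the detected secret


@dataclass
class Blacklist:
    """Mirrors the two key_type buckets behind the /api/v1/blacklist endpoint."""
    api_key: set = field(default_factory=set)
    subpath: set = field(default_factory=set)

    def add(self, key_type, values):        # like the POST request
        self._bucket(key_type).update(values)

    def delete(self, key_type, values):     # like the DELETE request
        self._bucket(key_type).difference_update(values)

    def get(self, key_type):                # like the GET request
        return sorted(self._bucket(key_type))

    def _bucket(self, key_type):
        if key_type not in ("api_key", "subpath"):
            raise ValueError(f"unknown key_type {key_type!r}")
        return getattr(self, key_type)


def subpath_matches(entry, path):
    """Assumed rule: exact file match, or "/dir/*" covers everything under /dir."""
    if entry.endswith("/*"):
        return path.startswith(entry[:-1])  # "/sub_dir/*" -> prefix "/sub_dir/"
    return path == entry


def visible_findings(findings, bl):
    """Findings a scan would still display after applying the blacklist."""
    return [f for f in findings
            if f.token not in bl.api_key
            and not any(subpath_matches(e, f.path) for e in bl.subpath)]
```

Because the same list applies to every repo in the account, run a candidate subpath entry against findings from all of your repos, not just the one that prompted it.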

Congrats! You’re now equipped with the ability to ignore tokens from your results to improve accuracy and efficiency. Please let us know if you have any questions or feedback via email at support@nightfall.ai.
