Whispers: A Powerful Static Code Analysis Tool for Credential Detection

“My little birds are everywhere, even in the North, they whisper to me the strangest stories.” – Lord Varys

Meet Whispers, a static code analysis tool designed to parse common structured data formats, reveal hardcoded credentials and flag potentially dangerous functions. Whispers runs from the command-line interface (CLI) and integrates into a Continuous Integration/Continuous Deployment (CI/CD) pipeline.

Key Features

Whispers excels in detecting:

  • Passwords
  • API tokens
  • AWS keys
  • Private keys
  • Hashed credentials
  • Authentication tokens
  • Dangerous functions
  • Sensitive files

Supported Formats

Whispers is a structured text parser supporting widely used formats like:

  • YAML
  • JSON
  • XML
  • .npmrc
  • .pypirc
  • .htpasswd
  • .properties
  • pip.conf
  • conf/ini
  • Dockerfile
  • Dockercfg
  • Shell scripts
  • Python3 (parsed as ASTs)

Installation

You can easily install Whispers from either PyPI or GitHub:

# From PyPI
pip install whispers


# From GitHub
git clone https://github.com/Skyscanner/whispers
cd whispers
make install

Usage

Whispers provides flexible usage options:

CLI Usage:

whispers --help
whispers --info
whispers source/code/fileOrDir
whispers --config config.yml source/code/fileOrDir
whispers --output /tmp/secrets.yml source/code/fileOrDir
whispers --rules aws-id,aws-secret source/code/fileOrDir
whispers --severity BLOCKER,CRITICAL source/code/fileOrDir
whispers --exitcode 7 source/code/fileOrDir

Python Usage:

from whispers.cli import parse_args
from whispers.core import run

src = "tests/fixtures"
configfile = "whispers/config.yml"
args = parse_args(["-c", configfile, src])
for secret in run(args):
    print(secret)

Configuration

Whispers offers extensive configuration options. The config.yml file allows you to include/exclude results based on file path, key, or value. You can tweak detection by adapting the default configuration or creating a custom one.

# Example config.yml structure
include:
  files:
    - "**/*.yml"

exclude:
  files:
    - "**/test/**/*"
    - "**/tests/**/*"
  keys:
    - ^foo
  values:
    - bar$

rules:
  starks:
    message: Whispers from the North
    severity: CRITICAL
    value:
      regex: (Aria|Ned) Stark
      ignorecase: True

Custom Rules

Whispers is designed for easy expansion with new rules. Custom rules can be defined in the main config file under rules or added to the whispers/rules directory.

# Custom rule example in config.yml
rule-id:
  description: Values formatted like AWS Session Token
  message: AWS Session Token
  severity: BLOCKER
  key:
    regex: (aws.?session.?token)?
    ignorecase: True
  value:
    regex: ^(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9+/]{270,450}$
    ignorecase: False
    minlen: 270
    isBase64: True
    isAscii: False
    isUri: False
    similar: 0.35

Plugins

Whispers’ parsing functionality is implemented via plugins. Each plugin class provides a pairs() method that walks through a file and yields the key-value pairs that are then checked against the rules.

# Example plugin class
class PluginName:
    def pairs(self, file):
        yield "key", "value"
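To show how the plugin interface and the rule structure from the config sections fit together, here is an added example (not code from the Whispers project): a hypothetical DotEnvPlugin that parses constructed KEY=VALUE lines, and a small rule_matches() that evaluates the key/value regex, ignorecase and minlen fields in the shape shown above. The real project's plugin contract and rule engine may differ in detail; the file contents, rule names and helper functions here are assumptions made for the demonstration.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

class DotEnvPlugin:
    """Hypothetical plugin for KEY=VALUE (.env style) files; blank and comment lines are skipped."""
    LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

    def pairs(self, file) -> Iterator[Tuple[str, str]]:
        for line in Path(file).read_text(encoding="utf-8").splitlines():
            match = self.LINE.match(line)
            if not match:
                continue
            key, value = match.group(1), match.group(2)
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]  # drop surrounding quotes
            yield key, value

def rule_matches(rule: Dict, key: str, value: str) -> bool:
    """Evaluate a rule shaped like the config above: optional key/value regex, ignorecase and minlen."""
    for part, text in (("key", key), ("value", value)):
        spec = rule.get(part)
        if not spec:
            continue
        if len(text) < spec.get("minlen", 0):
            return False
        flags = re.IGNORECASE if spec.get("ignorecase") else 0
        if "regex" in spec and not re.search(spec["regex"], text, flags):
            return False
    return True

def scan(file, rules: Dict[str, Dict]) -> List[Tuple[str, str, str]]:
    return [(rule_id, key, value)
            for key, value in DotEnvPlugin().pairs(file)
            for rule_id, rule in rules.items()
            if rule_matches(rule, key, value)]

# Constructed sample file and rules: the "starks" rule from the config above plus an assumed password rule.
SAMPLE = "# constructed .env\nDB_HOST=localhost\nDB_PASSWORD='hunter2hunter2'\nexport KING=\"Ned Stark\"\n"
RULES = {
    "starks": {"severity": "CRITICAL", "value": {"regex": "(Aria|Ned) Stark", "ignorecase": True}},
    "password": {"severity": "BLOCKER", "key": {"regex": "pass(word)?", "ignorecase": True},
                 "value": {"minlen": 8}},
}

def demo() -> List[Tuple[str, str, str]]:
    with tempfile.NamedTemporaryFile("w", suffix=".env", delete=False) as fh:
        fh.write(SAMPLE)  # write the constructed sample so pairs() reads a real path
    return scan(fh.name, RULES)
```

Running demo() reports the quoted password and the "Ned Stark" value, while DB_HOST passes because no rule matches its key or value.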

Download Link: Skyscanner/whispers

Explore the vast capabilities of Whispers and fortify your code against potential security threats.
