“My little birds are everywhere, even in the North, they whisper to me the strangest stories.” – Lord Varys
Meet Whispers, a static code analysis tool that parses common structured data formats to find hardcoded credentials and flag potentially dangerous functions. It runs from the command-line interface (CLI) and slots into a Continuous Integration/Continuous Deployment (CI/CD) pipeline.
Key Features
Whispers excels in detecting:
Passwords
API tokens
AWS keys
Private keys
Hashed credentials
Authentication tokens
Dangerous functions
Sensitive files
Supported Formats
Whispers is a structured text parser supporting widely used formats like:
YAML
JSON
XML
.npmrc
.pypirc
.htpasswd
.properties
pip.conf
conf/ini
Dockerfile
Dockercfg
Shell scripts
Python3 (parsed as ASTs)
Installation
You can easily install Whispers from either PyPI or GitHub:
# From PyPI
pip install whispers
# From GitHub
git clone https://github.com/Skyscanner/whispers
cd whispers
make install
Usage
Whispers provides flexible usage options:
CLI Usage:
whispers --help
whispers --info
whispers source/code/fileOrDir
whispers --config config.yml source/code/fileOrDir
whispers --output /tmp/secrets.yml source/code/fileOrDir
whispers --rules aws-id,aws-secret source/code/fileOrDir
whispers --severity BLOCKER,CRITICAL source/code/fileOrDir
whispers --exitcode 7 source/code/fileOrDir
Python Usage:
from whispers.cli import parse_args
from whispers.core import run

# Directory (or single file) to scan and the config file to apply
src = "tests/fixtures"
configfile = "whispers/config.yml"
# Build the same argument namespace the CLI would produce
args = parse_args(["-c", configfile, src])
for secret in run(args):
    print(secret)
Configuration
Whispers offers extensive configuration options. The config.yml file allows you to include/exclude results based on file path, key, or value. You can tweak detection by adapting the default configuration or creating a custom one.
# Example config.yml structure
include:
  files:
    - "**/*.yml"
exclude:
  files:
    - "**/test/**/*"
    - "**/tests/**/*"
  keys:
    - ^foo
  values:
    - bar$
rules:
  starks:
    message: Whispers from the North
    severity: CRITICAL
    value:
      regex: (Aria|Ned) Stark
      ignorecase: True
Custom Rules
Whispers is designed for easy expansion with new rules. Custom rules can be defined in the main config file under rules or added to the whispers/rules directory.
# Custom rule example in config.yml
rule-id:
  description: Values formatted like AWS Session Token
  message: AWS Session Token
  severity: BLOCKER
  key:
    regex: (aws.?session.?token)?
    ignorecase: True
  value:
    regex: ^(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9+/]{270,450}$
    ignorecase: False
    minlen: 270
    isBase64: True
    isAscii: False
    isUri: False
  similar: 0.35
Plugins
Whispers’ parsing functionality is implemented via plugins. Each plugin class exposes a pairs() method that walks a file and yields the key-value pairs that the rules are then checked against.
# Example plugin class
class PluginName:
    def pairs(self, file):
        # Yield one (key, value) tuple per item found in the file
        yield "key", "value"
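To show how the Custom Rules and Plugins sections fit together, here is an added example (not code from the Whispers repository): a hypothetical DotEnvPlugin in the pairs() shape described above, the page's AWS Session Token rule expressed as a dict, and a small matcher whose regex/ignorecase/minlen/isBase64 semantics are my assumption of how such a rule is evaluated, not Whispers' own implementation. The sample input is constructed inline.

```python
import base64
import re

# Constructed sample (not from the Whispers repo): one benign setting, one 280-char token.
SAMPLE_ENV = "# deployment\nDB_HOST=db.internal\nAWS_SESSION_TOKEN=" + "Ab" * 140 + "\n"

# The custom rule from the page, as the dict a parsed config.yml would yield.
RULES = {
    "aws-session-token": {
        "severity": "BLOCKER",
        "key": {"regex": r"(aws.?session.?token)?", "ignorecase": True},
        "value": {"regex": r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9+/]{270,450}$",
                  "ignorecase": False, "minlen": 270, "isBase64": True},
    }
}


class DotEnvPlugin:
    """Hypothetical plugin: pairs() walks a file (open text file or any iterable of lines)."""

    def pairs(self, file):
        for line in file:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue  # comments, blanks and non-assignments carry no value
            key, _, value = line.partition("=")
            yield key.strip(), value.strip().strip("'\"")


def matches(spec, text):
    """Assumed evaluation of one key/value block (regex, ignorecase, minlen, isBase64)."""
    flags = re.IGNORECASE if spec.get("ignorecase") else 0
    if not re.search(spec["regex"], text, flags):
        return False
    if len(text) < spec.get("minlen", 0):
        return False
    if spec.get("isBase64"):
        try:
            base64.b64decode(text, validate=True)  # alphabet and padding must be valid
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
    return True


def scan(file, rules):
    """Run every rule over every pair the plugin yields -> [(rule_id, key, severity)]."""
    findings = []
    for key, value in DotEnvPlugin().pairs(file):
        for rule_id, rule in rules.items():
            if matches(rule["key"], key) and matches(rule["value"], value):
                findings.append((rule_id, key, rule["severity"]))
    return findings
```

Note that the key regex is entirely optional, so on its own it filters nothing; the value block does the real work, and isBase64 rejects strings that pass the regex but cannot be decoded (for example a 271-character value with bad padding).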
Download Link: Skyscanner/whispers
Explore the vast capabilities of Whispers and fortify your code against potential security threats.