Community Blog

CatchIT SECRET SCANNER Contributed to FINOS by Goldman Sachs

October 13, 2021
FINOS and the CatchIT project team (as well as their newly formed OSPO) from Goldman Sachs are excited to announce that CatchIT Secret Scanner has been successfully contributed to FINOS, and can be found at this GitHub repository: https://github.com/finos/CatchIT.
 
The project can also be found on the FINOS Landscape here: https://landscape.finos.org/

CatchIT Secret Scanner

We are proud to announce that the Goldman Sachs-developed tool CatchIT has been released as open source, and the team is asking for your engagement in contributing to the tool to make it better.

CatchIT Secret Scanner detects sensitive information in source code, with a strong emphasis on low execution time, CI/CD integration, high customization and a low false-positive rate. CatchIT is a simple yet powerful framework that helps developers and organizations mitigate the risk of credential leakage while minimizing disruption to the developer experience. It can be embedded as an ad-hoc job in the CI/CD pipeline, as a Python zip app, or as a Docker image, and thus eliminates the need to deploy or maintain a dedicated server. It is a regex-based scanner that leverages the Linux commands grep and find to search for pre-defined regular expressions.

CatchIT uses the entropy of each identified finding and the confidence assigned to the specific regular expression that matched it to prioritize results and classify them into distinct categories. CatchIT scans for sensitive code, passwords, AWS account IDs and GCP keys, as well as sensitive files such as KEY and PEM files, among others. It reports results in JSON format.
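To make the mechanics described above concrete, here is an added example (not CatchIT's own code): a small Python scanner that applies a set of named regular expressions to each source line, computes the Shannon entropy of every match, combines entropy with the per-regex confidence into a triage category, flags sensitive file names, and emits a JSON report. The rule names loosely follow the categories CatchIT lists, but the patterns, confidence values, thresholds and the sample source tree are assumptions made for this example.

```python
import json
import math
import re
from typing import Dict, List

# Assumed rule set for illustration (not CatchIT's own patterns): each rule
# pairs a regex with a "secret" capture group and a confidence score that
# reflects how rarely the pattern matches anything but a real credential.
SECRET_RULES = {
    "AWS-ID": (re.compile(r"(?<![A-Z0-9])(?P<secret>AKIA[0-9A-Z]{16})(?![A-Z0-9])"), 0.9),
    "GCP-API-KEY": (re.compile(r"(?P<secret>AIza[0-9A-Za-z_-]{35})"), 0.9),
    "JWT": (re.compile(r"(?P<secret>eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)"), 0.8),
    "PASSWORD-URL": (re.compile(r"(?i)[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<secret>[^@/\s]+)@"), 0.8),
    "PASSWORD-ARGUMENT": (re.compile(r"(?i)(?:--password|-p)[=\s]+(?P<secret>[^\s'\"]{6,})"), 0.6),
    "PASSWORD": (re.compile(r"(?i)password\s*[=:]\s*['\"](?P<secret>[^'\"]{4,})['\"]"), 0.5),
}

# Assumed sensitive-file rules, matched against the path only.
FILE_RULES = {
    "RSA_KEYS": re.compile(r"(^|/)id_rsa$"),
    "SSH_AUTH_KEYS": re.compile(r"(^|/)authorized_keys$"),
    "PEM": re.compile(r"\.pem$", re.I),
    "KEY": re.compile(r"\.key$", re.I),
    "KEYTAB": re.compile(r"\.keytab$", re.I),
    "CRT-CER": re.compile(r"\.(crt|cer)$", re.I),
}

CATEGORY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "FILE": 3}


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(confidence: float, entropy: float) -> str:
    """Combine regex confidence and match entropy into a triage category.
    The thresholds are assumptions chosen for this example; a low-entropy
    match such as a repeated placeholder is demoted even if the regex fired."""
    if confidence >= 0.8 and entropy >= 3.0:
        return "HIGH"
    if confidence >= 0.5 and entropy >= 2.5:
        return "MEDIUM"
    return "LOW"


def scan_text(path: str, text: str) -> List[Dict]:
    """Apply every secret rule to every line; report a redacted preview only."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, (regex, confidence) in SECRET_RULES.items():
            for m in regex.finditer(line):
                secret = m.group("secret")
                entropy = round(shannon_entropy(secret), 2)
                findings.append({
                    "file": path,
                    "line": lineno,
                    "rule": name,
                    "confidence": confidence,
                    "entropy": entropy,
                    "category": classify(confidence, entropy),
                    # Never echo the full secret: the report itself ends up in CI logs.
                    "preview": secret[:4] + "*" * max(len(secret) - 4, 0),
                })
    return findings


def scan_filename(path: str) -> List[Dict]:
    """Flag paths whose name alone marks them as key material."""
    return [{"file": path, "rule": name, "category": "FILE"}
            for name, regex in FILE_RULES.items() if regex.search(path)]


def scan_tree(files: Dict[str, str]) -> List[Dict]:
    """Scan an in-memory {path: content} tree, highest-priority findings first."""
    findings: List[Dict] = []
    for path, content in files.items():
        findings.extend(scan_filename(path))
        findings.extend(scan_text(path, content))
    findings.sort(key=lambda f: CATEGORY_RANK[f["category"]])  # stable sort
    return findings


def report_json(files: Dict[str, str]) -> str:
    """JSON report in the shape a CI job would archive or post-process."""
    return json.dumps({"findings": scan_tree(files)}, indent=2)


# Constructed sample tree; AKIAIOSFODNN7EXAMPLE is the AWS documentation placeholder key.
SAMPLE_TREE = {
    "src/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_URL = "postgres://admin:Tr0ub4dor&3@db.internal/app"\n'
        'password = "hunter2"\n'
    ),
    "scripts/deploy.sh": "mysql --password=S3cr3tP@ss -h db\n",
    "tests/test_login.py": 'password = "aaaaaaaa"\n',
    "certs/server.key": "-----BEGIN PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    print(report_json(SAMPLE_TREE))
```

Running the block prints the JSON report for the constructed tree: the AWS key and the credential embedded in the database URL land in HIGH, the two quoted passwords in MEDIUM, the repeated-character placeholder in the test file drops to LOW because its entropy is zero, and the `.key` file is reported on its path alone. In a real pipeline the walk over the repository would replace the in-memory tree, and the category thresholds are the knobs to tune against a project's false-positive rate.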

Currently it contains the following regular expressions to identify secrets and files:

Secrets: AWS-ID, PASSWORD, PASSWORD-ARGUMENT, PASSWORD-URL, GCP-API-KEY, JWT

Files: RSA_KEYS, SSH_KEYS_DIR, SSH_KEYS_DIR2, SSH_AUTH_KEYS, PEM, KEY, KEYTAB, CRT-CER

Learn more about the project at https://github.com/finos/CatchIT. 

Find more information about contributing at https://github.com/finos/CatchIT/blob/main/CONTRIBUTING.md.

Your feedback, issues, and contributions are very welcome (and requested)!