November 19, 2021

Announcing CatchIT - Source Code Secret Scanner

Nima Darivandpour, Gunwant Singh, Aniruddha Bhattacharjee - Tech Risk Advisory

CatchIT Motivation

The repercussions of poorly managed code security and leakage of sensitive data in code call for the creation of precautionary tools. Data secrets are fundamental to productivity in collaborative and complex software development cycles. But if handled improperly, they can put one's entire infrastructure at risk. Researchers have found that thousands of secrets are leaked every day. Hackers have also realized that these secrets are a treasure trove for their efforts, as they can frequently unlock systems upstream and downstream from the code itself. 

CatchIT scanner is a security software developed by Tech Risk Advisory at Goldman Sachs and aimed at detecting sensitive information that is harmfully exposed in code repositories. If someone checks a secret with a known pattern into a public or private repository, CatchIT catches the secret as it is checked in, and enables one to mitigate the impact of the leak. Repository maintainers are notified about any commits that contain a secret, and they can quickly view all detected secrets. CatchIT was recently open sourced and contributed to FINOS (Fintech Open Source Foundation).

At Goldman Sachs, not only do we leverage existing open source software, but we are also devoted to open sourcing projects that originate within our firm. Our Open Source Program Office (OSPO) and developer community work closely to advance our open source contributions.

Overview

CatchIT scanner detects sensitive information in source code with a strong emphasis on low execution time, CI/CD integration, high customization and minimizing false positive rates. CatchIT is a simple yet powerful framework that helps developers and organizations mitigate the risk of credentials leaking, which further minimizes disruption to the developer experience. It can be embedded as an ad hoc job in the CI/CD pipeline, as a python zip application or as a Docker image and thus eliminates the need to deploy or maintain a dedicated server. It is a regex-based scanner that leverages Linux commands such as “grep” and “find” to search for pre-defined regular expressions. In addition to its pattern-based mechanism, CatchIT uses the entropy of the identified findings and a confidence factor, per regular expression, to further prioritize results and classify them into distinct categories. CatchIT scans for sensitive code, passwords, AWS account IDs, GCP keys as well as sensitive files such as KEY and PEM files among others. Furthermore, it provides results in JSON format. Currently, the tool contains regular expressions in two categories to identify the following secrets and files:

  • Code Scanning Regexes: AWS-ID, PASSWORD, PASSWORD-ARGUMENT, PASSWORD-URL, GCP-API-KEY, JWT
  • File Scanning Regexes: RSA_KEYS, SSH_KEYS_DIR, SSH_KEYS_DIR2, SSH_AUTH_KEYS, PEM, KEY, KEYTAB, CRT-CER

We will continue to improve and expand our regular expression based ruleset to accommodate new secrets introduced in different cloud-based and on-premises environments.

Use and Contribute

We believe that collaboration is one of the key factors in securing supply chains and this inspired us to share CatchIT with the community as open source.

We encourage developers and businesses to explore and utilize CatchIT as a risk mitigation component within their Software Development Life Cycle. Your feedback, issues and contributions are more than welcome. You can explore the CatchIT code base on GitHub, in which there is the project issue backlog, as well as more information about contributing to CatchIT. You can read more about the FINOS Contribution and Contributor License Agreement requirements on the community section of the FINOS GitHub.

We look forward to hearing from you!

See https://www.gs.com/disclaimer/global_email for important risk disclosures, conflicts of interest, and other terms and conditions relating to this blog and your reliance on information contained in it.

Solutions
Curated DataData Management Security MasterData AnalyticsPlotTool ProPortfolio AnalyticsGS QuantTransaction BankingGS DAP®
Docs
Data ServicesPricing & Risk ServicesIndex ServicesHedging ServicesPortfolio ServicesContent ServicesRIA CustodyCommission ManagerTransaction BankingGS SelectGS QuantPlotTool Pro
Learn More
BlogOpen SourceData Partnersdatonomy™CareersAbout Goldman Sachs
Goldman Sachs DeveloperPrivacy and CookiesGS Terms & ConditionsRegulatory DisclosuresSecurity
GS DAP® is owned and operated by Goldman Sachs. This site is for informational purposes only and does not constitute an offer to provide, or the solicitation of an offer to provide access to or use of GS DAP®. Any subsequent commitment by Goldman Sachs to provide access to and / or use of GS DAP® would be subject to various conditions, including, amongst others, (i) satisfactory determination and legal review of the structure of any potential product or activity, (ii) receipt of all internal and external approvals (including potentially regulatory approvals); (iii) execution of any relevant documentation in a form satisfactory to Goldman Sachs; and (iv) completion of any relevant system / technology / platform build or adaptation required or desired to support the structure of any potential product or activity. All GS DAP® features may not be available in certain jurisdictions. Not all features of GS DAP® will apply to all use cases. Use of terms (e.g., "account") on GS DAP® are for convenience only and does not imply any regulatory or legal status by such term.
Certain solutions and Institutional Services described herein are provided via our Marquee platform. The Marquee platform is for institutional and professional clients only. This site is for informational purposes only and does not constitute an offer to provide the Marquee platform services described, nor an offer to sell, or the solicitation of an offer to buy, any security. Some of the services and products described herein may not be available in certain jurisdictions or to certain types of clients. Please contact your Goldman Sachs sales representative with any questions. Any data or market information presented on the site is solely for illustrative purposes. There is no representation that any transaction can or could have been effected on such terms or at such prices. Please see https://www.goldmansachs.com/disclaimer/sec-div-disclaimers-for-electronic-comms.html for additional information.
Transaction Banking services are offered by Goldman Sachs Bank USA (“GS Bank”). GS Bank is a New York State chartered bank, a member of the Federal Reserve System and a Member FDIC.
Mosaic is a service mark of Goldman Sachs & Co. LLC. This service is made available in the United States by Goldman Sachs & Co. LLC and outside of the United States by Goldman Sachs International, or its local affiliates in accordance with applicable law and regulations. Goldman Sachs International and Goldman Sachs & Co. LLC are the distributors of the Goldman Sachs Funds. Depending upon the jurisdiction in which you are located, transactions in non-Goldman Sachs money market funds are affected by either Goldman Sachs & Co. LLC, a member of FINRA, SIPC and NYSE, or Goldman Sachs International. For additional information contact your Goldman Sachs representative. Goldman Sachs & Co. LLC, Goldman Sachs International, Goldman Sachs Liquidity Solutions, Goldman Sachs Asset Management, L.P., and the Goldman Sachs funds available through Goldman Sachs Liquidity Solutions and other affiliated entities, are under the common control of the Goldman Sachs Group, Inc.
© 2024 Goldman Sachs. All rights reserved.