Skip to content

redhuntlabs/Varunastra

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
.gitignore
.gitignore
 
 
Readme.md
Readme.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

varunastra logo

Installation Usage

Varunastra: Securing the Depths of Docker

Introducing Varunastra, an innovative tool designed to enhance the security of Docker environments. Named after The Varunastra (वरुणास्त्र), it is the water weapon according to the Indian scriptures, incepted by Varuna, god of hydrosphere. Varunastra is engineered to detect and help mitigate vulnerabilities in Docker, ensuring robust security across all Docker containers and images.

Key Features

  • Secret Scanning: Reduces the risk of sensitive data leaks.
  • Asset Extraction: Retrieves assets such as domain/subdomains and urls from Docker images for bug bounty hunters.
  • Customizable Solution: Define regex patterns and blacklists to meet specific needs.
  • Dependency Checks: Automates assessments for quicker threat identification.

Supported Lock Files

Language File
Ruby Gemfile.lock
Javascript package-lock.json
yarn.lock

Installation Guide for Varunastra

  1. Clone the Repository Open your terminal and run the following command to clone the repository:
git clone https://github.com/redhuntlabs/Varunastra/
  1. Navigate to the Project Directory Change to the directory of the cloned repository:
cd Varunastra
  1. Build the Project Use the go build command to compile the project:
go build

Usage

Usage: varunastra --target=STRING [flags]

Flags:
  -h, --help             Show context-sensitive help.
      --target=STRING    Target string
      --scans=STRING     Comma-separated scans (secrets,vuln,assets)
      --all              Enable scanning for all tags
      --output=STRING    Save JSON output to a file

Example

varunastra --target devangsolankii/secrets --scans "secrets,vuln,assets"
2024/11/04 12:29:37 Checking if config file exist
2024/11/04 12:29:39 Starting Scan for Tag: devangsolankii/secrets:v1.2
2024/11/04 12:29:39 Scanning Layer: sha256:51edc9808576655e8f3a0ce89e6d4d84eeba742af3376fc01d4522ecff379072
2024/11/04 12:29:39 Scanning Layer: sha256:59ee42d02ee5edca29b89e9d18b5bedd9400da38e1dcc0da4f22eaf19d24983b
2024/11/04 12:29:39 Scanning Layer: sha256:7d98d813d54f6207a57721008a4081378343ad8f1b2db66c121406019171805b
2024/11/04 12:29:39 Scanning Layer: sha256:da802df85c965baeca9d39869f9e2cbb3dc844d4627f413bfbb2f2c3d6055988
2024/11/04 12:29:39 Scanning Layer: sha256:e3d8693bad2fd07287529dd2f1bc71d431ed97f061cc8440707f144165fa8afc
2024/11/04 12:29:39 Scanning Layer: sha256:7aadc5092c3b7a865666b14bef3d4d038282b19b124542f1a158c98ea8c1ed1b
2024/11/04 12:29:39 Scanning Layer: sha256:eb173c1dbe92b367644a53adf5c004908921fa91460c054f2746046e481603fb
2024/11/04 12:29:39 Scanning Layer: sha256:d1d2216adb3bcbe1bb6f32f18f4b3a58350c5e2e7810728a488f405a444534ea
2024/11/04 12:29:39 Scanning Layer: sha256:f110c757afc5699d6587a989cc741d88e170d259506ecd3b6d9d0169c2dd1a47
2024/11/04 12:29:39 Scanning Layer: sha256:ad1c7cfc347f5c86fc2678b58f6a8fb6c6003471405760532fc3240b9eb1b343
2024/11/04 12:29:40
2024/11/04 12:29:40 Secrets found -> Type: Google API Key | Secret: AIzaSy0c3965368a6b10f7640dbda46abfdca98 | On Path: history:13
2024/11/04 12:29:40
2024/11/04 12:29:40 Secrets found -> Type: Google API Key | Secret: AIzaSy0c3965368a6b10f7640dbda46abfdca98 | On Path: history:18
2024/11/04 12:29:40 Scanning Layer: sha256:225e4516f59838f6d9e50e417461a30cce68d46786ee91df26e3c11e1eeb4948
2024/11/04 12:29:40 Scanning Layer: sha256:758f280dcc0fda3ba816ff06ff816511657120ea934adb600f3493c865a470cd
2024/11/04 12:29:40 Scanning Layer: sha256:4d5d29abf42d13611191d85daa10cc50bf2bde22d7bfd4f3de5447a5d888f14b
2024/11/04 12:29:40
2024/11/04 12:29:40 Secrets found -> Type: Password in URL | Secret: https://admmin:[email protected]:9000/" | On Path: app/app.js
2024/11/04 12:29:40
2024/11/04 12:29:40 Secrets found -> Type: PGP private key block | Secret: -----BEGIN PGP PRIVATE KEY BLOCK----- | On Path: etc/ImageMagick-6/mime.xml
2024/11/04 12:29:41
2024/11/04 12:29:41 Secrets found -> Type: AWS Access Key | Secret: ABIAK52LPFORPRUCRC22 | On Path: app/.env
2024/11/04 12:31:13 Scanning completed.
[
  {
    "target": "devangsolankii/secrets:v1.2",
    "secrets": [
      {
        "issue": "Secret Leaked in Docker Layer sha256:758f280dcc0fda3ba816ff06ff816511657120ea934adb600f3493c865a470cd",
        "asset": "app/.env",
        "type": "AWS Access Key",
        "secret": "ABIAK52LPFORPRUCRC22"
      },
      {
        "issue": "Secret Leaked in Docker History history:13",
        "asset": "history:13",
        "type": "Google API Key",
        "secret": "AIzaSy0c3965368a6b10f7640dbda46abfdca98"
      },
      {
        "issue": "Secret Leaked in Docker History history:18",
        "asset": "history:18",
        "type": "Google API Key",
        "secret": "AIzaSy0c3965368a6b10f7640dbda46abfdca98"
      },
      {
        "issue": "Secret Leaked in Docker Layer sha256:ad1c7cfc347f5c86fc2678b58f6a8fb6c6003471405760532fc3240b9eb1b343",
        "asset": "etc/ImageMagick-6/mime.xml",
        "type": "PGP private key block",
        "secret": "-----BEGIN PGP PRIVATE KEY BLOCK-----"
      },
      {
        "issue": "Secret Leaked in Docker Layer sha256:225e4516f59838f6d9e50e417461a30cce68d46786ee91df26e3c11e1eeb4948",
        "asset": "app/app.js",
        "type": "Password in URL",
        "secret": "https://admmin:[email protected]:9000/\"\n"
      }
    ],
    "vulnerabilities": null,
    "assets": {
      "assets": [],
      "urls": []
    }
  }
]

Buy Me A Coffee

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

3 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases 2

Release v0.7 - Beta Testing Latest
Nov 4, 2024
+ 1 release

Packages

No packages published

Languages