This software is a framework for scanning all code pushed into one or more GitHub organisations and reporting any findings to a Slack channel. The common application is searching for secrets.
It was originally created by Etienne Stalmans and has been modularized and extended by the PaaS Security Team.
It is actively used in various GitHub organisations under the Salesforce Enterprise plan.
It was primarily designed to run on Heroku, but can be used on any platform that supports 12factor apps.
The app receives push event notifications from GitHub. Each push is reviewed and the commits within are scanned for possible secrets (such as passwords, AWS secret keys and API tokens).
When the scan reveals findings, the application posts a message with the relevant details to a configured Slack channel and triggers a manual review.
Those findings are also stored in the database for statistics and reporting purposes.
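As an added example (not the project's own code), the core of this flow in Go: verify the GitHub webhook signature so only genuine push events are processed, then scan the commits in the payload against a small rule set and collect findings for the Slack notification and the database. The rule patterns, the payload subset and the sample values are constructed for illustration; the real scanner also needs the commit contents, fetched through the GitHub App.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"regexp"
	"strings"
)

// Finding is one suspected secret found in a pushed commit.
type Finding struct{ Commit, Rule, Line string }
// pushEvent is the subset of GitHub's push payload used here (encoding/json matches "id"/"message" case-insensitively).
type pushEvent struct{ Commits []struct{ ID, Message string } }
// verifySignature checks the X-Hub-Signature-256 header ("sha256=" + hex HMAC of the body) so forged events are dropped before scanning.
func verifySignature(secret, body []byte, header string) bool {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	expected := "sha256=" + hex.EncodeToString(mac.Sum(nil))
	return hmac.Equal([]byte(expected), []byte(header))
}
// rules are illustrative patterns (constructed); a deployment would load them from configuration.
var rules = []struct{ name string; re *regexp.Regexp }{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"generic-password", regexp.MustCompile(`(?i)\bpassword\s*[:=]\s*\S+`)},
}
// scanContent applies every rule to each line of content and returns the hits.
func scanContent(commitID, content string) []Finding {
	var out []Finding
	for _, line := range strings.Split(content, "\n") {
		for _, r := range rules {
			if r.re.MatchString(line) {
				out = append(out, Finding{commitID, r.name, strings.TrimSpace(line)})
			}
		}
	}
	return out
}
// scanPush parses a verified push payload and scans each commit message; file contents would be fetched via the GitHub App installation token and scanned alike.
func scanPush(body []byte) ([]Finding, error) {
	var ev pushEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return nil, err
	}
	var out []Finding
	for _, c := range ev.Commits {
		out = append(out, scanContent(c.ID, c.Message)...)
	}
	return out, nil
}
```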
The backend is written in Go and runs on Heroku or any platform that supports 12factor apps. The detailed configuration is documented in the docs/configuration folder.
A GitHub App is installed in each monitored organisation. It provides organisation-level webhooks that send all push events to our app. The specific configuration can be found here.
A Slack app is installed in each Slack workspace in order to send notifications to that workspace. The specific configuration can be found here.
See the docs/configuration folder for the specifics.
At least one GitHub organisation and one Slack app must be configured for the app to start properly.
Naming is hard. We needed an image of something that waits for secrets to be trapped and discovered, and "Lobster Pot" came to mind.