
Lobster Pot


Purpose

Lobster Pot is a framework that scans all code pushed to one or more GitHub organisations and reports any findings to a Slack channel. The common application is searching for secrets.

Demo

[Demo: screenshot of a finding posted to Slack]

Origins

It was originally created by Etienne Stalmans and has since been modularized and extended by the PaaS Security Team.

It is actively used in various GitHub organisations under the Salesforce Enterprise plan.

It was primarily designed to run on Heroku, but it can be used on any platform that supports 12-factor apps.

Monitoring of a GitHub Org

The app receives push event notifications from GitHub. Each push is reviewed and the commits it contains are scanned for possible secrets (such as passwords, AWS secret keys and API tokens).
When a scan produces findings, the app posts a message with the relevant details to a configured Slack channel and triggers a manual review.
Findings are also stored in the database for statistics and reporting.
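The pipeline described above, written out as an added example in Go. This is not Lobster Pot's own code: the function names, the two detection rules and the `fetchDiff` callback are assumptions made for the illustration, and the real app keeps its rules and Slack/GitHub configuration elsewhere. It shows the three steps a practitioner cares about: rejecting any webhook whose `X-Hub-Signature-256` HMAC does not verify before the body is parsed, scanning only the added lines of each commit's diff (the push payload itself carries no file contents, so the diff has to be fetched through `fetchDiff`), and masking the matched secret before it is put into the Slack message.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// PushEvent is the subset of GitHub's push payload used here. The payload
// names commits but carries no diffs; those are fetched separately.
type PushEvent struct {
	Repository struct{ FullName string `json:"full_name"` } `json:"repository"`
	Commits    []struct{ ID string `json:"id"` }           `json:"commits"`
}

// Finding is one suspected secret. Line holds the offending line with the
// match masked, so the secret itself never reaches Slack or the database.
type Finding struct{ Repo, Commit, Rule, Line string }

// Illustrative rules (assumed for this example; the app's real rule set is
// configured separately). A slice keeps finding order deterministic.
var secretRules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"generic-password", regexp.MustCompile(`(?i)(password|passwd|secret)\s*[:=]\s*['"][^'"]{8,}['"]`)},
}

// VerifyWebhookSignature recomputes HMAC-SHA256(webhook secret, raw body) and
// compares it in constant time with the "sha256=<hex>" header GitHub sends.
// An event that fails here is dropped before it is parsed.
func VerifyWebhookSignature(secret, body []byte, header string) bool {
	if !strings.HasPrefix(header, "sha256=") {
		return false
	}
	want, err := hex.DecodeString(strings.TrimPrefix(header, "sha256="))
	if err != nil {
		return false
	}
	m := hmac.New(sha256.New, secret)
	m.Write(body)
	return hmac.Equal(m.Sum(nil), want)
}

// ScanAddedLines runs every rule over the "+" lines of a unified diff
// (skipping the "+++ b/file" header) and masks each match.
func ScanAddedLines(repo, commit, diff string) []Finding {
	var out []Finding
	for _, line := range strings.Split(diff, "\n") {
		if !strings.HasPrefix(line, "+") || strings.HasPrefix(line, "+++") {
			continue
		}
		for _, r := range secretRules {
			if r.Re.MatchString(line) {
				masked := r.Re.ReplaceAllString(line[1:], "[REDACTED]")
				out = append(out, Finding{repo, commit, r.Name, masked})
			}
		}
	}
	return out
}

// HandlePush is the webhook pipeline: verify, parse, fetch each commit's diff
// through fetchDiff (a GitHub API call in a real deployment), scan.
func HandlePush(secret, body []byte, signature string,
	fetchDiff func(repo, commit string) (string, error)) ([]Finding, error) {
	if !VerifyWebhookSignature(secret, body, signature) {
		return nil, errors.New("webhook signature mismatch; event dropped")
	}
	var ev PushEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return nil, fmt.Errorf("bad push payload: %w", err)
	}
	var all []Finding
	for _, c := range ev.Commits {
		diff, err := fetchDiff(ev.Repository.FullName, c.ID)
		if err != nil {
			return nil, fmt.Errorf("fetching diff for %s: %w", c.ID, err)
		}
		all = append(all, ScanAddedLines(ev.Repository.FullName, c.ID, diff)...)
	}
	return all, nil
}

// SlackMessage builds a chat.postMessage body for the review channel.
func SlackMessage(channel string, findings []Finding) ([]byte, error) {
	var b strings.Builder
	fmt.Fprintf(&b, "%d possible secret(s) pushed; manual review needed:\n", len(findings))
	for _, f := range findings {
		fmt.Fprintf(&b, "- %s@%s [%s]: %s\n", f.Repo, f.Commit, f.Rule, f.Line)
	}
	return json.Marshal(map[string]string{"channel": channel, "text": b.String()})
}
```

Two design points worth keeping in any implementation: the HMAC is computed over the exact raw bytes received, not over a re-serialized JSON object, and the comparison uses `hmac.Equal` rather than `==` so the check is constant-time. Masking the match before it leaves the scanner matters because the Slack channel and the findings database are themselves places a secret should not be copied to.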

Data Flow Diagram

Components

Backend

The backend is written in Go and runs on Heroku or any platform that supports 12-factor apps. Its configuration is documented in the docs/configuration folder.

Github Apps

A GitHub App is installed in each organisation that is monitored. It provides organisation-level webhooks that send all push events to the app. The specific configuration can be found here.

Slack Apps

A Slack app is installed in each Slack workspace that should receive notifications. The specific configuration can be found here.

Setup

See the docs/configuration folder for the specifics.

At least one GitHub organisation and one Slack app must be configured for the app to start properly.

Naming

Naming is hard. We wanted an image of something that waits for secrets to be trapped and discovered, and "Lobster Pot" came to mind.

About

Scans every git push to your Github organisations to find unwanted secrets.
