Skip to content

Comments

Added new git-repo-scanner options (rate limit, activity filter)#327

Merged
rfelber merged 9 commits intomainfrom
git-repo-rate-limit
Apr 12, 2021
Merged

Added new git-repo-scanner options (rate limit, activity filter)#327
rfelber merged 9 commits intomainfrom
git-repo-rate-limit

Conversation

@rfelber
Copy link
Member

@rfelber rfelber commented Mar 13, 2021
edited
Loading

Description

Implements a new rate limit configuration

Implements #325

This PR if applied adds a new rate limit configuration to the git-repo-scanner to obey the GitHub and GitLeaks server rate limits. By default this setting is true.

Example

Works for GitHub and Gitlab:

--obey-rate-limit: True to obey the rate limit of the GitHub server (default), otherwise False
  • For unauthenticated requests, the rate limit allows for up to 60 requests per hour. Unauthenticated requests are associated with the originating IP address, and not the user making requests.
    • With --obey-rate-limit=True the scanner will hit the GitHub API every 60 seconds at max (3600s / 60 requests per hour = 60s seconds delay between two request).
  • OAuth applications authorized by a user share the same quota of 5,000 requests per hour when they authenticate with different tokens owned by the same user.
    • With --obey-rate-limit=True the scanner will hit the GitHub API every 0,7 seconds at max (3600s / 5000 requests per hour = 0,7s seconds delay between two request).

Implements a new git repository filter based on latest activity

Implements #320

Example

Works for GitHub and Gitlab:

--activity-since-duration: Return git repo findings with repo activity (e.g. commits) more recent than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each
                               with optional fraction and a unit suffix, such as '1h' or '2h45m'. Valid time units are 'm', 'h', 'd', 'w'.
--activity-until-duration: Return git repo findings with repo activity (e.g. commits) older than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with
                               optional fraction and a unit suffix, such as '1h' or '2h45m'. Valid time units are 'm', 'h', 'd', 'w'.

Testing

If you want to test this PR please reference the following docker image: docker pull securecodebox/scanner-git-repo-scanner:git-repo-rate-limit

image:
  # image.repository -- Container Image to run the scan
  repository: docker.io/securecodebox/scanner-git-repo-scanner
  # image.tag -- defaults to the charts version
  tag: git-repo-rate-limit

Example HelmChart Install

You can use the following command to install and test this PR in your environment. For more general informations please check the scanner documentation : https://docs.securecodebox.io/docs/scanners/git-repo-scanner

# Optional: Add the secureCodeBox Helm Repo
helm repo add secureCodeBox https://charts.securecodebox.io
# Install HelmChart (use -n to configure another namespace)
helm upgrade --install git-repo-scanner secureCodeBox/git-repo-scanner \
  --set="image.repository=docker.io/securecodebox/scanner-git-repo-scanner" \
  --set="image.tag=git-repo-rate-limit"

Checklist

  • Test your changes as thoroughly as possible before you commit them. Preferably, automate your test by unit/integration tests.
  • Make sure npm test runs for the whole project.
  • Cleanup the code to make codeclimate happy

@rfelber rfelber added enhancement New feature or request scanner Implement or update a security scanner labels Mar 13, 2021
@rfelber rfelber self-assigned this Mar 13, 2021
@rfelber rfelber changed the title Added a new rate limit configuration Added a new git-repo-scanner configuration options Mar 14, 2021
This was linked to issues Mar 14, 2021
⚙️ Extend the git-repo-scanner with an activity filter #320
Closed
🐞 The git_repo_scanner triggers an abuse detection mechanism at GitHub for large organisations #325
Closed
@rfelber rfelber marked this pull request as draft March 14, 2021 10:42
@rfelber rfelber mentioned this pull request Mar 19, 2021
Closed
@rfelber rfelber added this to the v2.6.0 milestone Mar 19, 2021
@rfelber rfelber changed the title Added a new git-repo-scanner configuration options Added new git-repo-scanner configuration options (rate limit, activity filter) Mar 20, 2021
@rfelber rfelber changed the title Added new git-repo-scanner configuration options (rate limit, activity filter) Added new git-repo-scanner options (rate limit, activity filter) Mar 20, 2021
@rfelber
Copy link
Member Author

rfelber commented Mar 20, 2021

This PR already works (on my machine 😆) as expected 🎉

But adding the functionality in a hurry 🏃🏻‍♂️ results in a bit messy python code 🙄 The codebase must be refactored and we should introduce a more appropriate python class based implementation:

  • GitHub Class
  • GitLab Class

This would also introduce new possibilities to integrate even more features in the git-repo-scanner like a signed commit checker for example 😉

@paulschmelzer paulschmelzer mentioned this pull request Apr 8, 2021
Merged
3 tasks
@rfelber rfelber merged commit 2e927cc into main Apr 12, 2021
@rfelber rfelber deleted the git-repo-rate-limit branch April 12, 2021 09:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@rfelber rfelber

@twwd twwd

@paulschmelzer paulschmelzer

Labels

enhancement New feature or request scanner Implement or update a security scanner

Projects

None yet

Milestone

v2.6.0

3 participants

@rfelber @twwd @paulschmelzer