
Tutorial 3 min read

How to Ignore Tokens in Repositories with Radar

by isaacmadan Published Mar 27, 2020

In this tutorial, you’ll learn how to use our GitHub repository scanning product, Radar, to easily ignore results you don’t want to include in your scans for credentials & secrets.

This post assumes you have familiarity with Nightfall Radar for scanning GitHub repositories and have an account. If not, get started here: radar.nightfall.ai

In the context of Radar, items on an allow list will be ignored when displaying scan results for a repository. For example, let’s say there is a test API key in your repository that you do not want to get flagged by Radar – you can add it to the allow list. Or there’s a vendor directory in your repo that would only yield false positives – you can add it to the allow list. The allow list applies on a global, account level and will affect all subsequent scans for all repos.

Allowing can be performed on two Key Types (specified by the key_type parameter below): individual tokens (where the Key Type is api_key) or an entire file or directory (where the Key Type is subpath). As an example, you could allow the api_key “test_api_key” individually. You could additionally ignore a subpath by allowing a file within your directory, such as “test_keys.py”. The inputs for a subpath start at the root of the repo and can be a specific file, blob, or directory.

  • File path: /path/to/file/to/ignore.py
  • Directory path: /path/to/some/test/directory/*

This tutorial includes a public repo so you can follow along:
https://radar.nightfall.ai/docs#allowlist

1. Say you have a GitHub repo that looks like this below. There is one subdirectory named sub_dir with two files in it: sample.py and sample.rb.

2. When you scan the repo, both files come back with sensitive findings like so.

3. Let’s say you know that the token in sample.rb is for test purposes only and you therefore decide to allow that token with a POST request to prevent it from showing up on future scans.

In this case, since you are allowing a particular token (“dbd1b2a5bd84476280caaff641f9d209”), you specify the key_type as api_key as opposed to subpath.

Sample request:

curl -X POST https://radar.nightfall.ai/api/v1/allowlist \
-u RADAR_API_KEY: \
-d 'allowlist=["TOKEN_TO_ALLOWLIST"]' \
-d 'key_type=api_key'

A successful response should look like:

{ 
 "status": "Success",
 "message": "Key(s) added successfully." 
}

4. You can verify that the token has been successfully allowed with a GET request like so:

curl -X GET https://radar.nightfall.ai/api/v1/allowlist \
-u RADAR_API_KEY: \
-d 'allowlist=["TOKEN_TO_ALLOWLIST"]' \
-d 'key_type=api_key'

A successful response should look like:

{
  "status": "Success",
  "allowlist": [
    "dbd1b2a5bd84476280caaff641f9d209"
  ]
}

Note that you must again specify api_key or subpath for the key_type during GET and DELETE requests.

5. You run the scan again and see that sample.rb no longer has any sensitive findings; sample.py, however, still shows up.

6. You actually know that everything in this subdirectory is safe and for testing only, so you allow all of its contents by entering the file path from the root of the repo. 

The * character may be used to denote all files or subpaths that fall under a particular root file path (“/sub_dir/*”). In this case you specify the key_type as subpath as opposed to api_key.

(Note: Adding a directory path or file name to your allow list will apply across all repos scanned. Additionally, assuming credentials in a testing directory are safe is a common way that production credentials are leaked.) 

Sample request:

curl -X POST https://radar.nightfall.ai/api/v1/allowlist \
-u RADAR_API_KEY: \
-d 'allowlist=["SUBPATH_TO_ALLOWLIST"]' \
-d 'key_type=subpath'

If you instead specifically wanted to allow the sample.py file, you would enter “/sub_dir/sample.py” as the subpath allow list object.
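Because an allow-list entry is account-wide, it is worth previewing what a token or subpath entry would hide across every repo before you POST it. The script below is an added example, not Nightfall's code: it models the matching rules this tutorial describes (exact token match for api_key; exact path or a trailing "/*" directory wildcard for subpath), and the Finding class, sample findings and placeholder tokens are constructed for illustration.

```python
"""Preview which Radar findings a proposed allow-list entry would hide.

Added example, not Nightfall's code. It models the semantics the tutorial
describes: key_type "api_key" hides an exact token; key_type "subpath" hides an
exact file path from the repo root or, with a trailing "/*", every path under
that directory. Entries are account-wide, so the preview spans every repo.
"""
from dataclasses import dataclass

VALID_KEY_TYPES = {"api_key", "subpath"}

@dataclass(frozen=True)
class Finding:
    repo: str   # repository the finding came from
    path: str   # file path from the repo root, e.g. "/sub_dir/sample.rb"
    token: str  # the detected secret

def validate_entry(key_type: str, value: str) -> str:
    """Reject malformed entries before they are POSTed; returns value."""
    if key_type not in VALID_KEY_TYPES:
        raise ValueError(f"key_type must be one of {sorted(VALID_KEY_TYPES)}")
    if not value:
        raise ValueError("allow-list value must not be empty")
    if key_type == "subpath" and not value.startswith("/"):
        raise ValueError("subpath entries start at the repo root, e.g. /sub_dir/*")
    return value

def matches(finding: Finding, key_type: str, value: str) -> bool:
    """True if this allow-list entry would suppress the finding."""
    validate_entry(key_type, value)
    if key_type == "api_key":
        return finding.token == value
    if value.endswith("/*"):             # directory wildcard: prefix match
        return finding.path.startswith(value[:-1])
    return finding.path == value         # exact file

def preview(findings, key_type, value):
    """Return every finding, across all repos, that the entry would hide."""
    return [f for f in findings if matches(f, key_type, value)]

# Constructed sample findings; tokens other than the tutorial's are placeholders.
SAMPLE = [
    Finding("org/demo", "/sub_dir/sample.rb", "dbd1b2a5bd84476280caaff641f9d209"),
    Finding("org/demo", "/sub_dir/sample.py", "CONSTRUCTED_TOKEN_A"),
    Finding("org/prod-api", "/sub_dir/config.py", "CONSTRUCTED_TOKEN_B"),
    Finding("org/prod-api", "/src/settings.py", "dbd1b2a5bd84476280caaff641f9d209"),
]
```

Running preview(SAMPLE, "subpath", "/sub_dir/*") shows that the wildcard from step 6 would also hide /sub_dir/config.py in the unrelated org/prod-api repo, which is the cross-repo effect the note above warns about.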

7. Now when you run your Radar scan, no sensitive results will appear at all.

8. If you’ve made a mistake and realize that sample.py actually might contain a sensitive token, you can remove the subdirectory from your allow list with a DELETE request as follows:

curl -X DELETE https://radar.nightfall.ai/api/v1/allowlist \
-u RADAR_API_KEY: \
-d 'allowlist=["SUBPATH_TO_UNALLOWLIST"]' \
-d 'key_type=subpath'

9. The deletion can be verified with another GET request.

curl -X GET https://radar.nightfall.ai/api/v1/allowlist \
-u RADAR_API_KEY: -d 'key_type=subpath'

Sample response:

{
  "status": "Success",
  "allowlist": []
}

Congrats! You’re now equipped with the ability to ignore tokens from your results to improve accuracy and efficiency. Please let us know if you have any questions or feedback via email at support@nightfall.ai.
