How to Ignore Tokens in Repositories with Radar

In this tutorial, you’ll learn how to use our GitHub repository scanning product, Radar, to easily ignore results you don’t want to include in your scans for credentials & secrets.

This post assumes you have familiarity with Nightfall Radar for scanning GitHub repositories and have an account. If not, get started here: radar.nightfall.ai

In the context of Radar, items on an allow list will be ignored when displaying scan results for a repository. For example, let’s say there is a test API key in your repository that you do not want to get flagged by Radar – you can add it to the allow list. Or there’s a vendor directory in your repo that would only yield false positives – you can add it to the allow list. The allow list applies on a global, account level and will affect all subsequent scans for all repos.

Allowing can be performed on two Key Types (specified by the key_type parameter below): individual tokens (where the Key Type is api_key) or an entire file/directory (where the Key Type is subpath). As an example, you could allow the api_key "test_api_key" individually. You could additionally ignore a subpath by allowing a file within your directory such as "test_keys.py". The inputs for a subpath start at the root of the repo and can be a specific file, blob, or directory.

  • File path: /path/to/file/to/ignore.py
  • Directory path: /path/to/some/test/directory/*
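To make the two Key Types concrete, here is a small Python model, added for this tutorial and not Radar's own code, of how allow list entries suppress findings: an api_key entry matches a flagged token exactly, while a subpath entry matches a file path exactly or, with a trailing "/*", everything beneath a directory. The findings are constructed, and the assumption that "/*" also reaches nested subdirectories is ours.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    """One scan result: a flagged credential and the repo-relative file it sits in."""
    path: str   # path from the repo root, e.g. "/sub_dir/sample.rb"
    token: str  # the credential string that was flagged


def normalize_subpath(subpath: str) -> str:
    """Subpath inputs start at the repo root; accept them with or without a leading slash."""
    return "/" + subpath.strip().lstrip("/")


def subpath_matches(allowed: str, path: str) -> bool:
    """True if `path` is covered by the subpath entry `allowed`.

    A trailing "/*" (as in "/sub_dir/*") covers every file beneath that directory;
    anything else must match the file path exactly.
    """
    pattern = normalize_subpath(allowed)
    path = normalize_subpath(path)
    if pattern.endswith("/*"):
        # Assumption: the wildcard also reaches into nested subdirectories.
        return path.startswith(pattern[:-1])
    return path == pattern


def is_allowed(finding: Finding, api_keys: Iterable[str], subpaths: Iterable[str]) -> bool:
    """api_key entries match a token exactly; subpath entries match the file location."""
    if finding.token in set(api_keys):
        return True
    return any(subpath_matches(s, finding.path) for s in subpaths)


def filter_findings(findings, api_keys=(), subpaths=()) -> List[Finding]:
    """Return only the findings that no allow list entry suppresses (what a scan would report)."""
    return [f for f in findings if not is_allowed(f, api_keys, subpaths)]


# Constructed sample findings (not real scan output): two files in one test directory.
SAMPLE_FINDINGS = [
    Finding("/sub_dir/sample.py", "EXAMPLE_PY_TOKEN_0000000000000000"),
    Finding("/sub_dir/sample.rb", "dbd1b2a5bd84476280caaff641f9d209"),
]

if __name__ == "__main__":
    for label, kwargs in [
        ("no allow list", {}),
        ("api_key entry for the .rb token", {"api_keys": ["dbd1b2a5bd84476280caaff641f9d209"]}),
        ("subpath entry /sub_dir/*", {"subpaths": ["/sub_dir/*"]}),
    ]:
        remaining = [f.path for f in filter_findings(SAMPLE_FINDINGS, **kwargs)]
        print(f"{label}: {remaining}")
```

Note the difference in blast radius: an api_key entry silences one specific string wherever it appears, while a directory subpath silences every current and future finding under that path in every repo on the account, so prefer the narrower entry when one will do.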

This tutorial includes a public repo so you can follow along:
https://radar.nightfall.ai/docs#allowlist

1. Say you have a GitHub repo that looks like this below. There is one subdirectory named sub_dir with two files in it: sample.py and sample.rb.

2. When you scan the repo, both files come back with sensitive findings like so.

3. Let’s say you know that the token in sample.rb is for test purposes only and you therefore decide to allow that token with a POST request to prevent it from showing up on future scans.

In this case, since you are allowing a particular token (“dbd1b2a5bd84476280caaff641f9d209”), you specify the key_type as api_key as opposed to subpath.

Sample request:

curl -X POST https://radar.nightfall.ai/api/v1/allowlist \
-u RADAR_API_KEY: \
-d 'allowlist=["TOKEN_TO_ALLOWLIST"]' \
-d 'key_type=api_key'

A successful response should look like:

{
  "status": "Success",
  "message": "Key(s) added successfully."
}

4. You can verify that the token has been successfully allowed with a GET request like so:

curl -X GET https://radar.nightfall.ai/api/v1/allowlist \
-u RADAR_API_KEY: \
-d 'allowlist=["TOKEN_TO_ALLOWLIST"]' \
-d 'key_type=api_key'

A successful response should look like:

{
  "status": "Success",
  "allowlist": [
    "dbd1b2a5bd84476280caaff641f9d209"
  ]
}

Note that you must again specify api_key or subpath for the key_type during GET and DELETE requests.

5. You run the scan again and see that sample.rb no longer has any sensitive findings; sample.py, however, still shows up.

6. You actually know that everything in this subdirectory is safe and for testing only, so you allow all of its contents by entering the file path from the root of the repo. 

The * character may be used to denote all files or subpaths that fall under a particular root file path (“/sub_dir/*”). In this case you specify the key_type as subpath as opposed to api_key.

(Note: Adding a directory path or file name to your allow list will apply across all repos scanned. Additionally, assuming credentials in a testing directory are safe is a common way that production credentials are leaked.) 

Sample request:

curl -X POST https://radar.nightfall.ai/api/v1/allowlist \
-u RADAR_API_KEY: \
-d 'allowlist=["SUBPATH_TO_ALLOWLIST"]' \
-d 'key_type=subpath'

If you instead specifically wanted to allow the sample.py file, you would enter “/sub_dir/sample.py” as the subpath allow list object.

7. Now when you run your Radar scan, no sensitive results will appear at all.

8. If you’ve made a mistake and realize that sample.py actually might contain a sensitive token, you can remove the subdirectory from your allow list with a DELETE request as follows:

curl -X DELETE https://radar.nightfall.ai/api/v1/allowlist \
-u RADAR_API_KEY: \
-d 'allowlist=["SUBPATH_TO_UNALLOWLIST"]' \
-d 'key_type=subpath'

9. The deletion can be verified with another GET request.

curl -X GET https://radar.nightfall.ai/api/v1/allowlist \
-u RADAR_API_KEY: -d 'key_type=subpath'

Sample response:

{
  "status": "Success",
  "allowlist": []
}
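The curl commands above can be wrapped in a few lines of Python so the POST, GET and DELETE calls share one request builder and one response check. This is an added example written for this tutorial, not Nightfall's client library: it assumes the endpoint and parameters shown above (HTTP Basic auth with the Radar API key as the username and an empty password, a form body carrying allowlist as a JSON array and key_type as api_key or subpath, and a JSON reply with a "status" field). The request is only sent when a RADAR_API_KEY environment variable is set.

```python
import base64
import json
import os
import urllib.request
from urllib.parse import parse_qsl, urlencode

ALLOWLIST_URL = "https://radar.nightfall.ai/api/v1/allowlist"  # endpoint from the tutorial
KEY_TYPES = ("api_key", "subpath")
METHODS = ("POST", "GET", "DELETE")  # add, list, remove


def basic_auth_header(radar_api_key: str) -> str:
    """Equivalent of `curl -u RADAR_API_KEY:` -- Basic auth, key as user, empty password."""
    token = base64.b64encode(f"{radar_api_key}:".encode()).decode()
    return f"Basic {token}"


def build_allowlist_request(method, key_type, entries, radar_api_key, url=ALLOWLIST_URL):
    """Build the urllib Request for one allow list call.

    `entries` is the list of tokens or subpaths (None for a plain GET listing);
    key_type must be "api_key" or "subpath", exactly as in the curl examples.
    """
    if method not in METHODS:
        raise ValueError(f"unsupported method {method!r}")
    if key_type not in KEY_TYPES:
        raise ValueError(f"key_type must be one of {KEY_TYPES}, got {key_type!r}")
    fields = {"key_type": key_type}
    if entries is not None:
        fields["allowlist"] = json.dumps(list(entries))  # same shape as -d 'allowlist=[...]'
    req = urllib.request.Request(url, data=urlencode(fields).encode(), method=method)
    req.add_header("Authorization", basic_auth_header(radar_api_key))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def decode_form_body(req) -> dict:
    """Inspection helper: turn the encoded body back into plain fields."""
    fields = dict(parse_qsl(req.data.decode()))
    if "allowlist" in fields:
        fields["allowlist"] = json.loads(fields["allowlist"])
    return fields


def parse_allowlist_response(raw: bytes) -> dict:
    """Accept only replies whose status is "Success", as in the sample responses above."""
    payload = json.loads(raw)
    if payload.get("status") != "Success":
        raise RuntimeError(f"allow list call failed: {payload}")
    return payload


def send(req):
    """Perform the request and return the parsed JSON body (network access required)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_allowlist_response(resp.read())


if __name__ == "__main__":
    key = os.environ.get("RADAR_API_KEY")  # assumed env var name, not from the tutorial
    if key:
        # List the subpath allow list, the same call as step 9.
        print(send(build_allowlist_request("GET", "subpath", None, key)))
    else:
        req = build_allowlist_request("POST", "subpath", ["/sub_dir/*"], "EXAMPLE_KEY")
        print(req.get_method(), req.full_url, decode_form_body(req))
```

Keep the Radar API key out of the command line and source: reading it from the environment (or a secrets manager) means a scan of the repository that contains this script will not itself flag the key used to manage the allow list.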

Congrats! You’re now equipped with the ability to ignore tokens from your results to improve accuracy and efficiency. Please let us know if you have any questions or feedback via email at support@nightfall.ai.
