diff --git a/README.rst b/README.rst
index 04333fb40ab4d998b348e9fb509cb5f8f5d720ce..d45309c78dcb28f7f19556f1644235ca59e99287 100644
--- a/README.rst
+++ b/README.rst
@@ -44,6 +44,10 @@ tools:
 * `CppLint <https://www.reviewboard.org/docs/reviewbot/latest/tools/cpplint/>`_
   - Checks C++ code against Google's style guide
 
+* `credentialscheck
+  <https://www.reviewboard.org/docs/reviewbot/latest/tools/credentialscheck/>`_
+  – A tool to find sensitive credentials that may have been inadvertently committed
+
 * `flake8 <https://www.reviewboard.org/docs/reviewbot/latest/tools/flake8/>`_
   - A wrapper around several Python code quality tools
 
diff --git a/bot/README.rst b/bot/README.rst
index 63905a728fd3f91831c4f31d78819f2a77c00aa1..873b0b7a1871b8e43950c6f0f8ea50851f188597 100644
--- a/bot/README.rst
+++ b/bot/README.rst
@@ -38,6 +38,10 @@ following tools:
 * `CppLint <https://www.reviewboard.org/docs/reviewbot/latest/tools/cpplint/>`_
   - Checks C++ code against Google's style guide
 
+* `credentialscheck
+  <https://www.reviewboard.org/docs/reviewbot/latest/tools/credentialscheck/>`_
+  – A tool to find sensitive credentials that may have been inadvertently committed
+
 * `flake8 <https://www.reviewboard.org/docs/reviewbot/latest/tools/flake8/>`_
   - A wrapper around several Python code quality tools
 
diff --git a/bot/reviewbot/tools/credentials_check.py b/bot/reviewbot/tools/credentials_check.py
new file mode 100644
index 0000000000000000000000000000000000000000..d5b51ea53b018ff07799b78c07cae907ff7a5de9
--- /dev/null
+++ b/bot/reviewbot/tools/credentials_check.py
@@ -0,0 +1,92 @@
+"""Review Bot tool to check for credentials."""
+
+from __future__ import unicode_literals
+
+import re
+
+import six
+
+from reviewbot.tools import Tool
+
+
+credential_patterns = {
+    'AWS_KEY': (
+        br'(?:AWS_KEY|AWS_ACCESS_KEY|AWS_ACCESS_KEY_ID)\s*=\s*(?P<quote>'
+        br'["\']?)[A-Z0-9]{20}(?P=quote)'
+    ),
+    'AWS_SECRET_KEY': (
+        br'(?:AWS_SECRET_KEY)\s*=\s*(?P<quote>["\']?)[A-Za-z0-9/+=]{40}'
+        br'(?P=quote)'
+    ),
+}
+
+credential_file_types = {
+    'id_dsa',
+    'id_ecdsa',
+    'id_rsa',
+    'key',
+    'p12',
+    'pem',
+    'ppk',
+}
+
+
+class CredentialsCheckTool(Tool):
+    """Review Bot tool to check for credentials."""
+
+    name = 'Credentials Check'
+    version = '1.0'
+    description = ('Checks the code for AWS credentials, private keys, and '
+                   'files that should not be included (id_rsa, .ppk etc)')
+    options = [
+        {
+            'name': 'sensitive_files',
+            'field_type': 'django.forms.CharField',
+            'default': '',
+            'field_options': {
+                'label': 'Sensitive file types',
+                'help_text': ('A comma-separated list of file names and '
+                              'extensions you want Review Bot to label as '
+                              'issues e.g., pem, key, id_rsa.'),
+                'required': False,
+            },
+        },
+    ]
+
+    def __init__(self):
+        """Initialize the tool."""
+        super(CredentialsCheckTool, self).__init__()
+        self.compiled_re = {
+            name: re.compile(pattern)
+            for name, pattern in six.iteritems(credential_patterns)
+        }
+
+    def handle_file(self, f, settings):
+        """Perform a review of a single file.
+
+        Args:
+            f (reviewbot.processing.review.File):
+                The file to process.
+
+            settings (dict):
+                Tool-specific settings.
+        """
+        unsafe_file_types = credential_file_types.union(
+            set(settings['sensitive_files'].split(',')))
+
+        # split() is used here instead of os.path.splitext because then we
+        # don't need to maintain separate extensions and file names sets and
+        # their corresponding options fields.
+        file_type = f.dest_file.lower().split('.')[-1]
+
+        if file_type in unsafe_file_types:
+            f.comment('Including this file is a potential security risk', 1,
+                      issue=True)
+        else:
+            lines = f.patched_file_contents.split('\n')
+
+            for line_number, line in enumerate(lines, 1):
+                for risk_name, pattern in six.iteritems(self.compiled_re):
+                    if re.search(pattern, line):
+                        f.comment('Potential security risk [%s]' % risk_name,
+                                  line_number, issue=True)
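Review bot: The file-type check in `handle_file` will miss key files in subdirectories and most user-configured entries. `f.dest_file.lower().split('.')[-1]` runs over the whole path, so `.ssh/id_rsa` yields `ssh/id_rsa` and never matches `id_rsa` (assuming `dest_file` carries directory components with `/` separators). `settings['sensitive_files'].split(',')` keeps the spaces from the help text's own example `pem, key, id_rsa`, does not lowercase entries, and turns the empty default into `''`, which flags any file name ending in a dot. Normalising the entries and matching on the last path component, as sketched below, closes those gaps. Separately, the patterns are bytes while `split('\n')` uses a text literal under `unicode_literals`, so the type of `patched_file_contents` on Python 3 is worth confirming.

```python
        # ... unchanged: docstring ...
        extra_types = {
            entry.strip().lower()
            for entry in settings['sensitive_files'].split(',')
            if entry.strip()
        }
        unsafe_file_types = credential_file_types | extra_types

        # Match on the final path component so names such as id_rsa are
        # caught in any directory, not only at the repository root.
        file_name = f.dest_file.lower().rsplit('/', 1)[-1]
        file_type = file_name.split('.')[-1]
        # ... unchanged: comment on a match, otherwise scan the lines ...
```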
diff --git a/bot/setup.py b/bot/setup.py
index 658a20649ac369cfc3c33bac234146971df5819e..3c4037158c3b66ab6d3821e4dc3b9b54f0ebf385 100755
--- a/bot/setup.py
+++ b/bot/setup.py
@@ -30,6 +30,7 @@ setup(
             'clang = reviewbot.tools.clang:ClangTool',
             'cppcheck = reviewbot.tools.cppcheck:CPPCheckTool',
             'cpplint = reviewbot.tools.cpplint:CPPLintTool',
+            'credentialscheck = reviewbot.tools.credentials_check:CredentialsCheckTool',
             'doc8 = reviewbot.tools.doc8:Doc8Tool',
             'flake8 = reviewbot.tools.flake8:Flake8Tool',
             'jshint = reviewbot.tools.jshint:JSHintTool',
@@ -43,6 +44,7 @@ setup(
         'appdirs',
         'celery>=3.0,<4.0',
         'RBTools>=0.7.10',
+        'six>=1.8.0',
     ],
     extras_require={
         'all': [
diff --git a/docs/reviewbot/tools/credentialscheck.rst b/docs/reviewbot/tools/credentialscheck.rst
new file mode 100644
index 0000000000000000000000000000000000000000..f6ee889878c3eb1b0c08173e325bb3c709d8aeef
--- /dev/null
+++ b/docs/reviewbot/tools/credentialscheck.rst
@@ -0,0 +1,16 @@
+.. _tool-credentialscheck:
+
+==============
+Credentials Check
+==============
+
+This tool will look for credentials that should not have been included in the
+commit and raise issues if it finds them. Improper credentials can include
+things such as AWS keys hardcoded in source or private key files.
+
+
+Installation
+============
+
+This tool is built into Review Bot. There is no separate installation step
+required.
diff --git a/docs/reviewbot/tools/index.rst b/docs/reviewbot/tools/index.rst
index 9f3721a291e735c01ee177fa22a9854b6abbcef2..add6e8a3c4a0ce7c9c5896b4c1a7d991b806c000 100644
--- a/docs/reviewbot/tools/index.rst
+++ b/docs/reviewbot/tools/index.rst
@@ -12,6 +12,7 @@ Review Bot Tools
    clang
    cppcheck
    cpplint
+   credentialscheck
    doc8
    flake8
    jshint
diff --git a/extension/README.rst b/extension/README.rst
index aee190be4eaf548774365c802504bc3b0aa4bfa3..9b21d120e4dd666a4b73e7c7e53e0d536180f178 100644
--- a/extension/README.rst
+++ b/extension/README.rst
@@ -37,6 +37,10 @@ following tools:
 * `CppLint <https://www.reviewboard.org/docs/reviewbot/latest/tools/cpplint/>`_
   - Checks C++ code against Google's style guide
 
+* `credentialscheck
+  <https://www.reviewboard.org/docs/reviewbot/latest/tools/credentialscheck/>`_
+  – A tool to find sensitive credentials that may have been inadvertently committed
+
 * `flake8 <https://www.reviewboard.org/docs/reviewbot/latest/tools/flake8/>`_
   - A wrapper around several Python code quality tools
 
