-
Updated
Aug 15, 2021 - Shell
security-tools
Cybersecurity (security) includes controlling physical access to hardware as well as protection from attacks that come via network access, data injection, and code injection.
Here are 2,265 public repositories matching this topic...
-
Updated
Aug 27, 2021 - Go
Gitleaks is missing quite a few rules for the Microsoft ecosystem, including Visual Studio, Azure and Azure DevOps.
Microsoft used to have a competing product called credscan, but it was recently deprecated in favor of the GitHub Security offerings.
I've ported most of the rules from credscan to the gitleaks format and put them in a repo here:
https://github.com/jessehouwing/gitleaks-azur
-
Updated
Aug 27, 2021 - JavaScript
Hi & welcome to Scapy's GitHub! This page lists issues that you can try to fix if you want to start contributing to Scapy.
This list includes wishes and things added by the maintainers based on the issues that we get, but also issues marked with TODO or XXX that already exist in Scapy's code base (layers). If you want to contribute to the project you might just take care of one of the bugs.
-
Updated
Aug 27, 2021 - Python
-
Updated
Aug 19, 2021 - Python
-
Updated
Aug 25, 2021 - Shell
-
Updated
Aug 24, 2021 - Ruby
-
Updated
Aug 27, 2021 - Python
-
Updated
Aug 26, 2021 - Go
RustScan has an accessible mode, rustscan --accessible, which should promise not to have any weird ASCII text in it.
Write CI that runs RustScan with --accessible a few times, with different flags / options and check the terminal output to see if it contains one of these:
[!]
[~]
[>]
| {}
If any of these characters appear in any of the tests, fail the CI. E
We need Vagrant docs, you can find it here https://github.com/NullArray/AutoSploit/tree/dev-beta/Vagrant
README translations
-
Updated
Aug 26, 2021 - Shell
-
Updated
Jul 29, 2021 - C#
-
Updated
Aug 27, 2021 - Go
-
Updated
Aug 18, 2021 - Go
Describe the bug
In the docs found here:
https://bandit.readthedocs.io/en/latest/plugins/index.html#complete-test-plugin-listing
B109 and B111 show a description instead of a plugin name. This looks inconsistent since all the other plugin names are listed. I believe this is a result of a recent change to remove these deprecated plugins.
To Reproduce
- Navigate to https://bandit
-
Updated
Feb 10, 2021 - Shell
-
Updated
Jul 2, 2021 - Go
-
Updated
Jul 8, 2021
Description
If a user using an OIDC provisioner has the email configured as myUser@domain.com, and the user signs as myuser@domain.com, step-ca will return an error because the principals passed by the cli do not match the expected ones:
# client
step ssh login --force --provisioner "Office 365" myuser@domain.com
# server
authority.SignSSH: ssh certificate principals does not
-
Updated
Jun 30, 2021 - Ruby
-
Updated
Jun 10, 2021 - Python
-
Updated
Aug 27, 2021 - JavaScript
-
Updated
Aug 21, 2021 - Shell
-
Updated
Jun 30, 2021 - Python
-
Updated
Jul 15, 2021 - C#
Is there a way to skip the nmap scan and go straight to the attacking routes? In case I already know the target list is full of open rtsp port IPs.
Currently, Trivy traverses all paths and looks for all Gemfile.lock in a container image. However, the image sometimes has only Gemfile.lock and doesn't install gems listed in the Gemfile.lock. I think a gem should have *.gemspec file if it is installed. e.g. rake.gemspec has the information about rake. To avoid false positives from Gemfile.lock, we are probably able to take advantage of `*