Skip to main content

find

Descriptionโ€‹

Looks through analysis reports to show package versions matching your search criteria.

Use this command to target specific types of security issues and check if rl-secure detected them while analyzing any of your files.

Multiple search terms can be used at the same time, separated by commas. In this case, the search results show matches for any of the provided search terms, not for all search terms combined.

You can limit the scope of your search by specifying the project, package, or version with --purl. Otherwise, the find command looks for your search terms across the entire package store.

The find command can search for the following:

  • CVE by ID or name - to show package versions matching a specific CVE. Provide it as a full or partial CVE ID (e.g. CVE-2021-44228, CVE-2017-57*) or public vulnerability name (e.g. Log4Shell, Spectre).
  • Policy ID - to show package versions where a specific policy was triggered during analysis. Provide it as a full or partial ReversingLabs Spectra Assure policy ID (e.g. SQ30104, TH15*).
  • Behavior ID - to show software behaviors detected in files across projects, packages, and package versions. Provide it as a full or partial behavior ID (e.g. BH13302, BH19*). Software behavior IDs and their descriptions are available in the analysis reports, so you can copy them directly from there.
  • malware - to show package versions where any malicious code was detected. Provide it as a plain keyword (malware). You can combine it with options to filter out suspicious (--no-suspect) and riskware (--no-riskware) detections.
  • secrets - to show package versions where any leaked sensitive information was detected. Provide it as a plain keyword (secrets). You can also use the --service option to search for secrets related to a specific service.

Usageโ€‹

rl-secure find <csv-list> [<purl>] [<rl-store>]

rl-secure find --term=<csv-list> --purl=[<purl>] --rl-store=[<rl-store>]

Optionsโ€‹

OptionDescription
--termRequired. One or more comma-separated search terms to look for in the package store. Search terms are always required, but --term itself may be omitted. Supported search term values are: CVE ID, CVE name, policy ID, behavior ID, malware, secrets. Partial matching is supported for CVE IDs, behavior IDs and policy IDs.
-p, --purlPackage URL of the project or package which you want to search for the specified term(s). Must be in the format [pkg:type/]<project>[/<package>[@<version>]]. If omitted, the whole package store is searched.
--no-colorDo not output color to terminal or log.
--return-statusSet command return status to fail if any items are found.
-h, --helpDisplay usage information and exit.
-s, --rl-store ย  ย  ย  ย Path to an initialized package store which you want to search for the specified term(s). If you don't specify the path, the current directory is used.

Issue filtering optionsโ€‹

Must be used with policy ID as the search term to produce meaningful output.

OptionDescription
--min-priorityShow issues with priority greater than or equal to min. Specify the min value as an integer.
--max-priorityShow issues with priority lower than or equal to max. Specify the max value as an integer.
--blockers, --level-blockersShow issues that are preventing migration to the specified RL level. Specify the level as an integer value from 1 to 5. For example, --blockers=4 indicates if there is anything blocking the upgrade to RL level 4.

CVE optionsโ€‹

Must be used with CVE ID or CVE name to produce meaningful output.

OptionDescription
--exploit, --exploitableApplies only to CVEs. Show only CVEs that are being exploited in the wild.
--mandate, --with-mandateApplies only to CVEs. Show only CVEs that have a patching mandate.
--min-scoreApplies only to CVEs. Show CVEs with CVSS score greater that or equal to min. Specify the min value as a double.
--max-scoreApplies only to CVEs. Show CVEs with CVSS score lower than or equal to max. Specify the max value as a double.

Malware optionsโ€‹

Must be used with the malware search keyword to produce meaningful output.

OptionDescription
--no-riskwareApplies only to malware. Exclude showing Potentially Unwanted Applications (PUA).
--no-suspectApplies only to malware. Exclude showing suspicious detections.

Secrets optionsโ€‹

Must be used with the secrets search keyword to produce meaningful output.

OptionDescription
--evidence,
--with-evidence		Applies only to secrets. When used, the command output includes detailed evidence information for detected secrets. For text-based files, the output shows the exact line number where the secret was detected. The exposure status can be one of the following: Exposed, Suppressed, Unknown.

Exposed indicates when the secret was first recorded in the ReversingLabs cloud, and that it is newer than the configured leak threshold. The threshold is used to define the age after which secrets are no longer considered active (usually according to organization password policies).

Suppressed indicates when the secret was first recorded in the in the ReversingLabs cloud, and that it is older than the configured leak threshold. It is assumed the secrets older than the threshold have been rotated or revoked in the meantime. Therefore, they're no longer considered exposed.

Unknown indicates the secret has no records in the ReversingLabs cloud, and it's therefore not possible to calculate how long it has been exposed.
--endpoints,
--with-endpoints		Can only be used together with --evidence. Shows the liveness status for a verified secret per endpoint.
--exposedApplies only to secrets. Show only secrets with known exposures in the cloud.
--serviceApplies only to secrets. When used, the command output shows only secrets that affect specific services. To specify the services, list one or more supported secrets as comma-separated values.

Alternatively, list one or more of the following keywords to show only services that belong to the specified category: ssh, pgp, network.

Multi-word service names should be provided in quotes (e.g. --service="Google OAuth credentials"). Case-insensitive and partial name matching are supported for all service names.

Supported secretsโ€‹

Private keys
DER
DNSSECKey 
MicrosoftKEY 
NetscapeNET 
PEMKey 
PGPPrivKey
Embedded private keys
PEM Private Key           
PEM PKCS8 Private Key    
PEM PKCS12 Private Key
PEM RSA Private Key       
PEM RSA-PSS Private Key  
PEM DSA Private Key
PEM EC Private Key        
PEM Nebula Private Key   
PEM TSS Private Key
PEM SILC Private Key      
PEM OpenVPN Static Key   
PEM Dynamsoft Private Key
PEM PGP Private Key Block 
PEM TSS Private Key Blob 
DER PKCS8 Private Key
DER PKCS12 Private Key    
DER RSA Private Key      
DER DSA Private Key
DER EC Private Key        
DNSSEC Private Key       
Microsoft PVK
MS Private Key Blob       
BCrypt Private Key Blob
Private SSH keys
SSHKeyPEM
OpenSSHKeyLegacy
PuTTyPPK
Embedded private SSH keys
PEM OpenSSH SSH Private Key
PEM SSHCOM SSH Private Key
PuTTy User Key File
Legacy SSH1 SSH Private Key
Embedded private PGP keys
PEM PGP Private Key Block
Embedded encrypted private keys
PEM Encrypted Private Key        
PEM PKCS8 Encrypted Private Key
PEM PKCS12 Encrypted Private Key 
PEM Tendermint Encrypted Private Key
PEM RSA Encrypted Private Key    
PEM RSA-PSS Encrypted Private Key
PEM DSA Encrypted Private Key    
PEM EC Encrypted Private Key
PEM IBC Encrypted Private Key    
DER SGC Encrypted Private Key
DER PKCS5 Encrypted Private Key  
DER PKCS8 Encrypted Private Key
DER PKCS12 Encrypted Private Key 
Microsoft Encrypted PVK
Embedded encrypted private SSH keys
PEM OpenSSH SSH Encrypted Private Key
PEM SSHCOM SSH Encrypted Private Key
PEM SSHTools SSH Encrypted Private Key
PEM Van-Dyke SSH Encrypted Private Key
PEM NetSarang SSH Encrypted Private Key 
PEM OpenSSH SSH Encrypted Private Key
PuTTy Encrypted User Key File          
Legacy SSH1 SSH Encrypted Private Key
Web service access credentials
AWS long-term credentials
AWS temporary credentials 
Google OAuth credentials
Square credentials
DingTalk credentials
Zoho credentials
Duo credentials
PayPal credentials 
OAuth token credentials
Basic Access credentials
Akamai EdgeGrid credentials
Alibaba Cloud credentials 
PubNub credentials
Shopify credentials 
Salesforce credentials
Web service access tokens
Amazon ECR authorization token
AWS CodeArtifact authorization token 
Twilio JWT
Adobe JWT Access Token
Adobe Refresh Token
Adobe Service Token
JFrog Access Token
Graph CMS Token
Supabase Service Key
Livestorm token
JWT Generic
SWT Generic
RFC6750 Token
Amazon MWS Authentication Token
Facebook short-lived access token
Facebook long-lived access token
Square access token
Slack bot access token
Slack user access token
Slack workspace access token
Slack workspace refresh token
Slack legacy token
PayPal/Braintree access token
Google OAuth token
Zoho access or refresh token
Github PAT
Github OAuth access token
Github refresh token
Github S2S access token
Github U2S access token
Github fine-grained PAT
Gitlab PAT
NPM OAuth access token
PyPI access token
Clojars deploy token
Contentful PAT
Databricks PAT
Doppler PAT
Doppler service token
Doppler CLI token
Doppler SCIM token
Doppler audit token
Dropbox short-lived access token
Dynatrace access token
Dynatrace ActiveGate token
Figma PAT
Frame IO developer token
Intercom access token
JFrog reference token
Planetscale service token
Planetscale OAuth token
SendInBlue SMTP production token
Shopify token
Shopify Public App access token
Shopify Custom App access token
Shopify legacy Private App access token
Shopify CLI authorization token
Shopify partner API access token
Plaid development access token
Plaid production access token
Pulumi access token
Salesforce access token
Salesforce refresh token
WePay production access token
Linear OAuth access token
LINE long-lived access token
Rancher bearer token
LaunchDarkly API access token
Discord bot token
DigitalOcean PAT
DigitalOcean OAuth access token
DigitalOcean OAuth refresh token
Mapbox Secret Access Token
Ory personal access token
Typeform personal access token
Telegram bot token
Yandex v1 IAM token
Yandex v1 IAM cookie
Shutterstock non-expiring OAuth token
Shutterstock expiring OAuth token
Shutterstock OAuth refresh token
Teamwork v2 personal access token
HashiCorp root key
HashiCorp service token
HashiCorp v1 batch token
HashiCorp v2 batch token
Mollie access token
Chief personal access token
Chief team access token
Mercado pago access token
Mercado pago refresh token
Connection string with an exposed secret
Azure connection string with an exposed secret
Planetscale database password
Azure Cache for Redis access key
Web service API keys
Stripe secret API key
Engage API key
RazorPay API key
SendGrid API key
StackHawk API key
MailGun API key
MailChimp API key
NuGet API key
Twilio API key
Google Cloud API Key
Adafruit IO API key
Apideck API key
Apify API key
ChecIO Commerce.js API key
Checkout.com API key
ClickUp API key
EasyPost production API key
Flutterwave secret API key
Linear API key
PostHog personal API key
Postman API key
Samsara API v2 key
SendInBlue API v3 key
RapidAPI API key
RubyGems API key
Telnyx API v2 key
Ubidots API key
Trend Micro Cloud One API key
Yandex Predictor API key
Yandex Translate API key
Yandex Dictionary API key
Yandex Cloud API key
Firebase Cloud Messaging API key
Hearland API key
NewRelic deprecated REST API key
NewRelic deprecated Admin key
NewRelic User key
NewRelic Insight Insert key
NewRelic Insight Query key
NewRelic Synthetics Private Location key
NewRelic Ingest Browser key
NewRelic APM license key
NewRelic Service key
NewRelic mobile API token
NewRelic Pixie integration API key
Courier production 'publish' key
Courier production 'draft' key
Duffel API access token
Cloudflare origin CA key
Terraform API token
Octopus Deploy API token
Onfido live API token
Shippo live API token
PayStack live secret API key
Zillow user ID
Moneywave API key
WorkOS production API key
Close API key
OpenAI API Key
Finage API Key
Fleetbase live API Key
Prefect v1 API Key
Prefect v1 Service Key
Prefect v2 API Key
Prefect v2 Service Key
ReadMe API Key
Mollie API Key
DevCycle Client API Key
DevCycle Mobile API Key
DevCycle Server API Key
Scrapfly API Key
Segment public API Key
Segment config API Key
Zuplo consumer API Key
redirect.pizza API Key
Imagekit API Key
Wallet Balance API Key
Radar secret API Key
Notion integration key or secret
Webhook service access tokens
Private webhook 
Slack service incoming webhook
Slack workflow incoming webhook
Openpay secret key or Clearbit webhook signing key
Outlook / Teams webhook
Stripe webhook signing secret 
Courier webhook signing secret

Examplesโ€‹

Find behaviors in a projectโ€‹

This example shows how to look for specific software behaviors in a project. This is achieved by specifying behavior IDs as search terms.

In this example, we have already analyzed multiple package versions in the same project. The analysis report for one of the package versions shows some uncommon behaviors. We want to check if those behaviors have been detected anywhere else in the project.

Behavior prevalence

A behavior is considered uncommon in the context of its community (e.g. npm or PyPI) if it was rarely found by ReversingLabs in other software components from that community. For example, the BH19536 behavior ("Enumerates registry keys.") is considered uncommon for the npm community based on statistics from the ReversingLabs analysis of npm packages. However, the same behavior may be considered common - or the opposite, anomalous - in other communities. Always carefully consider the context when looking into software behaviors.

This information on how common a behavior is within a community is called behavior prevalence. ReversingLabs regularly collects and analyzes packages from popular package management repositories. Statistics from those analysis efforts are used to calculate behavior prevalence within each community. This means that prevalence information is not available for all types of software supported by Spectra Assure, but only for select software communities.

We've copied behavior IDs of two uncommon behaviors from the analysis report of a package version:

  • BH15182 ("Contains potentially obfuscated code or data.")
  • BH16188 ("Sends commands through FTP.")

In this example, we're providing full behavior IDs as search terms for the find command. The output shows that one of the behaviors has been detected in two different package versions in the project.

The command expects the package store to exist in the current directory. Use the -s option to provide an alternative path to the package store.

rl-secure find BH15182,BH16188 pkg:rl/my-project

Find RL-Levels upgrade blockers in a projectโ€‹

This example shows how to use the --blockers option to find issues in a project that prevent your software from reaching a higher level of maturity.

In this example, we have previously enabled the RL-Levels feature for this specific project and set the scan level to 1 (the lowest security level). That means we want all package versions in the project to pass level 1.

After scanning the packages at level 1, we want to find out if it's possible to upgrade to level 2. To do this, we're looking for all software quality issues (with SQ* as the search term) that are blocking the upgrade to level 2.

The output of this example shows two different types of issues. The first issue is already failing at level 1 and needs to be fixed to progress to level 2. The second issue is passing at level 1, but it will fail when we upgrade to level 2. 

rl-secure find SQ* pkg:rl/my-project --blockers=2

Search for specific secrets with evidenceโ€‹

This example looks for packages with any sensitive information related to GitHub services. The command searches the whole package store. This is achieved by omitting the package URL; in other words, by not specifying any project or package.

We're using the --service option with the secrets keyword to make the search more specific. Using "GitHub" as the service name will return only those packages that contain GitHub-related secrets. You can narrow down the search results even more by providing the exact secret types (e.g. "Github OAuth access token") from the list of supported secrets.

We're also using the --evidence option to include more information about each detected secret. Specifically, the output will show us:

  • how long the secret has been exposed (if that information is available). Note that some secrets in this example have the Unknown exposure status, which indicates they have not been recorded in the ReversingLabs cloud at the time of analysis
  • where the secret is located within each detected file
  • live secret validation status, if the liveness check is supported for the service and/or secret type

The command expects the package store to exist in the current directory. Use the -s option to provide an alternative path to the package store.

rl-secure find secrets --service=GitHub --evidence

Find active and exposed secrets in a projectโ€‹

This example checks if any package versions in a specific project contain active and exposed secrets. This is achieved by specifying the project name in the package URL and using the secrets search keyword.

We're using the --service option with the secrets keyword to narrow down the search. Using "Github PAT" as the service name will return only those packages that contain the specific secret type.

We're also using the --evidence option to include more information about each detected secret. Specifically, the output will show us how long the secret has been exposed (if that information is available) and where the secret is located within each detected file.

Adding the --endpoints option displays the liveness status of every detected secret on each service endpoint. The time when the liveness check was last performed is displayed next to the liveness status. This allows you to pinpoint the secrets that are still used on specific services and can therefore be exploited.

The command expects the package store to exist in the current directory. Use the -s option to provide an alternative path to the package store.

rl-secure find secrets --service="Github PAT" --with-evidence --with-endpoints pkg:rl/my-project

Find packages with recent CVEsโ€‹

This example searches for packages with any CVEs discovered recently (in a specific year) or with a specific CVE.

The command searches the whole package store. This is achieved by omitting the package URL; in other words, by not specifying any project or package.

The command expects the package store to exist in the current directory. Use the -s option to provide an alternative path to the package store.

rl-secure find CVE-2023*,CVE-2021-44228

Check if any versions triggered a policyโ€‹

This example looks for versions of a specific package that have triggered a policy during analysis. This is achieved by specifying the package name in the package URL, and the exact policy ID as the search term.

For TH policies, the triggered behavior ID and its description is shown under the Root Cause part of the CLI output.

The command expects the package store to exist in the current directory. Use the -s option to provide an alternative path to the package store.

rl-secure find TH18102 pkg:rl/apache/solr

Find package versions with malwareโ€‹

This example checks if any package versions in a specific project triggered a malware detection during analysis. This is achieved by specifying the project name in the package URL.

The command expects the package store to exist in the current directory. Use the -s option to provide an alternative path to the package store.

rl-secure find malware pkg:rl/my-project