
find

Description

Looks through analysis reports to show package versions matching your search criteria.

Use this command to target specific types of security issues and check if rl-secure detected them while analyzing any of your files.

Multiple search terms can be used at the same time, separated by commas. In this case, the search results show matches for any of the provided search terms, not for all search terms combined.

You can limit the scope of your search by specifying the project, package, or version with --purl. Otherwise, the find command looks for your search terms across the entire package store.

The find command can search for the following:

  • CVE by ID or name - to show package versions matching a specific CVE. Provide it as a full or partial CVE ID (e.g. CVE-2021-44228, CVE-2017-57*) or public vulnerability name (e.g. Log4Shell, Spectre).
  • Policy ID - to show package versions where a specific policy was triggered during analysis. Provide it as a full or partial ReversingLabs Spectra Assure policy ID (e.g. SQ30104, TH15*).
  • Behavior ID - to show software behaviors detected in files across projects, packages, and package versions. Provide it as a full or partial behavior ID (e.g. BH13302, BH19*). Software behavior IDs and their descriptions are available in the analysis reports and in the reference documentation, so you can copy them directly from there.
  • malware - to show package versions where any malicious code was detected. Provide it as a plain keyword (malware). You can combine it with options to filter out suspicious (--no-suspect) and riskware (--no-riskware) detections.
  • secrets - to show package versions where any leaked sensitive information was detected. Provide it as a plain keyword (secrets). You can also use the --service option to search for secrets related to a specific service.

Usage

rl-secure find <csv-list> [<purl>] [<rl-store>]

rl-secure find --term=<csv-list> --purl=[<purl>] --rl-store=[<rl-store>]

Options

--term
    Required. One or more comma-separated search terms to look for in the package store. Search terms are always required, but --term itself may be omitted. Supported search term values are: CVE ID, CVE name, policy ID, behavior ID, malware, secrets. Partial matching is supported for CVE IDs, behavior IDs and policy IDs.

-p, --purl
    Package URL of the project or package which you want to search for the specified term(s). Must be in the format [pkg:type/]<project>[/<package>[@<version>]]. If omitted, the whole package store is searched.

--no-color
    Do not output color to terminal or log.

--return-status
    Set command return status to fail if any items are found.

-h, --help
    Display usage information and exit.

-s, --rl-store
    Path to an initialized package store which you want to search for the specified term(s). If you don't specify the path, the current directory is used.

Issue filtering options

Must be used with policy ID as the search term to produce meaningful output.

--min-priority
    Show issues with priority greater than or equal to min. Specify the min value as an integer.

--max-priority
    Show issues with priority lower than or equal to max. Specify the max value as an integer.

--blockers, --level-blockers
    Show issues that are preventing migration to the specified SAFE level. Specify the level as an integer value from 1 to 5. For example, --blockers=4 indicates if there is anything blocking the upgrade to SAFE level 4.

CVE options

Must be used with CVE ID or CVE name to produce meaningful output.

--exploit, --exploitable
    Applies only to CVEs. Show only CVEs that are being exploited in the wild.

--mandate, --with-mandate
    Applies only to CVEs. Show only CVEs that have a patching mandate.

--min-score
    Applies only to CVEs. Show CVEs with CVSS score greater than or equal to min. Specify the min value as a double.

--max-score
    Applies only to CVEs. Show CVEs with CVSS score lower than or equal to max. Specify the max value as a double.

Malware options

Must be used with the malware search keyword to produce meaningful output.

--no-riskware
    Applies only to malware. Exclude showing Potentially Unwanted Applications (PUA).

--no-suspect
    Applies only to malware. Exclude showing suspicious detections.

Secrets options

Must be used with the secrets search keyword to produce meaningful output.

--evidence, --with-evidence
    Applies only to secrets. When used, the command output includes detailed evidence information for detected secrets. For text-based files, the output shows the exact line number where the secret was detected. The exposure status can be one of the following: Exposed, Suppressed, Unknown.

    Exposed indicates when the secret was first recorded in the ReversingLabs cloud, and that it is newer than the configured leak threshold. The threshold is used to define the age after which secrets are no longer considered active (usually according to organization password policies).

    Suppressed indicates when the secret was first recorded in the ReversingLabs cloud, and that it is older than the configured leak threshold. It is assumed that secrets older than the threshold have been rotated or revoked in the meantime. Therefore, they're no longer considered exposed.

    Unknown indicates the secret has no records in the ReversingLabs cloud, and it's therefore not possible to calculate how long it has been exposed.

--endpoints, --with-endpoints
    Can only be used together with --evidence. Shows the liveness status for a verified secret per endpoint.

--exposed
    Applies only to secrets. Show only secrets with known exposures in the cloud.

--service
    Applies only to secrets. When used, the command output shows only secrets that affect specific services. To specify the services, list one or more supported secrets as comma-separated values.

    Alternatively, list one or more of the following keywords to show only services that belong to the specified category: ssh, pgp, network.

    Multi-word service names should be provided in quotes (e.g. --service="Google OAuth credentials"). Case-insensitive and partial name matching are supported for all service names.

Supported secrets

Secrets are grouped by type and sorted by service name in A-Z order.

Private keys
  • DER
  • DNSSECKey
  • MicrosoftKEY
  • NetscapeNET
  • PEMKey
  • PGPPrivKey

Embedded private keys
  • BCrypt Private Key Blob
  • DER DSA Private Key
  • DER EC Private Key
  • DER PKCS12 Private Key
  • DER PKCS8 Private Key
  • DER RSA Private Key
  • DNSSEC Private Key
  • Microsoft PVK
  • MS Private Key Blob
  • PEM DSA Private Key
  • PEM Dynamsoft Private Key
  • PEM EC Private Key
  • PEM Nebula Private Key
  • PEM OpenVPN Static Key
  • PEM PGP Private Key Block
  • PEM PKCS12 Private Key
  • PEM PKCS8 Private Key
  • PEM Private Key
  • PEM RSA Private Key
  • PEM RSA-PSS Private Key
  • PEM SILC Private Key
  • PEM TSS Private Key
  • PEM TSS Private Key Blob

Private SSH keys
  • OpenSSHKeyLegacy
  • PuTTyPPK
  • SSHKeyPEM

Embedded private SSH keys
  • Legacy SSH1 SSH Private Key
  • PEM OpenSSH SSH Private Key
  • PEM SSHCOM SSH Private Key
  • PuTTy User Key File

Embedded private PGP keys
  • PEM PGP Private Key Block

Embedded encrypted private keys
  • DER PKCS12 Encrypted Private Key
  • DER PKCS5 Encrypted Private Key
  • DER PKCS8 Encrypted Private Key
  • DER SGC Encrypted Private Key
  • Microsoft Encrypted PVK
  • PEM DSA Encrypted Private Key
  • PEM EC Encrypted Private Key
  • PEM Encrypted Private Key
  • PEM IBC Encrypted Private Key
  • PEM PKCS12 Encrypted Private Key
  • PEM PKCS8 Encrypted Private Key
  • PEM RSA Encrypted Private Key
  • PEM RSA-PSS Encrypted Private Key
  • PEM Tendermint Encrypted Private Key

Embedded encrypted private SSH keys
  • Legacy SSH1 SSH Encrypted Private Key
  • PEM NetSarang SSH Encrypted Private Key
  • PEM OpenSSH SSH Encrypted Private Key
  • PEM SSHCOM SSH Encrypted Private Key
  • PEM SSHTools SSH Encrypted Private Key
  • PEM Van-Dyke SSH Encrypted Private Key
  • PuTTy Encrypted User Key File

Web service access credentials
  • Akamai EdgeGrid credentials
  • Alibaba Cloud credentials
  • Amazon LWA credentials
  • AWS long-term credentials
  • AWS temporary credentials
  • Basic Access credentials
  • DingTalk credentials
  • Duo credentials
  • GitHub credentials
  • Google OAuth credentials
  • OAuth token credentials
  • PayPal credentials
  • PubNub credentials
  • Salesforce credentials
  • Shopify credentials
  • Square credentials
  • Zoho credentials

Web service access tokens
  • Adobe JWT Access Token
  • Adobe Refresh Token
  • Adobe Service Token
  • Alven Service Password
  • Amazon ECR authorization token
  • Amazon LWA Access Token
  • Amazon LWA Refresh Token
  • Amazon LWA Submission Token
  • Amazon MWS Authentication Token
  • Asana Legacy Personal Access Token
  • Asana Personal Access Token
  • Atlassian API access token
  • Atlassian JWT
  • Atlassian personal access token
  • AWS CodeArtifact authorization token
  • Azure Cache for Redis access key
  • Azure connection string with an exposed secret
  • Chief personal access token
  • Chief team access token
  • Clojars deploy token
  • Connection string with an exposed secret
  • Contentful PAT
  • Databricks PAT
  • DigitalOcean OAuth access token
  • DigitalOcean OAuth refresh token
  • DigitalOcean PAT
  • Discord bot token
  • Docker PAT
  • Doppler audit token
  • Doppler CLI token
  • Doppler PAT
  • Doppler SCIM token
  • Doppler service token
  • Dropbox short-lived access token
  • Dynatrace access token
  • Dynatrace ActiveGate token
  • Facebook long-lived access token
  • Facebook short-lived access token
  • Figma PAT
  • Frame IO developer token
  • Github fine-grained PAT
  • Github OAuth access token
  • Github PAT
  • Github refresh token
  • Github S2S access token
  • Github U2S access token
  • Gitlab PAT
  • Gitlab Pipeline Trigger Token
  • Google OAuth token
  • Grafana Cloud API access token
  • Grafana Service Account Token
  • Graph CMS Token
  • HashiCorp root key
  • HashiCorp service token
  • HashiCorp v1 batch token
  • HashiCorp v2 batch token
  • Hubspot Personal Access Token
  • Intercom access token
  • Ionic Personal Access Token
  • JFrog Access Token
  • JFrog reference token
  • JWT Generic
  • LaunchDarkly API access token
  • LINE long-lived access token
  • Linear OAuth access token
  • Livestorm token
  • LocalStack Auth Token
  • Mapbox Secret Access Token
  • Mercado pago access token
  • Mercado pago refresh token
  • Mollie access token
  • NPM OAuth access token
  • Ory personal access token
  • PayPal/Braintree access token
  • Plaid development access token
  • Plaid production access token
  • Planetscale database password
  • Planetscale OAuth token
  • Planetscale service token
  • Pulumi access token
  • PyPI access token
  • Rancher bearer token
  • RFC6750 Token
  • Salesforce access token
  • Salesforce refresh token
  • SendInBlue SMTP production token
  • Shopify CLI authorization token
  • Shopify Custom App access token
  • Shopify legacy Private App access token
  • Shopify partner API access token
  • Shopify Public App access token
  • Shopify token
  • Shutterstock expiring OAuth token
  • Shutterstock non-expiring OAuth token
  • Shutterstock OAuth refresh token
  • Slack bot access token
  • Slack legacy token
  • Slack user access token
  • Slack workspace access token
  • Slack workspace refresh token
  • Square access token
  • Supabase Service Key
  • SWT Generic
  • Teamwork v2 personal access token
  • Telegram bot token
  • Twilio JWT
  • Typeform personal access token
  • Wakatime OAuth Access Token
  • Wakatime OAuth Refresh Token
  • WePay production access token
  • Yandex v1 IAM cookie
  • Yandex v1 IAM token
  • Zoho access or refresh token

Web service API keys
  • Adafruit IO API key
  • Apideck API key
  • Apify API key
  • ChecIO Commerce.js API key
  • Checkout.com API key
  • ClickUp API key
  • Close API key
  • Cloudflare origin CA key
  • Courier production 'draft' key
  • Courier production 'publish' key
  • Defined API Key
  • DevCycle Client API Key
  • DevCycle Mobile API Key
  • DevCycle Server API Key
  • Duffel API access token
  • EasyPost production API key
  • Engage API key
  • Finage API Key
  • Firebase Cloud Messaging API key
  • Fleetbase live API Key
  • Flutterwave secret API key
  • Google Cloud API Key
  • Google Gemini API key
  • Hearland API key
  • Hubspot API Key
  • Imagekit API Key
  • Linear API key
  • MailChimp API key
  • MailGun API key
  • Mollie API Key
  • Moneywave API key
  • NewRelic APM license key
  • NewRelic deprecated Admin key
  • NewRelic deprecated REST API key
  • NewRelic Ingest Browser key
  • NewRelic Insight Insert key
  • NewRelic Insight Query key
  • NewRelic mobile API token
  • NewRelic Pixie integration API key
  • NewRelic Service key
  • NewRelic Synthetics Private Location key
  • NewRelic User key
  • Notion integration key or secret
  • NuGet API key
  • Octopus Deploy API token
  • Onfido live API token
  • OpenAI API Key
  • PayStack live secret API key
  • PostHog personal API key
  • Postman API key
  • Postman Collection API Key
  • Prefect v1 API Key
  • Prefect v1 Service Key
  • Prefect v2 API Key
  • Prefect v2 Service Key
  • Radar secret API Key
  • RapidAPI API key
  • RazorPay API key
  • ReadMe API Key
  • redirect.pizza API Key
  • RubyGems API key
  • Samsara API v2 key
  • Scrapfly API Key
  • Segment config API Key
  • Segment public API Key
  • SendGrid API key
  • SendInBlue API v3 key
  • Shippo live API token
  • StackHawk API key
  • Stripe secret API key
  • Telnyx API v2 key
  • Terraform API token
  • Trend Micro Cloud One API key
  • Twilio API key
  • Ubidots API key
  • Wakatime Secret API Key
  • Wallet Balance API Key
  • WorkOS production API key
  • Yandex Cloud API key
  • Yandex Dictionary API key
  • Yandex Predictor API key
  • Yandex Translate API key
  • Zillow user ID
  • Zuplo consumer API Key

Webhook service access tokens
  • Courier webhook signing secret
  • Openpay secret key or Clearbit webhook signing key
  • Outlook / Teams webhook
  • Private webhook
  • Slack service incoming webhook
  • Slack workflow incoming webhook
  • Stripe webhook signing secret

Examples

Find behaviors in a project

This example shows how to look for specific software behaviors in a project. This is achieved by specifying behavior IDs as search terms.

In this example, we have already analyzed multiple package versions in the same project. The analysis report for one of the package versions shows some uncommon behaviors. We want to check if those behaviors have been detected anywhere else in the project.

Behavior prevalence

A behavior is considered uncommon in the context of its community (e.g. npm or PyPI) if it was rarely found by ReversingLabs in other software components from that community. For example, the BH19536 behavior ("Enumerates registry keys.") is considered uncommon for the npm community based on statistics from the ReversingLabs analysis of npm packages. However, the same behavior may be considered common - or the opposite, anomalous - in other communities. Always carefully consider the context when looking into software behaviors.

This information on how common a behavior is within a community is called behavior prevalence. ReversingLabs regularly collects and analyzes packages from popular package management repositories. Statistics from those analysis efforts are used to calculate behavior prevalence within each community. This means that prevalence information is not available for all types of software supported by Spectra Assure, but only for select software communities.

We've copied behavior IDs of two uncommon behaviors from the analysis report of a package version:

  • BH15182 ("Contains potentially obfuscated code or data.")
  • BH16188 ("Sends commands through FTP.")

In this example, we're providing full behavior IDs as search terms for the find command. The output shows that one of the behaviors has been detected in two different package versions in the project.

The command expects the package store to exist in the current directory. Use the -s option to provide an alternative path to the package store.

rl-secure find BH15182,BH16188 pkg:rl/my-project

Find SAFE Levels upgrade blockers in a project

This example shows how to use the --blockers option to find issues in a project that prevent your software from reaching a higher level of maturity.

In this example, we have previously enabled the SAFE Levels feature for this specific project and set the scan level to 1 (the lowest security level). That means we want all package versions in the project to pass level 1.

After scanning the packages at level 1, we want to find out if it's possible to upgrade to level 2. To do this, we're looking for all software quality issues (with SQ* as the search term) that are blocking the upgrade to level 2.

The output of this example shows two different types of issues. The first issue is already failing at level 1 and needs to be fixed to progress to level 2. The second issue is passing at level 1, but it will fail when we upgrade to level 2.

rl-secure find SQ* pkg:rl/my-project --blockers=2

Search for specific secrets with evidence

This example looks for packages with any sensitive information related to GitHub services. The command searches the whole package store. This is achieved by omitting the package URL; in other words, by not specifying any project or package.

We're using the --service option with the secrets keyword to make the search more specific. Using "GitHub" as the service name will return only those packages that contain GitHub-related secrets. You can narrow down the search results even more by providing the exact secret types (e.g. "Github OAuth access token") from the list of supported secrets.

We're also using the --evidence option to include more information about each detected secret. Specifically, the output will show us:

  • how long the secret has been exposed (if that information is available). Note that some secrets in this example have the Unknown exposure status, which indicates they have not been recorded in the ReversingLabs cloud at the time of analysis
  • where the secret is located within each detected file
  • live secret validation status, if the liveness check is supported for the service and/or secret type

The command expects the package store to exist in the current directory. Use the -s option to provide an alternative path to the package store.

rl-secure find secrets --service=GitHub --evidence

Find active and exposed secrets in a project

This example checks if any package versions in a specific project contain active and exposed secrets. This is achieved by specifying the project name in the package URL and using the secrets search keyword.

We're using the --service option with the secrets keyword to narrow down the search. Using "Github PAT" as the service name will return only those packages that contain the specific secret type.

We're also using the --evidence option to include more information about each detected secret. Specifically, the output will show us how long the secret has been exposed (if that information is available) and where the secret is located within each detected file.

Adding the --endpoints option displays the liveness status of every detected secret on each service endpoint. The time when the liveness check was last performed is displayed next to the liveness status. This allows you to pinpoint the secrets that are still used on specific services and can therefore be exploited.

The command expects the package store to exist in the current directory. Use the -s option to provide an alternative path to the package store.

rl-secure find secrets --service="Github PAT" --with-evidence --with-endpoints pkg:rl/my-project

Find packages with recent CVEs

This example searches for packages with any CVEs discovered recently (in a specific year) or with a specific CVE.

The command searches the whole package store. This is achieved by omitting the package URL; in other words, by not specifying any project or package.

The command expects the package store to exist in the current directory. Use the -s option to provide an alternative path to the package store.

rl-secure find CVE-2023*,CVE-2021-44228

Check if any versions triggered a policy

This example looks for versions of a specific package that have triggered a policy during analysis. This is achieved by specifying the package name in the package URL, and the exact policy ID as the search term.

For TH policies, the triggered behavior ID and its description are shown under the Root Cause part of the CLI output.

The command expects the package store to exist in the current directory. Use the -s option to provide an alternative path to the package store.

rl-secure find TH18102 pkg:rl/apache/solr

Find package versions with malware

This example checks if any package versions in a specific project triggered a malware detection during analysis. This is achieved by specifying the project name in the package URL.

The command expects the package store to exist in the current directory. Use the -s option to provide an alternative path to the package store.

rl-secure find malware pkg:rl/my-project
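The examples above each run a single search. The script below is an added example (it is not part of the rl-secure documentation and not ReversingLabs code) that chains several of them into a release gate by using the --return-status option, which makes the command exit with a failure status whenever any item is found. The helper names run_find and gate_version, and the RL_SECURE and RL_STORE variables, are this example's own; the search terms and options (malware, secrets with --exposed, CVE IDs with --exploitable, SQ* with --blockers) and the pkg:rl/my-project package URL are taken from the sections above. It assumes rl-secure is on PATH and that the package store has already been analyzed.

```shell
#!/bin/sh
# Added example, not from the rl-secure documentation: a release gate built on
# `rl-secure find --return-status`. With --return-status the command exits
# non-zero when any item matches, so each search becomes a pass/fail check.
#
# Assumptions: rl-secure is on PATH (RL_SECURE may point at another binary or
# a shell function, which is how the gate can be exercised without a real
# package store), and RL_STORE is an initialized package store (defaults to
# the current directory, matching rl-secure's own default).
RL_SECURE="${RL_SECURE:-rl-secure}"
RL_STORE="${RL_STORE:-.}"

# run_find TERM PURL [option...]
# Returns 0 when nothing matched, non-zero when rl-secure found something
# (or could not run at all, so a missing tool also fails closed).
run_find() {
  term="$1"
  purl="$2"
  shift 2
  "$RL_SECURE" find --term="$term" --purl="$purl" --rl-store="$RL_STORE" \
    --return-status --no-color "$@"
}

# gate_version PURL
# Runs one find per risk class and prints PASS/FAIL for each. The return
# value is the number of failed checks, so 0 means the version is clean.
# Each entry is "search-term|extra-option"; the options come from the
# malware, secrets, CVE and issue filtering option sections.
gate_version() {
  purl="$1"
  failed=0
  for spec in \
    "malware|" \
    "secrets|--exposed" \
    "CVE-*|--exploitable" \
    "SQ*|--blockers=2"; do
    term="${spec%%|*}"
    opts="${spec#*|}"
    # $opts is intentionally unquoted: it is either empty or one option.
    if run_find "$term" "$purl" $opts >/dev/null 2>&1; then
      echo "PASS  $term $opts"
    else
      echo "FAIL  $term $opts"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Run the gate when a package URL is given on the command line, e.g.
#   sh gate.sh pkg:rl/my-project@1.2.3
if [ -n "${1:-}" ]; then
  gate_version "$1"
fi
```

Because the gate's exit status is the number of failed checks, a CI step can simply run `sh gate.sh pkg:rl/my-project@1.2.3` and let a non-zero status block the release; the PASS/FAIL lines name the search term and option so the failing class is visible in the job log, and the detailed findings can then be reproduced by rerunning the corresponding find command without --return-status.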