MCPcopy Index your code
hub / github.com/SpectralOps/keyscope

github.com/SpectralOps/keyscope @v1.4.2

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.4.2 ↗ · + Follow
35 symbols 51 edges 11 files 8 documented · 23%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

:white_check_mark: Automate your key and secret validation workflows

:cowboy_hat_face: Over 30 different providers

:robot: Export to JSON, audit via CSV


:key: Keyscope

Keyscope is a key and secret workflow (validation, invalidation, etc.) tool built in Rust, powered by service_policy_kit.

Current workflows supported:

  • Validation

🦀 Why Rust?

  • With Rust, "If it compiles, it works." and also, it compiles to many platforms.
  • Rust is fast, has no VM, or unnecessary cruft (typically 5-8mb binaries with LOTS of code and libraries).
  • Multi purpose, safe, and generalistic - makes for healthy and expressive mission critical code. Adding code or abstraction doesn't increase bloat, doesn't hurt performance, doesn't increase chance for bugs in a radical way (less edge cases).
  • Amazing package manager: Cargo. Productive installing and running of tasks and examples.
  • Rust is getting headlines in the security community as the go-to language for security tools. Equally interesting is offensive security + Rust here and here.

:rocket: Quick Start

Grab a release from releases, or install via Homebrew:

brew tap spectralops/tap && brew install keyscope

Using keyscope

You can try out validating a key for a provider, say, Github (assuming the key is in the GITHUB_TOKEN environment variable):

$ keyscope validate github $GITHUB_TOKEN

You can see which other providers are supported by running:

$ keyscope validate --list

  .
  :
  .

twilio:validation
keyscope validate twilio -p twilio_1 -p twilio_2

twitter:validation
keyscope validate twitter -p twitter_1

zendesk:validation
keyscope validate zendesk -p zendesk_1 -p zendesk_2

Total 44 providers available.
$

And what parameters are required for a certain provider by running (say, stripe):

$ keyscope requirements stripe

provider stripe requires:
 - param: p1
   desc: stripe key
$

Finally the general structure of the validate command is:

$ keyscope validate PROVIDER -p PARAM1 -p PARAM2 .. -p PARAM_N

:white_check_mark: Validation: key should be active

You can validate a specific provider like so:

$ keyscope validate twilio -p $TWILIO_KEY

With the general pattern of:

$ keyscope validate PROVIDER -p PARAM1 -p PARAM2 ...

The number of keys/params would change based on authentication type:

  • Bearer - usually just a single key (token)
  • Basic Auth - usually 2 keys: user, password
  • OAuth - usually 2 keys: client_id, client_secret
  • And others.

Each provider in Keyscope will tell you what it requires using requirements:

$ keyscope requirements twilio

You'll get a report:

$ keyscope --verbose validate stripe -p $STRIPE_KEY

✔ stripe:validation: ok 766ms

Ran 1 interactions with 1 checks in 766ms

Success: 1
Failure: 0
  Error: 0
Skipped: 0

And an executable exit code that reflects success/failure.

You can use the --verbose flag to see API responses:

$ keyscope --verbose validate stripe -p $STRIPE_KEY

✗ stripe:validation: failed 413ms
      status_code: 200 != 401 Unauthorized

Ran 1 interactions with 1 checks in 413ms

Success: 0
Failure: 1
  Error: 0
Skipped: 0

In this case the exit code is 1 (failure).

:x: Validation: key should be inactive

When you are validating keys that are supposed to be inactive, you can use the flip flag. In this mode, a failed API access is a good thing, and the exit code will reflect that.

$ keyscope --flip validate stripe -p $STRIPE_KEY

✔ stripe:validation: ok 766ms

Ran 1 interactions with 1 checks in 766ms

In this case, the key is active - which is bad for us. Using --flip, the exit code will be 1 (failure).

:runner: Setting up a validation job

Audit active keys

You can set up a CI job (or other form of scheduled job you like) to perform an audit, by reading all parameters from a dedicated CSV file like so:

$ keyscope validate --csv-in report.csv

The format of the CSV that you need to prepare should include a header line and look like this:

provider,key1,key2,key3
twilio,tw-key1,,,

You can specify as many key columns as you like, as long as you provide an empty value for providers which don't have that many keys, and all rows contain the same amount of cells.

Audit inactive keys

If you have a dump of keys from your vault that are stale have expiry and should have been rotated, you want to test that they are all stale:

$ keyscope --flip validate --csv-in my-key-audit.csv

:link: Supported providers

We're always adding new providers, keep a link to this list or watch this repo to get updated.

We use our service_policy_kit library to specify interactions with services and their policies, if you find a service not in this list feel free to open an issue or contribute back.

**tester** Tester: valid key validation `tester_1` - hookbin ID (https://hookb.in) `tester_2` - fake key to put as a query param
keyscope validate tester -p TESTER_1 -p TESTER_2
**infura** infura API key validation `infura_1` - infura API key
keyscope validate infura -p INFURA_1
**covalenthq** Covalent: valid key validation `covalenthq_1` - covalent token
keyscope validate covalenthq -p COVALENTHQ_1
**asana** Asana: valid token validation `asana_1` - asana token
keyscope validate asana -p ASANA_1
**bitly** Bit.ly: valid access token validation `bitly_1` - bit.ly token
keyscope validate bitly -p BITLY_1
**ipstack** ipstack access key validation `ipstack_1` - ipstack access key
keyscope validate ipstack -p IPSTACK_1
**localytics** Localytics: valid API credentials validation `localytics_1` - localytics user `localytics_2` - localytics key
keyscope validate localytics -p LOCALYTICS_1 -p LOCALYTICS_2
**algolia** Algolia: valid API credentials validation `algolia_1` - algolia application ID `algolia_2` - algolia index `algolia_3` - algolia API key
keyscope validate algolia -p ALGOLIA_1 -p ALGOLIA_2 -p ALGOLIA_3
**branchio** branch.io: valid API credentials validation `branchio_1` - branch.io key `branchio_2` - branch.io secret
keyscope validate branchio -p BRANCHIO_1 -p BRANCHIO_2
**browserstack** browserstack: valid API credentials validation `browserstack_1` - browserstack key `browserstack_2` - browserstack secret
keyscope validate browserstack -p BROWSERSTACK_1 -p BROWSERSTACK_2
**buildkite** Buildkite: valid token validation `buildkite_1` - buildkite token
keyscope validate buildkite -p BUILDKITE_1
**datadog** datadog: valid API credentials validation `datadog_1` - datadog API key
keyscope validate datadog -p DATADOG_1
**github** github: valid API credentials validation `github_1` - github token
keyscope validate github -p GITHUB_1
**github-ent** Github Enterprise: valid API token validation `github-ent_1` - github enterprise instance (without http) `github-ent_2` - github token
keyscope validate github-ent -p GITHUB-ENT_1 -p GITHUB-ENT_2
**dropbox** dropbox: valid API credentials validation `dropbox_1` - dropbox token
keyscope validate dropbox -p DROPBOX_1
**gitlab** gitlab: valid API credentials validation `gitlab_1` - gitlab token
keyscope validate gitlab -p GITLAB_1
**heroku** heroku: valid API credentials validation `heroku_1` - heroku token
keyscope validate heroku -p HEROKU_1
**mailchimp** mailchimp: valid API credentials validation `mailchimp_1` - mailchimp datacenter ID `mailchimp_2` - mailchimp key
keyscope validate mailchimp -p MAILCHIMP_1 -p MAILCHIMP_2
**mailgun** mailgun: valid API credentials validation `mailgun_1` - mailgun key
keyscope validate mailgun -p MAILGUN_1
**pagerduty** pagerduty: valid API credentials validation `pagerduty_1` - pagerduty token
keyscope validate pagerduty -p PAGERDUTY_1
**circleci** circleci: valid API credentials validation `circleci_1` - circleci key
keyscope validate circleci -p CIRCLECI_1
**facebook-access-token** facebook: valid API token validation `facebook-access-token_1` - facebook token
keyscope validate facebook-access-token -p FACEBOOK-ACCESS-TOKEN_1
**salesforce** salesforce: valid API credentials validation `salesforce_1` - salesforce instance name `salesforce_2` - salesforce token
keyscope validate salesforce -p SALESFORCE_1 -p SALESFORCE_2
**jumpcloud** jumpcloud: valid API credentials validation `jumpcloud_1` - jumpcloud key
keyscope validate jumpcloud -p JUMPCLOUD_1
**saucelabs-us** saucelabs-us: valid API credentials validation `saucelabs-us_1` - saucelabs user `saucelabs-us_2` - saucelabs key
keyscope validate saucelabs-us -p SAUCELABS-US_1 -p SAUCELABS-US_2
**saucelabs-eu** saucelabs-eu: valid API credentials validation `saucelabs-eu_1` - saucelabs user `saucelabs-eu_2` - saucelabs key
keyscope validate saucelabs-eu -p SAUCELABS-EU_1 -p SAUCELABS-EU_2
**sendgrid** sendgrid: valid API credentials validation `sendgrid_1` - sendgrid key
keyscope validate sendgrid -p SENDGRID_1
**slack** slack: valid API credentials validation `slack_1` - slack key
keyscope validate slack -p SLACK_1
**slack-webhook** slack-webook: valid API credentials validation `slack-webhook_1` - slack webhook
keyscope validate slack-webhook -p SLACK-WEBHOOK_1
**stripe** stripe: valid API credentials validation `stripe_1` - stripe key
keyscope validate stripe -p STRIPE_1
**travisci** travisci: valid API credentials validation `travisci_1` - travisci domain, choose 'org' or 'com' `travisci_2` - travisci key
keyscope validate travisci -p TRAVISCI_1 -p TRAVISCI_2
**twilio** twilio: valid API credentials validation `twilio_1` - twilio account sid `twilio_2` - twilio token
keyscope validate twilio -p TWILIO_1 -p TWILIO_2
**twitter** twitter: valid API credentials validation `twitter_1` - twitter API token
keyscope validate twitter -p TWITTER_1
**zendesk** zendesk: valid API credentials validation `zendesk_1` - zendesk domain `zendesk_2` - zendesk key
keyscope validate zendesk -p ZENDESK_1 -p ZENDESK_2
**firebase** firebase: valid API credentials validation `firebase_1` - firebase API key `firebase_2`

Extension points exported contracts — how you extend this code

ProviderTrait (Interface)
(no doc)
keyscope/src/providers.rs

Core symbols most depended-on inside this repo

name
called by 4
keyscope/src/providers.rs
get_providers
called by 2
keyscope/src/config.rs
key_validate_with_opts
called by 2
keyscope/src/providers.rs
provider_not_found
called by 2
keyscope/src/bin/cli/out.rs
config
called by 1
keyscope/src/providers.rs
get_validation_request_params
called by 1
keyscope/src/providers.rs
is_valid_params_for_key_validate
called by 1
keyscope/src/providers.rs
key_validate
called by 1
keyscope/src/providers.rs

Shape

Method 16
Function 9
Class 6
Enum 3
Interface 1

Languages

Rust100%

Modules by API surface

keyscope/src/providers.rs11 symbols
keyscope/src/bin/cli/exit.rs6 symbols
keyscope/src/config.rs5 symbols
keyscope/src/bin/cli/out.rs5 symbols
keyscope/src/bin/cli/cmd.rs3 symbols
keyscope/src/bin/keyscope.rs2 symbols
keyscope/tests/cli_tests.rs1 symbols
keyscope/src/errors.rs1 symbols
keyscope/examples/validate.rs1 symbols

For agents

$ claude mcp add keyscope \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact