Primary Use Case

This tool is designed for security and compliance teams who need to discover and audit sensitive data residing at-rest in various data silos such as cloud backups or exports from platforms like Salesforce or Jira. It helps organizations identify sensitive information to reduce data exposure risks and support compliance auditing.

Key Features

Scans local directories, backups, and exports for sensitive data using Nightfall's DLP APIs

Supports scanning data from popular cloud services like Salesforce, Jira, Confluence, and more

Runs a local webhook server to receive and process sensitive data findings

Outputs comprehensive sensitive data reports in CSV format

Allows customization via Nightfall detection rule UUIDs

Provides integration with ngrok for secure webhook tunneling

Enables auditing of at-rest data for compliance and risk assessment

Insights & Recommendations

Users must have a Nightfall account and appropriate admin access to generate backups or exports of their data silos. The tool relies on a local webhook server and ngrok for receiving scan results, so network configuration and security of the webhook endpoint should be carefully managed. The detection rule UUID is optional but can be customized to tailor sensitive data detection. Results are output in CSV format for easy auditing.

Installation

Create a cloud backup or export of the systems you wish to scan and extract it locally
Install dependencies with: pip install -r requirements.txt
Create a local ngrok tunnel pointing to your webhook server: ./ngrok http 8000
Set environment variables for NIGHTFALL_API_KEY, NIGHTFALL_SIGNING_SECRET, NIGHTFALL_DETECTION_RULE_UUID (optional), NIGHTFALL_SERVER_URL, and SCAN_DIRECTORY_PATH

Usage

./ngrok http 8000

Starts a local ngrok tunnel to expose the webhook server for receiving Nightfall scan results

export NIGHTFALL_API_KEY=<your_key_here>

Sets the Nightfall API key environment variable for authentication

export NIGHTFALL_SIGNING_SECRET=<your_secret_here>

Sets the Nightfall signing secret environment variable for webhook verification

export NIGHTFALL_DETECTION_RULE_UUID=<your_uuid_here>

Optionally sets a custom detection rule UUID to specify what sensitive data to detect

export NIGHTFALL_SERVER_URL=https://<your_subdomain_here>.ngrok.io

Sets the webhook server URL that Nightfall will send scan results to

export SCAN_DIRECTORY_PATH='/path/to/your/export/'

Specifies the local directory path containing the extracted backup or export to scan

gunicorn app:app

Starts the local webhook server to receive scan results from Nightfall

python scanner.py

Initiates the scan of the specified directory using Nightfall's DLP APIs

Smart Usage Notes

Integrate scanning into regular backup workflows to ensure continuous sensitive data discovery and compliance auditing.Leverage webhook outputs to automate alerting and remediation workflows in SIEM or SOAR platforms.Customize Nightfall detection rules to tailor sensitive data identification to organizational risk profiles and compliance requirements.Use findings reports to drive data minimization and encryption strategies, reducing attack surface related to data at-rest.Combine with endpoint DLP and network monitoring tools for comprehensive data security posture management.

OpenSec Atlas

sensitive-data-scanner

About This Tool

Primary Use Case

Key Features

Insights & Recommendations

Installation

Usage

Smart Usage Notes

Security Capability Profile

Tags

You Might Also Like