From 32675ba0d888ad99b12d9a6bd912a8ca3cb73db0 Mon Sep 17 00:00:00 2001
From: AMF
Date: Wed, 17 Jul 2024 16:42:08 +0600
Subject: [PATCH 01/13] initial test commit
From e654e2c91fc27c89df73d8280e952a9c52adc0b6 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Thu, 18 Jul 2024 12:02:41 +0600
Subject: [PATCH 02/13] test: add wrapped aws secret
---
 pkg/fanal/secret/scanner_test.go | 6 ++++++
 pkg/fanal/secret/testdata/wrapped-aws-secret.txt | 1 +
 2 files changed, 7 insertions(+)
 create mode 100644 pkg/fanal/secret/testdata/wrapped-aws-secret.txt
diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
index 04f1f08fc1b2..9d7bf160b0ac 100644
--- a/pkg/fanal/secret/scanner_test.go
+++ b/pkg/fanal/secret/scanner_test.go
@@ -958,6 +958,12 @@ func TestSecretScanner(t *testing.T) {
 inputFilePath: filepath.Join("testdata", "invalid-aws-secrets.txt"),
 want: types.Secret{},
 },
+ {
+ name: "secret inside another word",
+ configPath: filepath.Join("testdata", "skip-test.yaml"),
+ inputFilePath: "testdata/wrapped-aws-secret.txt",
+ want: types.Secret{},
+ },
 {
 name: "asymmetric file",
 configPath: filepath.Join("testdata", "skip-test.yaml"),
diff --git a/pkg/fanal/secret/testdata/wrapped-aws-secret.txt b/pkg/fanal/secret/testdata/wrapped-aws-secret.txt
new file mode 100644
index 000000000000..2ee68677545a
--- /dev/null
+++ b/pkg/fanal/secret/testdata/wrapped-aws-secret.txt
@@ -0,0 +1 @@
+DISPID_ICANVASRENDERINGCONTEXT2D_CANVAS DISPID_CANVASRENDERCONTEXT2D
\ No newline at end of file
From 7258829a79dc8a18eb09be993ffeaa05419bda32 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Thu, 18 Jul 2024 13:32:47 +0600
Subject: [PATCH 03/13] fix: update regex for aws
---
 pkg/fanal/secret/builtin-rules.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
index 6d0c0eacfdcd..fd565432d671 100644
--- a/pkg/fanal/secret/builtin-rules.go
+++ b/pkg/fanal/secret/builtin-rules.go
@@ -78,6 +78,7 @@ const (
 connect = `\s*(:|=>|=)?\s*`
 startSecret = `(^|\s+)`
 endSecret = `[.,]?(\s+|$)`
+ startWord = "([^0-9a-zA-Z]|^)"
 aws = `aws_?`
 )
@@ -98,7 +99,7 @@ var builtinRules = []Rule{
 Category: CategoryAWS,
 Severity: "CRITICAL",
 Title: "AWS Access Key ID",
- Regex: MustCompile(fmt.Sprintf(`%s(?P(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})%s%s`, quote, quote, endSecret)),
+ Regex: MustCompile(fmt.Sprintf(`%s(?P(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})%s%s`, startWord, quote, endSecret)),
 SecretGroupName: "secret",
 Keywords: []string{"AKIA", "AGPA", "AIDA", "AROA", "AIPA", "ANPA", "ANVA", "ASIA"},
 },
From 708658946ba636871b04feed0e1f680c664d9104 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Thu, 18 Jul 2024 16:04:36 +0600
Subject: [PATCH 04/13] test: add more cases
---
 pkg/fanal/secret/scanner_test.go | 2 +-
 pkg/fanal/secret/testdata/wrapped-aws-secret.txt | 1 -
 pkg/fanal/secret/testdata/wrapped-secrets.txt | 5 +++++
 3 files changed, 6 insertions(+), 2 deletions(-)
 delete mode 100644 pkg/fanal/secret/testdata/wrapped-aws-secret.txt
 create mode 100644 pkg/fanal/secret/testdata/wrapped-secrets.txt
diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
index 9d7bf160b0ac..88fc4bd107f2 100644
--- a/pkg/fanal/secret/scanner_test.go
+++ b/pkg/fanal/secret/scanner_test.go
@@ -961,7 +961,7 @@ func TestSecretScanner(t *testing.T) {
 {
 name: "secret inside another word",
 configPath: filepath.Join("testdata", "skip-test.yaml"),
- inputFilePath: "testdata/wrapped-aws-secret.txt",
+ inputFilePath: "testdata/wrapped-secrets.txt",
 want: types.Secret{},
 },
 {
diff --git a/pkg/fanal/secret/testdata/wrapped-aws-secret.txt b/pkg/fanal/secret/testdata/wrapped-aws-secret.txt
deleted file mode 100644
index 2ee68677545a..000000000000
--- a/pkg/fanal/secret/testdata/wrapped-aws-secret.txt
+++ /dev/null
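Review bot: `startWord = "([^0-9a-zA-Z]|^)"` treats `_` as a boundary, so a key-shaped token glued to an identifier by an underscore (a constructed example: `PREFIX_AKIA` followed by sixteen uppercase alphanumerics) still passes the prefix check in the `@@ -98,7` hunk below; if that is unwanted, `([^0-9a-zA-Z_]|^)` — equivalently `(\W|^)` in RE2 — excludes it. The constant is also the only entry in the block written as an interpreted string rather than a raw string; `startWord = `([^0-9a-zA-Z]|^)`` keeps the block uniform. Because it is a capturing group it shifts every numbered group by one, which is harmless for rules that name their group via `SecretGroupName` but worth a one-line comment for rules that do not.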
@@ -1 +0,0 @@
-DISPID_ICANVASRENDERINGCONTEXT2D_CANVAS DISPID_CANVASRENDERCONTEXT2D
\ No newline at end of file
diff --git a/pkg/fanal/secret/testdata/wrapped-secrets.txt b/pkg/fanal/secret/testdata/wrapped-secrets.txt
new file mode 100644
index 000000000000..b0df22efd19c
--- /dev/null
+++ b/pkg/fanal/secret/testdata/wrapped-secrets.txt
@@ -0,0 +1,5 @@
+DISPID_ICANVASRENDERINGCONTEXT2D_CANVAS DISPID_CANVASRENDERCONTEXT2D
+ABCDFLWSECK_TEST-CANVASRENDERCONTEXT2DCANVASRENDA
+ABCFLWSECK_TEST123456789012
+abcdexoxb-1234567890
+APK_TEST_1234567890
From 998ec414851b7fc1f23c485aa5191c0356d4c963 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Thu, 18 Jul 2024 18:23:39 +0600
Subject: [PATCH 05/13] test: add test cases for sensitive data
---
 pkg/fanal/secret/scanner_test.go | 66 +++++++++++++++++++
 .../testdata/wrapped-secrets-sensitive.txt | 2 +
 pkg/fanal/secret/testdata/wrapped-secrets.txt | 6 ++
 3 files changed, 74 insertions(+)
 create mode 100644 pkg/fanal/secret/testdata/wrapped-secrets-sensitive.txt
diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
index 88fc4bd107f2..da43c3bd4351 100644
--- a/pkg/fanal/secret/scanner_test.go
+++ b/pkg/fanal/secret/scanner_test.go
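Review bot: Line 2 of the new `wrapped-secrets.txt` fixture, `ABCDFLWSECK_TEST-CANVASRENDERCONTEXT2DCANVASRENDA`, cannot match the `flutterwave-public-key` pattern `FLW(PUB|SEC)K_TEST-(?i)[a-h0-9]{32}-X` even without any prefix guard — `N` is outside `[a-h0-9]` and there is no `-X` suffix — so unlike the other lines it does not exercise the word-prefix check. A value of the form `ABCDFLWSECK_TEST-` followed by 32 characters from `[a-h0-9]` and `-X` would be rejected only because of the leading letters, which is what the test is meant to prove. Each remaining line targets one rule (Flutterwave enc key, Slack, Stripe); a comment in the test case naming the rule each line is meant to trip would make later edits to this fixture safer.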
@@ -315,6 +315,59 @@ func TestSecretScanner(t *testing.T) {
 },
 },
 }
+ wantFindingMyAwsAccessKey := types.SecretFinding{
+ RuleID: "aws-secret-access-key",
+ Category: secret.CategoryAWS,
+ Title: "AWS Secret Access Key",
+ Severity: "CRITICAL",
+ StartLine: 1,
+ EndLine: 1,
+ Match: `MyAWS_secret_KEY="****************************************"`,
+ Code: types.Code{
+ Lines: []types.Line{
+ {
+ Number: 1,
+ Content: "MyAWS_secret_KEY=\"****************************************\"",
+ Highlighted: "MyAWS_secret_KEY=\"****************************************\"",
+ IsCause: true,
+ FirstCause: true,
+ LastCause: true,
+ },
+ {
+ Number: 2,
+ Content: "our*********************************************************************************************",
+ Highlighted: "our*********************************************************************************************",
+ },
+ },
+ },
+ }
+
+ wantFindingMyGitHubPAT := types.SecretFinding{
+ RuleID: "github-fine-grained-pat",
+ Category: secret.CategoryGitHub,
+ Title: "GitHub Fine-grained personal access tokens",
+ Severity: "CRITICAL",
+ StartLine: 2,
+ EndLine: 2,
+ Match: "our*********************************************************************************************",
+ Code: types.Code{
+ Lines: []types.Line{
+ {
+ Number: 1,
+ Content: "MyAWS_secret_KEY=\"****************************************\"",
+ Highlighted: "MyAWS_secret_KEY=\"****************************************\"",
+ },
+ {
+ Number: 2,
+ Content: "our*********************************************************************************************",
+ Highlighted: "our*********************************************************************************************",
+ IsCause: true,
+ FirstCause: true,
+ LastCause: true,
+ },
+ },
+ },
+ }
 wantFindingGHButDisableAWS := types.SecretFinding{
 RuleID: "github-pat",
 Category: secret.CategoryGitHub,
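Review bot: `wantFindingMyAwsAccessKey` describes a finding whose `RuleID` is `aws-secret-access-key` and whose `Title` is "AWS Secret Access Key", so the variable name points at the wrong rule; `wantFindingMyAwsSecretAccessKey` would read correctly. The `Match` field of the first finding is a raw string while the second is an interpreted string for the same kind of value; one convention within the pair is easier to scan. The enclosing `TestSecretScanner` body starts and ends outside this hunk.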
@@ -419,6 +472,7 @@ func TestSecretScanner(t *testing.T) {
 },
 },
 }
+
 wantFinding10 := types.SecretFinding{
 RuleID: "aws-secret-access-key",
 Category: secret.CategoryAWS,
@@ -964,6 +1018,18 @@ func TestSecretScanner(t *testing.T) {
 inputFilePath: "testdata/wrapped-secrets.txt",
 want: types.Secret{},
 },
+ {
+ name: "secret inside another word, but they're still secret",
+ configPath: filepath.Join("testdata", "skip-test.yaml"),
+ inputFilePath: "testdata/wrapped-secrets-sensitive.txt",
+ want: types.Secret{
+ FilePath: filepath.Join("testdata", "wrapped-secrets-sensitive.txt"),
+ Findings: []types.SecretFinding{
+ wantFindingMyAwsAccessKey,
+ wantFindingMyGitHubPAT,
+ },
+ },
+ },
 {
 name: "asymmetric file",
 configPath: filepath.Join("testdata", "skip-test.yaml"),
diff --git a/pkg/fanal/secret/testdata/wrapped-secrets-sensitive.txt b/pkg/fanal/secret/testdata/wrapped-secrets-sensitive.txt
new file mode 100644
index 000000000000..cda3a74921d3
--- /dev/null
+++ b/pkg/fanal/secret/testdata/wrapped-secrets-sensitive.txt
@@ -0,0 +1,2 @@
+MyAWS_secret_KEY="12ASD34qwe56CXZ78tyH10Tna543VBokN85RHCas"
+our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
\ No newline at end of file
diff --git a/pkg/fanal/secret/testdata/wrapped-secrets.txt b/pkg/fanal/secret/testdata/wrapped-secrets.txt
index b0df22efd19c..7e6e0e2c5e74 100644
--- a/pkg/fanal/secret/testdata/wrapped-secrets.txt
+++ b/pkg/fanal/secret/testdata/wrapped-secrets.txt
@@ -1,5 +1,11 @@
 DISPID_ICANVASRENDERINGCONTEXT2D_CANVAS DISPID_CANVASRENDERCONTEXT2D
 ABCDFLWSECK_TEST-CANVASRENDERCONTEXT2DCANVASRENDA
 ABCFLWSECK_TEST123456789012
+Rought_ICANVASRENDERINGVIACONTEXT2D3D5D7D8D
+Sogho_ICANVASRENDERINGVIACONTEXT2D3D5D7D8D
+Soghu_ICANVASRENDERINGVIACONTEXT2D3D5D7D8D
+Bighr_ICANVASRENDERINGVIACONTEXT2D3D5D7D8DICANVASRENDERINGVIACONTEXT2D3D5D7D8D9D22
+Surhf_ICANVASRENDERINGVIACONTEXT2D3D5D6D7D8D9
 abcdexoxb-1234567890
 APK_TEST_1234567890
+ask_live_superlive1
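Review bot: In the `wrapped-secrets.txt` hunk, `Rought_ICANVASRENDERINGVIACONTEXT2D3D5D7D8D` contains `ght_`, not `ghp_`, so it cannot match `github-pat` with or without the prefix guard and that rule ends up untested here, while the sibling lines do carry `gho_`, `ghu_`, `ghr_` and `hf_`. `Roughp_ICANVASRENDERINGVIACONTEXT2D3D5D7D8D` would exercise it with the same 36-character tail. The new test case in the `@@ -964,6` hunk expects an empty `types.Secret{}` for the non-sensitive file, so a fixture line that never matched anything passes silently; a `(?P<secret>` group name is what `SecretGroupName: "secret"` in the rules refers to, and rendering here appears to have stripped the angle-bracketed name from the regex literals.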
From d32fee0d56ae91d0468f91f6cf47e419292673f4 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Thu, 18 Jul 2024 18:26:26 +0600
Subject: [PATCH 06/13] fix: update rules to exclude letters before secrets
---
 pkg/fanal/secret/builtin-rules.go | 79 ++++++++++++++++---------------
 pkg/fanal/secret/scanner.go | 5 ++
 2 files changed, 47 insertions(+), 37 deletions(-)
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
index fd565432d671..9ea74274b2dc 100644
--- a/pkg/fanal/secret/builtin-rules.go
+++ b/pkg/fanal/secret/builtin-rules.go
@@ -99,7 +99,7 @@ var builtinRules = []Rule{
 Category: CategoryAWS,
 Severity: "CRITICAL",
 Title: "AWS Access Key ID",
- Regex: MustCompile(fmt.Sprintf(`%s(?P(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})%s%s`, startWord, quote, endSecret)),
+ Regex: MustCompileWithoutWordPrefix(fmt.Sprintf(`(?P(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})%s%s`, quote, endSecret)),
 SecretGroupName: "secret",
 Keywords: []string{"AKIA", "AGPA", "AIDA", "AROA", "AIPA", "ANPA", "ANVA", "ASIA"},
 },
@@ -108,41 +108,45 @@ var builtinRules = []Rule{
 Category: CategoryAWS,
 Severity: "CRITICAL",
 Title: "AWS Secret Access Key",
- Regex: MustCompile(fmt.Sprintf(`(?i)%s%s%s(sec(ret)?)?_?(access)?_?key%s%s%s(?P[A-Za-z0-9\/\+=]{40})%s%s`, startSecret, quote, aws, quote, connect, quote, quote, endSecret)),
+ Regex: MustCompile(fmt.Sprintf(`(?i)%s%s(sec(ret)?)?_?(access)?_?key%s%s%s(?P[A-Za-z0-9\/\+=]{40})%s%s`, quote, aws, quote, connect, quote, quote, endSecret)),
 SecretGroupName: "secret",
 Keywords: []string{"key"},
 },
 {
- ID: "github-pat",
- Category: CategoryGitHub,
- Title: "GitHub Personal Access Token",
- Severity: "CRITICAL",
- Regex: MustCompile(`ghp_[0-9a-zA-Z]{36}`),
- Keywords: []string{"ghp_"},
+ ID: "github-pat",
+ Category: CategoryGitHub,
+ Title: "GitHub Personal Access Token",
+ Severity: "CRITICAL",
+ Regex: MustCompileWithoutWordPrefix(`?Pghp_[0-9a-zA-Z]{36}`),
+ SecretGroupName: "secret",
+ Keywords: []string{"ghp_"},
 },
 {
- ID: "github-oauth",
- Category: CategoryGitHub,
- Title: "GitHub OAuth Access Token",
- Severity: "CRITICAL",
- Regex: MustCompile(`gho_[0-9a-zA-Z]{36}`),
- Keywords: []string{"gho_"},
+ ID: "github-oauth",
+ Category: CategoryGitHub,
+ Title: "GitHub OAuth Access Token",
+ Severity: "CRITICAL",
+ Regex: MustCompileWithoutWordPrefix(`?Pgho_[0-9a-zA-Z]{36}`),
+ SecretGroupName: "secret",
+ Keywords: []string{"gho_"},
 },
 {
- ID: "github-app-token",
- Category: CategoryGitHub,
- Title: "GitHub App Token",
- Severity: "CRITICAL",
- Regex: MustCompile(`(ghu|ghs)_[0-9a-zA-Z]{36}`),
- Keywords: []string{"ghu_", "ghs_"},
+ ID: "github-app-token",
+ Category: CategoryGitHub,
+ Title: "GitHub App Token",
+ Severity: "CRITICAL",
+ Regex: MustCompileWithoutWordPrefix(`?P(ghu|ghs)_[0-9a-zA-Z]{36}`),
+ SecretGroupName: "secret",
+ Keywords: []string{"ghu_", "ghs_"},
 },
 {
- ID: "github-refresh-token",
- Category: CategoryGitHub,
- Title: "GitHub Refresh Token",
- Severity: "CRITICAL",
- Regex: MustCompile(`ghr_[0-9a-zA-Z]{76}`),
- Keywords: []string{"ghr_"},
+ ID: "github-refresh-token",
+ Category: CategoryGitHub,
+ Title: "GitHub Refresh Token",
+ Severity: "CRITICAL",
+ Regex: MustCompileWithoutWordPrefix(`?Pghr_[0-9a-zA-Z]{76}`),
+ SecretGroupName: "secret",
+ Keywords: []string{"ghr_"},
 },
 {
 ID: "github-fine-grained-pat",
@@ -162,12 +166,13 @@ var builtinRules = []Rule{
 },
 {
 // cf. https://huggingface.co/docs/hub/en/security-tokens
- ID: "hugging-face-access-token",
- Category: CategoryHuggingFace,
- Severity: "CRITICAL",
- Title: "Hugging Face Access Token",
- Regex: MustCompile(`hf_[A-Za-z0-9]{39}`),
- Keywords: []string{"hf_"},
+ ID: "hugging-face-access-token",
+ Category: CategoryHuggingFace,
+ Severity: "CRITICAL",
+ Title: "Hugging Face Access Token",
+ Regex: MustCompileWithoutWordPrefix(`?Phf_[A-Za-z0-9]{39}`),
+ SecretGroupName: "secret",
+ Keywords: []string{"hf_"},
 },
 {
 ID: "private-key",
@@ -191,7 +196,7 @@ var builtinRules = []Rule{
 Category: CategorySlack,
 Title: "Slack token",
 Severity: "HIGH",
- Regex: MustCompile(`xox[baprs]-([0-9a-zA-Z]{10,48})`),
+ Regex: MustCompileWithoutWordPrefix(`xox[baprs]-([0-9a-zA-Z]{10,48})`),
 Keywords: []string{"xoxb-", "xoxa-", "xoxp-", "xoxr-", "xoxs-"},
 },
 {
@@ -199,7 +204,7 @@ var builtinRules = []Rule{
 Category: CategoryStripe,
 Title: "Stripe Publishable Key",
 Severity: "LOW",
- Regex: MustCompile(`(?i)pk_(test|live)_[0-9a-z]{10,32}`),
+ Regex: MustCompileWithoutWordPrefix(`(?i)pk_(test|live)_[0-9a-z]{10,32}`),
 Keywords: []string{"pk_test_", "pk_live_"},
 },
 {
@@ -207,7 +212,7 @@ var builtinRules = []Rule{
 Category: CategoryStripe,
 Title: "Stripe Secret Key",
 Severity: "CRITICAL",
- Regex: MustCompile(`(?i)sk_(test|live)_[0-9a-z]{10,32}`),
+ Regex: MustCompileWithoutWordPrefix(`(?i)sk_(test|live)_[0-9a-z]{10,32}`),
 Keywords: []string{"sk_test_", "sk_live_"},
 },
 {
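Review bot: In the `@@ -108,41` hunk the AWS Secret Access Key regex drops its leading `startSecret` anchor, which makes that one rule strictly more permissive while the commit title says rules now exclude letters before secrets; if matching key names embedded in a longer identifier (the `MyAWS_secret_KEY` fixture) is intended, say so next to the rule, e.g. `// Deliberately unanchored on the left: the key name may be part of a longer identifier.`. The GitHub and Hugging Face rules now pass a fragment starting with `?P…` that is not a valid pattern on its own and compiles only because `MustCompileWithoutWordPrefix` wraps its argument in `(…)`; the group name looks stripped in this rendering and is presumably `?P<secret>` given `SecretGroupName: "secret"`. That coupling deserves a comment at the first such rule, e.g. `// MustCompileWithoutWordPrefix supplies the parentheses that close the ?P<secret> group.`. The Slack, Stripe and Flutterwave hunks (`@@ -191,7`, `@@ -199,7`, `@@ -207,7`, `@@ -506,7`, `@@ -514,7`) use the helper without a `SecretGroupName`, so for those rules the character consumed by `startWord` becomes part of the reported match.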
@@ -506,7 +511,7 @@ var builtinRules = []Rule{
 Category: CategoryFlutterwave,
 Title: "Flutterwave public/secret key",
 Severity: "MEDIUM",
- Regex: MustCompile(`FLW(PUB|SEC)K_TEST-(?i)[a-h0-9]{32}-X`),
+ Regex: MustCompileWithoutWordPrefix(`FLW(PUB|SEC)K_TEST-(?i)[a-h0-9]{32}-X`),
 Keywords: []string{"FLWSECK_TEST-", "FLWPUBK_TEST-"},
 },
 {
@@ -514,7 +519,7 @@ var builtinRules = []Rule{
 Category: CategoryFlutterwave,
 Title: "Flutterwave encrypted key",
 Severity: "MEDIUM",
- Regex: MustCompile(`FLWSECK_TEST[a-h0-9]{12}`),
+ Regex: MustCompileWithoutWordPrefix(`FLWSECK_TEST[a-h0-9]{12}`),
 Keywords: []string{"FLWSECK_TEST"},
 },
 {
diff --git a/pkg/fanal/secret/scanner.go b/pkg/fanal/secret/scanner.go
index cc022bb82db4..675ae7dc4c1c 100644
--- a/pkg/fanal/secret/scanner.go
+++ b/pkg/fanal/secret/scanner.go
@@ -3,6 +3,7 @@ package secret
 import (
 "bytes"
 "errors"
+ "fmt"
 "os"
 "regexp"
 "slices"
@@ -62,6 +63,10 @@ type Regexp struct {
 *regexp.Regexp
 }
+func MustCompileWithoutWordPrefix(str string) *Regexp {
+ return MustCompile(fmt.Sprintf("%s(%s)", startWord, str))
+}
+
 func MustCompile(str string) *Regexp {
 return &Regexp{regexp.MustCompile(str)}
 }
From 67ba6ca81744a2e9238fe28defadc3e3c60373ef Mon Sep 17 00:00:00 2001
From: afdesk
Date: Thu, 18 Jul 2024 19:29:23 +0600
Subject: [PATCH 07/13] test: update description
---
 pkg/fanal/secret/scanner_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
index da43c3bd4351..9aafc449ccfc 100644
--- a/pkg/fanal/secret/scanner_test.go
+++ b/pkg/fanal/secret/scanner_test.go
@@ -1019,7 +1019,7 @@ func TestSecretScanner(t *testing.T) {
 want: types.Secret{},
 },
 {
- name: "secret inside another word, but they're still secret",
+ name: "sensitive secret inside another word",
 configPath: filepath.Join("testdata", "skip-test.yaml"),
 inputFilePath: "testdata/wrapped-secrets-sensitive.txt",
 want: types.Secret{
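Review bot: `MustCompileWithoutWordPrefix` in the `@@ -62,6 +63,10` hunk of scanner.go is exported but has no doc comment, and its one non-obvious property — that `str` is wrapped in a capturing group, so callers may pass an unterminated `?P<name>` opener — is exactly what a reader needs. Suggested: `// MustCompileWithoutWordPrefix compiles str so that it matches only when not immediately preceded by an ASCII letter or digit. str is wrapped in a capturing group, which also closes a leading named-group opener such as ?P<secret>; numbered groups inside str are therefore shifted by one.`. The format string has no formatting to do, so `startWord + "(" + str + ")"` would avoid the `fmt` import this commit adds to the file.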
From 13a3eb2c88cd9ed9c0bcfcd6cd96186782d650d0 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Fri, 19 Jul 2024 13:30:57 +0600
Subject: [PATCH 08/13] test: fix paths to testdata
---
 pkg/fanal/secret/scanner_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
index 9aafc449ccfc..2affb4ad2267 100644
--- a/pkg/fanal/secret/scanner_test.go
+++ b/pkg/fanal/secret/scanner_test.go
@@ -1015,13 +1015,13 @@ func TestSecretScanner(t *testing.T) {
 {
 name: "secret inside another word",
 configPath: filepath.Join("testdata", "skip-test.yaml"),
- inputFilePath: "testdata/wrapped-secrets.txt",
+ inputFilePath: filepath.Join("testdata", "wrapped-secrets.txt"),
 want: types.Secret{},
 },
 {
 name: "sensitive secret inside another word",
 configPath: filepath.Join("testdata", "skip-test.yaml"),
- inputFilePath: "testdata/wrapped-secrets-sensitive.txt",
+ inputFilePath: filepath.Join("testdata", "wrapped-secrets-sensitive.txt"),
 want: types.Secret{
 FilePath: filepath.Join("testdata", "wrapped-secrets-sensitive.txt"),
 Findings: []types.SecretFinding{
From d510249ac185c1302620e130eb8197c89e86ed54 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Fri, 19 Jul 2024 14:06:05 +0600
Subject: [PATCH 09/13] chore: remove unused variable
---
 pkg/fanal/secret/builtin-rules.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
index 9ea74274b2dc..bda1e0ee991f 100644
--- a/pkg/fanal/secret/builtin-rules.go
+++ b/pkg/fanal/secret/builtin-rules.go
@@ -74,11 +74,10 @@ var (
 // Reusable regex patterns
 const (
- quote = `["']?`
- connect = `\s*(:|=>|=)?\s*`
- startSecret = `(^|\s+)`
- endSecret = `[.,]?(\s+|$)`
- startWord = "([^0-9a-zA-Z]|^)"
+ quote = `["']?`
+ connect = `\s*(:|=>|=)?\s*`
+ endSecret = `[.,]?(\s+|$)`
+ startWord = "([^0-9a-zA-Z]|^)"
 aws = `aws_?`
 )
From 5d80f36dc1b3996fed8e6e0db70d18a65a4eb870 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Sun, 21 Jul 2024 15:44:33 +0600
Subject: [PATCH 10/13] force restart tests
From 98c1036f777d70bbea7c3bf2b962e8c09712d79f Mon Sep 17 00:00:00 2001
From: afdesk
Date: Mon, 22 Jul 2024 17:35:56 +0600
Subject: [PATCH 11/13] fix: add secret groups
---
 pkg/fanal/secret/builtin-rules.go | 65 +++++++++++++++++--------------
 1 file changed, 35 insertions(+), 30 deletions(-)
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
index bda1e0ee991f..38abe4da33b1 100644
--- a/pkg/fanal/secret/builtin-rules.go
+++ b/pkg/fanal/secret/builtin-rules.go
@@ -191,28 +191,31 @@ var builtinRules = []Rule{
 Keywords: []string{"shpss_", "shpat_", "shpca_", "shppa_"},
 },
 {
- ID: "slack-access-token",
- Category: CategorySlack,
- Title: "Slack token",
- Severity: "HIGH",
- Regex: MustCompileWithoutWordPrefix(`xox[baprs]-([0-9a-zA-Z]{10,48})`),
- Keywords: []string{"xoxb-", "xoxa-", "xoxp-", "xoxr-", "xoxs-"},
+ ID: "slack-access-token",
+ Category: CategorySlack,
+ Title: "Slack token",
+ Severity: "HIGH",
+ Regex: MustCompileWithoutWordPrefix(`?Pxox[baprs]-([0-9a-zA-Z]{10,48})`),
+ SecretGroupName: "secret",
+ Keywords: []string{"xoxb-", "xoxa-", "xoxp-", "xoxr-", "xoxs-"},
 },
 {
- ID: "stripe-publishable-token",
- Category: CategoryStripe,
- Title: "Stripe Publishable Key",
- Severity: "LOW",
- Regex: MustCompileWithoutWordPrefix(`(?i)pk_(test|live)_[0-9a-z]{10,32}`),
- Keywords: []string{"pk_test_", "pk_live_"},
+ ID: "stripe-publishable-token",
+ Category: CategoryStripe,
+ Title: "Stripe Publishable Key",
+ Severity: "LOW",
+ Regex: MustCompileWithoutWordPrefix(`?P(?i)pk_(test|live)_[0-9a-z]{10,32}`),
+ SecretGroupName: "secret",
+ Keywords: []string{"pk_test_", "pk_live_"},
 },
 {
- ID: "stripe-secret-token",
- Category: CategoryStripe,
- Title: "Stripe Secret Key",
- Severity: "CRITICAL",
- Regex: MustCompileWithoutWordPrefix(`(?i)sk_(test|live)_[0-9a-z]{10,32}`),
- Keywords: []string{"sk_test_", "sk_live_"},
+ ID: "stripe-secret-token",
+ Category: CategoryStripe,
+ Title: "Stripe Secret Key",
+ Severity: "CRITICAL",
+ Regex: MustCompileWithoutWordPrefix(`?P(?i)sk_(test|live)_[0-9a-z]{10,32}`),
+ SecretGroupName: "secret",
+ Keywords: []string{"sk_test_", "sk_live_"},
 },
 {
 ID: "pypi-upload-token",
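Review bot: With the whole Slack token now captured by the named group, the inner `([0-9a-zA-Z]{10,48})` in the `slack-access-token` regex is an unused capture; `?Pxox[baprs]-[0-9a-zA-Z]{10,48}` (with the group name that this rendering appears to have stripped) says the same thing without a stray group. In the two Stripe rules `(?i)` sits after the group opener, which in RE2 scopes the flag to that group rather than the whole pattern — correct as written, but a one-line comment would save the next reader from checking. The Flutterwave rules in the `@@ -506,20 +509,22` hunk get the same named-group treatment and need nothing further.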
@@ -506,20 +509,22 @@ var builtinRules = []Rule{
 Keywords: []string{"finicity"},
 },
 {
- ID: "flutterwave-public-key",
- Category: CategoryFlutterwave,
- Title: "Flutterwave public/secret key",
- Severity: "MEDIUM",
- Regex: MustCompileWithoutWordPrefix(`FLW(PUB|SEC)K_TEST-(?i)[a-h0-9]{32}-X`),
- Keywords: []string{"FLWSECK_TEST-", "FLWPUBK_TEST-"},
+ ID: "flutterwave-public-key",
+ Category: CategoryFlutterwave,
+ Title: "Flutterwave public/secret key",
+ Severity: "MEDIUM",
+ Regex: MustCompileWithoutWordPrefix(`?PFLW(PUB|SEC)K_TEST-(?i)[a-h0-9]{32}-X`),
+ SecretGroupName: "secret",
+ Keywords: []string{"FLWSECK_TEST-", "FLWPUBK_TEST-"},
 },
 {
- ID: "flutterwave-enc-key",
- Category: CategoryFlutterwave,
- Title: "Flutterwave encrypted key",
- Severity: "MEDIUM",
- Regex: MustCompileWithoutWordPrefix(`FLWSECK_TEST[a-h0-9]{12}`),
- Keywords: []string{"FLWSECK_TEST"},
+ ID: "flutterwave-enc-key",
+ Category: CategoryFlutterwave,
+ Title: "Flutterwave encrypted key",
+ Severity: "MEDIUM",
+ Regex: MustCompileWithoutWordPrefix(`?PFLWSECK_TEST[a-h0-9]{12}`),
+ SecretGroupName: "secret",
+ Keywords: []string{"FLWSECK_TEST"},
 },
 {
 ID: "frameio-api-token",
From 24dc90269a0100277f337a2ac713704d02f6d251 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Mon, 22 Jul 2024 18:23:42 +0600
Subject: [PATCH 12/13] feat: add glpat
---
 pkg/fanal/secret/builtin-rules.go | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
index 38abe4da33b1..fe39bbaa30c5 100644
--- a/pkg/fanal/secret/builtin-rules.go
+++ b/pkg/fanal/secret/builtin-rules.go
@@ -156,12 +156,13 @@ var builtinRules = []Rule{
 Keywords: []string{"github_pat_"},
 },
 {
- ID: "gitlab-pat",
- Category: CategoryGitLab,
- Title: "GitLab Personal Access Token",
- Severity: "CRITICAL",
- Regex: MustCompile(`glpat-[0-9a-zA-Z\-\_]{20}`),
- Keywords: []string{"glpat-"},
+ ID: "gitlab-pat",
+ Category: CategoryGitLab,
+ Title: "GitLab Personal Access Token",
+ Severity: "CRITICAL",
+ Regex: MustCompileWithoutWordPrefix(`?Pglpat-[0-9a-zA-Z\-\_]{20}`),
+ SecretGroupName: "secret",
+ Keywords: []string{"glpat-"},
 },
 {
 // cf. https://huggingface.co/docs/hub/en/security-tokens
From c5f41096bc464139f137fdcf853454a7c5cfb4b0 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Thu, 25 Jul 2024 14:14:53 +0600
Subject: [PATCH 13/13] force restart tests
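Review bot: The `gitlab-pat` rule now requires a non-alphanumeric prefix, but none of the fixture hunks in this series add a `glpat-` line to `wrapped-secrets.txt`, so unlike the GitHub, Hugging Face, Slack, Stripe and Flutterwave rules this conversion has no regression coverage; a line of the form `Abcglpat-` followed by 20 characters from `[0-9a-zA-Z\-\_]` would cover it, and a matching positive case belongs in the sensitive fixture if embedded GitLab tokens are meant to keep firing. The `SecretGroupName` this hunk adds changes what the scanner reports for the rule from the whole match to the named group only, which is the behaviour the other converted rules already have; a short note in the commit body that this is intentional would help anyone bisecting a change in redaction output.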