-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add TrueNAS API Key rule #110
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks again for this new rule!
Is there some way to make this rule more precise? The TrueNAS API Key format unfortunately doesn't have a distinctive prefix or suffix that can be easily matched, and so it ends up producing false positives.
I do see what look like real instances of TrueNAS API Keys using GitHub code search. But in my own local test across 2TiB of source code, I get 390 TrueNAS API Key
findings with the rule as written, but they are all false positives.
If this can be made more precise, I'll take it in the default
ruleset. Otherwise, we could consider creating a new ruleset, np.experimental
perhaps, that includes it.
Note, this TrueNAS API Key is not something that other secret scanners (Truffle Hog, GitLeaks, GitHub Advanced Security, GitGuardian) seem to have rules for. Thank you for your original research @gemesa! |
Try |
TrueNAS has 2 APIs: WebSocket and REST API. I tested both and created 2 separate rules, what do you think? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Thank you.
No description provided.