Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: optional rule to detect (heuristically) hardcoded password #174

Closed
jossef opened this issue Sep 10, 2023 · 1 comment · Fixed by #181
Closed

feat: optional rule to detect (heuristically) hardcoded password #174

jossef opened this issue Sep 10, 2023 · 1 comment · Fixed by #181
Assignees
@baruchiro
Labels
enhancement New feature or request

Comments

@jossef
Copy link
Member

jossef commented Sep 10, 2023
edited by baruchiro
Loading

add new rule with id hardcoded-password. This is to resolve cases like #80 .
in addition, change arguments to the following:

usage example:

--ignore-rule -> all default rules, except $
--rule -> no default rules, include $

--add-special-rule -> add non-default rule to the running rules
@jossef jossef added the enhancement New feature or request label Sep 10, 2023
@baruchiro baruchiro mentioned this issue Sep 10, 2023
Merged
baruchiro pushed a commit that referenced this issue Sep 10, 2023
feat: change the include and exclude to select and ignore (#177)
09a8355 
BREAKING CHANGE:
`--include-rule` renamed to `--rule`
`--exclude-rule` renamed to `--ignore-rule`
Now you can use them together

- redundant error return

Part of #174
@baruchiro
Copy link
Contributor

I did some research about how gitleaks is handling our case of password=user123, and how it avoids false-positives.

gitleaks is searching for patterns when words like password, key, api, and more, are become before a string (regex: [0-9a-z\-_.=]{10,150}).

Using 3 ways to avoid FP:

  1. Searching for suspicious secrets longer than 10 characters.
  2. Using "Stop Words"- a long list of words that if they are found inside the secret, the secret is considered as a placeholder and not as a real password.
  3. Using ⁠Shannon Entropy to calculate the "randomization" of a suspicious secret, assuming that a secret will not be a regular string written by a human. Currently, the entropy is 3.5.
    image

Question

Can we say that we are doing our best effort to find secrets, and if the user using a short obvious password like user123 it is not an important password or it is our limitation to not find any string?

If not, I will reuse this rule with lower boundaries to find a lot of suspicious strings with more false-positives.

@baruchiro baruchiro mentioned this issue Sep 12, 2023
Merged
baruchiro pushed a commit that referenced this issue Sep 12, 2023
feat: add special rules with hardcoded-password rule (#181)
69e9383 
- add hardcoded-password rule
- feat: add special (non-default) rules with hardcoded-password rule

Fix #80
Close #174
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@baruchiro baruchiro

Labels
enhancement New feature or request
Projects
2ms
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: add special rules with hardcoded-password rule Checkmarx/2ms
2 participants
@jossef @baruchiro