
Configuration Secrets

Hardcoded Database Passwords

version: v0.1

Comments / Notes:

  • Only support for Postgres and MySQL password strings

  • Checks if the password is null / length of 0

  • Supports quoted passwords

  • Case insensitive

Pattern Format
[^\r\n\x00-\x08]+
Start Pattern
(?:[^0-9A-Za-z]|\A)(?i)(?:postgres|mysql|mysql_root)_password[\t ]*[=:][\t ]*['"]?
End Pattern
\z|[\r\n'"]

Hardcoded Spring SQL passwords

Hardcoded JDBC / Spring datasource passwords which typically are in property files or passed in at runtime

version: v0.1

Pattern Format
[^\r\n'"\x00-\x08]+
Start Pattern
(\A|\b)(?:spring\.datasource|jdbc)\.password[ \t]*=[ \t]*['"]?
End Pattern
\z|['"\r\n]

Django Secret Key

version: v0.1

Pattern Format
[^\r\n"']+
Start Pattern
(\b|\A)SECRET_KEY[ \t]*=[ \t]*["']
End Pattern
['"]

YAML Static Password Fields

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before committing to org level) ⚠️

Pattern to find static passwords in YAML configuration files.

version: v0.1

Comments / Notes:

  • The hardcoded password is between 12 and 32 chars long

  • Some false positives in code might appear

  • The pattern only checks for certain key words to begin the pattern (secret, password, etc.)

Pattern Format
[^\r\n'"]+
Start Pattern
(?:\n|\A)[ \t]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key)[ \t]*:[ \t]*['"]?
End Pattern
['"\r\n]|\z
Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

  • Not Match:

    ^(?:keyPassphrase|password|key|[ \t]+|\$\{[A-Za-z0-9_-]+\}|(?:str|string|int|bool)( +#.*)?),?$
  • Not Match:

    ^(?:.* = )?(?:None|[Tt]rue|[Ff]alse|[Nn]ull|Default(?:Type)?|Event|[A-Z]+_KEY|VERSION|NAME|update|destroy|(?:dis|en)ableEventListeners|\.\.\.),?$
  • Not Match:

    ^(?:(?:this|self|obj)\.)(?:[A-Za-z_]+\,|[A-Za-z_].*)$
  • Not Match:

    ^(?:[a-zA-Z_]+(?:\(\))?\.)*[a-zA-Z_]+\(\)$
  • Not Match:

    ^\s*(?:typing\.)?(?:[Tt]uple|[Ll]ist|[Dd]ict|Callable|Iterable|Sequence|Optional|Union)\[.*$

GitHub Actions SHA Checker

version: v0.1

Comments / Notes:

  • Checks for all github actions using a version that isn't a pinned SHA-1 commit hash

  • Checks for uses: org name / repo name @ string under 40 characters

  • Not case sensitive

  • Excludes all actions in the actions, github and advanced-security organizations

Pattern Format
[a-z0-9_-]{1,39}\/[a-z0-9_-]{1,100}@[a-z0-9._-]{1,39}
Start Pattern
\buses:[ \t]{1,5}
End Pattern
\s|\z
Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

  • Not Match:

    ^(actions|github|advanced-security)/
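The three parts of each rule above (Start Pattern, Pattern Format, End Pattern) plus the "Not Match" post-filters compose into one scan. The following is an added example, not part of this repository's code: it composes the Django Secret Key and GitHub Actions SHA Checker rules in Python and runs them over constructed sample files. The patterns are adapted to Python's `re` module (`\z` written as `\Z`, the inline `(?i)` passed as `re.IGNORECASE`), since GitHub's scanner uses Hyperscan syntax.

```python
import re

# Adapted to Python's re module: GitHub Secret Scanning uses Hyperscan syntax,
# so \z is written as \Z here and the inline (?i) becomes re.IGNORECASE.
def compile_pattern(start, fmt, end, flags=0):
    """Compose the three parts of a Secret Scanning custom pattern into one regex.

    The Start Pattern must precede the secret, the Pattern Format is the secret
    itself (captured as 'secret'), and the End Pattern must follow it. The end
    is a lookahead so it is neither consumed nor reported as part of the secret.
    """
    return re.compile(f"(?:{start})(?P<secret>{fmt})(?={end})", flags)

def scan(text, pattern, not_match=()):
    """Return every secret the composed pattern finds in text, dropping any
    candidate whose secret string matches one of the 'Not Match' post-filters."""
    filters = [re.compile(p) for p in not_match]
    return [m.group("secret") for m in pattern.finditer(text)
            if not any(f.search(m.group("secret")) for f in filters)]

# The Django Secret Key rule from this page, as written (case sensitive).
DJANGO_SECRET_KEY = compile_pattern(
    r"""(\b|\A)SECRET_KEY[ \t]*=[ \t]*["']""", r"""[^\r\n"']+""", r"""['"]""")

# The GitHub Actions SHA Checker rule; the page marks it as not case sensitive.
ACTIONS_UNPINNED = compile_pattern(
    r"\buses:[ \t]{1,5}",
    r"[a-z0-9_-]{1,39}\/[a-z0-9_-]{1,100}@[a-z0-9._-]{1,39}",
    r"\s|\Z", re.IGNORECASE)
ACTIONS_NOT_MATCH = (r"^(actions|github|advanced-security)/",)

# Constructed sample inputs; the key and the 40-hex ref are placeholders.
SETTINGS_PY = 'DEBUG = True\nSECRET_KEY = "django-insecure-example-key-123"\n'
WORKFLOW_YML = """steps:
  - uses: actions/checkout@v4
  - uses: Some-Org/Deploy-Action@v1.2.3
  - uses: some-org/pinned-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    # The checkout step is dropped by the Not Match filter, and the 40-character
    # SHA is not flagged because the format caps the ref at 39 characters.
    print(scan(SETTINGS_PY, DJANGO_SECRET_KEY))
    print(scan(WORKFLOW_YML, ACTIONS_UNPINNED, ACTIONS_NOT_MATCH))
```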

.NET Configuration file

version: v0.1

Comments / Notes:

  • XML key/value format

Pattern Format
[^"\x00\x08]+
Start Pattern
<add\s+key="[^"]*(?i)(password|secret|pass(?:wd|word|code|phrase)?|key|token)"\s+value="
End Pattern
\"

.NET MachineKey

version: v0.1

Comments / Notes:

  • Contents of the validationKey or decryptionKey attribute of a machineKey XML element

Pattern Format
[A-Fa-f0-9]+
Start Pattern
<machineKey\s+[^>]*(validation|decryption)Key="
End Pattern
\"