version: v0.1
Comments / Notes:
- Only supports Postgres and MySQL password strings
- Checks whether the password is null / has a length of 0
- Supports quoted passwords
- Case insensitive
Pattern Format
[^\r\n\x00-\x08]+
Start Pattern
(?:[^0-9A-Za-z]|\A)(?i)(?:postgres|mysql|mysql_root)_password[\t ]*[=:][\t ]*['"]?
End Pattern
\z|[\r\n'"]
Hardcoded JDBC / Spring datasource passwords, which are typically found in property files or passed in at runtime.
version: v0.1
Pattern Format
[^\r\n'"\x00-\x08]+
Start Pattern
(\A|\b)(?:spring\.datasource|jdbc)\.password[ \t]*=[ \t]*['"]?
End Pattern
\z|['"\r\n]
version: v0.1
Pattern Format
[^\r\n"']+
Start Pattern
(\b|\A)SECRET_KEY[ \t]*=[ \t]*["']
End Pattern
['"]
version: v0.1
Comments / Notes:
- The hardcoded password is between 12 and 32 chars long
- Some false positives in code might appear
- The pattern only checks for certain key words to begin the pattern (secret, password, etc.)
Pattern Format
[^\r\n'"]+
Start Pattern
(?:\n|\A)[ \t]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key)[ \t]*:[ \t]*['"]?
End Pattern
['"\r\n]|\z
Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
- Not Match:
  ^(?:keyPassphrase|password|key|[ \t]+|\$\{[A-Za-z0-9_-]+\}|(?:str|string|int|bool)( +#.*)?),?$
- Not Match:
  ^(?:.* = )?(?:None|[Tt]rue|[Ff]alse|[Nn]ull|Default(?:Type)?|Event|[A-Z]+_KEY|VERSION|NAME|update|destroy|(?:dis|en)ableEventListeners|\.\.\.),?$
- Not Match:
  ^(?:(?:this|self|obj)\.)(?:[A-Za-z_]+\,|[A-Za-z_].*)$
- Not Match:
  ^(?:[a-zA-Z_]+(?:\(\))?\.)*[a-zA-Z_]+\(\)$
- Not Match:
  ^\s*(?:typing\.)?(?:[Tt]uple|[Ll]ist|[Dd]ict|Callable|Iterable|Sequence|Optional|Union)\[.*$
version: v0.1
Comments / Notes:
- Checks for all GitHub Actions using a version that isn't a pinned SHA-1 commit hash
- Checks for uses: org-name/repo-name@ref where the ref is a string under 40 characters
- Not case sensitive
- Excludes all actions in the actions, github and advanced-security repos
Pattern Format
[a-z0-9_-]{1,39}\/[a-z0-9_-]{1,100}@[a-z0-9._-]{1,39}
Start Pattern
\buses:[ \t]{1,5}
End Pattern
\s|\z
Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
- Not Match:
  ^(actions|github|advanced-security)/
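The following Python is added here and is not part of the page or of the pattern repository; it emulates how one of these patterns is evaluated (Start, Format and End joined into one regex, the format group reported as the secret, each Not Match filter discarding a candidate) and runs the GitHub Actions pattern and the YAML password pattern above over constructed input. Applying the end pattern as a lookahead and spelling \z as \Z are assumptions of this emulation.

```python
import re
# Secret Scanning treats Start Pattern, Pattern Format and End Pattern as
# one regex, start(format)end, and reports the format group as the secret;
# each "Not Match" expression discards a candidate it matches. Assumed here:
# the end pattern is applied as a lookahead, so the newline closing one line's
# match stays available for the next line's start, and \z is spelled as \Z.
def compile_pattern(start, fmt, end, not_match=(), flags=0):
    combined = f"(?:{start})(?P<secret>{fmt})(?={end})".replace(r"\z", r"\Z")
    return re.compile(combined, flags), [re.compile(n) for n in not_match]

def find_secrets(text, pattern):
    regex, filters = pattern
    return [m.group("secret") for m in regex.finditer(text)
            if not any(f.search(m.group("secret")) for f in filters)]

# GitHub Actions references not pinned to a 40-character commit SHA; the
# notes say the check is not case sensitive, hence re.IGNORECASE.
ACTIONS = compile_pattern(
    r"\buses:[ \t]{1,5}",
    r"[a-z0-9_-]{1,39}\/[a-z0-9_-]{1,100}@[a-z0-9._-]{1,39}",
    r"\s|\z", [r"^(actions|github|advanced-security)/"], re.IGNORECASE)

# Hardcoded YAML-style passwords, with two of the Not Match filters above
# (environment placeholders such as ${VAR}, and literals such as None).
YAML_PASSWORD = compile_pattern(
    r"""(?:\n|\A)[ \t]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key)[ \t]*:[ \t]*['"]?""",
    r"""[^\r\n'"]+""", r"""['"\r\n]|\z""",
    [r"^(?:keyPassphrase|password|key|[ \t]+|\$\{[A-Za-z0-9_-]+\}|(?:str|string|int|bool)( +#.*)?),?$",
     r"^(?:.* = )?(?:None|[Tt]rue|[Ff]alse|[Nn]ull|Default(?:Type)?|Event|[A-Z]+_KEY|VERSION|NAME|update|destroy|(?:dis|en)ableEventListeners|\.\.\.),?$"])

# Constructed sample inputs, not taken from any real repository.
WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: example-org/setup-tool@v2.1.0
  - uses: example-org/deploy@8f4b2c1e9d0a7b6c5d4e3f2a1b0c9d8e7f6a5b4c
  - uses: Example-Org/lint@main
"""
CONFIG = """\
password: ${DB_PASSWORD}
secret: "hunter2-example-secret"
passphrase: None
"""

if __name__ == "__main__":
    print(find_secrets(WORKFLOW, ACTIONS))      # unpinned, non-excluded refs
    print(find_secrets(CONFIG, YAML_PASSWORD))  # ['hunter2-example-secret']
```

The pinned full-SHA reference and the excluded actions/ organisation produce no finding, while the ${DB_PASSWORD} placeholder and the None literal are dropped by the Not Match filters.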
version: v0.1
Comments / Notes:
- XML key/value format
Pattern Format
[^"\x00\x08]+
Start Pattern
<add\s+key="[^"]*(?i)(password|secret|pass(?:wd|word|code|phrase)?|key|token)"\s+value="
End Pattern
\"
version: v0.1
Comments / Notes:
- contents of the validationKey or decryptionKey of a machineKey XML element
Pattern Format
[A-Fa-f0-9]+
Start Pattern
<machineKey\s+[^>]*(validation|decryption)Key="
End Pattern
\"