feat(secret): Support for detecting Hugging Face Access Tokens (#6236)

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
aquasecurity · Mar 7, 2024 · 6639911 · 6639911
1 parent 337cb75
commit 6639911
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 0 deletions.
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
@@ -69,6 +69,7 @@ var (
 	CategoryTwitch               = types.SecretRuleCategory("Twitch")
 	CategoryTypeform             = types.SecretRuleCategory("Typeform")
 	CategoryDocker               = types.SecretRuleCategory("Docker")
+	CategoryHuggingFace          = types.SecretRuleCategory("HuggingFace")
 )
 
 // Reusable regex patterns
@@ -158,6 +159,15 @@ var builtinRules = []Rule{
 		Regex:    MustCompile(`glpat-[0-9a-zA-Z\-\_]{20}`),
 		Keywords: []string{"glpat-"},
 	},
+	{
+		// cf. https://huggingface.co/docs/hub/en/security-tokens
+		ID:       "hugging-face-access-token",
+		Category: CategoryHuggingFace,
+		Severity: "CRITICAL",
+		Title:    "Hugging Face Access Token",
+		Regex:    MustCompile(`hf_[A-Za-z0-9]{39}`),
+		Keywords: []string{"hf_"},
+	},
 	{
 		ID:              "private-key",
 		Category:        CategoryAsymmetricPrivateKey,

diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
@@ -609,6 +609,28 @@ func TestSecretScanner(t *testing.T) {
 			},
 		},
 	}
+	wantFindingHuggingFace := types.SecretFinding{
+		RuleID:    "hugging-face-access-token",
+		Category:  secret.CategoryHuggingFace,
+		Title:     "Hugging Face Access Token",
+		Severity:  "CRITICAL",
+		StartLine: 1,
+		EndLine:   1,
+		Match:     "HF_example_token: ******************************************",
+		Code: types.Code{
+			Lines: []types.Line{
+				{
+					Number:      1,
+					Content:     "HF_example_token: ******************************************",
+					Highlighted: "HF_example_token: ******************************************",
+					IsCause:     true,
+					FirstCause:  true,
+					LastCause:   true,
+				},
+			},
+		},
+	}
+
 	wantMultiLine := types.SecretFinding{
 		RuleID:    "multi-line-secret",
 		Category:  "general",
@@ -701,6 +723,15 @@ func TestSecretScanner(t *testing.T) {
 				Findings: []types.SecretFinding{wantFindingDockerKey1, wantFindingDockerKey2},
 			},
 		},
+		{
+			name:          "find Hugging face secret",
+			configPath:    filepath.Join("testdata", "config.yaml"),
+			inputFilePath: filepath.Join("testdata", "hugging-face-secret.txt"),
+			want: types.Secret{
+				FilePath: filepath.Join("testdata", "hugging-face-secret.txt"),
+				Findings: []types.SecretFinding{wantFindingHuggingFace},
+			},
+		},
 		{
 			name:          "include when keyword found",
 			configPath:    filepath.Join("testdata", "config-happy-keywords.yaml"),

diff --git a/pkg/fanal/secret/testdata/hugging-face-secret.txt b/pkg/fanal/secret/testdata/hugging-face-secret.txt
@@ -0,0 +1 @@
+HF_example_token: hf_Testpoiqazwsxedcrfvtgbyhn12345ujmik6789