feat(rules): make case insensitivity optional

gitleaks · Aug 24, 2023 · 034272f · 034272f
1 parent db4bc0f
commit 034272f
Show file tree

Hide file tree

Showing 85 changed files with 151 additions and 136 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -39,7 +39,7 @@ If you want to add a new rule to the [default Gitleaks configuration](https://gi
 
 
            // Regex used for detecting secrets. See regex section below for more details
-           Regex: generateSemiGenericRegex([]string{"beamer"}, `b_[a-z0-9=_\-]{44}`),
+           Regex: generateSemiGenericRegex([]string{"beamer"}, `b_[a-z0-9=_\-]{44}`, true)
 
            // Keywords used for string matching on fragments (think of this as a prefilter)
            Keywords: []string{"beamer"},
@@ -63,18 +63,18 @@ If you want to add a new rule to the [default Gitleaks configuration](https://gi
    The function signatures look like this:
 
    ```golang
-   func generateSemiGenericRegex(identifiers []string, secretRegex string) *regexp.Regexp
+   func generateSemiGenericRegex(identifiers []string, secretRegex string, isCaseInsensitive bool) *regexp.Regexp
 
-   func generateUniqueTokenRegex(secretRegex string) *regexp.Regexp
+   func generateUniqueTokenRegex(secretRegex string, isCaseInsensitive bool) *regexp.Regexp
    ```
 
-   `generateSemiGenericRegex` accepts a list of identifiers and a regex.
+   `generateSemiGenericRegex` accepts a list of identifiers, a regex, and a boolean indicating whether the pattern should be case-insensitive.
    The list of identifiers _should_ match the list of `Keywords` in the rule
    definition above. Both `identifiers` in the `generateSemiGenericRegex`
    function _and_ `Keywords` act as filters for Gitleaks telling the program
    "_at least one of these strings must be present to be considered a leak_"
 
-   `generateUniqueToken` just accepts a regex. If you are writing a rule for a
+   `generateUniqueToken` just accepts a regex and a boolean indicating whether the pattern should be case-insensitive. If you are writing a rule for a
    token that is unique enough not to require an identifier then you can use
    this function. For example, Pulumi's API Token has the prefix `pul-` which is
    unique enough to use `generateUniqueToken`. But something like Beamer's API

diff --git a/cmd/generate/config/rules/adafruit.go b/cmd/generate/config/rules/adafruit.go
@@ -10,7 +10,7 @@ func AdafruitAPIKey() *config.Rule {
 	r := config.Rule{
 		Description: "Adafruit API Key",
 		RuleID:      "adafruit-api-key",
-		Regex:       generateSemiGenericRegex([]string{"adafruit"}, alphaNumericExtendedShort("32")),
+		Regex:       generateSemiGenericRegex([]string{"adafruit"}, alphaNumericExtendedShort("32"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"adafruit"},
 	}

diff --git a/cmd/generate/config/rules/adobe.go b/cmd/generate/config/rules/adobe.go
@@ -10,7 +10,7 @@ func AdobeClientID() *config.Rule {
 	r := config.Rule{
 		Description: "Adobe Client ID (OAuth Web)",
 		RuleID:      "adobe-client-id",
-		Regex:       generateSemiGenericRegex([]string{"adobe"}, hex("32")),
+		Regex:       generateSemiGenericRegex([]string{"adobe"}, hex("32"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"adobe"},
 	}
@@ -27,7 +27,7 @@ func AdobeClientSecret() *config.Rule {
 	r := config.Rule{
 		Description: "Adobe Client Secret",
 		RuleID:      "adobe-client-secret",
-		Regex:       generateUniqueTokenRegex(`(p8e-)(?i)[a-z0-9]{32}`),
+		Regex:       generateUniqueTokenRegex(`(p8e-)(?i)[a-z0-9]{32}`, true),
 		Keywords:    []string{"p8e-"},
 	}
 

diff --git a/cmd/generate/config/rules/airtable.go b/cmd/generate/config/rules/airtable.go
@@ -10,7 +10,7 @@ func Airtable() *config.Rule {
 	r := config.Rule{
 		Description: "Airtable API Key",
 		RuleID:      "airtable-api-key",
-		Regex:       generateSemiGenericRegex([]string{"airtable"}, alphaNumeric("17")),
+		Regex:       generateSemiGenericRegex([]string{"airtable"}, alphaNumeric("17"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"airtable"},
 	}

diff --git a/cmd/generate/config/rules/algolia.go b/cmd/generate/config/rules/algolia.go
@@ -10,7 +10,7 @@ func AlgoliaApiKey() *config.Rule {
 	r := config.Rule{
 		Description: "Algolia API Key",
 		RuleID:      "algolia-api-key",
-		Regex:       generateSemiGenericRegex([]string{"algolia"}, `[a-z0-9]{32}`),
+		Regex:       generateSemiGenericRegex([]string{"algolia"}, `[a-z0-9]{32}`, true),
 		Keywords:    []string{"algolia"},
 	}
 

diff --git a/cmd/generate/config/rules/alibaba.go b/cmd/generate/config/rules/alibaba.go
@@ -10,7 +10,7 @@ func AlibabaAccessKey() *config.Rule {
 	r := config.Rule{
 		Description: "Alibaba AccessKey ID",
 		RuleID:      "alibaba-access-key-id",
-		Regex:       generateUniqueTokenRegex(`(LTAI)(?i)[a-z0-9]{20}`),
+		Regex:       generateUniqueTokenRegex(`(LTAI)(?i)[a-z0-9]{20}`, true),
 		Keywords:    []string{"LTAI"},
 	}
 
@@ -28,7 +28,7 @@ func AlibabaSecretKey() *config.Rule {
 		Description: "Alibaba Secret Key",
 		RuleID:      "alibaba-secret-key",
 		Regex: generateSemiGenericRegex([]string{"alibaba"},
-			alphaNumeric("30")),
+			alphaNumeric("30"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"alibaba"},
 	}

diff --git a/cmd/generate/config/rules/asana.go b/cmd/generate/config/rules/asana.go
@@ -10,7 +10,7 @@ func AsanaClientID() *config.Rule {
 	r := config.Rule{
 		Description: "Asana Client ID",
 		RuleID:      "asana-client-id",
-		Regex:       generateSemiGenericRegex([]string{"asana"}, numeric("16")),
+		Regex:       generateSemiGenericRegex([]string{"asana"}, numeric("16"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"asana"},
 	}
@@ -27,7 +27,7 @@ func AsanaClientSecret() *config.Rule {
 	r := config.Rule{
 		Description: "Asana Client Secret",
 		RuleID:      "asana-client-secret",
-		Regex:       generateSemiGenericRegex([]string{"asana"}, alphaNumeric("32")),
+		Regex:       generateSemiGenericRegex([]string{"asana"}, alphaNumeric("32"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"asana"},
 	}

diff --git a/cmd/generate/config/rules/atlassian.go b/cmd/generate/config/rules/atlassian.go
@@ -11,7 +11,7 @@ func Atlassian() *config.Rule {
 		Description: "Atlassian API token",
 		RuleID:      "atlassian-api-token",
 		Regex: generateSemiGenericRegex([]string{
-			"atlassian", "confluence", "jira"}, alphaNumeric("24")),
+			"atlassian", "confluence", "jira"}, alphaNumeric("24"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"atlassian", "confluence", "jira"},
 	}

diff --git a/cmd/generate/config/rules/authress.go b/cmd/generate/config/rules/authress.go
@@ -14,7 +14,7 @@ func Authress() *config.Rule {
 		Description: "Authress Service Client Access Key",
 		RuleID:      "authress-service-client-access-key",
 		SecretGroup: 1,
-		Regex:       generateUniqueTokenRegex(`(?:sc|ext|scauth|authress)_[a-z0-9]{5,30}\.[a-z0-9]{4,6}\.acc[_-][a-z0-9-]{10,32}\.[a-z0-9+/_=-]{30,120}`),
+		Regex:       generateUniqueTokenRegex(`(?:sc|ext|scauth|authress)_[a-z0-9]{5,30}\.[a-z0-9]{4,6}\.acc[_-][a-z0-9-]{10,32}\.[a-z0-9+/_=-]{30,120}`, true),
 		Keywords:    []string{"sc_", "ext_", "scauth_", "authress_"},
 	}
 

diff --git a/cmd/generate/config/rules/beamer.go b/cmd/generate/config/rules/beamer.go
@@ -12,7 +12,7 @@ func Beamer() *config.Rule {
 		RuleID:      "beamer-api-token",
 		SecretGroup: 1,
 		Regex: generateSemiGenericRegex([]string{"beamer"},
-			`b_[a-z0-9=_\-]{44}`),
+			`b_[a-z0-9=_\-]{44}`, true),
 		Keywords: []string{"beamer"},
 	}
 

diff --git a/cmd/generate/config/rules/bitbucket.go b/cmd/generate/config/rules/bitbucket.go
@@ -10,7 +10,7 @@ func BitBucketClientID() *config.Rule {
 	r := config.Rule{
 		Description: "Bitbucket Client ID",
 		RuleID:      "bitbucket-client-id",
-		Regex:       generateSemiGenericRegex([]string{"bitbucket"}, alphaNumeric("32")),
+		Regex:       generateSemiGenericRegex([]string{"bitbucket"}, alphaNumeric("32"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"bitbucket"},
 	}
@@ -27,7 +27,7 @@ func BitBucketClientSecret() *config.Rule {
 	r := config.Rule{
 		Description: "Bitbucket Client Secret",
 		RuleID:      "bitbucket-client-secret",
-		Regex:       generateSemiGenericRegex([]string{"bitbucket"}, alphaNumericExtended("64")),
+		Regex:       generateSemiGenericRegex([]string{"bitbucket"}, alphaNumericExtended("64"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"bitbucket"},
 	}

diff --git a/cmd/generate/config/rules/bittrex.go b/cmd/generate/config/rules/bittrex.go
@@ -10,7 +10,7 @@ func BittrexAccessKey() *config.Rule {
 	r := config.Rule{
 		Description: "Bittrex Access Key",
 		RuleID:      "bittrex-access-key",
-		Regex:       generateSemiGenericRegex([]string{"bittrex"}, alphaNumeric("32")),
+		Regex:       generateSemiGenericRegex([]string{"bittrex"}, alphaNumeric("32"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"bittrex"},
 	}
@@ -27,7 +27,7 @@ func BittrexSecretKey() *config.Rule {
 	r := config.Rule{
 		Description: "Bittrex Secret Key",
 		RuleID:      "bittrex-secret-key",
-		Regex:       generateSemiGenericRegex([]string{"bittrex"}, alphaNumeric("32")),
+		Regex:       generateSemiGenericRegex([]string{"bittrex"}, alphaNumeric("32"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"bittrex"},
 	}

diff --git a/cmd/generate/config/rules/codecov.go b/cmd/generate/config/rules/codecov.go
@@ -10,7 +10,7 @@ func CodecovAccessToken() *config.Rule {
 	r := config.Rule{
 		RuleID:      "codecov-access-token",
 		Description: "Codecov Access Token",
-		Regex:       generateSemiGenericRegex([]string{"codecov"}, alphaNumeric("32")),
+		Regex:       generateSemiGenericRegex([]string{"codecov"}, alphaNumeric("32"), true),
 		SecretGroup: 1,
 		Keywords: []string{
 			"codecov",

diff --git a/cmd/generate/config/rules/coinbase.go b/cmd/generate/config/rules/coinbase.go
@@ -11,7 +11,7 @@ func CoinbaseAccessToken() *config.Rule {
 		RuleID:      "coinbase-access-token",
 		Description: "Coinbase Access Token",
 		Regex: generateSemiGenericRegex([]string{"coinbase"},
-			alphaNumericExtendedShort("64")),
+			alphaNumericExtendedShort("64"), true),
 		SecretGroup: 1,
 		Keywords: []string{
 			"coinbase",

diff --git a/cmd/generate/config/rules/confluent.go b/cmd/generate/config/rules/confluent.go
@@ -10,7 +10,7 @@ func ConfluentSecretKey() *config.Rule {
 	r := config.Rule{
 		RuleID:      "confluent-secret-key",
 		Description: "Confluent Secret Key",
-		Regex:       generateSemiGenericRegex([]string{"confluent"}, alphaNumeric("64")),
+		Regex:       generateSemiGenericRegex([]string{"confluent"}, alphaNumeric("64"), true),
 		SecretGroup: 1,
 		Keywords: []string{
 			"confluent",
@@ -29,7 +29,7 @@ func ConfluentAccessToken() *config.Rule {
 	r := config.Rule{
 		RuleID:      "confluent-access-token",
 		Description: "Confluent Access Token",
-		Regex:       generateSemiGenericRegex([]string{"confluent"}, alphaNumeric("16")),
+		Regex:       generateSemiGenericRegex([]string{"confluent"}, alphaNumeric("16"), true),
 		SecretGroup: 1,
 		Keywords: []string{
 			"confluent",

diff --git a/cmd/generate/config/rules/contentful.go b/cmd/generate/config/rules/contentful.go
@@ -11,7 +11,7 @@ func Contentful() *config.Rule {
 		Description: "Contentful delivery API token",
 		RuleID:      "contentful-delivery-api-token",
 		Regex: generateSemiGenericRegex([]string{"contentful"},
-			alphaNumericExtended("43")),
+			alphaNumericExtended("43"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"contentful"},
 	}

diff --git a/cmd/generate/config/rules/databricks.go b/cmd/generate/config/rules/databricks.go
@@ -10,7 +10,7 @@ func Databricks() *config.Rule {
 	r := config.Rule{
 		Description: "Databricks API token",
 		RuleID:      "databricks-api-token",
-		Regex:       generateUniqueTokenRegex(`dapi[a-h0-9]{32}`),
+		Regex:       generateUniqueTokenRegex(`dapi[a-h0-9]{32}`, true),
 		Keywords:    []string{"dapi"},
 	}
 

diff --git a/cmd/generate/config/rules/datadog.go b/cmd/generate/config/rules/datadog.go
@@ -11,7 +11,7 @@ func DatadogtokenAccessToken() *config.Rule {
 		RuleID:      "datadog-access-token",
 		Description: "Datadog Access Token",
 		Regex: generateSemiGenericRegex([]string{"datadog"},
-			alphaNumeric("40")),
+			alphaNumeric("40"), true),
 		SecretGroup: 1,
 		Keywords: []string{
 			"datadog",

diff --git a/cmd/generate/config/rules/definednetworking.go b/cmd/generate/config/rules/definednetworking.go
@@ -18,7 +18,7 @@ func DefinedNetworkingAPIToken() *config.Rule {
 		SecretGroup: 1,
 
 		// Regex used for detecting secrets. See regex section below for more details
-		Regex: generateSemiGenericRegex([]string{"dnkey"}, `dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52}`),
+		Regex: generateSemiGenericRegex([]string{"dnkey"}, `dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52}`, true),
 
 		// Keywords used for string matching on fragments (think of this as a prefilter)
 		Keywords: []string{"dnkey"},

diff --git a/cmd/generate/config/rules/digitalocean.go b/cmd/generate/config/rules/digitalocean.go
@@ -10,7 +10,7 @@ func DigitalOceanPAT() *config.Rule {
 		Description: "DigitalOcean Personal Access Token",
 		RuleID:      "digitalocean-pat",
 		SecretGroup: 1,
-		Regex:       generateUniqueTokenRegex(`dop_v1_[a-f0-9]{64}`),
+		Regex:       generateUniqueTokenRegex(`dop_v1_[a-f0-9]{64}`, true),
 		Keywords:    []string{"dop_v1_"},
 	}
 
@@ -25,7 +25,7 @@ func DigitalOceanOAuthToken() *config.Rule {
 		Description: "DigitalOcean OAuth Access Token",
 		RuleID:      "digitalocean-access-token",
 		SecretGroup: 1,
-		Regex:       generateUniqueTokenRegex(`doo_v1_[a-f0-9]{64}`),
+		Regex:       generateUniqueTokenRegex(`doo_v1_[a-f0-9]{64}`, true),
 		Keywords:    []string{"doo_v1_"},
 	}
 
@@ -40,7 +40,7 @@ func DigitalOceanRefreshToken() *config.Rule {
 		Description: "DigitalOcean OAuth Refresh Token",
 		RuleID:      "digitalocean-refresh-token",
 		SecretGroup: 1,
-		Regex:       generateUniqueTokenRegex(`dor_v1_[a-f0-9]{64}`),
+		Regex:       generateUniqueTokenRegex(`dor_v1_[a-f0-9]{64}`, true),
 		Keywords:    []string{"dor_v1_"},
 	}
 

diff --git a/cmd/generate/config/rules/discord.go b/cmd/generate/config/rules/discord.go
@@ -10,7 +10,7 @@ func DiscordAPIToken() *config.Rule {
 	r := config.Rule{
 		Description: "Discord API key",
 		RuleID:      "discord-api-token",
-		Regex:       generateSemiGenericRegex([]string{"discord"}, hex("64")),
+		Regex:       generateSemiGenericRegex([]string{"discord"}, hex("64"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"discord"},
 	}
@@ -27,7 +27,7 @@ func DiscordClientID() *config.Rule {
 	r := config.Rule{
 		Description: "Discord client ID",
 		RuleID:      "discord-client-id",
-		Regex:       generateSemiGenericRegex([]string{"discord"}, numeric("18")),
+		Regex:       generateSemiGenericRegex([]string{"discord"}, numeric("18"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"discord"},
 	}
@@ -44,7 +44,7 @@ func DiscordClientSecret() *config.Rule {
 	r := config.Rule{
 		Description: "Discord client secret",
 		RuleID:      "discord-client-secret",
-		Regex:       generateSemiGenericRegex([]string{"discord"}, alphaNumericExtended("32")),
+		Regex:       generateSemiGenericRegex([]string{"discord"}, alphaNumericExtended("32"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"discord"},
 	}

diff --git a/cmd/generate/config/rules/droneci.go b/cmd/generate/config/rules/droneci.go
@@ -10,7 +10,7 @@ func DroneciAccessToken() *config.Rule {
 	r := config.Rule{
 		RuleID:      "droneci-access-token",
 		Description: "Droneci Access Token",
-		Regex:       generateSemiGenericRegex([]string{"droneci"}, alphaNumeric("32")),
+		Regex:       generateSemiGenericRegex([]string{"droneci"}, alphaNumeric("32"), true),
 		SecretGroup: 1,
 		Keywords: []string{
 			"droneci",

diff --git a/cmd/generate/config/rules/dropbox.go b/cmd/generate/config/rules/dropbox.go
@@ -10,7 +10,7 @@ func DropBoxAPISecret() *config.Rule {
 	r := config.Rule{
 		Description: "Dropbox API secret",
 		RuleID:      "dropbox-api-token",
-		Regex:       generateSemiGenericRegex([]string{"dropbox"}, alphaNumeric("15")),
+		Regex:       generateSemiGenericRegex([]string{"dropbox"}, alphaNumeric("15"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"dropbox"},
 	}
@@ -27,7 +27,7 @@ func DropBoxShortLivedAPIToken() *config.Rule {
 	r := config.Rule{
 		RuleID:      "dropbox-short-lived-api-token",
 		Description: "Dropbox short lived API token",
-		Regex:       generateSemiGenericRegex([]string{"dropbox"}, `sl\.[a-z0-9\-=_]{135}`),
+		Regex:       generateSemiGenericRegex([]string{"dropbox"}, `sl\.[a-z0-9\-=_]{135}`, true),
 		Keywords:    []string{"dropbox"},
 	}
 
@@ -40,7 +40,7 @@ func DropBoxLongLivedAPIToken() *config.Rule {
 	r := config.Rule{
 		RuleID:      "dropbox-long-lived-api-token",
 		Description: "Dropbox long lived API token",
-		Regex:       generateSemiGenericRegex([]string{"dropbox"}, `[a-z0-9]{11}(AAAAAAAAAA)[a-z0-9\-_=]{43}`),
+		Regex:       generateSemiGenericRegex([]string{"dropbox"}, `[a-z0-9]{11}(AAAAAAAAAA)[a-z0-9\-_=]{43}`, true),
 		Keywords:    []string{"dropbox"},
 	}
 

diff --git a/cmd/generate/config/rules/etsy.go b/cmd/generate/config/rules/etsy.go
@@ -10,7 +10,7 @@ func EtsyAccessToken() *config.Rule {
 	r := config.Rule{
 		RuleID:      "etsy-access-token",
 		Description: "Etsy Access Token",
-		Regex:       generateSemiGenericRegex([]string{"etsy"}, alphaNumeric("24")),
+		Regex:       generateSemiGenericRegex([]string{"etsy"}, alphaNumeric("24"), true),
 		SecretGroup: 1,
 		Keywords: []string{
 			"etsy",

diff --git a/cmd/generate/config/rules/facebook.go b/cmd/generate/config/rules/facebook.go
@@ -10,7 +10,7 @@ func Facebook() *config.Rule {
 	r := config.Rule{
 		Description: "Facebook Access Token",
 		RuleID:      "facebook",
-		Regex:       generateSemiGenericRegex([]string{"facebook"}, hex("32")),
+		Regex:       generateSemiGenericRegex([]string{"facebook"}, hex("32"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"facebook"},
 	}

diff --git a/cmd/generate/config/rules/fastly.go b/cmd/generate/config/rules/fastly.go
@@ -10,7 +10,7 @@ func FastlyAPIToken() *config.Rule {
 	r := config.Rule{
 		Description: "Fastly API key",
 		RuleID:      "fastly-api-token",
-		Regex:       generateSemiGenericRegex([]string{"fastly"}, alphaNumericExtended("32")),
+		Regex:       generateSemiGenericRegex([]string{"fastly"}, alphaNumericExtended("32"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"fastly"},
 	}

diff --git a/cmd/generate/config/rules/finicity.go b/cmd/generate/config/rules/finicity.go
@@ -10,7 +10,7 @@ func FinicityClientSecret() *config.Rule {
 	r := config.Rule{
 		Description: "Finicity Client Secret",
 		RuleID:      "finicity-client-secret",
-		Regex:       generateSemiGenericRegex([]string{"finicity"}, alphaNumeric("20")),
+		Regex:       generateSemiGenericRegex([]string{"finicity"}, alphaNumeric("20"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"finicity"},
 	}
@@ -27,7 +27,7 @@ func FinicityAPIToken() *config.Rule {
 	r := config.Rule{
 		Description: "Finicity API token",
 		RuleID:      "finicity-api-token",
-		Regex:       generateSemiGenericRegex([]string{"finicity"}, hex("32")),
+		Regex:       generateSemiGenericRegex([]string{"finicity"}, hex("32"), true),
 		SecretGroup: 1,
 		Keywords:    []string{"finicity"},
 	}

diff --git a/cmd/generate/config/rules/finnhub.go b/cmd/generate/config/rules/finnhub.go
@@ -10,7 +10,7 @@ func FinnhubAccessToken() *config.Rule {
 	r := config.Rule{
 		RuleID:      "finnhub-access-token",
 		Description: "Finnhub Access Token",
-		Regex:       generateSemiGenericRegex([]string{"finnhub"}, alphaNumeric("20")),
+		Regex:       generateSemiGenericRegex([]string{"finnhub"}, alphaNumeric("20"), true),
 		SecretGroup: 1,
 		Keywords: []string{
 			"finnhub",