bugfix: reduce false positives for stripe tokens by using word bounda…

…ries in regex (#1278)
gitleaks · Oct 16, 2023 · bd9a25a · bd9a25a
1 parent 6d0d8b5
commit bd9a25a
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 5 deletions.
diff --git a/cmd/generate/config/rules/stripe.go b/cmd/generate/config/rules/stripe.go
@@ -1,8 +1,6 @@
 package rules
 
 import (
-	"regexp"
-
 	"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
 	"github.com/zricethezav/gitleaks/v8/config"
 )
@@ -12,7 +10,7 @@ func StripeAccessToken() *config.Rule {
 	r := config.Rule{
 		Description: "Stripe Access Token",
 		RuleID:      "stripe-access-token",
-		Regex:       regexp.MustCompile(`(?i)(sk|pk)_(test|live)_[0-9a-z]{10,32}`),
+		Regex:       generateUniqueTokenRegex(`(sk|pk)_(test|live)_[0-9a-z]{10,32}`, true),
 		Keywords: []string{
 			"sk_test",
 			"pk_test",
@@ -23,5 +21,6 @@ func StripeAccessToken() *config.Rule {
 
 	// validate
 	tps := []string{"stripeToken := \"sk_test_" + secrets.NewSecret(alphaNumeric("30")) + "\""}
-	return validate(r, tps, nil)
+	fps := []string{"nonMatchingToken := \"task_test_" + secrets.NewSecret(alphaNumeric("30")) + "\""}
+	return validate(r, tps, fps)
 }
diff --git a/config/gitleaks.toml b/config/gitleaks.toml
@@ -2777,7 +2777,7 @@ keywords = [
 [[rules]]
 id = "stripe-access-token"
 description = "Stripe Access Token"
-regex = '''(?i)(sk|pk)_(test|live)_[0-9a-z]{10,32}'''
+regex = '''(?i)\b((sk|pk)_(test|live)_[0-9a-z]{10,32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
 keywords = [
     "sk_test","pk_test","sk_live","pk_live",
 ]