From 3f3ed72cf01de0c01c546cc6d82ba8775f31bae3 Mon Sep 17 00:00:00 2001
From: Dewan Ishtiaque Ahmed <30604461+dewan-ahmed@users.noreply.github.com>
Date: Thu, 9 May 2024 18:29:47 -0300
Subject: [PATCH 1/5] Add Harness PAT rule.

---
 cmd/generate/config/main.go | 1 +
 cmd/generate/config/rules/harness.go | 26 ++++++++++++++++++++++++++
 config/gitleaks.toml | 8 ++++++++
 3 files changed, 35 insertions(+)
 create mode 100644 cmd/generate/config/rules/harness.go

diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go
index 086eceb34..a5f701246 100644
--- a/cmd/generate/config/main.go
+++ b/cmd/generate/config/main.go
@@ -99,6 +99,7 @@ func main() {
 rules.GrafanaApiKey(),
 rules.GrafanaCloudApiToken(),
 rules.GrafanaServiceAccountToken(),
+ rules.HarnessPAT(),
 rules.Hashicorp(),
 rules.HashicorpField(),
 rules.Heroku(),
diff --git a/cmd/generate/config/rules/harness.go b/cmd/generate/config/rules/harness.go
new file mode 100644
index 000000000..c40261992
--- /dev/null
+++ b/cmd/generate/config/rules/harness.go
@@ -0,0 +1,26 @@
+package rules
+
+import (
+ "regexp"
+
+ "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
+ "github.com/zricethezav/gitleaks/v8/config"
+)
+
+func HarnessPAT() *config.Rule {
+ // Define rule for Harness Personal Access Token (PAT)
+ r := config.Rule{
+ Description: "Identified a Harness Personal Access Token (PAT), risking unauthorized access to a Harness account.",
+ RuleID: "harness-pat",
+ Regex: regexp.MustCompile(`pat\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}`),
+ Keywords: []string{"pat."},
+ }
+
+ // Generate a sample secret for validation
+ tps := []string{
+ generateSampleSecret("harness", "pat."+secrets.NewSecret(alphaNumeric("24"))+"."+secrets.NewSecret(alphaNumeric("24"))+"."+secrets.NewSecret(alphaNumeric("24"))),
+ }
+
+ // Validate the rule
+ return validate(r, tps, nil)
+}
diff --git a/config/gitleaks.toml b/config/gitleaks.toml
index 3b4d04d29..0210c726c 100644
--- a/config/gitleaks.toml
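Review bot: HarnessPAT is exported without a doc comment, and `validate(r, tps, nil)` at the end of the new file passes no false-positive samples, so the only thing the generator checks is that a string assembled from the same three alphaNumeric("24") calls matches a regex built from the same literals. Add `// HarnessPAT returns the gitleaks rule for Harness Personal Access Tokens, expected as pat.<24>.<24>.<24> alphanumeric segments.` above the function, and pass a near-miss such as a token whose last segment has 23 characters as the third argument of validate so a wrong segment length fails generation instead of passing silently. The sample-secret line is also long enough that splitting the three segments onto their own lines would make the expected layout readable at a glance.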
+++ b/config/gitleaks.toml
@@ -2093,6 +2093,14 @@ keywords = [
 "glsa_",
 ]
 
+[[rules]]
+id = "harness-pat"
+description = "Identified a Harness Personal Access Token (PAT), risking unauthorized access to a Harness account."
+regex = '''pat\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}'''
+keywords = [
+ "harness_",
+]
+
 [[rules]]
 id = "hashicorp-tf-api-token"
 description = "Uncovered a HashiCorp Terraform user/org API token, which may lead to unauthorized infrastructure management and security breaches."
From c61bf20a2b8bafec53d73c58151a824793f8903d Mon Sep 17 00:00:00 2001
From: Dewan Ishtiaque Ahmed <30604461+dewan-ahmed@users.noreply.github.com>
Date: Fri, 10 May 2024 12:43:14 -0300
Subject: [PATCH 2/5] Add support for Harness PAT and SAT.

---
 cmd/generate/config/main.go | 1 +
 cmd/generate/config/rules/harness.go | 18 ++++++++++++++++++
 config/gitleaks.toml | 10 +++++++++-
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go
index a5f701246..aaad9e889 100644
--- a/cmd/generate/config/main.go
+++ b/cmd/generate/config/main.go
@@ -100,6 +100,7 @@ func main() {
 rules.GrafanaCloudApiToken(),
 rules.GrafanaServiceAccountToken(),
 rules.HarnessPAT(),
+ rules.HarnessSAT(),
 rules.Hashicorp(),
 rules.HashicorpField(),
 rules.Heroku(),
diff --git a/cmd/generate/config/rules/harness.go b/cmd/generate/config/rules/harness.go
index c40261992..8b49d3a6d 100644
--- a/cmd/generate/config/rules/harness.go
+++ b/cmd/generate/config/rules/harness.go
@@ -24,3 +24,21 @@ func HarnessPAT() *config.Rule {
 // Validate the rule
 return validate(r, tps, nil)
 }
+
+func HarnessSAT() *config.Rule {
+ // Define rule for Harness Personal Access Token (PAT)
+ r := config.Rule{
+ Description: "Identified a Harness Service Account Token (SAT), risking unauthorized access to a Harness account.",
+ RuleID: "harness-sat",
+ Regex: regexp.MustCompile(`sat\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}`),
+ Keywords: []string{"sat."},
+ }
+
+ // Generate a sample secret for validation
+ tps := []string{
+ generateSampleSecret("harness", "sat."+secrets.NewSecret(alphaNumeric("24"))+"."+secrets.NewSecret(alphaNumeric("24"))+"."+secrets.NewSecret(alphaNumeric("24"))),
+ }
+
+ // Validate the rule
+ return validate(r, tps, nil)
+}
diff --git a/config/gitleaks.toml b/config/gitleaks.toml
index 0210c726c..8d3134953 100644
--- a/config/gitleaks.toml
+++ b/config/gitleaks.toml
@@ -2098,7 +2098,15 @@ id = "harness-pat"
 description = "Identified a Harness Personal Access Token (PAT), risking unauthorized access to a Harness account."
 regex = '''pat\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}'''
 keywords = [
- "harness_",
+ "pat.",
+]
+
+[[rules]]
+id = "harness-sat"
+description = "Identified a Harness Service Account Token (SAT), risking unauthorized access to a Harness account."
+regex = '''sat\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}'''
+keywords = [
+ "sat.",
 ]
 
 [[rules]]
From 8501ca9bc735b944662627e1106f78990ca471cc Mon Sep 17 00:00:00 2001
From: Dewan Ishtiaque Ahmed <30604461+dewan-ahmed@users.noreply.github.com>
Date: Fri, 10 May 2024 12:45:43 -0300
Subject: [PATCH 3/5] Update comment for Harness SAT.

---
 cmd/generate/config/rules/harness.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/generate/config/rules/harness.go b/cmd/generate/config/rules/harness.go
index 8b49d3a6d..83133ed91 100644
--- a/cmd/generate/config/rules/harness.go
+++ b/cmd/generate/config/rules/harness.go
@@ -26,7 +26,7 @@ func HarnessPAT() *config.Rule {
 }
 
 func HarnessSAT() *config.Rule {
- // Define rule for Harness Personal Access Token (PAT)
+ // Define rule for Harness Service Account Token (SAT)
 r := config.Rule{
 Description: "Identified a Harness Service Account Token (SAT), risking unauthorized access to a Harness account.",
 RuleID: "harness-sat",
From a1d989dc32ac7164395d825b8c0f14d324e0daa2 Mon Sep 17 00:00:00 2001
From: Dewan Ishtiaque Ahmed <30604461+dewan-ahmed@users.noreply.github.com>
Date: Fri, 10 May 2024 16:12:43 -0300
Subject: [PATCH 4/5] Consolidate PAT and SAT into Harness API Key

---
 cmd/generate/config/main.go | 3 +--
 cmd/generate/config/rules/harness.go | 33 +++++++--------------------
 config/gitleaks.toml | 16 ++++---------
 3 files changed, 13 insertions(+), 39 deletions(-)

diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go
index aaad9e889..7e78d2bb7 100644
--- a/cmd/generate/config/main.go
+++ b/cmd/generate/config/main.go
@@ -99,8 +99,7 @@ func main() {
 rules.GrafanaApiKey(),
 rules.GrafanaCloudApiToken(),
 rules.GrafanaServiceAccountToken(),
- rules.HarnessPAT(),
- rules.HarnessSAT(),
+ rules.HarnessApiKey(),
 rules.Hashicorp(),
 rules.HashicorpField(),
 rules.Heroku(),
diff --git a/cmd/generate/config/rules/harness.go b/cmd/generate/config/rules/harness.go
index 83133ed91..666263276 100644
--- a/cmd/generate/config/rules/harness.go
+++ b/cmd/generate/config/rules/harness.go
@@ -7,36 +7,19 @@ import (
 "github.com/zricethezav/gitleaks/v8/config"
 )
 
-func HarnessPAT() *config.Rule {
- // Define rule for Harness Personal Access Token (PAT)
+func HarnessApiKey() *config.Rule {
+ // Define rule for Harness Personal Access Token (PAT) and Service Account Token (SAT)
 r := config.Rule{
- Description: "Identified a Harness Personal Access Token (PAT), risking unauthorized access to a Harness account.",
- RuleID: "harness-pat",
- Regex: regexp.MustCompile(`pat\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}`),
- Keywords: []string{"pat."},
+ Description: "Identified a Harness Access Token (PAT or SAT), risking unauthorized access to a Harness account.",
+ RuleID: "harness-api-key",
+ Regex: regexp.MustCompile(`(pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20}`),
+ Keywords: []string{"pat.", "sat."},
 }
 
 // Generate a sample secret for validation
 tps := []string{
- generateSampleSecret("harness", "pat."+secrets.NewSecret(alphaNumeric("24"))+"."+secrets.NewSecret(alphaNumeric("24"))+"."+secrets.NewSecret(alphaNumeric("24"))),
- }
-
- // Validate the rule
- return validate(r, tps, nil)
-}
-
-func HarnessSAT() *config.Rule {
- // Define rule for Harness Service Account Token (SAT)
- r := config.Rule{
- Description: "Identified a Harness Service Account Token (SAT), risking unauthorized access to a Harness account.",
- RuleID: "harness-sat",
- Regex: regexp.MustCompile(`sat\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}`),
- Keywords: []string{"sat."},
- }
-
- // Generate a sample secret for validation
- tps := []string{
- generateSampleSecret("harness", "sat."+secrets.NewSecret(alphaNumeric("24"))+"."+secrets.NewSecret(alphaNumeric("24"))+"."+secrets.NewSecret(alphaNumeric("24"))),
+ generateSampleSecret("harness", "pat."+secrets.NewSecret(alphaNumeric("22"))+"."+secrets.NewSecret(alphaNumeric("24"))+"."+secrets.NewSecret(alphaNumeric("20"))),
+ generateSampleSecret("harness", "sat."+secrets.NewSecret(alphaNumeric("22"))+"."+secrets.NewSecret(alphaNumeric("24"))+"."+secrets.NewSecret(alphaNumeric("20"))),
 }
 
 // Validate the rule
diff --git a/config/gitleaks.toml b/config/gitleaks.toml
index 8d3134953..249336d9b 100644
--- a/config/gitleaks.toml
+++ b/config/gitleaks.toml
@@ -2094,19 +2094,11 @@ keywords = [
 ]
 
 [[rules]]
-id = "harness-pat"
-description = "Identified a Harness Personal Access Token (PAT), risking unauthorized access to a Harness account."
-regex = '''pat\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}'''
+id = "harness-api-key"
+description = "Identified a Harness Access Token (PAT or SAT), risking unauthorized access to a Harness account."
+regex = '''(pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20}'''
 keywords = [
- "pat.",
-]
-
-[[rules]]
-id = "harness-sat"
-description = "Identified a Harness Service Account Token (SAT), risking unauthorized access to a Harness account."
-regex = '''sat\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{24}'''
-keywords = [
- "sat.",
+ "pat.","sat.",
 ]
 
 [[rules]]
From eaa3ffe7ca79d294d8ed31cab65407e8250c64ff Mon Sep 17 00:00:00 2001
From: Zachary Rice
Date: Fri, 14 Jun 2024 15:28:58 -0400
Subject: [PATCH 5/5] add ignore and capture group to match

---
 cmd/generate/config/rules/harness.go | 2 +-
 config/gitleaks.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmd/generate/config/rules/harness.go b/cmd/generate/config/rules/harness.go
index 666263276..50d5262a3 100644
--- a/cmd/generate/config/rules/harness.go
+++ b/cmd/generate/config/rules/harness.go
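Review bot: The segment lengths change from 24/24/24 to 22/24/20 in the new Regex line and in both generateSampleSecret calls, but the comment above `r := config.Rule{` still only names the two token kinds and nothing records why these lengths are the right ones; because the samples are built from the same literals as the regex, validate cannot distinguish a correct layout from a wrong one. Replace that comment with one stating the layout, for example `// Harness API keys are pat.<22>.<24>.<20> (PAT) or sat.<22>.<24>.<20> (SAT); all three segments are alphanumeric`, and if, as the distinct fixed lengths suggest, the segments carry different fields (such as an account identifier, a token identifier and the secret), name them there too. Passing a near-miss such as a token with a 24-character final segment as the fps argument of validate would pin the lengths. The function's closing return lies outside the hunk.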
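Review bot: The new `"pat.","sat.",` line puts two keywords on one line, while every other keywords list visible in this file, including the ones removed just above it, holds one quoted entry per line. That suggests the TOML was edited by hand rather than regenerated from the Go rule in cmd/generate/config; regenerating it (or at least writing `"pat.",` and `"sat.",` on separate lines) keeps the file in the generator's format and avoids a later diff that only reflows it.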
@@ -12,7 +12,7 @@ func HarnessApiKey() *config.Rule {
 r := config.Rule{
 Description: "Identified a Harness Access Token (PAT or SAT), risking unauthorized access to a Harness account.",
 RuleID: "harness-api-key",
- Regex: regexp.MustCompile(`(pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20}`),
+ Regex: regexp.MustCompile(`((?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20})`),
 Keywords: []string{"pat.", "sat."},
 }
 
diff --git a/config/gitleaks.toml b/config/gitleaks.toml
index 249336d9b..7ac213f89 100644
--- a/config/gitleaks.toml
+++ b/config/gitleaks.toml
@@ -2096,7 +2096,7 @@ keywords = [
 [[rules]]
 id = "harness-api-key"
 description = "Identified a Harness Access Token (PAT or SAT), risking unauthorized access to a Harness account."
-regex = '''(pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20}'''
+regex = '''((?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20})'''
 keywords = [
 "pat.","sat.",
 ]
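Review bot: The new Regex line wraps the pattern in a capture group but still has no boundary on either side, so a `pat.`/`sat.` preceded by other letters (compat., expat.) or a final segment longer than 20 characters still matches, and in the latter case the value reported from group 1 is a truncated token. Anchoring both ends, `Regex: regexp.MustCompile(`\b((?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20})\b`),`, keeps the existing samples matching while rejecting those neighbours; the regex line in the config/gitleaks.toml hunk of this commit needs the same `\b` on both ends. The commit title also mentions an "ignore", but neither hunk adds one, so either the title or the patch looks incomplete. The enclosing HarnessApiKey starts and ends outside the hunk.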