feat: add creds, credentials keywords to detectors (Yelp#417)

Realized while troubleshooting a user issue that this is a common keyword for leaks that we don't currently catch.
jimmyhlee94 · Mar 3, 2021 · 5572e7d · 5572e7d
1 parent 467f9f1
commit 5572e7d
Show file tree

Hide file tree

Showing 10 changed files with 16 additions and 5 deletions.
diff --git a/detect_secrets/plugins/cloudant.py b/detect_secrets/plugins/cloudant.py
@@ -16,7 +16,7 @@ class CloudantDetector(RegexBasedDetector):
     cl_account = r'[\w\-]+'
     cl = r'(?:cloudant|cl|clou)'
     opt_api = r'(?:api|)'
-    cl_key_or_pass = opt_api + r'(?:key|pwd|pw|password|pass|token)'
+    cl_key_or_pass = opt_api + r'(?:key|pwd|pw|password|pass|token|creds|credentials|cred)'
     cl_pw = r'([0-9a-f]{64})'
     cl_api_key = r'([a-z]{24})'
     colon = r'\:'

diff --git a/detect_secrets/plugins/db2.py b/detect_secrets/plugins/db2.py
@@ -45,7 +45,7 @@ class Db2Detector(RegexBasedDetector):
     opt_quote = r'(?:"|\'|)'
     opt_db = r'(?:db2|dashdb|db|)'
     opt_dash_undrscr = r'(?:_|-|)'
-    password_keyword = r'(?:password|pwd|pass|passwd)'
+    password_keyword = r'(?:password|pwd|pass|passwd|creds|credentials|cred)'
     opt_space = r'(?: *)'
     assignment = r'(?:=|:|:=|=>|::)'
     # catch any character except newline and quotations, we exclude these

diff --git a/detect_secrets/plugins/gh.py b/detect_secrets/plugins/gh.py
@@ -15,7 +15,7 @@ class GheDetector(RegexBasedDetector):
     opt_space = r'(?: *)'
     opt_quote = r'(?:"|\'|)'
     header_keyword = r'(?:token|bearer|Basic)'
-    key_or_pass = r'(?:key|pwd|password|pass|token|oauth)'
+    key_or_pass = r'(?:key|pwd|password|pass|token|oauth|creds|credentials|cred)'
     api_endpoint = r'(?:github.ibm.com|api.github.ibm.com)'
     forty_hex = r'(?:(?<=\W)|(?<=^))([0-9a-f]{40})(?:(?=\W)|(?=$))'
     b64_encoded_token = r'(?:(?<=\W)|(?<=^))([A-Za-z0-9+/]{55}=)(?:(?=\W)|(?=$))'

diff --git a/detect_secrets/plugins/ibm_cloud_iam.py b/detect_secrets/plugins/ibm_cloud_iam.py
@@ -14,7 +14,7 @@ class IbmCloudIamDetector(RegexBasedDetector):
         r'ibm(?:_|-|)cloud|ibm(?:_|-|)iam|ibm|iam|cloud|test|)'
     opt_dash_undrscr = r'(?:_|-|)'
     opt_api = r'(?:api|)'
-    key_or_pass = r'(?:key|keyid|pwd|password|pass|token|authenticator)'
+    key_or_pass = r'(?:key|keyid|pwd|password|pass|token|authenticator|creds|credentials|cred)'
     secret = r'([a-zA-Z0-9_\-]{44})'
     denylist = [
         RegexBasedDetector.assign_regex_generator(

diff --git a/detect_secrets/plugins/keyword.py b/detect_secrets/plugins/keyword.py
@@ -50,6 +50,9 @@
     'private-key',
     'secret',
     'secrete',
+    'creds',
+    'credentials',
+    'cred',
 )
 FALSE_POSITIVES = {
     '""',

diff --git a/detect_secrets/plugins/softlayer.py b/detect_secrets/plugins/softlayer.py
@@ -13,7 +13,7 @@ class SoftlayerDetector(RegexBasedDetector):
 
     # opt means optional
     sl = r'(?:softlayer|sl|)(?:_|-|)(?:api|)'
-    key_or_pass = r'(?:key|pwd|password|pass|token)'
+    key_or_pass = r'(?:key|pwd|password|pass|token|creds|credentials|cred)'
     secret = r'([a-z0-9]{64})'
     denylist = [
         RegexBasedDetector.assign_regex_generator(

diff --git a/tests/plugins/cloudant_test.py b/tests/plugins/cloudant_test.py
@@ -55,6 +55,8 @@ class TestCloudantDetector:
             ('cloudant_pw=\'{cl_pw}\''.format(cl_pw=CL_PW), True),
             ('cloudant_pw="{cl_pw}"'.format(cl_pw=CL_PW), True),
             ('clou_pw = "{cl_pw}"'.format(cl_pw=CL_PW), True),
+            ('cloudant-creds="{cl_pw}"'.format(cl_pw=CL_PW), True),
+            ('CL_CREDENTIALS:{cl_pw}'.format(cl_pw=CL_PW), True),
             ('cloudant_key = "{cl_api_key}"'.format(cl_api_key=CL_API_KEY), True),
             ('cloudant_password = "a-fake-tooshort-key"', False),
             ('cl_api_key = "a-fake-api-key"', False),

diff --git a/tests/plugins/gh_test.py b/tests/plugins/gh_test.py
@@ -31,6 +31,8 @@ class TestGheDetector(object):
                 'YWJjZWRmYWJlZmQzMzMzMTQ1OTA4YWJjZGRmY2JkZGUxMTQ1Njc4OQo=', True,
             ),
             ('password abcdef0123456789abcdef0123456789abcdef01', True),
+            ('cred = abcdef0123456789abcdef0123456789abcdef01', True),
+            ('gh-credentials: abcdef0123456789abcdef0123456789abcdef01', True),
             ('git+https://abcdef0123456789abcdef0123456789abcdef01@github.ibm.com', True),
             ('sonar.github.oauth=abcdef0123456789abcdef0123456789abcdef01', True),
             (

diff --git a/tests/plugins/ibm_cloud_iam_test.py b/tests/plugins/ibm_cloud_iam_test.py
@@ -47,6 +47,8 @@ class TestIbmCloudIamDetector(object):
             ('ibm_password = "{cloud_iam_key}"'.format(cloud_iam_key=CLOUD_IAM_KEY), True),
             ('test_apikey = "{cloud_iam_key}"'.format(cloud_iam_key=CLOUD_IAM_KEY), True),
             ('ibm-cloud-pwd = {cloud_iam_key}'.format(cloud_iam_key=CLOUD_IAM_KEY), True),
+            ('ibm-cloud-creds = {cloud_iam_key}'.format(cloud_iam_key=CLOUD_IAM_KEY), True),
+            ('CREDENTIALS = {cloud_iam_key}'.format(cloud_iam_key=CLOUD_IAM_KEY), True),
             ('apikey:{cloud_iam_key}'.format(cloud_iam_key=CLOUD_IAM_KEY), True),
             ('IAMAuthenticator("{cloud_iam_key}")'.format(cloud_iam_key=CLOUD_IAM_KEY), True),
             ('.set("apikey", "{cloud_iam_key}")'.format(cloud_iam_key=CLOUD_IAM_KEY), True),

diff --git a/tests/plugins/softlayer_test.py b/tests/plugins/softlayer_test.py
@@ -69,6 +69,8 @@ class TestSoftlayerDetector(object):
             ('softlayer_password = "{sl_token}"'.format(sl_token=SL_TOKEN), True),
             ('sl_pass="{sl_token}"'.format(sl_token=SL_TOKEN), True),
             ('softlayer-pwd = {sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('softlayer-cred = {sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('SOFTLAYER_CREDENTIALS = {sl_token}'.format(sl_token=SL_TOKEN), True),
             ('softlayer_api_key="%s" % SL_API_KEY_ENV', False),
             ('sl_api_key: "%s" % <softlayer_api_key>', False),
             ('SOFTLAYER_APIKEY: "insert_key_here"', False),