I have a few use cases where I want to match files that have no file extension, for example in case a passwd file has ended up in a codebase. I made this DevSkim rule that works if I supply a file extension, but if the filename is passwd without extension.
[
  {
    "name": "Detect /etc/passwd-like syntax",
    "id": "etcpasswdsyntax",
    "description": "Detects files containing /etc/passwd-like syntax (username:password:UID:GID:comment:home:shell).",
    "recommendation": "Review the file for sensitive data. Ensure it is not exposed or hardcoded in the project.",
    "severity": "BestPractice",
    "confidence": "high",
    "tags": ["security", "sensitive-data", "linux", "passwd"],
    "patterns": [
      {
        "pattern": "^[a-zA-Z0-9_]+:[x*!]?:[0-9]+:[0-9]+:[a-zA-Z0-9_,:/ -]+:[/a-zA-Z0-9_ -]+:[/a-zA-Z0-9_ -]+$",
        "type": "regex",
        "modifiers": ["m"],
        "_comment": "Matches /etc/passwd line syntax: user:pass:UID:GID:comment:home:shell"
      }
    ]
  }
]
For example, on this file:
root:x:0:0:root:/root:/bin/bash
steve:x:1000:1000:Steve:/home/steve:/bin/bash
nobody:*:65534:65534:Nobody:/nonexistent:/usr/sbin/nologin
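An added example, not from the original post and not DevSkim's own code: it applies the rule's regex above (with the `m` modifier) to the three sample lines plus two constructed lines, and decides purely on content, so a file named `passwd` with no extension is checked the same way as `passwd.txt`. The names `SAMPLE`, `passwd_matches`, `has_extension` and `scan` are my own.

```python
import re
from pathlib import PurePosixPath

# The pattern is copied verbatim from the DevSkim rule in the post;
# re.MULTILINE is the equivalent of the rule's "m" modifier.
PASSWD_LINE = re.compile(
    r"^[a-zA-Z0-9_]+:[x*!]?:[0-9]+:[0-9]+:[a-zA-Z0-9_,:/ -]+:[/a-zA-Z0-9_ -]+:[/a-zA-Z0-9_ -]+$",
    re.MULTILINE,
)

# Constructed sample: the three lines from the post, plus a GECOS field
# containing a dot (not in any of the rule's character classes) and an
# unrelated config line, to show what the regex does and does not flag.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
steve:x:1000:1000:Steve:/home/steve:/bin/bash
nobody:*:65534:65534:Nobody:/nonexistent:/usr/sbin/nologin
jane:x:1001:1001:Jane A. Doe:/home/jane:/bin/zsh
key=value
"""


def passwd_matches(text: str) -> list[str]:
    """Return every line in `text` that the rule's regex flags.

    Note that `$` in multiline mode matches just before "\\n", so a file
    with CRLF line endings leaves a "\\r" in front of it that the shell
    class does not accept; such lines are silently missed.
    """
    return [m.group(0) for m in PASSWD_LINE.finditer(text)]


def has_extension(filename: str) -> bool:
    """True when the file name carries a suffix such as ".txt"."""
    return PurePosixPath(filename).suffix != ""


def scan(filename: str, text: str) -> dict:
    """Content-based scan: the extension is reported but never used to skip."""
    return {
        "file": filename,
        "extension": has_extension(filename),
        "hits": passwd_matches(text),
    }


if __name__ == "__main__":
    for name in ("passwd", "passwd.txt"):
        result = scan(name, SAMPLE)
        print(f"{result['file']} (extension={result['extension']}): "
              f"{len(result['hits'])} passwd-like line(s)")
```

The `jane` line is not reported because the dot in `Jane A. Doe` is outside the rule's comment class; widen that class if real GECOS fields in your repositories contain punctuation.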