Merge pull request #2877 from returntocorp/gitleaksUpdate

Update generic Gitleak regex to remove false positives
semgrep · Apr 18, 2023 · 2c3fc75 · 2c3fc75
2 parents 7e6b42d + 09111b8
commit 2c3fc75
Show file tree

Hide file tree

Showing 3 changed files with 172 additions and 19 deletions.
diff --git a/generic/secrets/gitleaks/generic-api-key.go b/generic/secrets/gitleaks/generic-api-key.go
diff --git a/generic/secrets/gitleaks/generic-api-key.txt b/generic/secrets/gitleaks/generic-api-key.txt
@@ -0,0 +1,142 @@
+// ruleid: generic-api-key
+generic_api_token = "CLOJARS_34bf0e88955ff5a1c328d6a7491acc4f48e865a7b8dd4d70a70749037443"
+// ruleid: generic-api-key
+generic_api_token = "Zf3D0LXCM3EIMbgJpUNnkRtOfOueHznB"
+// ruleid: generic-api-key
+"client_id" : "0afae57f3ccfd9d7f5767067bc48b30f719e271ba470488056e37ab35d4b6506"
+// ruleid: generic-api-key
+"client_secret" : "6da89121079f83b2eb6acccf8219ea982c3d79bccc3e9c6a85856480661f8fde"
+
+// ok: generic-api-key
+newPassword=this.mPassword
+// ok: generic-api-key
+client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id
+// ok: generic-api-key
+password combination. R5: Regulatory--21
+
+/ ok: generic-api-key
+newPassword=this.mPassword
+// ok: generic-api-key
+client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id
+// ok: generic-api-key
+password combination. R5: Regulatory--21
+
+// ok: generic-api-key
+SLACK_BOT_TOKEN=xoxb-0000000000-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   
+
+// ok: generic-api-key
+{
+  "oauth": {
+    "clientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
+    "clientSecret": "xxxxxxxxxxxxxxxxxxxxxxxx",
+    "callback": "http://localhost:8080/oauth2callback"
+  },
+  "port": 8081
+}
+
+// todook: generic-api-key
+github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 h1:P6bYXFoao05z5uhOQzbC3Qd8JqF3jUoocoTeIxkp2cA=
+
+// ok: generic-api-key
+<assemblyIdentity name="Microsoft.IdentityModel.Protocols.OpenIdConnect"                                 
+  publicKeyToken="31bf3856ad364e35" culture="neutral" />   
+
+// ok: generic-api-key
+export const NATIVE_TOKEN_ADDRESS = "0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee";
+
+// ok: generic-api-key
+tokenId: erc1155.tokenId,
+
+ "pubkey": "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA",
+// ok: generic-api-key
+'@vue/devtools-api': 'vue-devtools-stub'
+
+// ok: generic-api-key
+<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKey=b77a5c561934e089" requirePermission="false" />
+
+// ok: generic-api-key
+IMAGER_S3_KEY=AWS_S3_KEY
+
+// ok: generic-api-key
+'@vue/devtools-api': 'vue-devtools-stub'
+
+
+// ok
+x.MaxKey = mongodb.MaxKey;
+
+
+// ok
+User.findOne({ 'token': req.query.token }).exec(function(err, user)
+
+// ok
+```
+SLACK_VERIFICATION_TOKEN=xxxxxxxxxxxxxxxxxxx
+SLACK_BOT_TOKEN=xoxb-0000000000-example
+SLACK_WEBHOOK_URL=https://hooks.slack.com/services/xxxxxxxxx/yyyyyyyyy/zzzzzzzzzzzzzzzzzzzzzzzz
+```
+
+// ok: generic-api-key
+  stripe: {
+    host: 'api.stripe.com',
+    secretKey: 'sk_test_XXXXXXXXXXXXXXXXXXXXXX',
+  },
+
+// ok: generic-api-key
+qs: {
+    'api-version': '2017-11-11-Preview'
+},
+
+// ok: generic-api-key
+GOOGLE_SECRET=<SECRET>
+IMAGER_S3_KEY=AWS_S3_KEY
+
+
+// ok: generic-api-key
+export const stackInputsV1: StackInputs = {
+  gitHubAppWebHookSecret: 'arn:aws:secretsmanager:us-west-2:12321321:secret:fosoodsaeGitHubAppWebHookSecret-21321321',
+
+}
+
+// ok: generic-api-key
+authors: [someSuperC00lauthor]
+
+// ok: generic-api-key
+key = axis._maxTicksKey,
+// ok: generic-api-key
+"capitalization": 607352.81238977,
+// ok: generic-api-key
+tokenId: erc1155.tokenId
+// ok: generic-api-key
+key: "pricing.FAQ.link"
+// ok: generic-api-key
+tokenId: erc1155.tokenId,
+
+// ok: generic-api-key
+SHOPIFY_API_KEY=
+SHOPIFY_API_SECRET=
+SHOPIFY_API_SCOPES=
+SHOPIFY_APP_URL= # Ensure it starts with `https://`
+SHOPIFY_API_VERSION="2023-01"
+MONGO_URL=
+ENCRYPTION_STRING= # Required
+PORT=
+NPM_CONFIG_FORCE=true #Set to true if deploying to a server, so it runs `npm i --force` instead of `npm i`
+
+// ok: generic-api-key
+"pubkey": "asdsadsadsadsadsadsadsawAJbNbGKPFXCWuBvf9Ss623VQ5DA",
+
+// ok: generic-api-key
+# Installation URL:
+# https://ngrok-url.io/auth?shop=storename-myshopify.com;
+
+// ok: generic-api-key
+MAX_API_ISSUE_PAGE_SIZE = MAX_ISSUE_PAGE_SIZE
+
+// ok: generic-api-key
+clientToken: "pub4306832bdc5f2b8b980c492ec2c11ef3",
+// ok: generic-api-key
+<li><a href="https://github.com/someperson">some person</a> — <a href="https://github.com/something/something/commits?author=somepersonrulez" title="View the GitHub contributions of Neil Taylor on repository">view contributions</a></li>
+// ok: generic-api-key
+keys: 'privkey1.json',
+// ok: generic-api-key
+"Keywords": "asdsadsadsaUSAdusadusadsa",
diff --git a/generic/secrets/gitleaks/generic-api-key.yaml b/generic/secrets/gitleaks/generic-api-key.yaml
@@ -1,6 +1,6 @@
 rules:
 - id: generic-api-key
-  message: A gitleaks generic-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+  message: A gitleaks generic-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). This rule can introduce a lot of false positives, it is not recommended to be used in PR comments.
   languages:
     - regex
   severity: INFO
@@ -22,9 +22,35 @@ rules:
         - vuln
       technology:
         - gitleaks
+  paths:
+    exclude:
+      - "*go.sum"
+      - "*package.json"
+      - "*package-lock.json"
+      - "*bundle.js"
+      - "*pnpm-lock*"
+      - "*Podfile.lock"
+      - "*/openssl/*.h"
+      - "*.xcscmblueprint"
   patterns:
-    - pattern-regex: (?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-z\-_.=]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$)
+    # This will likely remove some true positives, but this rule is overly noisy
+    # Added (?-s) to prevent multi-lines with . which was causing a lot of FPs
+    # added negative lookaheads to remove:
+      # [a-z]+\.[a-zA-Z]+ (this.valueValue)
+      # .* 
+        # \d{4}-\d{2}-\d{2} (2017/03/12)
+        # [a-z]+-[a-z]+.*. abc123-abc123 
+        # :*(?!("|'))[0-9A-Za-z]+\.[0-9A-Za-z]+,  : 0123.0312abc, 
+        # [A-Z]+_[A-Z]+_ VALUE_VALUE_
+    - pattern-regex: (?i)(?-s)(?:key|api|token|secret|client|passwd|password|auth|access).(?:[0-9a-z\-_\t
+        .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:).(?:'|\"|\s|=|\x60){0,5}(?!([a-z]+\.[a-zA-Z]+)|.*(\d{4}-\d{2}-\d{2}|[a-z]+-[a-z]+.*)|:*(?!("|'))[0-9A-Za-z]+\.[0-9A-Za-z]+,|[A-Z]+_[A-Z]+_)([0-9a-z\-_.=]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$)
     - metavariable-analysis:
-        metavariable: $1
         analyzer: entropy
-    - focus-metavariable: $1
+        metavariable: $4
+    - focus-metavariable: $4
+      # These remove test examples in addition to public keys, author= etc. 
+    - pattern-not-regex: (?i)publickeytoken=.*
+    - pattern-not-regex: (?i)(?:"|')pub
+    - pattern-not-regex: pubkey.*
+    - pattern-not-regex: ((token-drop|asset_key)("|'):.*0x)
+    - pattern-not-regex: (?i)(keywords|xxxx|eeeeeeee|0000|\*\*\*|example|test|public.*key|\.json|author=|author("|'))