diff --git a/generic/secrets/gitleaks/generic-api-key.go b/generic/secrets/gitleaks/generic-api-key.go
deleted file mode 100644
index 35e98e0fe0..0000000000
--- a/generic/secrets/gitleaks/generic-api-key.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// ruleid: generic-api-key
-generic_api_token = "CLOJARS_34bf0e88955ff5a1c328d6a7491acc4f48e865a7b8dd4d70a70749037443"
-// ruleid: generic-api-key
-generic_api_token = "Zf3D0LXCM3EIMbgJpUNnkRtOfOueHznB"
-// ruleid: generic-api-key
-"client_id" : "0afae57f3ccfd9d7f5767067bc48b30f719e271ba470488056e37ab35d4b6506"
-// ruleid: generic-api-key
-"client_secret" : "6da89121079f83b2eb6acccf8219ea982c3d79bccc3e9c6a85856480661f8fde"
-
-// ok: generic-api-key
-newPassword=this.mPassword
-// ok: generic-api-key
-client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id
-// ok: generic-api-key
-password combination. R5: Regulatory--21
\ No newline at end of file
diff --git a/generic/secrets/gitleaks/generic-api-key.txt b/generic/secrets/gitleaks/generic-api-key.txt
new file mode 100644
index 0000000000..6df0fc05f4
--- /dev/null
+++ b/generic/secrets/gitleaks/generic-api-key.txt
@@ -0,0 +1,142 @@
+// ruleid: generic-api-key
+generic_api_token = "CLOJARS_34bf0e88955ff5a1c328d6a7491acc4f48e865a7b8dd4d70a70749037443"
+// ruleid: generic-api-key
+generic_api_token = "Zf3D0LXCM3EIMbgJpUNnkRtOfOueHznB"
+// ruleid: generic-api-key
+"client_id" : "0afae57f3ccfd9d7f5767067bc48b30f719e271ba470488056e37ab35d4b6506"
+// ruleid: generic-api-key
+"client_secret" : "6da89121079f83b2eb6acccf8219ea982c3d79bccc3e9c6a85856480661f8fde"
+
+// ok: generic-api-key
+newPassword=this.mPassword
+// ok: generic-api-key
+client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id
+// ok: generic-api-key
+password combination. R5: Regulatory--21
+
+/ ok: generic-api-key
+newPassword=this.mPassword
+// ok: generic-api-key
+client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id
+// ok: generic-api-key
+password combination. R5: Regulatory--21
+
+// ok: generic-api-key
+SLACK_BOT_TOKEN=xoxb-0000000000-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+// ok: generic-api-key
+{
+ "oauth": {
+ "clientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
+ "clientSecret": "xxxxxxxxxxxxxxxxxxxxxxxx",
+ "callback": "http://localhost:8080/oauth2callback"
+ },
+ "port": 8081
+}
+
+// todook: generic-api-key
+github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 h1:P6bYXFoao05z5uhOQzbC3Qd8JqF3jUoocoTeIxkp2cA=
+
+// ok: generic-api-key
+
+
+// ok: generic-api-key
+export const NATIVE_TOKEN_ADDRESS = "0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee";
+
+// ok: generic-api-key
+tokenId: erc1155.tokenId,
+
+ "pubkey": "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA",
+// ok: generic-api-key
+'@vue/devtools-api': 'vue-devtools-stub'
+
+// ok: generic-api-key
+
+
+// ok: generic-api-key
+IMAGER_S3_KEY=AWS_S3_KEY
+
+// ok: generic-api-key
+'@vue/devtools-api': 'vue-devtools-stub'
+
+
+// ok
+x.MaxKey = mongodb.MaxKey;
+
+
+// ok
+User.findOne({ 'token': req.query.token }).exec(function(err, user)
+
+// ok
+```
+SLACK_VERIFICATION_TOKEN=xxxxxxxxxxxxxxxxxxx
+SLACK_BOT_TOKEN=xoxb-0000000000-example
+SLACK_WEBHOOK_URL=https://hooks.slack.com/services/xxxxxxxxx/yyyyyyyyy/zzzzzzzzzzzzzzzzzzzzzzzz
+```
+
+// ok: generic-api-key
+ stripe: {
+ host: 'api.stripe.com',
+ secretKey: 'sk_test_XXXXXXXXXXXXXXXXXXXXXX',
+ },
+
+// ok: generic-api-key
+qs: {
+ 'api-version': '2017-11-11-Preview'
+},
+
+// ok: generic-api-key
+GOOGLE_SECRET=
+IMAGER_S3_KEY=AWS_S3_KEY
+
+
+// ok: generic-api-key
+export const stackInputsV1: StackInputs = {
+ gitHubAppWebHookSecret: 'arn:aws:secretsmanager:us-west-2:12321321:secret:fosoodsaeGitHubAppWebHookSecret-21321321',
+
+}
+
+// ok: generic-api-key
+authors: [someSuperC00lauthor]
+
+// ok: generic-api-key
+key = axis._maxTicksKey,
+// ok: generic-api-key
+"capitalization": 607352.81238977,
+// ok: generic-api-key
+tokenId: erc1155.tokenId
+// ok: generic-api-key
+key: "pricing.FAQ.link"
+// ok: generic-api-key
+tokenId: erc1155.tokenId,
+
+// ok: generic-api-key
+SHOPIFY_API_KEY=
+SHOPIFY_API_SECRET=
+SHOPIFY_API_SCOPES=
+SHOPIFY_APP_URL= # Ensure it starts with `https://`
+SHOPIFY_API_VERSION="2023-01"
+MONGO_URL=
+ENCRYPTION_STRING= # Required
+PORT=
+NPM_CONFIG_FORCE=true #Set to true if deploying to a server, so it runs `npm i --force` instead of `npm i`
+
+// ok: generic-api-key
+"pubkey": "asdsadsadsadsadsadsadsawAJbNbGKPFXCWuBvf9Ss623VQ5DA",
+
+// ok: generic-api-key
+# Installation URL:
+# https://ngrok-url.io/auth?shop=storename-myshopify.com;
+
+// ok: generic-api-key
+MAX_API_ISSUE_PAGE_SIZE = MAX_ISSUE_PAGE_SIZE
+
+// ok: generic-api-key
+clientToken: "pub4306832bdc5f2b8b980c492ec2c11ef3",
+// ok: generic-api-key
+
  • +// ok: generic-api-key +keys: 'privkey1.json', +// ok: generic-api-key +"Keywords": "asdsadsadsaUSAdusadusadsa", \ No newline at end of file diff --git a/generic/secrets/gitleaks/generic-api-key.yaml b/generic/secrets/gitleaks/generic-api-key.yaml index bb8905df75..d4fff564c9 100644 --- a/generic/secrets/gitleaks/generic-api-key.yaml +++ b/generic/secrets/gitleaks/generic-api-key.yaml @@ -1,6 +1,6 @@ rules: - id: generic-api-key - message: A gitleaks generic-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). + message: A gitleaks generic-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). This rule can introduce a lot of false positives, it is not recommended to be used in PR comments. languages: - regex severity: INFO 
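Review bot: Several annotations in the new fixture are not in the `// ok: <rule-id>` form the semgrep test runner recognizes (as far as I know it only parses `ruleid:`, `ok:`, `todoruleid:` and `todook:` after a comment marker), so they document nothing: `/ ok: generic-api-key` (single slash, above the second `newPassword=this.mPassword`), the bare `// ok` lines above `x.MaxKey`, `User.findOne` and the Slack fenced block, and the `// ok: generic-api-key` lines followed only by blank lines (before `export const NATIVE_TOKEN_ADDRESS`, before `IMAGER_S3_KEY`, and at the end of the hunk). Because `ok:` annotations do not change the pass/fail outcome, the test still passes, but a reader cannot tell which negative cases were intentional; normalizing each one to `// ok: generic-api-key` directly above the line it covers makes the fixture self-describing and lets a regression in the negative lookaheads show up as a visibly annotated line. The duplicated `newPassword` / `client_vpn_endpoint_id` / `password combination` block and the repeated `'@vue/devtools-api'` and `tokenId: erc1155.tokenId,` entries could also be collapsed to one occurrence each.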
@@ -22,9 +22,35 @@ rules: - vuln technology: - gitleaks + paths: + exclude: + - "*go.sum" + - "*package.json" + - "*package-lock.json" + - "*bundle.js" + - "*pnpm-lock*" + - "*Podfile.lock" + - "*/openssl/*.h" + - "*.xcscmblueprint" patterns: - - pattern-regex: (?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-z\-_.=]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$) + # This will likely remove some true positives, but this rule is overly noisy + # Added (?-s) to prevent multi-lines with . which was causing a lot of FPs + # added negative lookaheads to remove: + # [a-z]+\.[a-zA-Z]+ (this.valueValue) + # .* + # \d{4}-\d{2}-\d{2} (2017/03/12) + # [a-z]+-[a-z]+.*. abc123-abc123 + # :*(?!("|'))[0-9A-Za-z]+\.[0-9A-Za-z]+, : 0123.0312abc, + # [A-Z]+_[A-Z]+_ VALUE_VALUE_ + - pattern-regex: (?i)(?-s)(?:key|api|token|secret|client|passwd|password|auth|access).(?:[0-9a-z\-_\t + .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:).(?:'|\"|\s|=|\x60){0,5}(?!([a-z]+\.[a-zA-Z]+)|.*(\d{4}-\d{2}-\d{2}|[a-z]+-[a-z]+.*)|:*(?!("|'))[0-9A-Za-z]+\.[0-9A-Za-z]+,|[A-Z]+_[A-Z]+_)([0-9a-z\-_.=]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$) - metavariable-analysis: - metavariable: $1 analyzer: entropy - - focus-metavariable: $1 + metavariable: $4 + - focus-metavariable: $4 + # These remove test examples in addition to public keys, author= etc. + - pattern-not-regex: (?i)publickeytoken=.* + - pattern-not-regex: (?i)(?:"|')pub + - pattern-not-regex: pubkey.* + - pattern-not-regex: ((token-drop|asset_key)("|'):.*0x) + - pattern-not-regex: (?i)(keywords|xxxx|eeeeeeee|0000|\*\*\*|example|test|public.*key|\.json|author=|author("|')) \ No newline at end of file
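Review bot: The two `.` tokens added to the pattern-regex are mandatory single-character consumers, not optional separators: after `(?:key|api|token|secret|client|passwd|password|auth|access).` a bare `password=…` or `token=…` with nothing between the keyword and the operator can no longer match (the `.` swallows the `=` and the operator group then fails), and after `(?:=|>|:=|\|\|:|<=|=>|:).` an unquoted value such as `SECRET_KEY=abcd…` loses its first character into the separator, so `$4` and the reported range start one byte late and the entropy check sees a shorter string. If an optional separator was intended, `.?` in both places restores the previous coverage while keeping `(?-s)` and the lookaheads. Separately, the `.*(\d{4}-\d{2}-\d{2}|[a-z]+-[a-z]+.*)` branch runs to end of line under `(?i)`, so any hyphenated word after the operator — inside the candidate value or in a trailing comment — appears to suppress the match; worth confirming against known-positive samples before merging. The final `pattern-not-regex` alternation with `test` and `\.json` is a substring match over whatever span semgrep checks it against, so identifiers like `latest_key` or values containing `.json` are dropped; anchoring, e.g. `(?:^|[^a-z])test(?:[^a-z]|$)`, would narrow it.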