Add new rules for vault tokens (#919)

* add new rules for vault tokens * Configure max length for vault rules
gitleaks · Aug 3, 2022 · b1853bd · b1853bd
1 parent cd52267
commit b1853bd
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 0 deletions.
diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go
@@ -144,6 +144,8 @@ func main() {
 	configRules = append(configRules, rules.TwitterAccessSecret())
 	configRules = append(configRules, rules.TwitterBearerToken())
 	configRules = append(configRules, rules.Typeform())
+	configRules = append(configRules, rules.VaultBatchToken())
+	configRules = append(configRules, rules.VaultServiceToken())
 	configRules = append(configRules, rules.YandexAPIKey())
 	configRules = append(configRules, rules.YandexAWSAccessToken())
 	configRules = append(configRules, rules.YandexAccessToken())

diff --git a/cmd/generate/config/rules/vault.go b/cmd/generate/config/rules/vault.go
@@ -0,0 +1,38 @@
+package rules
+
+import (
+	"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
+	"github.com/zricethezav/gitleaks/v8/config"
+)
+
+func VaultServiceToken() *config.Rule {
+	// define rule
+	r := config.Rule{
+		Description: "Vault Service Token",
+		RuleID:      "vault-service-token",
+		Regex:       generateUniqueTokenRegex(`hvs\.[a-z0-9_-]{90,100}`),
+		Keywords:    []string{"hvs"},
+	}
+
+	// validate
+	tps := []string{
+		generateSampleSecret("vault", "hvs."+secrets.NewSecret(alphaNumericExtendedShort("90"))),
+	}
+	return validate(r, tps, nil)
+}
+
+func VaultBatchToken() *config.Rule {
+	// define rule
+	r := config.Rule{
+		Description: "Vault Batch Token",
+		RuleID:      "vault-batch-token",
+		Regex:       generateUniqueTokenRegex(`hvb\.[a-z0-9_-]{138,212}`),
+		Keywords:    []string{"hvb"},
+	}
+
+	// validate
+	tps := []string{
+		generateSampleSecret("vault", "hvb."+secrets.NewSecret(alphaNumericExtendedShort("138"))),
+	}
+	return validate(r, tps, nil)
+}
diff --git a/config/gitleaks.toml b/config/gitleaks.toml
@@ -2604,6 +2604,22 @@ keywords = [
     "tfp_",
 ]
 
+[[rules]]
+description = "Vault Batch Token"
+id = "vault-batch-token"
+regex = '''(?i)\b(hvb\.[a-z0-9_-]{138,212})(?:['|\"|\n|\r|\s|\x60]|$)'''
+keywords = [
+    "hvb",
+]
+
+[[rules]]
+description = "Vault Service Token"
+id = "vault-service-token"
+regex = '''(?i)\b(hvs\.[a-z0-9_-]{90,100})(?:['|\"|\n|\r|\s|\x60]|$)'''
+keywords = [
+    "hvs",
+]
+
 [[rules]]
 description = "Yandex Access Token"
 id = "yandex-access-token"