From af574736d0722eb4f9ea4f5671b05dc5df41c9f0 Mon Sep 17 00:00:00 2001
From: "Security Research (r2c-argo)"
Date: Mon, 30 Sep 2024 00:31:09 +0000
Subject: [PATCH] Merge Gitleaks rules 2024-09-30 # 00:31
---
 .../secrets/gitleaks/clojars-api-token.yaml | 2 +-
 .../secrets/gitleaks/doppler-api-token.yaml | 2 +-
 .../secrets/gitleaks/duffel-api-token.yaml | 2 +-
 .../secrets/gitleaks/etsy-access-token.yaml | 2 +-
 .../secrets/gitleaks/flyio-access-token.yaml | 26 +++++++++++++++++++
 generic/secrets/gitleaks/gcp-api-key.yaml | 2 +-
 .../secrets/gitleaks/github-app-token.yaml | 2 +-
 .../gitleaks/github-fine-grained-pat.yaml | 2 +-
 generic/secrets/gitleaks/harness-api-key.yaml | 2 +-
 .../gitleaks/hashicorp-tf-api-token.yaml | 2 +-
 .../gitleaks/kubernetes-secret-yaml.yaml | 26 +++++++++++++++++++
 .../gitleaks/openshift-user-token.yaml | 26 +++++++++++++++++++
 generic/secrets/gitleaks/private-key.yaml | 2 +-
 .../gitleaks/sidekiq-sensitive-url.yaml | 2 +-
 generic/secrets/gitleaks/slack-app-token.yaml | 2 +-
 .../gitleaks/slack-config-access-token.yaml | 2 +-
 .../gitleaks/slack-config-refresh-token.yaml | 2 +-
 .../secrets/gitleaks/slack-legacy-token.yaml | 2 +-
 .../secrets/gitleaks/slack-user-token.yaml | 2 +-
 .../secrets/gitleaks/square-access-token.yaml | 2 +-
 .../gitleaks/telegram-bot-api-token.yaml | 2 +-
 .../secrets/gitleaks/vault-service-token.yaml | 2 +-
 22 files changed, 97 insertions(+), 19 deletions(-)
 create mode 100644 generic/secrets/gitleaks/flyio-access-token.yaml
 create mode 100644 generic/secrets/gitleaks/kubernetes-secret-yaml.yaml
 create mode 100644 generic/secrets/gitleaks/openshift-user-token.yaml
diff --git a/generic/secrets/gitleaks/clojars-api-token.yaml b/generic/secrets/gitleaks/clojars-api-token.yaml
index 1bd151c065..307b0aacfb 100644
--- a/generic/secrets/gitleaks/clojars-api-token.yaml
+++ b/generic/secrets/gitleaks/clojars-api-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)(CLOJARS_)[a-z0-9]{60}
+ - pattern-regex: (?i)CLOJARS_[a-z0-9]{60}
diff --git a/generic/secrets/gitleaks/doppler-api-token.yaml b/generic/secrets/gitleaks/doppler-api-token.yaml
index 4fa906b50d..e0a1bb2a79 100644
--- a/generic/secrets/gitleaks/doppler-api-token.yaml
+++ b/generic/secrets/gitleaks/doppler-api-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (dp\.pt\.)(?i)[a-z0-9]{43}
+ - pattern-regex: dp\.pt\.(?i)[a-z0-9]{43}
diff --git a/generic/secrets/gitleaks/duffel-api-token.yaml b/generic/secrets/gitleaks/duffel-api-token.yaml
index 93a67e4ea9..0948b07470 100644
--- a/generic/secrets/gitleaks/duffel-api-token.yaml
+++ b/generic/secrets/gitleaks/duffel-api-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: duffel_(test|live)_(?i)[a-z0-9_\-=]{43}
+ - pattern-regex: duffel_(?:test|live)_(?i)[a-z0-9_\-=]{43}
diff --git a/generic/secrets/gitleaks/etsy-access-token.yaml b/generic/secrets/gitleaks/etsy-access-token.yaml
index 799c2e9a2a..8aaefeaebb 100644
--- a/generic/secrets/gitleaks/etsy-access-token.yaml
+++ b/generic/secrets/gitleaks/etsy-access-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)(?:etsy)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)
+ - pattern-regex: (?i)(?:(?-i:ETSY|[Ee]tsy))(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/flyio-access-token.yaml b/generic/secrets/gitleaks/flyio-access-token.yaml
new file mode 100644
index 0000000000..378d78ae11
--- /dev/null
+++ b/generic/secrets/gitleaks/flyio-access-token.yaml
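Review bot: In the doppler-api-token hunk the new pattern `dp\.pt\.(?i)[a-z0-9]{43}` keeps an unscoped `(?i)` in the middle of the expression, and the duffel-api-token hunk does the same after the second `_`. PCRE and RE2 apply such a flag to the remainder of the pattern, but Python's `re` rejects a global inline flag that is not at the very start (an error since 3.11), so these two rules are engine-dependent as written even though the commit did not introduce that. Scoping the flag explicitly, `dp\.pt\.(?i:[a-z0-9]{43})` and `duffel_(?:test|live)_(?i:[a-z0-9_\-=]{43})`, matches the same text in every engine.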
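Review bot: In the etsy-access-token hunk the keyword group `(?:(?-i:ETSY|[Ee]tsy))` wraps a scoped-flag group in a second non-capturing group that adds nothing; `(?-i:ETSY|[Ee]tsy)` on its own is equivalent and reads more plainly. The rewrite also narrows the keyword from any casing of `etsy` to exactly `ETSY`, `Etsy` or `etsy`, presumably to cut false positives, which is a recall change rather than a pure cleanup and deserves a line in the commit description.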
@@ -0,0 +1,26 @@
+rules:
+- id: flyio-access-token
+ message: A gitleaks flyio-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: \b((?:fo1_[\w-]{43}|fm1[ar]_[a-zA-Z0-9+\/]{100,}={0,3}|fm2_[a-zA-Z0-9+\/]{100,}={0,3}))(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/gcp-api-key.yaml b/generic/secrets/gitleaks/gcp-api-key.yaml
index 6ceb4d34d1..abcccd307b 100644
--- a/generic/secrets/gitleaks/gcp-api-key.yaml
+++ b/generic/secrets/gitleaks/gcp-api-key.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)\b(AIza[0-9A-Za-z\\-_]{35})(?:['|\"|\n|\r|\s|\x60|;]|$)
+ - pattern-regex: \b(AIza[\w-]{35})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/github-app-token.yaml b/generic/secrets/gitleaks/github-app-token.yaml
index 269ba4b25a..05beb4f806 100644
--- a/generic/secrets/gitleaks/github-app-token.yaml
+++ b/generic/secrets/gitleaks/github-app-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (ghu|ghs)_[0-9a-zA-Z]{36}
+ - pattern-regex: (?:ghu|ghs)_[0-9a-zA-Z]{36}
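Review bot: The flyio-access-token pattern wraps its alternation in two groups, `\b((?:fo1_…|fm1[ar]_…|fm2_…))`, where the outer capturing group and the inner non-capturing group cover exactly the same span; the vault-service-token hunk at the end of the patch has the same `((?:…))` shape. One group is enough: `\b(fo1_[\w-]{43}|fm1[ar]_[a-zA-Z0-9+\/]{100,}={0,3}|fm2_[a-zA-Z0-9+\/]{100,}={0,3})(?:['|\"|\n|\r|\s|\x60|;]|$)`. The new rule also ships with `confidence: LOW` although it anchors on fixed prefixes and exact lengths; if the metadata block is stamped onto every imported gitleaks rule that is expected, otherwise a higher confidence looks justified for this one.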
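Review bot: The gcp-api-key hunk replaces the explicit class `[0-9A-Za-z\\-_]` with `[\w-]`, and github-fine-grained-pat, square-access-token, vault-service-token, flyio-access-token and openshift-user-token now rely on `\w` too. In a Unicode-aware engine (Python `re` on str, or PCRE with UCP enabled) `\w` also admits non-ASCII letters and digits, so these classes are slightly wider than the ASCII sets the old rules spelled out; for secret detection that costs little precision, but the commit description should say the widening is deliberate, or the rules can keep intent explicit with `[0-9A-Za-z_-]`. Note that the old gcp class appears to have been buggy anyway: in PCRE and Python `\\-_` inside a class reads as a range from backslash to underscore, so the new form is a fix as well as a simplification.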
diff --git a/generic/secrets/gitleaks/github-fine-grained-pat.yaml b/generic/secrets/gitleaks/github-fine-grained-pat.yaml
index a8557c8a48..ba10f3b1c1 100644
--- a/generic/secrets/gitleaks/github-fine-grained-pat.yaml
+++ b/generic/secrets/gitleaks/github-fine-grained-pat.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: github_pat_[0-9a-zA-Z_]{82}
+ - pattern-regex: github_pat_\w{82}
diff --git a/generic/secrets/gitleaks/harness-api-key.yaml b/generic/secrets/gitleaks/harness-api-key.yaml
index c668ea9573..58700f4061 100644
--- a/generic/secrets/gitleaks/harness-api-key.yaml
+++ b/generic/secrets/gitleaks/harness-api-key.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: ((?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20})
+ - pattern-regex: (?:pat|sat)\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20}
diff --git a/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml b/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml
index 8e8e8b1e32..730566458d 100644
--- a/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml
+++ b/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}
+ - pattern-regex: (?i)[a-z0-9]{14}\.(?-i:atlasv1)\.[a-z0-9\-_=]{60,70}
diff --git a/generic/secrets/gitleaks/kubernetes-secret-yaml.yaml b/generic/secrets/gitleaks/kubernetes-secret-yaml.yaml
new file mode 100644
index 0000000000..28f8afcc32
--- /dev/null
+++ b/generic/secrets/gitleaks/kubernetes-secret-yaml.yaml
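Review bot: In the harness-api-key hunk the pattern `(?:pat|sat)\.[a-zA-Z0-9_-]{22}\.…` still has no leading word boundary, so a match may begin inside a longer identifier that happens to end in `pat` or `sat`; the commit also widens the first segment's class to `[a-zA-Z0-9_-]` without saying why, presumably tracking the upstream gitleaks rule. Prefixing `\b`, as the other rules in this batch do, keeps the match aligned to a token start: `\b(?:pat|sat)\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20}`. Dropping the outer capture group is harmless here, since it spanned the whole match and the finding now covers the same text.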
@@ -0,0 +1,26 @@
+rules:
+- id: kubernetes-secret-yaml
+ message: A gitleaks kubernetes-secret-yaml was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: (?i)(?:\bkind:[ \t]*["']?secret["']?(?:.|\s){0,200}?\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))|\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))(?:.|\s){0,200}?\bkind:[ \t]*["']?secret["']?)
diff --git a/generic/secrets/gitleaks/openshift-user-token.yaml b/generic/secrets/gitleaks/openshift-user-token.yaml
new file mode 100644
index 0000000000..00bcab0a58
--- /dev/null
+++ b/generic/secrets/gitleaks/openshift-user-token.yaml
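Review bot: The kubernetes-secret-yaml pattern spans lines with `(?:.|\s){0,200}?` and `(?:.|\s){0,100}?` (four occurrences); because `.` and `\s` both match a space or tab, a backtracking engine such as PCRE has two ways to consume each such character, so a near-miss (a `kind: Secret` with no qualifying `data:` entry inside the window) can trigger a combinatorial number of retries on whitespace-heavy manifests. The single class `[\s\S]{0,200}?` (or `(?s:.{0,200}?)`) matches exactly the same text with one path per character and should replace all four. The two capturing groups report the same value through group 1 or group 2 depending on whether `kind:` precedes `data:`; that is fine for detection, but a one-line `#` comment above the pattern saying so would stop the next maintainer from trying to collapse them.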
@@ -0,0 +1,26 @@
+rules:
+- id: openshift-user-token
+ message: A gitleaks openshift-user-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: \b(sha256~[\w-]{43})(?:[^\w-]|\z)
diff --git a/generic/secrets/gitleaks/private-key.yaml b/generic/secrets/gitleaks/private-key.yaml
index 13e8f3fef4..63123256b0 100644
--- a/generic/secrets/gitleaks/private-key.yaml
+++ b/generic/secrets/gitleaks/private-key.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S-]*KEY( BLOCK)?----
+ - pattern-regex: (?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----[\s\S-]*KEY(?: BLOCK)?----
diff --git a/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml b/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml
index 72d9b8d4e5..7e77566c8a 100644
--- a/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml
+++ b/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml
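Review bot: The openshift-user-token pattern ends with `(?:[^\w-]|\z)` while every other rule in this batch terminates with `(?:['|\"|\n|\r|\s|\x60|;]|$)`; `\z` is a PCRE/RE2 end-of-subject anchor that CPython's `re` has historically rejected (it spells that anchor `\Z`), so this is the one rule in the set that is not portable across engines. Using the shared idiom, `\b(sha256~[\w-]{43})(?:['|\"|\n|\r|\s|\x60|;]|$)`, or at minimum `$` in place of `\z`, keeps the rules uniform and engine-neutral.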
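Review bot: In the private-key hunk the span between the BEGIN and END markers is still the greedy `[\s\S-]*`, so a file holding several PEM blocks is reported as one finding stretching from the first BEGIN to the last `KEY----`; the commit only converted the two optional groups to non-capturing and left this as it was. A lazy quantifier, `[\s\S]*?KEY(?: BLOCK)?----`, stops at the first END marker and yields one finding per key (the `-` inside the class is already covered by `\S` and can go). This changes what is reported, not whether a key is detected, so it is worth a test fixture with two consecutive keys.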
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)\b(http(?:s??):\/\/)([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$)
+ - pattern-regex: (?i)\bhttps?://([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$)
diff --git a/generic/secrets/gitleaks/slack-app-token.yaml b/generic/secrets/gitleaks/slack-app-token.yaml
index 51c5c8c0b8..163fbdd84e 100644
--- a/generic/secrets/gitleaks/slack-app-token.yaml
+++ b/generic/secrets/gitleaks/slack-app-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)(xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+)
+ - pattern-regex: (?i)xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+
diff --git a/generic/secrets/gitleaks/slack-config-access-token.yaml b/generic/secrets/gitleaks/slack-config-access-token.yaml
index 3d51c7269d..97615b0f22 100644
--- a/generic/secrets/gitleaks/slack-config-access-token.yaml
+++ b/generic/secrets/gitleaks/slack-config-access-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)(xoxe.xox[bp]-\d-[A-Z0-9]{163,166})
+ - pattern-regex: (?i)xoxe.xox[bp]-\d-[A-Z0-9]{163,166}
diff --git a/generic/secrets/gitleaks/slack-config-refresh-token.yaml b/generic/secrets/gitleaks/slack-config-refresh-token.yaml
index f76799ee1e..97233d5573 100644
--- a/generic/secrets/gitleaks/slack-config-refresh-token.yaml
+++ b/generic/secrets/gitleaks/slack-config-refresh-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)(xoxe-\d-[A-Z0-9]{146})
+ - pattern-regex: (?i)xoxe-\d-[A-Z0-9]{146}
diff --git a/generic/secrets/gitleaks/slack-legacy-token.yaml b/generic/secrets/gitleaks/slack-legacy-token.yaml
index e5565a553b..e38bc74a8b 100644
--- a/generic/secrets/gitleaks/slack-legacy-token.yaml
+++ b/generic/secrets/gitleaks/slack-legacy-token.yaml
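Review bot: In the sidekiq-sensitive-url hunk the host alternatives `gems.contribsys.com|enterprise.contribsys.com` are written with unescaped dots, so `.` matches any character and a credential-shaped URL for a look-alike host such as (constructed) `gems-contribsys.com` is flagged as well; the commit simplified the scheme to `https?://` but left this in place. Escaping them, `(?:gems\.contribsys\.com|enterprise\.contribsys\.com)`, pins the match to the two real hosts. The rest of the rewrite is meaning-preserving: `(?:s??)` to `s?` and dropping the scheme capture group do not alter what is matched, and the reported group 1 is still the `user:password` pair.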
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (xox[os]-\d+-\d+-\d+-[a-fA-F\d]+)
+ - pattern-regex: xox[os]-\d+-\d+-\d+-[a-fA-F\d]+
diff --git a/generic/secrets/gitleaks/slack-user-token.yaml b/generic/secrets/gitleaks/slack-user-token.yaml
index 70c5cb0277..26445b53bd 100644
--- a/generic/secrets/gitleaks/slack-user-token.yaml
+++ b/generic/secrets/gitleaks/slack-user-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34})
+ - pattern-regex: xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34}
diff --git a/generic/secrets/gitleaks/square-access-token.yaml b/generic/secrets/gitleaks/square-access-token.yaml
index b5d503e5df..aac623ad64 100644
--- a/generic/secrets/gitleaks/square-access-token.yaml
+++ b/generic/secrets/gitleaks/square-access-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)\b((EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60})(?:['|\"|\n|\r|\s|\x60|;]|$)
+ - pattern-regex: \b((?:EAAA|sq0atp-)[\w-]{22,60})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/telegram-bot-api-token.yaml b/generic/secrets/gitleaks/telegram-bot-api-token.yaml
index a9edae9d57..b73dfe043a 100644
--- a/generic/secrets/gitleaks/telegram-bot-api-token.yaml
+++ b/generic/secrets/gitleaks/telegram-bot-api-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i:(?:telegr)(?:[0-9a-z\(-_\t .\\]{0,40})(?:[\s|']|[\s|"]){0,3})(?:=|\|\|:|<=|=>|:|\?=|\()(?:'|\"|\s|=|\x60){0,5}([0-9]{5,16}:A[a-z0-9_\-]{34})(?:['|\"|\n|\r|\s|\x60|;|\\]|$)
+ - pattern-regex: (?i:telegr(?:[0-9a-z\(-_\t .\\]{0,40})(?:[\s|']|[\s|"]){0,3})(?:=|\|\|:|<=|=>|:|\?=|\()(?:'|\"|\s|=|\x60){0,5}([0-9]{5,16}:A[a-z0-9_\-]{34})(?:['|\"|\n|\r|\s|\x60|;|\\]|$)
diff --git a/generic/secrets/gitleaks/vault-service-token.yaml b/generic/secrets/gitleaks/vault-service-token.yaml
index 87e757131c..34f1b706af 100644
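Review bot: In the telegram-bot-api-token hunk the class `[0-9a-z\(-_\t .\\]` is carried over unchanged, and in PCRE, RE2 and Python an escaped character can start a range, so `\(-_` is the range `(` through `_` (0x28–0x5F) rather than the three literals `(`, `-` and `_`; that range silently admits punctuation such as `)`, `*`, `+`, `/`, `:`, `;`, `=`, `@`, `[`, `\`, `]` and `^` in the 40-character gap after `telegr`. The sibling etsy rule spells the same intent as `[0-9a-z\-_\t .]`, so if literals were meant here the fix is `[0-9a-z(\-_\t .\\]`. The commit only removed the redundant group around `telegr`, so this is pre-existing rather than introduced, but it is the one part of the pattern whose behaviour is most likely not what the author intended.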
--- a/generic/secrets/gitleaks/vault-service-token.yaml
+++ b/generic/secrets/gitleaks/vault-service-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)\b(hvs\.[a-z0-9_-]{90,100})(?:['|\"|\n|\r|\s|\x60|;]|$)
+ - pattern-regex: \b((?:hvs\.[\w-]{90,120}|s\.(?i:[a-z0-9]{24})))(?:['|\"|\n|\r|\s|\x60|;]|$)