RubyGems - gitlab-secret_detection - Versions diffs - 0.21.1 → 0.29.1 - Mend

gitlab-secret_detection 0.21.1 → 0.29.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/README.md +1 -1
data/lib/gitlab/secret_detection/core/scanner.rb +2 -2
data/lib/gitlab/secret_detection/core/secret_push_protection_rules.toml +166 -22
data/lib/gitlab/secret_detection/version.rb +1 -1
metadata +167 -21

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 889d73558aa44e46f3ef3e590e5fad55c147795ca567502646df0a45e99009f5
-  data.tar.gz: 9648a61aa8af0b510809197e945bc99e7d865375f39d3edfc1378269f8d9718f
+  metadata.gz: 673a9afd30ab84aa8c163e417ec0fe729fc6ec39c07b15a903e666b3b0d36cc7
+  data.tar.gz: e213724b9cbbfdac19ecab74bf88d7a684396ad6ba875069f6e7dd99f9488617
 SHA512:
-  metadata.gz: f247d572884d48912f3fb9d65b33cb1f010973b5adc9f2602e98599d8856186acd94613fe594c7489402d089ea1e9cd76085d214e5b5df497742dedc592b9806
-  data.tar.gz: 06c14d1d937caf49eed9f78cec0075fa49f0164add65ab6630b7305a46057a94c4170079c98025f4a863755dc7c106eaf01ae16a5216d2ab97fc3f5c9a5c5092
+  metadata.gz: 5e6f2662182666ce60547c9a29bcccc0cd10ec0df4d5d3ebf0310f712e311a56b47a8efabc00592a243dbf71592d405e350f5b68b4cd4706ee29fdb3b1c14ccb
+  data.tar.gz: f06f4926180c559d22945608360a53217bb7ece7d64d8e1548d153745b28fa7fd53b1739c6eb1957008862fe673a8d489627065b4a9122c8b18d0f65492d5b6d

data/README.md CHANGED Viewed

@@ -7,7 +7,7 @@ Reference Issue: https://gitlab.com/groups/gitlab-org/-/epics/13792
 #### Tools and Framework
-- Ruby `3.2.X`
+- Ruby `3.3.X`
 - gRPC framework for serving RPC requests
 ## Feature Distribution

data/lib/gitlab/secret_detection/core/scanner.rb CHANGED Viewed

@@ -235,14 +235,14 @@ module Gitlab
             return nil
           end
-          keywords_regex = include_keywords.join('|')
+          keywords_regex = include_keywords.map { |keyword| RE2::Regexp.quote(keyword) }.join('|')
           logger.debug(
             message: "Creating RE2 Keyword Matcher with set of rule keywords",
             keywords: include_keywords.to_a
           )
-          RE2("\\b(#{keywords_regex})")
+          RE2("(#{keywords_regex})")
         end
         def filter_by_keywords(keyword_matcher, payloads)

data/lib/gitlab/secret_detection/core/secret_push_protection_rules.toml CHANGED Viewed

@@ -1,5 +1,14 @@
-# rule-set version: 0.8.0
+# rule-set version: 0.11.0
 # Rules are auto-generated. See https://gitlab.com/gitlab-org/security-products/secret-detection/secret-detection-rules for instructions on updating the rules.
+[[rules]]
+id = 'Adobe Client Secret'
+regex = '\b(p8e-)[a-zA-Z0-9]{32}\b'
+description = "An Adobe client secret was detected. Adobe client secrets are used to connect to various API or webhook event based\nservices. Depending on which type of service was defined for a project, a malicious actor with access to the secret can\nuse it to gain access to various APIs or events that may contain sensitive information."
+title = 'Adobe client secret'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nRemediation steps depend on which type of client secret was leaked, please see the following\ntypes of remediation steps below and use the one that applies to the secret that was detected.\n\nOAuth (Server-to-Server):\n\n- Sign in to your account at <https://developer.adobe.com/console>\n- Select the project or \"All projects\" to find the project that is impacted\n- On the left-hand side, under \"Credentials\", select \"OAuth Server-to-Server\"\n- Under \"Client Secret\" select \"Retrieve client secret\"\n- After the table of secrets is visible, below the table, select \"Add new client secret\"\n- After the new secret has been created, find the leaked token value and select the trash icon to remove it\n- Copy the secret value and update all services with the new client secret\n\nOAuth Web App (Event based project):\n\n- Sign in to your account at <https://developer.adobe.com/console>\n- Select the project or select \"All projects\" to find the project that is impacted\n- On the left-hand side, under \"Credentials\", select \"OAuth Web App\".\n- Select \"Retrieve client secret\"\n- Verify this is the leaked secret\n- If this project is configured for events, copy all event details before removing it. You can do this by finding the\n  event listed on the right hand side and selecting on it. You should be brought to a dashboard that shows its details\n  such as event delivery methods, providers, subscribed events, and connected Credentials.\n- To remove the event, select \"...\" in the event, which is on the right hand side of the project page, above\n  \"Connect another service\".\n  - Select \"remove\"\n  - When prompted, type in the project name and select \"Delete Events Registration\"\n- In the top right-hand corner, select \"Delete credential\"\n  - When prompted, type in the project name and select \"Delete Credential\"\n- Re-add the event with the same details as before\n  - When prompted to add back the Credentials, be sure to use \"User Authentication\" OAuth\n  - Select \"Web App\" for OAuth 2.0 authentication and authorization\n- After the event has been re-added, under \"Credentials\" on left hand side, select \"OAuth Web App\"\n- Select \"Retrieve client secret\"\n- Copy the secret value and update all services with the new client secret\n\nOAuth Web App (API Service based project):\n\n- Sign in to your account at <https://developer.adobe.com/console>\n- Select the project or select \"All projects\" to find the project that is impacted\n- On the left-hand side, under \"Credentials\", select \"OAuth Web App\"\n- Select \"Retrieve client secret\"\n- If this project is configured for API, select the trash icon \"Remove\" to remove the connected product and service.\n  - When prompted, enter the project name and select \"Remove API\"\n- In the top right-hand corner, select \"Delete credential\"\n  - When prompted, type in the project name and select \"Delete Credential\"\n- Re-add the API with the same details as before\n  - Select \"Web App\" for OAuth 2.0 authentication and authorization\n- After the service has been re-added, on the left-hand side under \"Credentials\", select \"OAuth Web App\"\n- Select \"Retrieve client secret\"\n- Copy the secret value and update all services with the new client secret"
+tags = ['gitlab_blocking']
+keywords = ['p8e-']
 [[rules]]
 id = 'anthropic_key'
 regex = '\b(sk-ant-[a-z]{3}\d{2}-[A-Za-z0-9\\-_]{86}-[A-Za-z0-9\\-_]{8})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
@@ -19,13 +28,31 @@ tags = ['aws', 'revocation_type', 'gitlab_blocking']
 keywords = ['AKIA']
 [[rules]]
-id = 'GCP API key'
-regex = "(?i)\\b(AIza[0-9A-Za-z-_]{35})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
-description = "A GCP API key was detected. GCP API keys are used to authorize requests from services, not for users. API keys are\ncommonly used for accessing public data anonymously, and are used to associate API requests with the consumer Google\nCloud project for quota and billing. A malicious actor with access to this key can issue requests to Google Cloud\nservices that are billed to the owning account."
-title = 'GCP API key'
-remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an API key:\n\n- Sign in to your GCP account and go to <https://console.cloud.google.com/apis/credentials>\n- Under the \"Actions\" column of the \"API Keys\" table, select the kebab menu (vertical ellipsis) for the identified key\n- Select \"Delete API Key\"\n- When prompted select \"Delete\" in the \"Delete credential\" dialog\n\nFor more information please see [https://cloud.google.com/docs/authentication/api-keys](https://cloud.google.com/docs/authentication/api-keys)"
-tags = ['gitlab_partner_token', 'revocation_type', 'gitlab_blocking']
-keywords = ['AIza']
+id = 'CircleCIPersonalAccessToken'
+regex = '\bCCIPAT_[a-zA-Z0-9]{22}_[a-f0-9]{40}\b'
+description = "A CircleCI personal access token was identified. Personal access tokens grant the same level of permissions as the user\nthat created the token. A malicious actor with access to this token can impersonate the user and gain access to all\nfeatures and services in CircleCI."
+title = 'CircleCI Personal Access Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor rotating a Personal Access token:\n\n- In the CircleCI application, go to your User settings.\n- Select \"Personal API Tokens\".\n- Select \"X\" in the Remove column for the token you wish to replace and confirm your deletion.\n- Select \"Create New Token\".\n- In the Token name field, type a new name for the old token you are rotating. It can be the same name given to the old\n  token.\n- Select \"Add API Token\".\n- After the token appears, copy and paste it to another location. It is not possible to view the token again.\n\nFor more information please see their [documentation on rotating personal access tokens](https://circleci.com/docs/managing-api-tokens/#rotating-a-personal-api-token)."
+tags = ['gitlab_blocking']
+keywords = ['CCIPAT_']
+[[rules]]
+id = 'ContentfulPersonalAccessToken'
+regex = '\bCFPAT-([a-zA-Z0-9_\-]){43}\b'
+description = "A Contentful personal access token was identified. Personal access tokens are tied to the user who requests them and\ncarry the same permissions, including access to organizations, spaces, and content."
+title = 'Contentful personal access token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a personal access token:\n\n- Sign in and visit your account profile: <https://app.contentful.com/account/profile/user>\n- Select the \"CMA tokens\" tab in the top menu\n- Identify the token that was detected\n- Select \"Revoke\" in the right hand column\n- Select \"Revoke\" when prompted\n\nFor more information, please see the developer [documentation on personal access tokens](https://www.contentful.com/help/token-management/personal-access-tokens)."
+tags = ['gitlab_blocking']
+keywords = ['CFPAT-']
+[[rules]]
+id = 'Doppler API token'
+regex = '\b(dp\.pt\.)[a-zA-Z0-9]{43}\b'
+description = 'Doppler personal access token was detected.'
+title = 'Doppler API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke the Doppler personal access token:\n\n- Open and sign in to <https://dashboard.doppler.com/>\n- Select \"Tokens\" on the right-hand side menu\n- Select the \"Personal\" tab\n- Find the personal token and select \"Roll\" in the Action column\n- After the \"Roll Personal Token\" dialog is displayed select \"Roll\"\n- Copy the new token's value\n\nFor more information please see their documentation: <https://docs.doppler.com/docs/start>"
+tags = ['gitlab_blocking']
+keywords = ['dp.pt.']
 [[rules]]
 id = 'GCP OAuth client secret'
@@ -99,6 +126,15 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab', 'revocation_type', 'gitlab_blocking', 'client_side_sd']
 keywords = ['glpat-']
+[[rules]]
+id = 'gitlab_personal_access_token_routable_versioned'
+regex = '\bglpat-[0-9a-zA-Z_-]{27,300}\.[0-9a-z]{2}\.[0-9a-z]{2}[0-9a-z]{7}\b'
+description = 'GitLab Personal Access Token (routable)'
+title = 'GitLab Personal Access Token (routable)'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab', 'revocation_type', 'gitlab_blocking', 'client_side_sd']
+keywords = ['glpat-']
 [[rules]]
 id = 'gitlab_pipeline_trigger_token'
 regex = '\b(glptt-[0-9a-zA-Z_\-]{40})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
@@ -126,6 +162,15 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab', 'gitlab_blocking', 'client_side_sd']
 keywords = ['glrt']
+[[rules]]
+id = 'gitlab_runner_auth_token_routable'
+regex = '\bglrt-[0-9a-zA-Z_-]{27,300}\.[0-9a-z]{2}\.[0-9a-z]{2}[0-9a-z]{7}\b'
+description = "A routable GitLab runner authentication token was identified. These tokens allow users to register or authenticate as a runner\nwith the selected project. A malicious actor with access to this token can add a custom runner to the pipeline and\npossibly compromise the repository if the runner was used."
+title = 'GitLab runner authentication token (routable)'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a runner authentication token, the runner needs to be removed and re-created\n\n- Sign in to your GitLab account and visit the project that created the runner registration token\n- In the left-hand menu, select \"Settings\"\n- Under the \"Settings\" options, select \"CI/CD\"\n- Under the \"Runners\" section, find the runner with the identified token, (you can check the runner `config.toml` if you\n  are unsure)\n- Select \"Remove runner\"\n- When prompted, select \"Remove\"\n\nFor more information, please see [GitLabs documentation on registering runners](https://docs.gitlab.com/runner/register/)."
+tags = ['gitlab', 'gitlab_blocking', 'client_side_sd']
+keywords = ['glrt-']
 [[rules]]
 id = 'gitlab_oauth_app_secret'
 regex = '\b(gloas-[0-9a-zA-Z_\-]{64})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
@@ -164,7 +209,7 @@ keywords = ['glimt']
 [[rules]]
 id = 'Grafana API token'
-regex = "['\\\"]eyJrIjoi(?i)[a-z0-9-_=]{72,92}['\\\"]"
+regex = "['\\\"]eyJrIjoi[a-zA-Z0-9-_=]{72,92}['\\\"]"
 description = 'Grafana API token'
 title = 'Grafana API token'
 remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
@@ -173,7 +218,7 @@ keywords = ['eyJrIjoi']
 [[rules]]
 id = 'Hashicorp Terraform user/org API token'
-regex = "['\\\"](?i)[a-z0-9]{14}\\.atlasv1\\.[a-z0-9-_=]{60,70}['\\\"]"
+regex = "['\\\"][a-zA-Z0-9]{14}\\.atlasv1\\.[a-zA-Z0-9-_=]{60,70}['\\\"]"
 description = "A HashiCorp Terraform API token was identified. API tokens can be used to access the HCP Terraform API. A malicious\nactor with access to this token can perform all actions the user account is entitled to."
 title = 'HashiCorp Terraform API token'
 remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an API token:\n\n- Sign in to the Terraform HCP console and access <https://app.terraform.io/app/settings/tokens>\n- Find the token that was identified\n- Select the trash icon on the right hand side of the token\n- When prompted, select \"Confirm\" in the \"Deleting token ...\" dialog\n\nFor more information, please see [Terraform's documentation on API tokens](https://app.terraform.io/app/settings/tokens)."
@@ -189,9 +234,18 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['b.AAAAAQ']
+[[rules]]
+id = 'Linear API token'
+regex = '\blin_api_[a-zA-Z0-9]{40}\b'
+description = "A Linear API token was identified. Personal API tokens can be used to access Linear's GraphQL API. A malicious actor\nwith access to this token can read or write issues, projects and teams to Linear and any systems the account has been\nintegrated with."
+title = 'Linear API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Linear API token:\n\n- Sign in to your account at <https://linear.app/>\n- Select your organization in the top left corner and select \"Preferences\"\n- In the left-hand menu, select \"API\" under \"My Account\"\n- Find the identified API key in the \"Personal API Keys\" section of the page\n- Select \"Revoke\" next to the identified key\n- When prompted, select \"Revoke\" in the \"Revoke access?\" dialog\n\nFor more information, please see [Linear's documentation on using personal API keys](https://developers.linear.app/docs/graphql/working-with-the-graphql-api#personal-api-keys)."
+tags = ['gitlab_blocking']
+keywords = ['lin_api_']
 [[rules]]
 id = 'Mailchimp API key'
-regex = "(?i)mailchimp[a-z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([a-f0-9]{32}-us20)['\\\"]"
+regex = "(?i:mailchimp)[a-zA-Z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([a-f0-9]{32}-us20)['\\\"]"
 description = "A Mailchimp API key was identified. API keys can be used send emails, create and send marketing campaigns, access\ncustomer lists and email addresses. A malicious actor with access to this key can perform any API request to Mailchimp\nwithout restriction."
 title = 'Mailchimp API key'
 remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an API key:\n\n- Sign in to your Mailchimp account at <https://login.mailchimp.com/>\n- Select your profile icon then select Profile\n- Select the Extras dropdown list then choose \"API keys\"\n- Find the identified key and select \"Revoke\"\n- When prompted, type \"REVOKE\" to confirm and select \"Revoke\" in the \"Revoke API Key\" dialog\n\nFor more information, please see [Mailchimp's documentation on API key security](https://mailchimp.com/help/about-api-keys/#api+key+security)."
@@ -200,7 +254,7 @@ keywords = ['mailchimp']
 [[rules]]
 id = 'Mailgun private API token'
-regex = "(?i)mailgun[a-z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"](key-[a-f0-9]{32})['\\\"]"
+regex = "(?i:mailgun)[a-zA-Z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"](key-[a-f0-9]{32})['\\\"]"
 description = "A Mailgun private API token was identified. This key allows you to perform read, write, and delete operations through\nvarious API endpoints and for any of your sending domains. A malicious actor with access to this key can perform any API\nrequest to Mailgun without restriction."
 title = 'Mailgun private API token'
 remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate a private API token:\n\n- Sign in to your Mailgun account and access the dashboard at <https://app.mailgun.com/>\n- On the top right-hand side, select your account profile and then select \"API Security\"\n- Find the identified key and select the trash icon\n  - If you cannot select the trash icon, you must first generate a new key by selecting \"Add new key\"\n- When prompted, select \"Delete\" in the \"Delete API Key\" dialog\n\nFor more information, please see [Mailgun's documentation on API keys](https://documentation.mailgun.com/docs/mailgun/user-manual/get-started/#primary-account-api-key)."
@@ -209,13 +263,22 @@ keywords = ['mailgun']
 [[rules]]
 id = 'Mailgun webhook signing key'
-regex = "(?i)mailgun[a-z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8})['\\\"]"
+regex = "(?i:mailgun)[a-zA-Z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8})['\\\"]"
 description = "A Mailgun webhook signing key was identified. This key is used by Mailgun to sign all incoming webhook message payloads.\nA malicious actor with access to this key can potentially sign fake webhook events and send it to your service to pass\nvalidation and be processed."
 title = 'Mailgun webhook signing key'
 remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your HTTP webhook signing key:\n\n- Sign in to your Mailgun account and access the dashboard at <https://app.mailgun.com/>\n- On the top right-hand side, select your account profile and select \"API Security\"\n- In the \"HTTP webhook signing key\" section, select the rotate arrow icon in the right hand side\n- When prompted, select \"Reset Key\" in the \"Reset HTTP webhook signing key\" dialog\n\nFor more information, please see [Mailgun's documentation on webhooks](https://documentation.mailgun.com/docs/mailgun/user-manual/tracking-messages/#securing-webhooks)."
 tags = ['gitlab_blocking']
 keywords = ['mailgun']
+[[rules]]
+id = 'MaxMind License Key'
+regex = '\b([a-zA-Z0-9]{6}_[a-zA-Z0-9]{29}_mmk)\b'
+description = 'MaxMind License Key'
+title = 'MaxMind License Key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['_mmk']
 [[rules]]
 id = 'New Relic user API Key'
 regex = "['\\\"](NRAK-[A-Z0-9]{27})['\\\"]"
@@ -227,7 +290,7 @@ keywords = ['NRAK']
 [[rules]]
 id = 'New Relic user API ID'
-regex = "(?i)newrelic[a-z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([A-Z0-9]{64})['\\\"]"
+regex = "(?i:newrelic)[a-zA-Z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([a-zA-Z0-9]{64})['\\\"]"
 description = 'New Relic user API ID'
 title = 'New Relic user API ID'
 remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information, please see [New Relic's documentation on rotating API keys](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#rotate-keys)."
@@ -236,13 +299,40 @@ keywords = ['newrelic']
 [[rules]]
 id = 'npm access token'
-regex = "['\\\"](npm_(?i)[a-z0-9]{36})['\\\"]"
+regex = "['\\\"](npm_[a-zA-Z0-9]{36})['\\\"]"
 description = "An npm access token was identified. Access tokens can either be classic or granular, both of which allow customization\nof permissions. Depending on the permissions, a malicious actor with access to this token can read packages and package\ninformation, or create new packages and publish them under the account that created them."
 title = 'npm access token'
 remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an access token from the UI:\n\n- Sign in to your npm account at <https://www.npmjs.com/login>\n- In the top right corner, select your profile picture and then select \"Access Tokens\"\n- Find the token that was identified and select \"x\" in the \"Delete\" column\n- When prompted, select \"OK\" in the dialog\n\nFor more information, please see [npm's documentation on revoking access tokens](https://docs.npmjs.com/revoking-access-tokens)."
 tags = ['gitlab_blocking']
 keywords = ['npm_']
+[[rules]]
+id = 'Onfido Live API Token'
+regex = '\bapi_live(?:_[a-z]{2})?\.[_a-zA-Z0-9]{11}\.[-_a-zA-Z0-9]{32}\b'
+description = 'Onfido Live API Token'
+title = 'Onfido Live API Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['api_live']
+[[rules]]
+id = 'Planetscale password'
+regex = '\bpscale_pw_[a-zA-Z0-9]{43}\b'
+description = "A PlanetScale password was identified. PlanetScale passwords are used to connect to database instances. A malicious\nactor with access to this password can access PlanetScale managed databases."
+title = 'PlanetScale password'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information, please see [PlanetScale's documentation on database connection strings](https://planetscale.com/docs/concepts/connection-strings)."
+tags = ['gitlab_blocking']
+keywords = ['pscale_pw_']
+[[rules]]
+id = 'Planetscale API token'
+regex = '\bpscale_tkn_[a-zA-Z0-9\-_]{43}\b'
+description = "A PlanetScale API service token was identified. Service tokens are created and assigned permissions depending on the\nallowed scope. A malicious actor with access to the service token is granted the same permissions that were assigned to\nthis service token."
+title = 'PlanetScale API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a service token:\n\n- Sign in to your PlanetScale account and access <https://app.planetscale.com/>.\n- From the menu on the left-hand side, select \"Settings\"\n- Under \"Settings\", select \"Service tokens\"\n- Find the identified security token and select its name\n- Take note of its organization access, permissions and scope\n- Select \"Delete service token\" in the top right corner\n- When prompted, select \"Delete\" in the \"Delete service token\" dialog\n\nFor more information, please see [PlanetScale's documentation on service tokens](https://planetscale.com/docs/concepts/service-tokens)."
+tags = ['gitlab_blocking']
+keywords = ['pscale_tkn_']
 [[rules]]
 id = 'PyPI upload token'
 regex = 'pypi-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{50,1000}'
@@ -272,13 +362,40 @@ keywords = ['sgp_']
 [[rules]]
 id = 'Sendgrid API token'
-regex = 'SG\.(?i)[a-z0-9_\-\.]{66}'
+regex = 'SG\.[a-zA-Z0-9_\-\.]{66}'
 description = 'SendGrid API token'
 title = 'SendGrid API token'
 remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
 tags = ['gitlab_blocking']
 keywords = ['SG.']
+[[rules]]
+id = 'Sendinblue API token'
+regex = '\bxkeysib-[a-f0-9]{64}-[a-zA-Z0-9]{16}\b'
+description = 'Brevo API token'
+title = 'Brevo API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['xkeysib-']
+[[rules]]
+id = 'Sendinblue SMTP token'
+regex = '\bxsmtpsib-[a-f0-9]{64}-[a-zA-Z0-9]{16}\b'
+description = 'Brevo SMTP token'
+title = 'Brevo SMTP token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['xsmtpsib-']
+[[rules]]
+id = 'Shippo API token'
+regex = '\bshippo_live_[a-f0-9]{40}\b'
+description = "A live Shippo API token was identified. API tokens can be used to access the Shippo API which is used for shipping services.\nA malicious actor with access to this token can access billing and order information and modify shipping data."
+title = 'Shippo API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an API token:\n\n- Sign in to your Shippo account and access <https://apps.goshippo.com/>\n- In the top right-hand side, select the \"gear\" icon to go to the \"Settings\" page\n- Scroll down in the left hand menu to \"Advanced\" and select \"API\"\n- Under the \"Token\" section, select \"Manage your token\"\n- Find the identified token and select the trash icon\n- When prompted, select \"Yes, remove token\" in the \"Manage Your Tokens\" dialog\n\nFor more information, please see [Shippo's documentation on API keys](https://portal.goshippo.com/api-config/api)."
+tags = ['gitlab_blocking']
+keywords = ['shippo_live_']
 [[rules]]
 id = 'Shopify shared secret'
 regex = 'shpss_[a-fA-F0-9]{32}'
@@ -325,10 +442,37 @@ tags = ['gitlab_blocking']
 keywords = ['xoxb', 'xoxa', 'xoxp', 'xoxr', 'xoxs']
 [[rules]]
-id = 'Stripe'
-regex = '(?i)(?:sk|pk)_(?:test|live)_[0-9a-z]{10,32}'
-description = 'Stripe'
-title = 'Stripe key'
-remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information, please see [Stripe's documentation on API keys](https://docs.stripe.com/keys)."
+id = 'SlackAppLevelToken'
+regex = '\bxapp-1-[A-Z0-9]{11}-[0-9]{13}-[a-f0-9]{64}\b'
+description = "A Slack app level token was identified. App level tokens are for use with Slack apps but only with specific APIs, which\nare related to the app across all organizations where the app is installed. Three scope levels can be assigned:\n\n- connections:write: Route your app's interactions and event payloads over WebSockets\n- authorizations:read: View information about your app's authorizations on installed teams\n- app_configurations:write: Configure your application\n\nA malicious actor with access to this token is granted one or more of the above permissions to access the API with for\na specific application."
+title = 'Slack app level token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Slack app level token:\n\n- Sign in to Slack and access <https://api.slack.com/apps>\n- Find the application with the identified token and select the name\n- In the left-hand menu, select \"Basic Information\"\n- Scroll down to the \"App-Level Tokens\" section and select the token name of the identified token\n- In the token dialog, select \"Revoke\"\n- When prompted, select \"Yes, I'm sure\" in the \"Are you sure?\" dialog"
+tags = ['gitlab_blocking']
+keywords = ['xapp-1-']
+[[rules]]
+id = 'StripeLiveSecretKey'
+regex = '\bsk_live_[A-Za-z0-9]{99}\b'
+description = "A Stripe live secret key was identified. Live secret keys authenticate requests on your server when in\nlive mode. By default, you can use this key to perform any API request without restriction. A malicious actor who gained\naccess to this key could gain read/write access to all data in Stripe for this account."
+title = 'Stripe live secret key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Stripe live secret key:\n\n- Sign in to your Stripe account and access <https://dashboard.stripe.com/apikeys>\n- Ensure \"Test mode\" is disabled\n- In the \"Standard keys\" section, find the key that was identified and select the ellipsis in the right-hand side\n- Select \"Roll key...\"\n- In the \"Roll API key\" dialog, select an expiration date, for example \"now\"\n- Select \"Roll API Key\"\n\nFor more information, please see [Stripe's documentation on rotating API keys](https://docs.stripe.com/keys#rolling-keys)."
+tags = ['gitlab_blocking']
+keywords = ['sk_live_']
+[[rules]]
+id = 'StripeLiveRestrictedKey'
+regex = '\brk_live_[A-Za-z0-9]{99}\b'
+description = "A Stripe live restricted key was identified. Restricted keys offer greater security by only allowing read or write\naccess to specific API resources. A malicious actor with access to this key is limited by the scope defined for the key."
+title = 'Stripe live restricted key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Stripe live restricted key:\n\n- Sign in to your Stripe account and access <https://dashboard.stripe.com/apikeys>\n- Ensure \"Test mode\" is disabled\n- In the \"Restricted keys\" section, find the key that was identified and select the ellipsis in the right-hand side\n- Select \"Roll key...\"\n- In the \"Roll API key\" dialog, select an expiration date, for example \"now\"\n- Select \"Roll API Key\"\n\nFor more information, please see [Stripe's documentation on rotating API keys](https://docs.stripe.com/keys#rolling-keys)."
+tags = ['gitlab_blocking']
+keywords = ['rk_live_']
+[[rules]]
+id = 'Twilio API Key'
+regex = '\bSK[0-9a-fA-F]{32}\b'
+description = 'Twilio API Key'
+title = 'Twilio API key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
 tags = ['gitlab_blocking']
-keywords = ['sk_test', 'pk_test', 'sk_live', 'pk_live']
+keywords = ['SK', 'twilio']

data/lib/gitlab/secret_detection/version.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Gitlab
     class Gem
       # Ensure to maintain the same version in CHANGELOG file.
       # More details available under 'Release Process' section in the README.md file.
-      VERSION = "0.21.1"
+      VERSION = "0.29.1"
       # SD_ENV env var is used to determine which environment the
       # server is running. This var is defined in `.runway/env-<env>.yml` files.

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-secret_detection
 version: !ruby/object:Gem::Version
-  version: 0.21.1
+  version: 0.29.1
 platform: ruby
 authors:
 - group::secret detection
@@ -10,22 +10,28 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-01 00:00:00.000000000 Z
+date: 2025-06-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: grpc
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.63'
+        version: 1.63.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.63'
+        version: 1.63.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: grpc_reflection
   requirement: !ruby/object:Gem::Requirement
@@ -40,20 +46,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.1'
-- !ruby/object:Gem::Dependency
-  name: grpc-tools
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.63'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.63'
 - !ruby/object:Gem::Dependency
   name: parallel
   requirement: !ruby/object:Gem::Requirement
@@ -124,6 +116,160 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: benchmark-malloc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: gitlab-styles
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 13.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 13.1.0
+- !ruby/object:Gem::Dependency
+  name: grpc-tools
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.63'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.63'
+- !ruby/object:Gem::Dependency
+  name: lefthook
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+- !ruby/object:Gem::Dependency
+  name: rspec-benchmark
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.6.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.6.0
+- !ruby/object:Gem::Dependency
+  name: rspec-parameterized
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: |-
   GitLab Secret Detection gem accepts text-based payloads, matches them against predefined secret
       detection rules (based on the ruleset used by GitLab Secrets analyzer), and returns the scan results. The gem also
@@ -183,7 +329,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.19
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: GitLab Secret Detection gem scans for the secret leaks in the given text-based