gitlab-secret_detection 0.33.4 → 0.34.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: a741f757e4d395301c6ccd0a9b855a642f5158b2fa6ea91996ab41c8eeac3132
4
- data.tar.gz: d485d40dc01e20a3c174cf03a0d5ab665ab9f82b2814984eaf192aa2db0297fa
3
+ metadata.gz: 8558c035ae55ad1b3adea5106c857176618c8077394093becee9d8706b41685f
4
+ data.tar.gz: 96af12dda6a1b4c9a4898705879bb487d1434197894c331d45c05aa008c0e0dd
5
5
  SHA512:
6
- metadata.gz: 7c911cf73b59d9d0f86438e5c101d0e6f33eb2e304ece2f2a67535074ff22e71d661576e0a95529657c2c195ad9afd59c8d56e00c598e5370e0384510935878c
7
- data.tar.gz: 30e1c079bca76961ecac27e6838dee09bd27afff704501e061401164e0a2fe32a1b07d4d10c6d2ba0485d1579a18260c7a3d77b2a92f627df5fc67b3385b68bc
6
+ metadata.gz: eb2fa2babef91230b6baf9ab1b263afc59a8080cb589ac481cacd6741330e64bc8c37235a40eb9d838bfd5bb995722eadd245cae42272ac1db334b84213b5a66
7
+ data.tar.gz: c257856d080344cd5c237da7828688b52bea940482299f458592106f97cc195f2fd45e043ac698f937cc6feebef17a73f03ae41e78371b58b623cbd95a74bffb
@@ -1,4 +1,4 @@
1
- # rule-set version: 0.12.0
1
+ # rule-set version: 0.14.0
2
2
  # Rules are auto-generated. See https://gitlab.com/gitlab-org/security-products/secret-detection/secret-detection-rules for instructions on updating the rules.
3
3
  [[rules]]
4
4
  id = 'AdafruitIOKey'
@@ -27,6 +27,15 @@ remediation = "For general guidance on handling security incidents with regards
27
27
  tags = ['gitlab_blocking']
28
28
  keywords = ['AVNS_']
29
29
 
30
+ [[rules]]
31
+ id = 'AmazonOAuthClientID'
32
+ regex = '\bamzn1\.application-oa2-client\.[a-fA-F0-9]{32}\b'
33
+ description = "An Amazon OAuth Client ID was detected. This credential is part of Amazon's Login with Amazon service\nand is used for OAuth 2.0 authentication flows to allow users to sign in using their Amazon\ncredentials. The Client ID is typically paired with a Client Secret for secure authentication. A\nmalicious actor with access to these credentials could potentially impersonate your application,\nredirect users to malicious sites, or access customer profile data that users have consented to share."
34
+ title = 'AmazonOAuthClientID'
35
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Amazon OAuth Client ID credentials:\n\n1. Log in to the Amazon Developer Console at <https://developer.amazon.com>\n2. Navigate to Apps & Services > My Apps, or go directly to the Login with Amazon console at\n <https://developer.amazon.com/loginwithamazon/console/site/lwa/overview.html>\n3. Locate the security profile associated with your compromised Client ID from the Security Profile\n Management table\n4. Click on the security profile name, then select \"Web Settings\" from the management options\n5. Click the \"Rotate Secret\" button to generate a new Client Secret (the Client ID remains the same)\n6. Update all applications, services, and configurations that use this Client ID with the new Client\n Secret\n7. Test your applications to ensure they can successfully authenticate with the new credentials\n8. The old Client Secret will expire automatically after 7 days, providing a grace period for\n updates\n\nFor detailed information on managing Amazon OAuth credentials and Login with Amazon security profiles,\nplease see the\n[Login with Amazon Documentation](https://developer.amazon.com/docs/login-with-amazon/documentation-overview.html)."
36
+ tags = ['gitlab_blocking']
37
+ keywords = ['amzn1.application-oa2-client']
38
+
30
39
  [[rules]]
31
40
  id = 'anthropic_key'
32
41
  regex = '\b(sk-ant-[a-z]{3}\d{2}-[A-Za-z0-9\\-_]{86}-[A-Za-z0-9\\-_]{8})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
@@ -90,6 +99,33 @@ remediation = "For general guidance on handling security incidents with regards
90
99
  tags = ['gitlab_blocking']
91
100
  keywords = ['8Q~']
92
101
 
102
+ [[rules]]
103
+ id = 'AzureAPIManagementGatewayKey'
104
+ regex = 'GatewayKey [A-Za-z0-9_-]{3,64}&[0-9]{12}&[A-Za-z0-9+\/]{60,90}=='
105
+ description = "An Azure API Management Gateway Key was detected. These keys provide access to APIs\npublished through Azure API Management services and are tied to specific subscriptions and products. A\nmalicious actor with access to this key can consume APIs within the configured rate limits and access\npolicies, potentially leading to unauthorized data access, service abuse, or unexpected charges."
106
+ title = 'AzureAPIManagementGatewayKey'
107
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate your Azure API Management Gateway Key:\n\n1. Log in to the [Azure Portal](https://portal.azure.com)\n2. Navigate to your API Management service instance\n3. In the left menu, select \"Subscriptions\" under the \"APIs\" section\n4. Locate the compromised subscription by matching the key prefix or subscription name\n5. Click on the subscription name to open its details\n6. In the subscription details, click \"Regenerate primary key\" or \"Regenerate secondary key\"\n (regenerate the compromised key)\n7. Update all applications and clients that use this subscription key with the new key value\n8. Monitor API usage logs to verify the old key is no longer being used\n9. Consider temporarily disabling the subscription if immediate key rotation isn't possible\n\nFor detailed information on managing Azure API Management subscriptions and keys, please see the\n[Azure API Management documentation](https://docs.microsoft.com/en-us/azure/api-management/api-management-subscriptions)."
108
+ tags = ['gitlab_blocking']
109
+ keywords = ['GatewayKey']
110
+
111
+ [[rules]]
112
+ id = 'AzureAPIManagementDirectKey'
113
+ regex = '(?:[Oo]cp-Apim-Subscription-Key).{0,4}[:=].{0,4}([0-9a-fA-F]{32})\b'
114
+ description = "An Azure API Management Direct Key is a subscription key that provides direct access to APIs managed by Azure\nAPI Management service. These keys authenticate and authorize access to published APIs and can be configured with\ndifferent access levels and rate limits. A malicious actor with access to this key could consume your APIs,\npotentially causing service degradation, data exposure, or unexpected charges based on the permissions and quotas\nassociated with the compromised key."
115
+ title = 'AzureAPIManagementDirectKey'
116
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your Azure API Management Direct Key:\n\n1. Log in to the Azure portal at <https://portal.azure.com>\n2. Navigate to your API Management service instance by searching for \"API Management\" or accessing it through\n your resource groups\n3. In the left navigation pane, select \"Subscriptions\" under the \"APIs\" section\n4. Locate the compromised subscription key by reviewing the subscription names, key values, or creation dates\n5. Click on the subscription containing the compromised key, then select \"Regenerate primary key\" or\n \"Regenerate secondary key\" as appropriate, or delete the subscription entirely if no longer needed\n6. Update all applications, services, and clients that use this subscription key with the new key value and\n verify API calls are functioning correctly\n\nFor detailed information on managing Azure API Management Direct Key, please see the\n[Azure API Management subscription documentation](https://docs.microsoft.com/en-us/azure/api-management/api-management-subscriptions)."
117
+ tags = ['gitlab_blocking']
118
+ keywords = ['Ocp-Apim-Subscription-Key', 'ocp-Apim-Subscription-Key']
119
+
120
+ [[rules]]
121
+ id = 'CDSCanadaNotifyAPIKey'
122
+ regex = 'ApiKey-v1 gcntfy-[a-zA-Z0-9_\-]{1,64}-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}'
123
+ description = "A Canada Digital Service Notify API Key provides programmatic access to GC Notify, the Government of\nCanada's official notification service for sending emails and text messages to citizens and users.\nThis credential allows applications to automatically send notifications through the GC Notify platform,\nwhich is used for government communications including appointment reminders, application status updates,\nand authentication codes. A malicious actor with access to this API key could send unauthorized\nemails and text messages through government channels, potentially damaging public trust or conducting\nphishing attacks using official government branding."
124
+ title = 'CDSCanadaNotifyAPIKey'
125
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your Canada Digital Service Notify API Key:\n\n1. Sign in to GC Notify at <https://notification.canada.ca/sign-in>\n2. Go to the API integration page from the main dashboard\n3. Select \"API keys\" from the available options\n4. Locate the compromised API key in the list and select \"Revoke\" for that specific key\n5. Create a new API key by selecting \"Create an API key\" and configure it with appropriate permissions\n6. Update all applications, scripts, and systems that use the old API key with the new credentials\n7. Verify the change was successful by testing a notification through the API or checking the\n dashboard for recent activity\n\nFor detailed information on managing Canada Digital Service Notify API Key, please see the\n[Official API Keys Documentation](https://documentation.notification.canada.ca/en/keys.html)."
126
+ tags = ['gitlab_blocking']
127
+ keywords = ['ApiKey-v1']
128
+
93
129
  [[rules]]
94
130
  id = 'CircleCIPersonalAccessToken'
95
131
  regex = '\bCCIPAT_[a-zA-Z0-9]{22}_[a-f0-9]{40}\b'
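Review bot: The `CDSCanadaNotifyAPIKey` regex only fires on a key preceded by the literal header value `ApiKey-v1 `, and `keywords = ['ApiKey-v1']` prefilters on that same framing, so a GC Notify key committed on its own (an `.env` or settings file holding `gcntfy-<name>-<uuid>-<uuid>`) is not detected at all; the `gcntfy-` prefix plus the two UUIDs is distinctive enough to anchor on, so I would replace the leading `ApiKey-v1 gcntfy-` with `(?:ApiKey-v1 )?\bgcntfy-` and set `keywords = ['gcntfy-']`. Separately, the `AzureAPIManagementGatewayKey` remediation tells the user to regenerate a subscription key, but that rule's own regex describes a `GatewayKey <name>&<12 digits>&<base64>==` token, which does not resemble the 32-hex subscription key the sibling `AzureAPIManagementDirectKey` rule matches; this looks like the self-hosted gateway authentication token (confirm against the Azure docs), in which case the remediation should point at regenerating the gateway's keys under the gateway's Deployment blade rather than under Subscriptions. The `CircleCIPersonalAccessToken` table at the end of the hunk continues past it.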
@@ -5,7 +5,7 @@ module Gitlab
5
5
  class Gem
6
6
  # Ensure to maintain the same version in CHANGELOG file.
7
7
  # More details available under 'Release Process' section in the README.md file.
8
- VERSION = "0.33.4"
8
+ VERSION = "0.34.0"
9
9
 
10
10
  # SD_ENV env var is used to determine which environment the
11
11
  # server is running. This var is defined in `.runway/env-<env>.yml` files.
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: gitlab-secret_detection
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.33.4
4
+ version: 0.34.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - group::secret detection