gitlab-secret_detection 0.36.0 → 0.37.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4f3012454207a549b1a76d4056eb461939939da1464144aedb4b362534227c4
-  data.tar.gz: d001452f5a97941ad46917c4bfd5439f322f4fc6cd96d9ab4a03ef6de7c67363
+  metadata.gz: 12cd8b87cf44e46fcf158c4595798eb41e878f35fac4a84bfd6d726e7fe912b2
+  data.tar.gz: ab3aed02332ce98fa430e9f3bfef9a093a0ff52fbb7d2d8305eb1ddcdf8f3eef
 SHA512:
-  metadata.gz: d931a95b9cb870e8bc3657e02bca3d47d611c331162a80e4fe38cb44e587a64f1305374f405cc95e75f8d3c7a0049ee809d53e32ea92c33bb1cd1fd0f0dff073
-  data.tar.gz: 2e24b44772a14fe81d5e4a4886d00b81481af2af31298adb65a3e01479e00df26fc3e8980e7b9162de92954b23fdd18d1d2be3f93108c6912604d005e9e15d98
+  metadata.gz: e087b47c227bf007dbd0883b10c5485b218225c92824959aa0fa1c4ef2c1e383aa786711076cf7e16f818f8c9a5cbb374487fbc9e646115565d4796734f7d0a5
+  data.tar.gz: 65bb7fad2d7ececc8bd309ef266c3d4e5bbedba615e59d262ee910fe54b1029f6b91ce81c9fc590fec3803a29c32155d6cc59dd98e460ecab32cf719fcc3e0d1

data/lib/gitlab/secret_detection/core/secret_push_protection_rules.toml

@@ -1,4 +1,4 @@
-# rule-set version: 0.17.0
+# rule-set version: 0.18.0
 # Rules are auto-generated. See https://gitlab.com/gitlab-org/security-products/secret-detection/secret-detection-rules for instructions on updating the rules.
 [[rules]]
 id = 'AdafruitIOKey'
@@ -261,6 +261,15 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_partner_token', 'revocation_type', 'gitlab_blocking']
 keywords = ['"private_key":', 'BEGIN PRIVATE KEY']
 
+[[rules]]
+id = 'GCPVertexExpressModeKey'
+regex = '\bAQ\.Ab8R[a-zA-Z0-9_-]{46}\b'
+description = "A GCP Vertex Express Mode Key is an API key used to authenticate requests to Google Cloud's Vertex AI\nplatform in Express Mode. This credential provides access to Vertex AI services including machine learning\nmodel deployment, predictions, and data processing. A malicious actor with this key could consume expensive\ncomputational resources, access sensitive ML models, exfiltrate training data, or manipulate AI workloads."
+title = 'GCP Vertex Express Mode Key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your GCP Vertex Express Mode Key:\n\n1. Log in to the [Google Cloud Console](https://console.cloud.google.com/)\n2. Navigate to \"APIs & Services\" > \"Credentials\" from the main navigation menu\n3. Locate the compromised API key in the list of credentials by matching the key prefix or creation date\n4. Click on the key name to view details, then select \"Delete\" or \"Regenerate Key\" as appropriate\n5. Update all applications, notebooks, and services that reference this key with the new credential\n6. Verify the old key no longer works by attempting an API call and confirming authentication failure\n7. Review Cloud Logging for any unauthorized usage during the exposure period\n\nFor detailed information on managing GCP API keys and Vertex AI security, please see the\n[Managing API Keys documentation](https://cloud.google.com/docs/authentication/api-keys) and\n[Vertex AI Security Best Practices](https://cloud.google.com/vertex-ai/docs/general/security-best-practices)."
+tags = ['gitlab_blocking']
+keywords = ['AQ.Ab8R']
+
 [[rules]]
 id = 'Github Personal Access Token'
 regex = 'ghp_[0-9a-zA-Z]{36}'
@@ -441,6 +450,15 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['b.AAAAAQ']
 
+[[rules]]
+id = 'HashicorpVaultServiceToken'
+regex = '\bhvs\.(?:[a-zA-Z0-9]{24}|CAES[a-zA-Z0-9_-]{80,130})\b'
+description = "A HashiCorp Vault Service Token is an authentication credential used to access HashiCorp Vault, a secrets\nmanagement platform. This token grants access to secrets, encryption keys, and other sensitive data stored in\nVault based on the policies attached to it. A malicious actor with access to this token could read, modify, or\ndelete secrets, potentially compromising entire infrastructure environments and any systems that rely on Vault\nfor credential management."
+title = 'HashiCorp Vault Service Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your HashiCorp Vault Service Token:\n\n1. Log in to your Vault instance at `https://your-vault-address:8200/ui` or use the Vault CLI\n2. Navigate to the \"Access\" section and select \"Auth Methods\" to identify the authentication method used\n3. Use the Vault CLI command `vault token lookup <token>` to identify the compromised token and its accessor\n4. Revoke the token immediately using `vault token revoke <token>` or `vault token revoke -accessor <accessor>`\n5. Generate a new token with appropriate policies using `vault token create -policy=<policy-name>` and update\n   all applications and services that were using the compromised token\n6. Verify the revocation by attempting to use the old token, which should return an authentication error, and\n   audit Vault logs at `/sys/audit` to review any unauthorized access during the exposure period\n\nFor detailed information on managing HashiCorp Vault Service Tokens, please see the\n[Vault Tokens documentation](https://developer.hashicorp.com/vault/docs/concepts/tokens)."
+tags = ['gitlab_blocking']
+keywords = ['hvs.']
+
 [[rules]]
 id = 'HighnoteTestSecretKey'
 regex = '\bsk_test_[0-9A-Za-z_]{63,98}\b'
@@ -495,6 +513,15 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['cmVmd']
 
+[[rules]]
+id = 'KubernetesServiceAccToken'
+regex = 'eyJ[A-Za-z0-9_-]{20,200}\.eyJ[A-Za-z0-9_-]{80,800}(?:c3lzdGVtOnNlcnZpY2VhY2NvdW50|N5c3RlbTpzZXJ2aWNlYWNjb3VudD|zeXN0ZW06c2VydmljZWFjY291bnQ)[A-Za-z0-9_-]{10,400}\.[A-Za-z0-9_-]{20,800}'
+description = "A Kubernetes Service Account Token is a credential used by pods and services to authenticate with the\nKubernetes API server. This token grants access to cluster resources based on the permissions assigned to the\nservice account through Role-Based Access Control (RBAC). A malicious actor with access to this token could\nperform any actions permitted by the service account, including accessing sensitive data, deploying malicious\nworkloads, modifying cluster resources, or escalating privileges within the cluster."
+title = 'Kubernetes Service Account Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your Kubernetes Service Account Token:\n\n1. Access your Kubernetes cluster using kubectl or the Kubernetes Dashboard\n2. Identify the compromised service account by name and namespace\n3. Delete the compromised service account to immediately invalidate all associated tokens:\n   `kubectl delete serviceaccount <service-account-name> -n <namespace>`\n4. Recreate the service account with the same name (this generates a new UID and invalidates old tokens):\n   `kubectl create serviceaccount <service-account-name> -n <namespace>`\n5. Reapply any RBAC roles and role bindings that were associated with the service account\n6. Restart all pods using this service account to mount the new token:\n   `kubectl rollout restart deployment/<deployment-name> -n <namespace>`\n7. Verify pods are running successfully and can authenticate to the API server by checking pod logs\n8. If using long-lived token Secrets (legacy method), delete the Secret containing the compromised token:\n   `kubectl delete secret <secret-name> -n <namespace>`\n\nFor detailed information on managing Kubernetes Service Account Tokens, please see the official\n[Service Accounts documentation](https://kubernetes.io/docs/concepts/security/service-accounts/) and\n[Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)."
+tags = ['gitlab_blocking']
+keywords = ['c3lzdGVtOnNlcnZpY2VhY2NvdW50', 'N5c3RlbTpzZXJ2aWNlYWNjb3VudD', 'zeXN0ZW06c2VydmljZWFjY291bnQ']
+
 [[rules]]
 id = 'LangChainAPIKey'
 regex = 'lsv2_(?:pt|sk)_[a-f0-9]{32}_[a-f0-9]{10}\b'
@@ -783,6 +810,15 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['sqp_']
 
+[[rules]]
+id = 'SplunkAuthToken'
+regex = 'eyJraWQiOiJzcGx1bmsuc2VjcmV0[A-Za-z0-9_-]{20,180}\.[A-Za-z0-9_-]{20,600}\.[A-Za-z0-9_-]{20,200}\b'
+description = "A Splunk Authentication Token is a credential used to authenticate API requests and integrate external\napplications with Splunk Enterprise or Splunk Cloud Platform. This token provides programmatic access to\nSplunk's search, indexing, and administrative capabilities. A malicious actor with access to this token\ncould query sensitive data, modify configurations, or disrupt monitoring operations depending on the\nassociated user's permissions."
+title = 'Splunk Authentication Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your Splunk Authentication Token:\n\n1. Log in to your Splunk instance at `https://your-splunk-instance:8000` (Splunk Enterprise) or your\n   Splunk Cloud Platform URL\n2. Navigate to **Settings** > **Tokens** (or **Settings** > **Users and Authentication** > **Tokens**)\n3. Locate the compromised token in the token list by checking the token description, creation date,\n   or last used timestamp\n4. Click **Delete** next to the compromised token and confirm the deletion\n5. Generate a new authentication token by clicking **New Token**, providing a description, and setting\n   appropriate permissions\n6. Update all applications, scripts, and integrations that were using the old token with the new token\n   value\n7. Verify connectivity by testing API requests with the new token and monitoring audit logs for successful\n   authentication events\n\nFor detailed information on managing Splunk Authentication Tokens, please see the\n[Splunk documentation on securing Splunk Enterprise](https://docs.splunk.com/Documentation/Splunk/latest/Security/Setupauthenticationwithtokens)\nand\n[token management](https://docs.splunk.com/Documentation/Splunk/latest/Security/UseAuthTokens)."
+tags = ['gitlab_blocking']
+keywords = ['eyJraWQiOiJzcGx1bmsuc2VjcmV0']
+
 [[rules]]
 id = 'StripeLiveSecretKey'
 regex = '\bsk_live_[A-Za-z0-9]{99}\b'

data/lib/gitlab/secret_detection/version.rb

@@ -5,7 +5,7 @@ module Gitlab
     class Gem
       # Ensure to maintain the same version in CHANGELOG file.
       # More details available under 'Release Process' section in the README.md file.
-      VERSION = "0.36.0"
+      VERSION = "0.37.0"
 
       # SD_ENV env var is used to determine which environment the
       # server is running. This var is defined in `.runway/env-<env>.yml` files.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-secret_detection
 version: !ruby/object:Gem::Version
-  version: 0.36.0
+  version: 0.37.0
 platform: ruby
 authors:
 - group::secret detection
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-10-13 00:00:00.000000000 Z
+date: 2025-10-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: grpc