gitlab-secret_detection 0.40.0 → 0.42.0
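--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6a583c94c37e2031d9c0ac6016db3ce14443ef1d3ef66b5dc920bca8a6c2cb04
+data.tar.gz: 9d3f3fd64f1627beb0608d41b89e5c49f0a58f00d4fde340103be0995095dcd4
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 32fe69f21cdce71c2bfe1cbfbd310568cf58a97d62c507afe30f130e745806851b9fd1c5fa4e58ed4608eba0a1ffcd5c95f2452e25c73ce76e4ba216f551743b
+data.tar.gz: 9b44d66f319e52393c1db3d923d2e20c40c81fa7a337c68f3ea492c2d571e1a7576332026e4f53dba59cf9b0efc000c91a4ba09e13d757b928ef7e96ff2feb77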
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# rule-set version: 0.
|
|
1
|
+
# rule-set version: 0.24.3
|
|
2
2
|
# Rules are auto-generated. See https://gitlab.com/gitlab-org/security-products/secret-detection/secret-detection-rules for instructions on updating the rules.
|
|
3
3
|
[[rules]]
|
|
4
4
|
id = 'AdafruitIOKey'
|
|
@@ -189,6 +189,14 @@ remediation = "For general guidance on handling security incidents with regards
|
|
|
189
189
|
tags = ['gitlab_blocking']
|
|
190
190
|
keywords = ['ApiKey-v1']
|
|
191
191
|
|
|
192
|
+
[[rules]]
|
|
193
|
+
id = 'CircleCI access tokens'
|
|
194
|
+
regex = '\bCCI(?:PAT|PRJ)_[a-zA-Z0-9]{22}_[a-f0-9]{40}\b'
|
|
195
|
+
description = "A CircleCI project token was identified. CircleCI project tokens can be given one of three scopes:\n\n- Status\n- Read Only\n- Admin\n\nDepending on the access level of this detected token, a malicious actor with access to this token may be able to gain\nfull access to the project and CI/CD pipelines."
|
|
196
|
+
title = 'CircleCI access token'
|
|
197
|
+
remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate a project token:\n\n- In the sidebar of the CircleCI application select Projects, then the ellipsis (...) next to your project, and select\n \"Project Settings\".\n- Select API Permissions.\n- Select the \"X\" in the Remove column for the token you wish to replace. When the confirmation window appears, enter\n the text DELETE in the form and then select \"Delete API Token\".\n- Select \"Create API Token\".\n- Choose the same scope used for the old token from the dropdown list.\n- In the Label field, type a label for the token. It can be the same name given to the old token.\n- Select \"Add API Token\".\n\nFor more information please see their [documentation on rotating project tokens](https://circleci.com/docs/managing-api-tokens/#rotating-a-project-api-token)."
|
|
198
|
+
keywords = ['CCIPAT', 'CCIPRJ']
|
|
199
|
+
|
|
192
200
|
[[rules]]
|
|
193
201
|
id = 'ContentfulPersonalAccessToken'
|
|
194
202
|
regex = '\bCFPAT-([a-zA-Z0-9_\-]){43}\b'
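Review bot: The new rule's `regex` accepts both `CCIPAT_` and `CCIPRJ_` prefixes, yet its `description` and `remediation` talk only about project tokens, project-token scopes and rotating a token under "Project Settings"; the `CCIPAT` prefix presumably denotes a personal API token, and if so a leaked one has to be revoked from the user's own API-token settings, which this remediation never mentions — confirm against CircleCI's token formats and add a sentence for the personal-token case. The `id = 'CircleCI access tokens'` value is also the only rule id on this page that contains spaces, and it is plural while `title` is singular; the neighbouring rules use identifier-style ids such as `ContentfulPersonalAccessToken`, so `id = 'CircleCIAccessToken'` would follow the file's convention (check for consumers of the id before renaming if ids are stable keys). The rule further carries no `tags` entry, unlike the preceding rule's `tags = ['gitlab_blocking']`; if leaving it non-blocking is deliberate, that deserves a comment. Since the header comment says these rules are auto-generated, all three changes belong in the upstream secret-detection-rules repository rather than in this file.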
|
|
@@ -398,7 +406,7 @@ keywords = ['glpat-']
|
|
|
398
406
|
|
|
399
407
|
[[rules]]
|
|
400
408
|
id = 'gitlab_pipeline_trigger_token'
|
|
401
|
-
regex = '\b(glptt-[0-9a-zA-Z_\-]{40})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
|
|
409
|
+
regex = '\b(glptt-(?:[0-9a-zA-Z_\-]{20}|[0-9a-zA-Z_\-]{40}))(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
|
|
402
410
|
description = "A GitLab pipeline trigger token was identified. Pipeline trigger tokens can be used to execute pipelines for a branch\nor tag of a project. The token impersonates a user's project access and permissions. A malicious actor with access to\nthis token can execute pipelines with custom variables, potentially being able to compromise the repository."
|
|
403
411
|
title = 'GitLab pipeline trigger token'
|
|
404
412
|
remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a pipeline trigger token:\n\n- Sign in to your GitLab account and visit the project that created the pipeline trigger token\n- In the left-hand menu, select \"Settings\"\n- Under the \"Settings\" options, select \"CI/CD\"\n- Under the \"Pipeline trigger tokens\" section find the identified token\n- Select the trash icon in the \"Actions\" column of the \"Active pipeline trigger tokens\" table\n- When prompted, select \"Revoke trigger\"\n\nFor more information, please see [GitLabs documentation on pipeline trigger tokens](https://docs.gitlab.com/ee/ci/triggers/index.html#create-a-pipeline-trigger-token)."
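Review bot: The new alternation `(?:[0-9a-zA-Z_\-]{20}|[0-9a-zA-Z_\-]{40})` tries the 20-character form first, and because `_` and `-` are both valid token characters and members of `[[:punct:]]`, a 40-character token whose 21st character is `_` or `-` satisfies the 20-character branch plus the terminator, so capture group 1 is cut to the first 20 characters even though the rule still fires — a regression from the previous 40-only pattern for those tokens. Ordering the longer alternative first avoids the truncated capture: `regex = '\b(glptt-(?:[0-9a-zA-Z_\-]{40}|[0-9a-zA-Z_\-]{20}))(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'`. The `description` does not explain why two token lengths are now accepted; a short sentence there would help an analyst judge a finding. This rule entry continues past the hunk (its `keywords` line is not shown), and as the file header states the rules are auto-generated, the fix should be made upstream.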
|
|
@@ -5,7 +5,7 @@ module Gitlab
|
|
|
5
5
|
class Gem
|
|
6
6
|
# Ensure to maintain the same version in CHANGELOG file.
|
|
7
7
|
# More details available under 'Release Process' section in the README.md file.
|
|
8
|
-
VERSION = "0.
|
|
8
|
+
VERSION = "0.42.0"
|
|
9
9
|
|
|
10
10
|
# SD_ENV env var is used to determine which environment the
|
|
11
11
|
# server is running. This var is defined in `.runway/env-<env>.yml` files.
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: gitlab-secret_detection
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.42.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- group::secret detection
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date: 2026-
|
|
13
|
+
date: 2026-06-08 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: grpc
|