gitlab-secret_detection 0.14.2 → 0.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6e705b3e254f6972c25d7f6ef1b9bcbc21a2571bdc861001b3e3bab7999b03ad
-  data.tar.gz: dd47048712bc544fc74d86ed927e4abc9f690253454561f07cb2afabcdcef7e4
+  metadata.gz: a0e9ac1b0ce5d733485b7932dca164974da5f4fc1ef0f3e71d714cdccb9f6ca8
+  data.tar.gz: d4b9e18e4a883cd80ec283eae875bc556d747a0abaa3b584a50c43d5d2d8cf7f
 SHA512:
-  metadata.gz: 97564ccb6513e7ef41482b52c331c8c04759d968015364e5bb345ace5fab446b6938950ee9b5941adc3603bd7da7aaf144747ad572a368b4fca1970110f8de15
-  data.tar.gz: c424885c5629f8bc78356db53950830aa9df9cbbee238fb8901f80670d13716b16badc7c72998179a54dd24cdb2885246c46dd82c95250ba19f2cb46ea44ce50
+  metadata.gz: 02b602fcf3bcc2b3a0ab05ff1bc00f81eedbb22e90fdfd1683d6855828a0916ca69a20f8a88315d1cd49a405225f7d99dceaf7e07053c060f6f41882c2d85544
+  data.tar.gz: 25d87112be19698122507647ca3e823f2727ec04efed202d4305864159d09d8764e78dc4b78de27e2ac0bf346145bc5f39ab93df908f90871d05c37feb3fc36d

data/lib/gitlab/secret_detection/core/secret_push_protection_rules.toml

@@ -1,223 +1,371 @@
-# rule-set version: 0.3.0
+# rule-set version: 0.6.1
 # Rules are auto-generated. See https://gitlab.com/gitlab-org/security-products/secret-detection/secret-detection-rules for instructions on updating the rules.
 [[rules]]
-description = "Anthropic keys"
-id = "anthropic_key"
-keywords = ["sk-ant-"]
-regex = "\\b(sk-ant-[a-z]{3}\\d{2}-[A-Za-z0-9\\\\-_]{86}-[A-Za-z0-9\\\\-_]{8})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "AWS Access Token"
-id = "AWS"
-keywords = ["AKIA"]
-regex = "\\bAKIA[0-9A-Z]{16}\\b"
-tags = ["aws", "revocation_type", "gitlab_blocking"]
-[[rules]]
-description = "GCP API keys can be misused to gain API quota from billed projects"
-id = "GCP API key"
-keywords = ["AIza"]
+id = 'anthropic_key'
+regex = '\b(sk-ant-[a-z]{3}\d{2}-[A-Za-z0-9\\-_]{86}-[A-Za-z0-9\\-_]{8})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
+description = "An Anthropic API key was detected. Anthropic keys are used to access generative AI services. Malicious\nactors could use these keys to build up excessive charges to your account."
+title = 'Anthropic API key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo remediate a leaked Anthropic key, you should delete it from the list of API keys for your organization.\n\n- Sign in to your [Anthropic account](https://console.anthropic.com/)\n- Go to \"API settings\" by selecting your profile icon and then selecting \"API Keys\" or through the Settings tab\n- Identify the leaked API key and select the meatball menu (three horizontal dots) next to the key you want to delete\n- Select \"Delete API Key\"\n  - Note: Deleting an API key is a permanent action and cannot be undone\n- Generate a new key by selecting \"Create Key\" and give it a descriptive name\n\nFor more information, please see Anthropic's website: <https://support.anthropic.com/en/articles/8384961-what-should-i-do-if-i-suspect-my-api-key-has-been-compromised>."
+tags = ['gitlab_blocking']
+keywords = ['sk-ant-']
+examples = ['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', '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', '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', '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', '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']
+
+[[rules]]
+id = 'AWS'
+regex = '\bAKIA[0-9A-Z]{16}\b'
+description = "An AWS Access Token was detected. AWS Access Tokens are usually paired along with their secret key values. A malicious\nactor with access to this token can access AWS services with the same permissions as the user which generated the key,\nprovided they have access to both values."
+title = 'AWS access token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo delete an access key:\n\n- In the \"Access keys\" section, find the key that was identified\n- Select \"Actions\"\n- Select \"Delete\"\n- Follow the instructions in the dialog to first deactivate and then confirm the deletion\n\nFor information on how to manage and revoke access keys for AWS please see their [documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey)."
+tags = ['aws', 'revocation_type', 'gitlab_blocking']
+keywords = ['AKIA']
+examples = ['AKIAT2KV5DSWWSVRCUGP', 'AKIAT2KV5DSW7OXGDEWS', 'AKIAT2KV5DSW64ABURJ2', 'AKIAT2KV5DSWUK3ZBIJE', 'AKIAT2KV5DSWU7SNOI66']
+
+[[rules]]
+id = 'GCP API key'
 regex = "(?i)\\b(AIza[0-9A-Za-z-_]{35})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
-secretGroup = 1
-tags = ["gitlab_partner_token", "revocation_type", "gitlab_blocking"]
-[[rules]]
-description = "GCP OAuth client secrets can be misused to spoof your application"
-id = "GCP OAuth client secret"
-keywords = ["GOCSPX-"]
-regex = "GOCSPX-[a-zA-Z0-9_-]{28}"
-tags = ["gitlab_partner_token", "revocation_type", "gitlab_blocking"]
-[[rules]]
-description = "Google (GCP) Service-account"
-id = "Google (GCP) Service-account"
-keywords = ["service_account"]
-regex = "\\\"private_key\\\":\\s*\\\"-{5}BEGIN PRIVATE KEY-{5}[\\s\\S]*?\","
-tags = ["gitlab_partner_token", "revocation_type", "gitlab_blocking"]
-[[rules]]
-description = "Github Personal Access Token"
-id = "Github Personal Access Token"
-keywords = ["ghp_"]
-regex = "ghp_[0-9a-zA-Z]{36}"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Github OAuth Access Token"
-id = "Github OAuth Access Token"
-keywords = ["gho_"]
-regex = "gho_[0-9a-zA-Z]{36}"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Github App Token"
-id = "Github App Token"
-keywords = ["ghu_", "ghs_"]
-regex = "(ghu|ghs)_[0-9a-zA-Z]{36}"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Github Refresh Token"
-id = "Github Refresh Token"
-keywords = ["ghr_"]
-regex = "ghr_[0-9a-zA-Z]{76}"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "GitLab Personal Access Token"
-id = "gitlab_personal_access_token"
-keywords = ["glpat"]
-regex = "\\b(glpat-[0-9a-zA-Z_\\-]{20})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)"
-tags = ["gitlab", "revocation_type", "gitlab_blocking"]
-[[rules]]
-description = "GitLab Pipeline Trigger Token"
-id = "gitlab_pipeline_trigger_token"
-keywords = ["glptt"]
-regex = "\\b(glptt-[0-9a-zA-Z_\\-]{40})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)"
-tags = ["gitlab", "gitlab_blocking"]
-[[rules]]
-description = "GitLab Runner Registration Token"
-id = "gitlab_runner_registration_token"
-keywords = ["GR1348941"]
-regex = "\\b(GR1348941[0-9a-zA-Z_\\-]{20})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)"
-tags = ["gitlab", "gitlab_blocking"]
-[[rules]]
-description = "GitLab Runner Authentication Token"
-id = "gitlab_runner_auth_token"
-keywords = ["glrt"]
-regex = "\\b(glrt-[0-9a-zA-Z_\\-]{20})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)"
-tags = ["gitlab", "gitlab_blocking"]
-[[rules]]
-description = "GitLab OAuth Application Secrets"
-id = "gitlab_oauth_app_secret"
-keywords = ["gloas"]
-regex = "\\b(gloas-[0-9a-zA-Z_\\-]{64})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)"
-tags = ["gitlab", "gitlab_blocking"]
-[[rules]]
-description = "GitLab Feed token"
-id = "gitlab_feed_token_v2"
-keywords = ["glft"]
-regex = "\\b(glft-[0-9a-zA-Z_\\-]{20})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)"
-tags = ["gitlab", "gitlab_blocking"]
-[[rules]]
-description = "GitLab Agent for Kubernetes token"
-id = "gitlab_kubernetes_agent_token"
-keywords = ["glagent"]
-regex = "\\b(glagent-[0-9a-zA-Z_\\-]{50})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)"
-tags = ["gitlab", "gitlab_blocking"]
-[[rules]]
-description = "GitLab Incoming email token"
-id = "gitlab_incoming_email_token"
-keywords = ["glimt"]
-regex = "\\b(glimt-[0-9a-zA-Z_\\-]{25})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)"
-tags = ["gitlab", "gitlab_blocking"]
-[[rules]]
-description = "Grafana API token"
-id = "Grafana API token"
-keywords = ["grafana"]
+description = "A GCP API key was detected. GCP API keys are used to authorize requests from services, not for users. API keys are\ncommonly used for accessing public data anonymously, and are used to associate API requests with the consumer Google\nCloud project for quota and billing. A malicious actor with access to this key can issue requests to Google Cloud\nservices that are billed to the owning account."
+title = 'GCP API key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an API key:\n\n- Sign in to your GCP account and go to <https://console.cloud.google.com/apis/credentials>\n- Under the \"Actions\" column of the \"API Keys\" table, select the kebab menu (vertical ellipsis) for the identified key\n- Select \"Delete API Key\"\n- When prompted select \"Delete\" in the \"Delete credential\" dialog\n\nFor more information please see [https://cloud.google.com/docs/authentication/api-keys](https://cloud.google.com/docs/authentication/api-keys)"
+tags = ['gitlab_partner_token', 'revocation_type', 'gitlab_blocking']
+keywords = ['AIza']
+examples = ['AIzaSyD7ncvI609LcKJWm50OeQHzLbtTWeaQHrY', 'AIzaSyCtwNzXH9qnS6ejDeQidZ6GlxL6T1Rd2Ik', 'AIzaSyBM_CYHZXOE0AeQ1n2223x54zE0SJhPev8', 'AIzaSyB8otsACvltRM7GnlcDjvXe7tKce4XY9V0', 'AIzaSyCyQUmnK1WVKfVM6WZexUTnqqpdmAzF9lo']
+
+[[rules]]
+id = 'GCP OAuth client secret'
+regex = 'GOCSPX-[a-zA-Z0-9_-]{28}'
+description = "A GCP OAuth client secret was identified. Client secret are used when allowing users to Sign in to your application.\nDepending on the scopes requested, a malicious actor with access to the secret can impersonate the service to access\nusers information."
+title = 'GCP OAuth client secret'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke the OAuth client secret:\n\n- Sign in to your GCP account and go to <https://console.cloud.google.com/apis/credentials>\n- Under the \"Name\" column of \"OAuth 2.0 Client IDs\" table, select the name of the client of the identified key\n- Under the \"Client secrets\" section, you must first add a new secret, select \"Add Secret\"\n- For the identified key, select \"Disable\"\n- When prompted, select \"Disable\" in the \"Disable this secret?\" dialog\n- You may now select the trash icon to delete the disabled key\n\nFor more information, please see [Googles authentication documentation on setting up OAuth 2.0](https://support.google.com/cloud/answer/6158849?hl=en)"
+tags = ['gitlab_partner_token', 'revocation_type', 'gitlab_blocking']
+keywords = ['GOCSPX-']
+examples = ['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', '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', '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', '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', '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']
+
+[[rules]]
+id = 'Google (GCP) Service-account'
+regex = '\"private_key\":\s*\"-{5}BEGIN PRIVATE KEY-{5}[\s\S]*?",'
+description = "A GCP service account was identified. Service accounts can be assigned a wide range of permissions or access.\nA malicious actor with access to the service account can potentially compromise the entire GCP account or have limited\naccess to resources, depending on the access granted."
+title = 'Google (GCP) service account'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke the GCP Service account:\n\n- Sign in to your GCP account and go to <https://console.cloud.google.com/iam-admin/serviceaccounts>\n- Select the correct project from the list (if given a choice)\n- Find the key ID and the associated service account in the \"Service accounts\" table\n- Select the kebab menu (vertical ellipsis) for the identified key and select \"Manage keys\"\n- Select the trash icon next to the identified key\n\nFor more information, please see [Googles documentation on creating service account keys](https://cloud.google.com/iam/docs/keys-create-delete)."
+tags = ['gitlab_partner_token', 'revocation_type', 'gitlab_blocking']
+keywords = ['"private_key":', 'BEGIN PRIVATE KEY']
+examples = []
+
+[[rules]]
+id = 'Github Personal Access Token'
+regex = 'ghp_[0-9a-zA-Z]{36}'
+description = "A GitHub personal access token (classic) was identified. Personal access tokens can be used to access GitHub services\nas the user who created them. In most cases these tokens are given read-write access to all repositories. A malicious\nactor with access to this token can execute functionality on behalf of the user with the given permissions of the token."
+title = 'GitHub personal access token (classic)'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate a personal access token:\n\n- Sign in to your GitHub account and access <https://github.com/settings/tokens>\n- Find the token that was identified and select the name\n- Select \"Regenerate token\" at the top of the page\n\nAlternatively, you could select \"Delete this token\" at the bottom of the page and create a new one. Be sure to note\nthe scopes and permissions set before doing this action.\n\nFor more information, please see [GitHubs documentation on personal access tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)."
+tags = ['gitlab_blocking']
+keywords = ['ghp_']
+examples = ['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', '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', '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', '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', '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']
+
+[[rules]]
+id = 'Github OAuth Access Token'
+regex = 'gho_[0-9a-zA-Z]{36}'
+description = "A GitHub OAuth Access Token was identified. Unlike a traditional OAuth token, user access tokens do not use scopes.\nInstead, it uses fine-grained permissions. A user access token only has permissions that both the user and the app have.\nIf a malicious actor gains access to the token and the app was granted permission to write the contents of a\nrepository, but the user can only read the contents, then the user access token can only read the contents."
+title = 'GitHub OAuth Access Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information, please see [GitHubs documentation to revoke an OAuth access tokens](https://docs.github.com/en/rest/apps/oauth-applications?apiVersion=2022-11-28#delete-an-app-token).\n\nAlso note, GitHub Apps are preferred over OAuth apps, please see [GitHubs documentation for more details](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/differences-between-github-apps-and-oauth-apps)."
+tags = ['gitlab_blocking']
+keywords = ['gho_']
+examples = ['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', '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', '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', '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', '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']
+
+[[rules]]
+id = 'Github App Token'
+regex = '(ghu|ghs)_[0-9a-zA-Z]{36}'
+description = 'GitHub App Token'
+title = 'GitHub app token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['ghu_', 'ghs_']
+examples = ['ghu_y7dK1sBhuwXKEY0Xqb3RFk8uWdN1Cr3n9lS6', 'ghu_FM4I3LxPopaiufPx8Ipxio1FY4Ia9B1tkQdI', 'ghu_xKgLhPRmOv9hcxh68o5uu631ivc8FH2bWft0', 'ghu_TDTtpQXiEbsWeXFWLc7zrETqzhlsGo4S7P5S', 'ghu_CD7rA7x5nFP8wTJMzrADH4ypICN51V0USPUa']
+
+[[rules]]
+id = 'Github Refresh Token'
+regex = 'ghr_[0-9a-zA-Z]{76}'
+description = 'GitHub Refresh Token'
+title = 'GitHub refresh token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['ghr_']
+examples = ['ghr_ITRO0crlZfa4uXNqK438UvsRNNppMsTMpaGS6hlPDaTtU7A9UbTxEfXVruMVOuJPKwCCE32tIa23', 'ghr_3PpqJ7QHRXa1tOnfsmCNXHXGdTy3HC2vPp64b2DI1z695r40XY8SibP40bkfY3VcDFvQuc1ef4qi', 'ghr_6iH3FuHopoiiIzV0W8F5eUy0lviwdxG2EbfondPNI17x5xSpF3lWe6IByzGGTHZ0h05yrQ0oMY8f', 'ghr_SmNefjeZC03MKAUppsyzZVHOG3716LAoEaZ2e4Ci7fGzkzrRJxaJNEUFxZVZLakB15duC805wMoc', 'ghr_pj36SvV8XiDV5uHwPPjQfCkD3cjapYwuPLc2DOcz3rmU3mpqjbhocv6By0iFSy3HPB42Cu1D6Dso']
+
+[[rules]]
+id = 'gitlab_personal_access_token'
+regex = '\b(glpat-[0-9a-zA-Z_\-]{20})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
+description = "A GitLab personal access token was identified. Personal access tokens can be used to access GitLab services\nas the user who created them. In most cases these tokens are given read-write access to all repositories. A malicious\nactor with access to this token can execute functionality on behalf of the user with the given permissions of the token."
+title = 'GitLab personal access token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate a personal access token:\n\n- Sign in to your GitLab account and access: <https://gitlab.com/-/profile/preferences>\n- In the \"User settings\" left-hand side menu, select \"Access tokens\"\n- Find the access token that was identified in the \"Active personal access tokens\" table\n- Note the permissions that were assigned to this token\n- Select the trash icon in the \"Action\" column of the token\n- When prompted, select \"Revoke\""
+tags = ['gitlab', 'revocation_type', 'gitlab_blocking']
+keywords = ['glpat']
+examples = ['glpat-vzDNJu3Lvh4YCCekKsnx', 'glpat-PUhSbkjSK4S6ccPtS_nu', 'glpat-u8jzQK8cz9jNCjo775aG', 'glpat-gBbQ1iU-BDYCF-71JETg', 'glpat-WdCGu2_tGeZ6SqMbKuc6', 'glpat-zvP5wYSKsXLppzFuLydC']
+
+[[rules]]
+id = 'gitlab_personal_access_token_routable'
+regex = '\bglpat-[0-9a-zA-Z_-]{27,300}\.[0-9a-z]{2}[0-9a-z]{7}\b'
+description = 'GitLab Personal Access Token (routable)'
+title = 'GitLab Personal Access Token (routable)'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab', 'revocation_type', 'gitlab_blocking']
+keywords = ['glpat-']
+examples = ['glpat-bzox79Of-KE9FD2LjoXXF4CvyxA.0r03gxo7s', 'glpat-YzozdzVlMTEyNjRzZ3NmCmc6M3c1ZTExMjY0c2dzZgpoOjN3NWUxMTI2NHNnc2YKajozdzVlMTEyNjRzZ3NmCms6M3c1ZTExMjY0c2dzZgpsOjN3NWUxMTI2NHNnc2YKbTozdzVlMTEyNjRzZ3NmCm86M3c1ZTExMjY0c2dzZgpwOjN3NWUxMTI2NHNnc2YKdTozdzVlMTEyNjRzZ3NmPcvif4caKLQwleVqBR5hp3vDX9WAKZKrT318xMVLFzdtP-OZciT7mCO-NDPZnozuj2_LP-aLYwRfzxHkPrxDbBlB.8c1f6ihl5']
+
+[[rules]]
+id = 'gitlab_pipeline_trigger_token'
+regex = '\b(glptt-[0-9a-zA-Z_\-]{40})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
+description = "A GitLab pipeline trigger token was identified. Pipeline trigger tokens can be used to execute pipelines for a branch\nor tag of a project. The token impersonates a user's project access and permissions. A malicious actor with access to\nthis token can execute pipelines with custom variables, potentially being able to compromise the repository."
+title = 'GitLab pipeline trigger token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a pipeline trigger token:\n\n- Sign in to your GitLab account and visit the project that created the pipeline trigger token\n- In the left-hand menu, select \"Settings\"\n- Under the \"Settings\" options, select \"CI/CD\"\n- Under the \"Pipeline trigger tokens\" section find the identified token\n- Select the trash icon in the \"Actions\" column of the \"Active pipeline trigger tokens\" table\n- When prompted, select \"Revoke trigger\"\n\nFor more information, please see [GitLabs documentation on pipeline trigger tokens](https://docs.gitlab.com/ee/ci/triggers/index.html#create-a-pipeline-trigger-token)."
+tags = ['gitlab', 'gitlab_blocking']
+keywords = ['glptt']
+examples = ['glptt-3148005ee63d3decf8c0307ee4b491fbfdbcde2b', 'glptt-47cfe3286b8a496483e8de33ebf8ae99fc09cc02', 'glptt-36296c2ff270f79a5662b6f951bb6cab3b636488', 'glptt-f248878a8bd4a0b5cdf140e3ff47bd40b1fe26c0', 'glptt-d4b33b1347addf641cf23e2227c3c3a462c7d226']
+
+[[rules]]
+id = 'gitlab_runner_registration_token'
+regex = '\b(GR1348941[0-9a-zA-Z_\-]{20})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
+description = "A deprecated GitLab runner registration token was identified. These tokens allow users to register a runner with the\nselected project. A malicious actor with access to this token can add a custom runner to the pipeline and possibly\ncompromise the repository if the runner was used."
+title = 'GitLab runner registration token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate a runner registration token:\n\n- Sign in to your GitLab account and visit the project that created the runner registration token\n- In the left-hand menu, select \"Settings\"\n- Under the \"Settings\" options, select \"CI/CD\"\n- Under the \"Runners\" section, select the kebab menu (vertical ellipsis) next to the \"New project runner\"\n- Select \"Reset registration token\" from the dropdown list\n- When prompted select \"Reset token\" in the \"Reset registration token\" dialog\n\nFor more information, please see [GitLabs documentation on using runner authentication tokens instead](https://docs.gitlab.com/runner/register/#register-with-a-runner-authentication-token)."
+tags = ['gitlab', 'gitlab_blocking']
+keywords = ['GR1348941']
+examples = []
+
+[[rules]]
+id = 'gitlab_runner_auth_token'
+regex = '\b(glrt-[0-9a-zA-Z_\-]{20})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
+description = "A GitLab runner authentication token was identified. These tokens allow users to register or authenticate as a runner\nwith the selected project. A malicious actor with access to this token can add a custom runner to the pipeline and\npossibly compromise the repository if the runner was used."
+title = 'GitLab runner authentication token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a runner authentication token, the runner needs to be removed and re-created\n\n- Sign in to your GitLab account and visit the project that created the runner registration token\n- In the left-hand menu, select \"Settings\"\n- Under the \"Settings\" options, select \"CI/CD\"\n- Under the \"Runners\" section, find the runner with the identified token, (you can check the runner `config.toml` if you\n  are unsure)\n- Select \"Remove runner\"\n- When prompted, select \"Remove\"\n\nFor more information, please see [GitLabs documentation on registering runners](https://docs.gitlab.com/runner/register/)."
+tags = ['gitlab', 'gitlab_blocking']
+keywords = ['glrt']
+examples = []
+
+[[rules]]
+id = 'gitlab_oauth_app_secret'
+regex = '\b(gloas-[0-9a-zA-Z_\-]{64})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
+description = "A GitLab OAuth application secret was identified. OAuth secrets are used when allowing users to sign in to your\napplication. Depending on the scopes assigned, a malicious actor could impersonate the service to access their\nrepositories or data."
+title = 'GitLab OAuth application secret'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate an OAuth secret:\n\n- Sign in to your GitLab account and access: <https://gitlab.com/-/profile/preferences>\n- In the \"User settings\" left-hand side menu, select \"Applications\"\n- Find the application that uses the identified token and select the name link in the \"Name\" column\n- Select \"Renew secret\" in the application details page\n- When prompted, select \"Renew secret\"\n\nFor more information, please see [GitLabs documentation on configuring an OAuth 2.0 provider](https://docs.gitlab.com/ee/integration/oauth_provider.html)"
+tags = ['gitlab', 'gitlab_blocking']
+keywords = ['gloas']
+examples = []
+
+[[rules]]
+id = 'gitlab_feed_token_v2'
+regex = '\b(glft-[0-9a-zA-Z_\-]{20})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
+description = "A GitLab feed token was identified. Your feed token authenticates you when your RSS reader loads a personalized RSS feed\nor when your calendar application loads a personalized calendar. It is visible in those feed URLs. It cannot be used to\naccess any other data. A malicious actor with access to this token can read your personalized RSS feed and issue RSS\nfeeds to your calendar feed as if they were you."
+title = 'GitLab feed token v2'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate a feed token:\n\n- Sign in to your GitLab account and access: <https://gitlab.com/-/profile/preferences>\n- In the \"User settings\" left-hand side menu, select \"Access tokens\"\n- Under the \"Feed token\" section, select the \"reset this token\" link\n- When prompted select \"OK\"\n\nFor more information, please see [GitLabs documentation on feed tokens](https://docs.gitlab.com/ee/security/tokens/#feed-token)."
+tags = ['gitlab', 'gitlab_blocking']
+keywords = ['glft']
+examples = ['glft-_-jaYhe-BDGxJL5cftsT', 'glft-Kbu1dHAFZkkSxHXHQrj9', 'glft-RrZsD6dU_GB15_6gsTUA', 'glft-k2fG9yscyVYjqPPSAEc8', 'glft-jNGswsjgUxxoweyBLCxL']
+
+[[rules]]
+id = 'gitlab_kubernetes_agent_token'
+regex = '\b(glagent-[0-9a-zA-Z_\-]{50})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
+description = "A GitLab Agent for Kubernetes token was identified. The Kubernetes access token is used to authenticate the GitLab agent\nwith a Kubernetes cluster. A malicious actor with access to this token can access source code in the agent's\nconfiguration project, access source code in any public project on the GitLab instance, or even, under very specific\nconditions, obtain a Kubernetes manifest."
+title = 'GitLab Kubernetes agent token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information please see [GitLabs documentation on rotating the Kubernetes agent token](https://docs.gitlab.com/ee/user/clusters/agent/work_with_agent.html#reset-the-agent-token)."
+tags = ['gitlab', 'gitlab_blocking']
+keywords = ['glagent']
+examples = []
+
+[[rules]]
+id = 'gitlab_incoming_email_token'
+regex = '\b(glimt-[0-9a-zA-Z_\-]{25})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
+description = "A GitLab incoming email token was identified. Your incoming email token authenticates you when you create a new issue\nby email, and is included in your personal project-specific email addresses. It cannot be used to access any other data.\nA malicious actor with access to this token can create issues as if they were you."
+title = 'GitLab incoming email token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate a feed token:\n\n- Sign in to your GitLab account and access: <https://gitlab.com/-/profile/preferences>\n- In the \"User settings\" left-hand side menu, select \"Access tokens\"\n- Under the \"Incoming email token\" section, select the \"reset this token\" link\n- When prompted select \"OK\"\n\nFor more information, please see [GitLabs documentation on feed tokens](https://docs.gitlab.com/ee/security/tokens/#feed-token)."
+tags = ['gitlab', 'gitlab_blocking']
+keywords = ['glimt']
+examples = ['glimt-ayq56xygb566edb4tfmujvm7j', 'glimt-9geeuorhl93039xz1qkvcx2dr', 'glimt-8r4ce2t4i84cujpk7tql8a74g', 'glimt-egyyns3scx2zr71n9d4619c7c', 'glimt-ahsxcdernt30bkka3de3xagik']
+
+[[rules]]
+id = 'Grafana API token'
 regex = "['\\\"]eyJrIjoi(?i)[a-z0-9-_=]{72,92}['\\\"]"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Hashicorp Terraform user/org API token"
-id = "Hashicorp Terraform user/org API token"
-keywords = ["atlasv1", "hashicorp", "terraform"]
+description = 'Grafana API token'
+title = 'Grafana API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['eyJrIjoi']
+examples = ['glsa_BHu6ehiG4fZMUqrT0GfDLlrGdfOfjqJd_129dc16e', 'glsa_zPJHWa4D2XqzyQe0MFCIdKIGaEva4cI5_babe87d0', 'glsa_m7Xe5Oap7AoNghVDS37mQvhrlNqyVT2t_e092d808', 'glsa_ADe8xD1o0nqKtDmdaNGluiy5dNhJUpE8_bd8bfed6', 'glsa_xsvHn93uOUHcOL03xcFOTNxbcGogZSZ8_5deb528f', 'glc_eyJvIjoiMTI1OTk5OCIsIm4iOiJwZGMtc2VjcmV0cy1kZWZhdWx0LWZvbyIsImsiOiJPOFBtcjgzRE02MkJzQTg0OTQwTlpYWUciLCJtIjp7InIiOiJwcm9kLXVzLWVhc3QtMCJ9fQ==', 'glc_eyJvIjoiMTI1OTk5OCIsIm4iOiJwZGMtc2VjcmV0cy1kZWZhdWx0LWZvbzIiLCJrIjoiM3NVYjd4MjZnYnM5bzJNcTR3RDM2cDlJIiwibSI6eyJyIjoicHJvZC11cy1lYXN0LTAifX0=', 'glc_eyJvIjoiMTI1OTk5OCIsIm4iOiJwZGMtc2VjcmV0cy1kZWZhdWx0LWYiLCJrIjoiNzFIakp2NnoxNmo5STNSZ1lCbzZaTzg5IiwibSI6eyJyIjoicHJvZC11cy1lYXN0LTAifX0=', 'glc_eyJvIjoiMTI1OTk5OCIsIm4iOiJwZGMtc2VjcmV0cy1kZWZhdWx0LTEiLCJrIjoid2Q4OVhQOHhDNm5ZczI5MjBYOG1NeDZhIiwibSI6eyJyIjoicHJvZC11cy1lYXN0LTAifX0=', 'glc_eyJvIjoiMTI1OTk5OCIsIm4iOiJwZGMtc2VjcmV0cy1kZWZhdWx0LTMiLCJrIjoiNTQwMVlvWVB3TGRhNzExOEk0aHoyeHNKIiwibSI6eyJyIjoicHJvZC11cy1lYXN0LTAifX0=']
+
+[[rules]]
+id = 'Hashicorp Terraform user/org API token'
 regex = "['\\\"](?i)[a-z0-9]{14}\\.atlasv1\\.[a-z0-9-_=]{60,70}['\\\"]"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Hashicorp Vault batch token"
-id = "Hashicorp Vault batch token"
-keywords = ["hashicorp", "AAAAAQ", "vault"]
-regex = "b\\.AAAAAQ[0-9a-zA-Z_-]{156}"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Mailchimp API key"
-id = "Mailchimp API key"
-keywords = ["mailchimp"]
-regex = "(?i)(mailchimp[a-z0-9_ .\\-,]{0,25})(=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([a-f0-9]{32}-us20)['\\\"]"
-secretGroup = 3
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Mailgun private API token"
-id = "Mailgun private API token"
-keywords = ["mailgun"]
-regex = "(?i)(mailgun[a-z0-9_ .\\-,]{0,25})(=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"](key-[a-f0-9]{32})['\\\"]"
-secretGroup = 3
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Mailgun webhook signing key"
-id = "Mailgun webhook signing key"
-keywords = ["mailgun"]
-regex = "(?i)(mailgun[a-z0-9_ .\\-,]{0,25})(=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8})['\\\"]"
-secretGroup = 3
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "New Relic user API Key"
-id = "New Relic user API Key"
-keywords = ["NRAK"]
+description = "A HashiCorp Terraform API token was identified. API tokens can be used to access the HCP Terraform API. A malicious\nactor with access to this token can perform all actions the user account is entitled to."
+title = 'HashiCorp Terraform API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an API token:\n\n- Sign in to the Terraform HCP console and access <https://app.terraform.io/app/settings/tokens>\n- Find the token that was identified\n- Select the trash icon on the right hand side of the token\n- When prompted, select \"Confirm\" in the \"Deleting token ...\" dialog\n\nFor more information, please see [Terraform's documentation on API tokens](https://app.terraform.io/app/settings/tokens)."
+tags = ['gitlab_blocking']
+keywords = ['.atlasv1.']
+examples = ['BizztZSVkU3rqw.atlasv1.hFSzMR14YYmIE8nZ2v4Kocqcr3epoR45XYM9JWShqMCFCkiqqDSN4j2DdGFvLwyqCbg', 'b78m834YOAEGew.atlasv1.IllPgz65bZAzWhF3hws2vGdFaQbyGo3thWawyESHYEWYJLcuoEhyHfTU4BzNfn10JB8', 'Ye7wiL8D6GaHNw.atlasv1.NBTyurc9MNA7bogNoQQ3rM2ni7gLzSmSAGB56Rj7kBxTEOIMmdg76nJKtzL2u01P33U', '77K50cHYnMqzVw.atlasv1.Nr9NqT7567yBTjBsByxzrICUdFzyCFyIYzLXWcGBOwYyy5IGjbxoqmH24j5Eb1IZCAU', '5zdzwLEyAzFhSA.atlasv1.4KETQ2Nd15EUEFO9wagBxzREco6U4Kgqs9AXNFozoRdPIqKUDgiH7t5WdZyyzuyzJJ8', 'D0HrDKkRFRuwiQ.atlasv1.ys8WrENRB1avyTdaYrtStzfGVbPIB5yKJg5UtosC829DQ6a0xno3nXNVzK9z7rIlAYY', 'jcFTJPFZmXd4Sw.atlasv1.vAwLxCQ6pk3zqxT5z0jCasXdgynt3YyQZIycCIv8b2QEf6zKczA9rgpVYBym82b2X2Y', 'X0mfzdxgqgLAXw.atlasv1.NpQWlBmSpgFnP8dX5LiNmsCussVvFKxNgyUy1eVVQa7np0P8bEQx4qKzIHWMREzuKtg', 'Qkc1U9jGuTgDug.atlasv1.qG48mzxAsXp8Buul5ZcFF2WNS3dQ02LeLccOZNtKs03sFep8gNDuEhTTuD8DSNeJlRY']
+
+[[rules]]
+id = 'Hashicorp Vault batch token'
+regex = 'b\.AAAAAQ[0-9a-zA-Z_-]{156}'
+description = "A HashiCorp Vault batch token was identified. Batch tokens are used when hundereds to thousands of systems need to\naccess Vault but genenerating unique tokens would not scale. These tokens are usually short lived and bound to a\nspecific vault policy. A malicious actor with access to this token can impersonate a service and would have the same\npermission levels as the policy that the batch token is created for."
+title = 'HashiCorp Vault batch token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nBatch tokens cannot be revoked so you should use very short \"time to live\" values when creating batch tokens.\n\nFor more information, please see [Vault's documentation on batch tokens](https://developer.hashicorp.com/vault/tutorials/tokens/batch-tokens)."
+tags = ['gitlab_blocking']
+keywords = ['b.AAAAAQ']
+examples = []
+
+[[rules]]
+id = 'Mailchimp API key'
+regex = "(?i)mailchimp[a-z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([a-f0-9]{32}-us20)['\\\"]"
+description = "A Mailchimp API key was identified. API keys can be used send emails, create and send marketing campaigns, access\ncustomer lists and email addresses. A malicious actor with access to this key can perform any API request to Mailchimp\nwithout restriction."
+title = 'Mailchimp API key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an API key:\n\n- Sign in to your Mailchimp account at <https://login.mailchimp.com/>\n- Select your profile icon then select Profile\n- Select the Extras dropdown list then choose \"API keys\"\n- Find the identified key and select \"Revoke\"\n- When prompted, type \"REVOKE\" to confirm and select \"Revoke\" in the \"Revoke API Key\" dialog\n\nFor more information, please see [Mailchimp's documentation on API key security](https://mailchimp.com/help/about-api-keys/#api+key+security)."
+tags = ['gitlab_blocking']
+keywords = ['mailchimp']
+examples = ['309fe248df0ecc5cee6767160cede8c7-us8', '9a06f5c22e96e09309dbd2891da2b342-us8', 'e8add115c8e1c93ebc6b123e589c239d-us8', '1db33fdeae034cedace1a9f60993bc38-us8', 'f24ac423f0ea9cc7f2e11ebdc95d579f-us8']
+
+[[rules]]
+id = 'Mailgun private API token'
+regex = "(?i)mailgun[a-z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"](key-[a-f0-9]{32})['\\\"]"
+description = "A Mailgun private API token was identified. This key allows you to perform read, write, and delete operations through\nvarious API endpoints and for any of your sending domains. A malicious actor with access to this key can perform any API\nrequest to Mailgun without restriction."
+title = 'Mailgun private API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate a private API token:\n\n- Sign in to your Mailgun account and access the dashboard at <https://app.mailgun.com/>\n- On the top right-hand side, select your account profile and then select \"API Security\"\n- Find the identified key and select the trash icon\n  - If you cannot select the trash icon, you must first generate a new key by selecting \"Add new key\"\n- When prompted, select \"Delete\" in the \"Delete API Key\" dialog\n\nFor more information, please see [Mailgun's documentation on API keys](https://documentation.mailgun.com/docs/mailgun/user-manual/get-started/#primary-account-api-key)."
+tags = ['gitlab_blocking']
+keywords = ['mailgun']
+examples = ['bae699190ebfc8aefa84f3bb699cdc0c-72e4a3d5-3cb9d956', 'f64e1d7ec2b9d3571096f0a2fa980104-72e4a3d5-7fdee90c', '254b8c8823761388d8af5ec2498bbfbb-72e4a3d5-69f67519', '9eed30445bb4526c68d90cf2c7fbcaf8-72e4a3d5-32dc5817', '5d2b7ad6d9af5b04c97133121ef527e1-72e4a3d5-ea5a0c8f']
+
+[[rules]]
+id = 'Mailgun webhook signing key'
+regex = "(?i)mailgun[a-z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8})['\\\"]"
+description = "A Mailgun webhook signing key was identified. This key is used by Mailgun to sign all incoming webhook message payloads.\nA malicious actor with access to this key can potentially sign fake webhook events and send it to your service to pass\nvalidation and be processed."
+title = 'Mailgun webhook signing key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your HTTP webhook signing key:\n\n- Sign in to your Mailgun account and access the dashboard at <https://app.mailgun.com/>\n- On the top right-hand side, select your account profile and select \"API Security\"\n- In the \"HTTP webhook signing key\" section, select the rotate arrow icon in the right hand side\n- When prompted, select \"Reset Key\" in the \"Reset HTTP webhook signing key\" dialog\n\nFor more information, please see [Mailgun's documentation on webhooks](https://documentation.mailgun.com/docs/mailgun/user-manual/tracking-messages/#securing-webhooks)."
+tags = ['gitlab_blocking']
+keywords = ['mailgun']
+examples = ['bb9b2f6d3f66695305c2f702b8ed1f10', '10884bc5a2a5abb00a9082336ab87dd6', 'f5b37201455bbb7770869f1f66bd0d00', 'e9710ebe95c09a17e0f63bbdd0a1406c', 'aeaeace2708a8da745b25158df79720c']
+
+[[rules]]
+id = 'New Relic user API Key'
 regex = "['\\\"](NRAK-[A-Z0-9]{27})['\\\"]"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "New Relic user API ID"
-id = "New Relic user API ID"
-keywords = ["newrelic"]
-regex = "(?i)(newrelic[a-z0-9_ .\\-,]{0,25})(=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([A-Z0-9]{64})['\\\"]"
-secretGroup = 3
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "npm access token"
-id = "npm access token"
-keywords = ["npm_"]
+description = "A New Relic user API key was identified. User keys are used for querying data and managing configurations (Alerts,\nSynthetics, dashboards, etc.). A malicious actor with access to this key can execute API requests as the user who\ncreated it."
+title = 'New Relic user API key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information, please see [New Relic's documentation on rotating API keys](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#rotate-keys)."
+tags = ['gitlab_blocking']
+keywords = ['NRAK']
+examples = ['NRAK-YG8Z45MCUC8JLOZSBAZDAD7E3PV', 'NRAK-1CE8GEWKR62LKB8Q9E23PB5LG4Z', 'NRAK-9KV2EB65ATZAGAVFQ11CTUXBTHA', 'NRAK-U3QT1WH79AX2RB0DT7BI73MN3KE', 'NRAK-7JOW06Q0HVF8LLIMBQD2XL0MDQS']
+
+[[rules]]
+id = 'New Relic user API ID'
+regex = "(?i)newrelic[a-z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([A-Z0-9]{64})['\\\"]"
+description = 'New Relic user API ID'
+title = 'New Relic New Relic user API ID'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information, please see [New Relic's documentation on rotating API keys](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#rotate-keys)."
+tags = ['gitlab_blocking']
+keywords = ['newrelic']
+examples = []
+
+[[rules]]
+id = 'npm access token'
 regex = "['\\\"](npm_(?i)[a-z0-9]{36})['\\\"]"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "PyPI upload token"
-id = "PyPI upload token"
-keywords = ["pypi-AgEIcHlwaS5vcmc"]
-regex = "pypi-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{50,1000}"
-tags = ["pypi", "revocation_type", "gitlab_blocking"]
-[[rules]]
-description = "Rubygem API token"
-id = "Rubygem API token"
-keywords = ["rubygems_"]
-regex = "rubygems_[a-f0-9]{48}"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Segment Public API token"
-id = "Segment Public API token"
-keywords = ["sgp_"]
-regex = "sgp_[a-zA-Z0-9]{64}"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Sendgrid API token"
-id = "Sendgrid API token"
-keywords = ["sendgrid"]
-regex = "SG\\.(?i)[a-z0-9_\\-\\.]{66}"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Shopify shared secret"
-id = "Shopify shared secret"
-keywords = ["shpss_"]
-regex = "shpss_[a-fA-F0-9]{32}"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Shopify access token"
-id = "Shopify access token"
-keywords = ["shpat_"]
-regex = "shpat_[a-fA-F0-9]{32}"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Shopify custom app access token"
-id = "Shopify custom app access token"
-keywords = ["shpca_"]
-regex = "shpca_[a-fA-F0-9]{32}"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Shopify private app access token"
-id = "Shopify private app access token"
-keywords = ["shppa_"]
-regex = "shppa_[a-fA-F0-9]{32}"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Slack token"
-id = "Slack token"
-keywords = ["xoxb", "xoxa", "xoxp", "xoxr", "xoxs"]
-regex = "xox[baprs]-([0-9a-zA-Z]{10,48})"
-tags = ["gitlab_blocking"]
-[[rules]]
-description = "Stripe"
-id = "Stripe"
-keywords = ["sk_test", "pk_test", "sk_live", "pk_live"]
-regex = "(?i)(sk|pk)_(test|live)_[0-9a-z]{10,32}"
-tags = ["gitlab_blocking"]
+description = "An npm access token was identified. Access tokens can either be classic or granular, both of which allow customization\nof permissions. Depending on the permissions, a malicious actor with access to this token can read packages and package\ninformation, or create new packages and publish them under the account that created them."
+title = 'npm access token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an access token from the UI:\n\n- Sign in to your npm account at <https://www.npmjs.com/login>\n- In the top right corner, select your profile picture and then select \"Access Tokens\"\n- Find the token that was identified and select \"x\" in the \"Delete\" column\n- When prompted, select \"OK\" in the dialog\n\nFor more information, please see [npm's documentation on revoking access tokens](https://docs.npmjs.com/revoking-access-tokens)."
+tags = ['gitlab_blocking']
+keywords = ['npm_']
+examples = ['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', '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', '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', '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', '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']
+
+[[rules]]
+id = 'PyPI upload token'
+regex = 'pypi-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{50,1000}'
+description = "A PyPi upload token was identified. Upload tokens are used for uploading packages for publishing Python packages.\nA malicious actor with access to this token can upload potentially malicious artifacts."
+title = 'PyPi upload token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nIt is strongly recommended to switch to OIDC Connect instead of using PyPi upload tokens.\nPlease see [PyPi's documentation on trusted publishers](https://docs.pypi.org/trusted-publishers/).\n\nTo delete a PyPi upload token:\n\n- Sign in to your PyPi account and visit <https://pypi.org/manage/account/>\n- Scroll down to the \"API tokens\" section\n- Find the identified token and select the \"Options\" dropdown list\n- Select \"Remove token\"\n- When prompted, enter your password and select \"Remove API Token\"\n\nFor more information, please see [PyPi's documentation on upload tokens](https://pypi.org/help/#apitoken)."
+tags = ['pypi', 'revocation_type', 'gitlab_blocking']
+keywords = ['pypi-AgEIcHlwaS5vcmc']
+examples = ['pypi-AgEIcHlwaS5vcmcCJDhmYTNhZDI3LTVlMDgtNDM3Mi1hMTRhLTU0OWQzNmU1OWI1YwACKlszLCIwODAxOGIxNy03Y2ZlLTQwMDktOTRhZC1iNzM2M2FlMDc0M2EiXQAABiAzqOE4WXxBGDNleANVrOBbWKIgVgpyRNc1U9rXe7wm7A', 'pypi-AgEIcHlwaS5vcmcCJGIyODA0MjkwLTIwNWUtNDU0My1hNjJhLWNkZjk0ZDZjYjM2ZQACKlszLCIwODAxOGIxNy03Y2ZlLTQwMDktOTRhZC1iNzM2M2FlMDc0M2EiXQAABiC_icNR31mWnlcp61UqaDUStiNq1Z8P5eFj5hLtdPqQfQ', 'pypi-AgEIcHlwaS5vcmcCJDE3NzJlM2Q2LWI2NTItNDc1MS1iNWE0LWRjODYxODAyYjExNwACKlszLCIwODAxOGIxNy03Y2ZlLTQwMDktOTRhZC1iNzM2M2FlMDc0M2EiXQAABiCmA5HUpuGEc5DTRqIo2hxe7l5Z9tkXZcBqY-rSJ36NpA', 'pypi-AgEIcHlwaS5vcmcCJDU3MzNjNTU3LTBmODEtNGM3MS1hZmIxLTQ0YWRmYTIwYTljYwACKlszLCIwODAxOGIxNy03Y2ZlLTQwMDktOTRhZC1iNzM2M2FlMDc0M2EiXQAABiBCWxQhPVpUrRsnTZGscqQaSfFn-qoTzQ-1irZ7dXUuRg', 'pypi-AgEIcHlwaS5vcmcCJGFmY2Q1NWZiLTUxNTktNDc0Ny1hNTRhLWQxZjE4ZDk0NDdlYgACKlszLCIwODAxOGIxNy03Y2ZlLTQwMDktOTRhZC1iNzM2M2FlMDc0M2EiXQAABiCnUB78AmNi3pxdqqX-k4iuPAxo-u82eOOGFVvSQYpYKQ']
+
+[[rules]]
+id = 'Rubygem API token'
+regex = 'rubygems_[a-f0-9]{48}'
+description = "A RubyGems API token was identified. RubyGems tokens are used for accessing the API or publishing packages. RubyGems\ntokens can be created with specific permissions or scopes. Depending on the permissions and scope, a malicious actor\nwith access to this token can add or remove packages, add or remove owners, or view the dashboard."
+title = 'RubyGems API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke the API token:\n\n- Sign in to your RubyGems account and access <https://rubygems.org/settings/edit>\n- Scroll down to and select \"API Keys\" or go to <https://rubygems.org/profile/api_keys>\n- Find the identified token and select \"Delete\"\n- When prompted, select \"OK\" in the dialog.\n\nFor more information, please see the [RubyGems documentation on API tokens](https://guides.rubygems.org/api-key-scopes/)."
+tags = ['gitlab_blocking']
+keywords = ['rubygems_']
+examples = ['rubygems_7cb1efb21659eb13f80743b3ad583f1fa016ec90b11a26e1', 'rubygems_4e8e148f86acbb6c437d710f2aeb9e9edbb45fc690019aa0', 'rubygems_f73f741a14437ca06bc535c2bc645342b450ba11e3c66093', 'rubygems_d999bf141a090b45ae493b48164b72ba67e99b22d0c09425', 'rubygems_2b29c365e09f660785ca8e0c50318c4c9e6a2cf03b1b46d4']
+
+[[rules]]
+id = 'Segment Public API token'
+regex = 'sgp_[a-zA-Z0-9]{64}'
+description = "A Segment Public API token was identified. The Segment Public API is used to manage your Segment workspaces and its\nresources. Two types of tokens match this pattern, a workspace owner token and a limited role token. In general these\ntokens allow callers of the API to perform read, write, and delete operations. A malicious actor with access to a\nworkspace owner token can access all workspace data. A limited role token can access the data it was granted access to\non creation."
+title = 'Segment public API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate a Public API token:\n\n- Sign in to your Segment account and access your workspace from <https://app.segment.com/>\n- From the left-hand menu, select \"Settings\" and go to \"Workspace settings\"\n- Select the \"Access Management\" tab in the \"Workspace settings\" page\n- Select the \"Tokens\" tab under \"Access Management\"\n- Find the key that was identified, and select it\n- In the right hand side, select \"Edit token\" in the \"Token Permissions\" section\n- Select \"Remove token\" in the top right corner\n- When prompted, select \"Remove Token\" in the dialog\n\nFor more information, please see [Segment's documentation on their public API](https://segment.com/docs/api/public-api/)."
+tags = ['gitlab_blocking']
+keywords = ['sgp_']
+examples = ['sgp_jb7lIOyJPlwE0E9hRP6XvpaT1kigZlNJeArhTnkbenQWqfQjfCnWmSvcnNKp8sg7', 'sgp_BYBhebjZZDGPPBxOMHxInS7SO7vKenng94UOMOGXpxqmwSLQhwnbd2L4zZCjiuYW', 'sgp_xytsOCZ9KhxtFlI5wwYigJtwTqLrxT8aPUHCE3YJqj1OZnrPjqBR3jIAdAkayLwE', 'sgp_7t1w0iF9YMCSPNyORHR7DxqY6Y3jJczqo03vMsxOGg2HcXRyuHEcCPB4xCQgtk7A', 'sgp_vtEF4OslsPGWct9uXvCEkmtgi7BRbPg81AWTD4d6ffEZEx2F7pthsw1dx9qJEYWP']
+
+[[rules]]
+id = 'Sendgrid API token'
+regex = 'SG\.(?i)[a-z0-9_\-\.]{66}'
+description = 'SendGrid API token'
+title = 'SendGrid API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['SG.']
+examples = ['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', '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', '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', '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', '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']
+
+[[rules]]
+id = 'Shopify shared secret'
+regex = 'shpss_[a-fA-F0-9]{32}'
+description = 'Shopify shared secret'
+title = 'Shopify shared secret'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['shpss_']
+examples = []
+
+[[rules]]
+id = 'Shopify access token'
+regex = 'shpat_[a-fA-F0-9]{32}'
+description = "A Shopify personal access token was identified. Access tokens can be given\nrestricted scopes or be given full access to all store data. A malicious actor who gained\naccess to this token could be able to read or modify store data."
+title = 'Shopify personal access token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nAccess tokens cannot be revoked, you must uninstall and reinstall the application.\n\nPlease see [Shopify's documentation for more details](https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens/generate-app-access-tokens-admin#rotating-api-credentials-for-admin-created-apps)."
+tags = ['gitlab_blocking']
+keywords = ['shpat_']
+examples = ['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', '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', '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', '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', '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']
+
+[[rules]]
+id = 'Shopify custom app access token'
+regex = 'shpca_[a-fA-F0-9]{32}'
+description = 'Shopify custom app access token'
+title = 'Shopify custom app access token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['shpca_']
+examples = []
+
+[[rules]]
+id = 'Shopify private app access token'
+regex = 'shppa_[a-fA-F0-9]{32}'
+description = 'Shopify private app access token'
+title = 'Shopify private app access token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['shppa_']
+examples = []
+
+[[rules]]
+id = 'Slack token'
+regex = 'xox[baprs]-([0-9a-zA-Z]{10,48})'
+description = "A Slack bot user OAuth token was identified. A Slack app's capabilities and permissions are governed by the scopes it\nrequests. A full list of permissions can be found [in Slack's scopes documentation](https://api.slack.com/scopes).\nA malicious actor with access to this token can execute functionality that was assigned to it."
+title = 'Slack bot user OAuth token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Slack bot user OAuth token (Note: This requires all users to re-authorize your application):\n\n- Sign in to Slack and access <https://api.slack.com/apps>\n- Find the application with the identified token and select the name\n- In the left-hand menu, select \"OAuth & Permissions\"\n- Scroll down to \"Revoke All OAuth Tokens\" and select \"Revoke tokens\"\n- When prompted, select \"Yes, I'm sure\" in the \"Are you sure?\" dialog\n- After some time, scroll back up to the \"OAuth Tokens\" section and select \"Reinstall to XXX\", where XXX is your\n  workspace name\n\nFor more information, please see [Slack's documentation on OAuth](https://api.slack.com/authentication/oauth-v2)"
+tags = ['gitlab_blocking']
+keywords = ['xoxb', 'xoxa', 'xoxp', 'xoxr', 'xoxs']
+examples = ['xoxb-7967898138371-7967934633779-exwFiPuoIDixBZFjvyHTPGka', 'xoxb-7967898138371-7967934633779-bihkcIaslf2w5ZaJg6Dny1ke', 'xoxb-7967898138371-7967934633779-50c2xbrQg8vbzDVtS4hyViRt', 'xoxb-7967898138371-7967934633779-xS74FK9ie42Hv3lvVqDA6fdd', 'xoxb-7967898138371-7990872428240-B3ylbmfAcjxqrIeblHcM8ijH']
+
+[[rules]]
+id = 'Stripe'
+regex = '(?i)(?:sk|pk)_(?:test|live)_[0-9a-z]{10,32}'
+description = 'Stripe'
+title = 'Stripe key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information, please see [Stripe's documentation on API keys](https://docs.stripe.com/keys)."
+tags = ['gitlab_blocking']
+keywords = ['sk_test', 'pk_test', 'sk_live', 'pk_live']
+examples = ['pk_live_51QGHnCH7jd4CxLOX5EgcLOzh7PvDrgn3okp8oY2HFWfS5qbCaNI7N3Th004JgJUDgMcnu2d25Aq85503U8r0UaJ100Dpah7Z3f', 'pk_live_51QGHnCH7jd4CxLOXsN1YAZLL6dS3JJfxzy3G5c5kn1j1EhXrjFe1VTwnQZY1gzxKtMvpSIkBV8vmVBtwhWBkbbue0042ZK1LEG', 'pk_live_51QGHnCH7jd4CxLOX4Sg6FZvYoyEFf6Qo0OWABij5eDusHesHJ5R3MdHbqXjyTe9QSyn9vPVZtwSMuaGklkVNhBqK00RA5uErYg', 'pk_live_51QGHnCH7jd4CxLOXBEoPeRyUgtaZaMboLkC0CC6sljqtqGESA3ow6pYFWWtwglB2mbLtc8xUpy321FkQHnQoTrox00Lz2Y0lch', 'pk_live_51QGHnCH7jd4CxLOXZGjJpO9C0FzDoREDdvCv6NsiOGzMIs4R2U0WnXMXltv4V01H13H5THZTVS4nivzPLAMdUXKC008VRUINkL', 'pk_test_51QGIryH5iQO6W72FRj5h33OWLZ3CDDANIOqUGYVrxINOVsTvJkvTkEQMd0idXB9qPD0ADD6sfy3cR03fK4D7npEf008ZtepyDY']

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-secret_detection
 version: !ruby/object:Gem::Version
-  version: 0.14.2
+  version: 0.15.0
 platform: ruby
 authors:
 - group::secret detection
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-18 00:00:00.000000000 Z
+date: 2025-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: grpc