gitlab-secret_detection 0.32.0 → 0.33.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 634d085e5d5edc94f7a6d0c8f7ee5cc444db4fbb157fbdd553417a874c1b7adb
-  data.tar.gz: 5cff29f966656f1a10a53cdda190b9479db418409604e2ce5c823f6d2bebf0d1
+  metadata.gz: 677391eaf60a2aea60b9fe351c9e5c4641904749e48dda4e54d8bd4848b6d486
+  data.tar.gz: eee95d816b99088e124c3816c1a65576cd7603993830706e9299dc1f14806486
 SHA512:
-  metadata.gz: 033e6942aac1c8ad699ae07c42b7094e842d44a85b8a68f3659699b6c592db914dabcbceb476723c6dd08ea89fd9a7e530ea5121c5bbb0503fe24b12f6946720
-  data.tar.gz: c14cd7a81a5ddbcc3218a88fc0b90c4bb37a250ec8658f96cdecbfaa5db12a4de818e6e219e7a644e4c575aa82cf17513008f79ebb44a344dbab1fe0af9cf544
+  metadata.gz: fa95b99e2721f085dec57a6f9dc47aca0dda0d7bd91b98dc43e898a9037c59e0122de83dc34c9fac352132ae73032ff2792fdfa6ef8b7b2d7aeafa82ddfc8c6c
+  data.tar.gz: 0e07f18fa8799a90f95ba13194f0c5e6d53894ad21c7b673cb3b6c45e3dd3153b6328b8d41364fc020a066359a3d64bcccd0a514c750163b61cbe1088440174d

data/lib/gitlab/secret_detection/core/secret_push_protection_rules.toml

@@ -1,5 +1,14 @@
-# rule-set version: 0.11.0
+# rule-set version: 0.12.0
 # Rules are auto-generated. See https://gitlab.com/gitlab-org/security-products/secret-detection/secret-detection-rules for instructions on updating the rules.
+[[rules]]
+id = 'AdafruitIOKey'
+regex = '\baio_[A-Za-z]{4}[0-9]{2}[0-9A-Za-z]{22}\b'
+description = 'Adafruit IO Key'
+title = 'Adafruit IO Key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['aio_']
+
 [[rules]]
 id = 'Adobe Client Secret'
 regex = '\b(p8e-)[a-zA-Z0-9]{32}\b'
@@ -9,6 +18,15 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['p8e-']
 
+[[rules]]
+id = 'AivenServicePassword'
+regex = '\bAVNS_[0-9A-Za-z_-]{15,123}\b'
+description = 'Aiven Service Password'
+title = 'Aiven Service Password'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['AVNS_']
+
 [[rules]]
 id = 'anthropic_key'
 regex = '\b(sk-ant-[a-z]{3}\d{2}-[A-Za-z0-9\\-_]{86}-[A-Za-z0-9\\-_]{8})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
@@ -18,6 +36,42 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking', 'client_side_sd']
 keywords = ['sk-ant-']
 
+[[rules]]
+id = 'AsanaPersonalAccessTokenV2'
+regex = '\b2\/[0-9]{16}\/[0-9]{16}:[0-9a-f]{32}\b'
+description = "An Asana personal access token was identified. Personal access tokens allow programmatic access to the Asana API. a\nmalicious actor who got access to this access token could execute functionality with the same permissions as that user."
+title = 'Asana personal access token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke the detected Asana personal access token:\n\n- Sign in to your developer account and access <https://app.asana.com/0/my-apps>\n- Find the token under the \"Personal access tokens\" section of the \"My apps\" page\n- Select \"View details\"\n- Select \"Delete\" in the \"Token details\" dialog\n\nFor more information see [Asana's developer documentation on personal access tokens](https://developers.asana.com/docs/personal-access-token)."
+tags = ['gitlab_blocking']
+keywords = ['2/']
+
+[[rules]]
+id = 'AsanaPersonalAccessTokenV1'
+regex = '\b1\/[0-9]{14,16}:[0-9a-f]{32}\b'
+description = "An Asana personal access token was identified. Personal access tokens allow programmatic access to the Asana API. A\nmalicious actor who got access to this access token could execute functionality with the same permissions as that user."
+title = 'Asana personal access token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['1/']
+
+[[rules]]
+id = 'AtlassianUserApiToken'
+regex = '\bATATT3xFfGF0[0-9A-Za-z_-]{171}=[0-9A-F]{8}\b'
+description = "An Atlassian User API token was detected. User tokens can be used in scripts or other processes to perform basic\nauthentication with Jira Cloud applications or Confluence Cloud. You should treat API tokens as securely as any other\npassword. A malicious actor with access to this token can compromise any repository or Atlassian service this user has\naccess to."
+title = 'Atlassian user API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an Atlassian User API token:\n\n- Sign in to <https://id.atlassian.com/manage-profile/security/api-tokens>.\n- Select \"Revoke\" next to the API token that you want to revoke.\n\nPlease see [Atlassians help page](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/)\nfor more information on managing API tokens for your Atlassian account."
+tags = ['gitlab_blocking']
+keywords = ['ATATT3xFfGF0']
+
+[[rules]]
+id = 'AtlassianApiKey'
+regex = '\bATCTT3xFfGN0[0-9A-Za-z_-]{171}=[0-9A-F]{8}\b'
+description = "An Atlassian Admin API Key or Bitbucket Repository Access Token was identified. These API keys allow you to manage your\norganization through the Atlassian Admin APIs.\n\n- For Admin API Keys a malicious actor can take over the entire organization's Atlassian products and services using\n  this key.\n- For Bitbucket Repository Access Tokens, a malicious actor can gain the privileges assigned to the repository token\n  which could be full access to a repository or just read access to certain aspects of the workspace."
+title = 'Atlassian admin API key / Bitbucket repository access token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an Atlassian Repository Token:\n\n- At <https://bitbucket.org>, go to the repository the access token was created for\n- On the sidebar, select \"Repository Settings\"\n- On the sidebar, under Security, select \"Access tokens\"\n- Find the access token and select \"Revoke\", then confirm that you want to revoke the token\n\nFor more information on revoking and creating Atlassian Bitbucket Repository Tokens, please see their [documentation](https://support.atlassian.com/bitbucket-cloud/docs/create-a-repository-access-token/).\n\nTo revoke an Atlassian Admin API key:\n\n- Go to <https://admin.atlassian.com>\n- Select your organization if you have more than one\n- Select \"Settings > API keys\"\n- Select \"Revoke\" next to the API key\n\nFor more information on revoking and creating Atlassian Admin API Keys, please see their [documentation](https://support.atlassian.com/organization-administration/docs/manage-an-organization-with-the-admin-apis/)."
+tags = ['gitlab_blocking']
+keywords = ['ATCTT3xFfGN0']
+
 [[rules]]
 id = 'AWS'
 regex = '\bAKIA[0-9A-Z]{16}\b'
@@ -27,6 +81,15 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['aws', 'revocation_type', 'gitlab_blocking']
 keywords = ['AKIA']
 
+[[rules]]
+id = 'AzureEntraClientSecret'
+regex = '\b[0-9A-Za-z]{3}8Q~[0-9A-Za-z_.~]{34}\b'
+description = 'Azure Entra Client Secret'
+title = 'Azure Entra Client Secret'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['8Q~']
+
 [[rules]]
 id = 'CircleCIPersonalAccessToken'
 regex = '\bCCIPAT_[a-zA-Z0-9]{22}_[a-f0-9]{40}\b'
@@ -45,15 +108,60 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['CFPAT-']
 
+[[rules]]
+id = 'DockerPersonalAccessToken'
+regex = '\bdckr_pat_[0-9A-Za-z_]{27}\b'
+description = 'Docker Personal Access Token'
+title = 'Docker Personal Access Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['dckr_pat_']
+
 [[rules]]
 id = 'Doppler API token'
-regex = '\b(dp\.pt\.)[a-zA-Z0-9]{43}\b'
+regex = '\bdp\.pt\.[0-9A-Za-z]{40,44}\b'
 description = 'Doppler personal access token was detected.'
 title = 'Doppler API token'
 remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke the Doppler personal access token:\n\n- Open and sign in to <https://dashboard.doppler.com/>\n- Select \"Tokens\" on the right-hand side menu\n- Select the \"Personal\" tab\n- Find the personal token and select \"Roll\" in the Action column\n- After the \"Roll Personal Token\" dialog is displayed select \"Roll\"\n- Copy the new token's value\n\nFor more information please see their documentation: <https://docs.doppler.com/docs/start>"
 tags = ['gitlab_blocking']
 keywords = ['dp.pt.']
 
+[[rules]]
+id = 'Doppler Service token'
+regex = '\bdp\.st\.[0-9A-Za-z]{40,44}\b'
+description = 'Doppler service token was detected.'
+title = 'Doppler Service token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['dp.st.']
+
+[[rules]]
+id = 'Dropbox short lived API token'
+regex = '\bsl\.[0-9A-Za-z_-]{136,200}\b'
+description = "A Dropbox short lived API token was detected. These tokens were deprecated in 2021,\nsee <https://dropbox.tech/developers/migrating-app-permissions-and-access-tokens#introducing-scoped-apps> for more\ndetails."
+title = 'Dropbox short lived API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['sl.']
+
+[[rules]]
+id = 'DynatracePlatformToken'
+regex = '\bdt0s[0-9]{2}\.[A-Z0-9]{8}\.[A-Z0-9]{64}\b'
+description = "A Dynatrace Platform token or OAuth client secret was identified.\n\n- Platform tokens are long-living access tokens for interaction with Dynatrace platform services. They can be created\n  by regular users to consume the services and data inside of Dynatrace by using the API in the bounds of their user\n  permissions.\n- OAuth client secret tokens are tokens for interacting with the API using an OAuth client authorization flow. They can\n  be configured with various permission levels and scopes.\n\nA full list of token types and their prefixes are [documented here](https://docs.dynatrace.com/docs/manage/identity-access-management/access-tokens-and-oauth-clients/access-tokens#token-format-prefixes).\n\nA malicious actor with access to any of these tokens can access and potentially modify application telemetry and cloud\nservice infrastructure information."
+title = 'Dynatrace platform token / OAuth client secret'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information on managing platform access tokens, please see [Dynatrace's platform token documentation](https://docs.dynatrace.com/docs/manage/identity-access-management/access-tokens-and-oauth-clients/platform-tokens#my-platform-tokens)\n\nFor more information on managing OAuth client secrets, please see [Dynatrace's OAuth clients documentation](https://docs.dynatrace.com/docs/manage/identity-access-management/access-tokens-and-oauth-clients/oauth-clients)"
+tags = ['gitlab_blocking']
+keywords = ['dt0s']
+
+[[rules]]
+id = 'FigmaPersonalAccessToken'
+regex = '\bfigd_[0-9A-Za-z_-]{40}\b'
+description = 'Figma Personal Access Token'
+title = 'Figma Personal Access Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['figd_']
+
 [[rules]]
 id = 'GCP OAuth client secret'
 regex = 'GOCSPX-[a-zA-Z0-9_-]{28}'
@@ -108,6 +216,24 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['ghr_']
 
+[[rules]]
+id = 'GithubFineGrainedPersonalAccessToken'
+regex = '\bgithub_pat_[0-9A-Za-z]{22}_[0-9A-Za-z]{59}\b'
+description = "A GitHub fine-grained personal access token was identified. Personal access tokens can be used to access GitHub services\nas the user who created them. These tokens can be given access to public repositories, a single repository or all\nrepositories. A malicious actor with access to this token can execute functionality on behalf of the user with the given\npermissions of the token."
+title = 'GitHub fine-grained personal access token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate a personal access token:\n\n- Sign in to your GitHub account and access <https://github.com/settings/tokens>\n- Under the \"Personal access tokens\" menu in the right hand side, select \"Fine-grained tokens\"\n- Find the token that was identified and select its name in the list\n- Select \"Regenerate token\" at the top of the page\n\nAlternatively, you could select \"Delete this token\" at the bottom of the page and create a new one. Be sure to note\nthe scopes and permissions set before doing this action.\n\nFor more information, please see [GitHubs documentation on personal access tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)."
+tags = ['gitlab_blocking']
+keywords = ['github_pat_']
+
+[[rules]]
+id = 'GithubAppInstallationToken'
+regex = '\bv1\.[0-9A-Fa-f]{40}\b'
+description = 'GitHub App Installation Token'
+title = 'GitHub App Installation Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['v1.']
+
 [[rules]]
 id = 'gitlab_personal_access_token'
 regex = '\b(glpat-[0-9a-zA-Z_\-]{20})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
@@ -228,12 +354,66 @@ keywords = ['.atlasv1.']
 [[rules]]
 id = 'Hashicorp Vault batch token'
 regex = 'b\.AAAAAQ[0-9a-zA-Z_-]{156}'
-description = "A HashiCorp Vault batch token was identified. Batch tokens are used when hundereds to thousands of systems need to\naccess Vault but genenerating unique tokens would not scale. These tokens are usually short lived and bound to a\nspecific vault policy. A malicious actor with access to this token can impersonate a service and would have the same\npermission levels as the policy that the batch token is created for."
+description = "A HashiCorp Vault batch token was identified. Batch tokens are used when hundereds to thousands of systems need to\naccess Vault but generating unique tokens would not scale. These tokens are usually short lived and bound to a\nspecific vault policy. A malicious actor with access to this token can impersonate a service and would have the same\npermission levels as the policy that the batch token is created for."
 title = 'HashiCorp Vault batch token'
 remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nBatch tokens cannot be revoked so you should use very short \"time to live\" values when creating batch tokens.\n\nFor more information, please see [Vault's documentation on batch tokens](https://developer.hashicorp.com/vault/tutorials/tokens/batch-tokens)."
 tags = ['gitlab_blocking']
 keywords = ['b.AAAAAQ']
 
+[[rules]]
+id = 'HighnoteTestSecretKey'
+regex = '\bsk_test_[0-9A-Za-z_]{63,98}\b'
+description = 'Highnote Test Secret Key'
+title = 'Highnote Test Secret Key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['sk_test_']
+
+[[rules]]
+id = 'HighnoteLiveSecretKey'
+regex = '\bsk_live_[0-9A-Za-z_]{63,98}\b'
+description = 'Highnote Live Secret Key'
+title = 'Highnote Live Secret Key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['sk_live_']
+
+[[rules]]
+id = 'Hubspot API token'
+regex = '\bpat-[a-z]{2}[0-9]-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b'
+description = "A HubSpot private app API token was identified. Private apps allow you to use HubSpot's APIs to access specific data\nfrom your HubSpot account and can be restricted by setting specific scopes. A malicious actor with access to this token\ncan call API endpoints with the same levels as those set in the scope of the application. This could be anywhere from\nonly reading marketing campaigns to accessing user and account information and sending emails."
+title = 'HubSpot private app API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate a private app API token:\n\n- Sign in to your HubSpot account at <https://app.hubspot.com/>\n- In the left-hand menu, hover over the database icon and select \"Integrations\"\n- Find the private app that has the identified token and select its name\n- Select the \"Auth\" tab in the top of the page\n- In the \"Access token\" section of the page, select \"Rotate\"\n- Select \"Rotate and expire this token now\" when prompted\n- Select \"Rotate now\" in the \"Rotate access token now?\" dialog\n\nFor more information, please see [HubSpot's documentation on private apps](https://developers.hubspot.com/beta-docs/guides/apps/private-apps/overview)"
+tags = ['gitlab_blocking']
+keywords = ['pat-']
+
+[[rules]]
+id = 'HuggingFaceUserAccessToken'
+regex = '\bhf_[A-Za-z]{34}\b'
+description = 'Hugging Face User Access Token'
+title = 'Hugging Face User Access Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['hf_']
+
+[[rules]]
+id = 'ArtifactoryApiKey'
+regex = '\bAKCp[0-9A-Za-z/+]{69}\b'
+description = "An Artifactory API Key was identified. An Artifactory API Key enable actions like deploying artifacts,\nmanaging repositories, configuring permissions, and retrieving artifacts from JFrog Artifactory repositories.\nIf leaked, a malicious actor could use it to exfiltrate sensitive proprietary code, inject malicious packages into\nthe build pipeline, or delete critical artifacts that could disrupt an organization's software delivery capabilities."
+title = 'Artifactory API Key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['AKCp']
+
+[[rules]]
+id = 'ArtifactoryIdentityToken'
+regex = '\bcmVmd[0-9A-Za-z]{59}\b'
+description = "An Artifactory Identity Token was identified.\nAn Artifactory Identity Token allows authentication to access repositories, download artifacts, upload artifacts,\nand execute privileged operations within JFrog Artifactory based on the token's assigned permissions. If leaked,\na malicious actor could use this token to steal proprietary code, inject compromised dependencies into the software\nsupply chain, or potentially gain unauthorized access to connected CI/CD systems that rely on Artifactory for builds."
+title = 'Artifactory Identity Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['cmVmd']
+
 [[rules]]
 id = 'Linear API token'
 regex = '\blin_api_[a-zA-Z0-9]{40}\b'
@@ -281,12 +461,12 @@ keywords = ['_mmk']
 
 [[rules]]
 id = 'New Relic user API Key'
-regex = "['\\\"](NRAK-[A-Z0-9]{27})['\\\"]"
+regex = '\bNRAK-[0-9A-Z]{27}\b'
 description = "A New Relic user API key was identified. User keys are used for querying data and managing configurations (Alerts,\nSynthetics, dashboards, etc.). A malicious actor with access to this key can execute API requests as the user who\ncreated it."
 title = 'New Relic user API key'
 remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information, please see [New Relic's documentation on rotating API keys](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#rotate-keys)."
 tags = ['gitlab_blocking']
-keywords = ['NRAK']
+keywords = ['NRAK-']
 
 [[rules]]
 id = 'New Relic user API ID'
@@ -333,6 +513,33 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['pscale_tkn_']
 
+[[rules]]
+id = 'PlanetscaleAppSecret'
+regex = '\bpscale_app_secret_[0-9A-Za-z_-]{43}\b'
+description = "A PlanetScale App secret was identified. App secrets are used when allowing users to sign in to your application.\nDepending on the scopes assigned, a malicious actor with access to this secret can impersonate the service to access\nusers details."
+title = 'PlanetScale App secret'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate an OAuth secret:\n\n- Sign in to your PlanetScale account and access <https://app.planetscale.com/>.\n- From the menu on the left-hand side, select \"Settings\"\n- Under \"Settings\", select \"OAuth applications\"\n- Find the application that uses the identified token and select its name\n- Take note of the OAuth application's permissions and scope\n- Select \"Generate secret\"\n\nFor more information, please see [PlanetScale's documentation on OAuth applications](https://planetscale.com/docs/concepts/planetscale-api-oauth-applications#oauth-applications)."
+tags = ['gitlab_blocking']
+keywords = ['pscale_app_secret_']
+
+[[rules]]
+id = 'PlanetscaleOAuthSecret'
+regex = '\bpscale_oauth_[0-9A-Za-z]{32,64}\b'
+description = 'PlanetScale OAuth secret'
+title = 'PlanetScale OAuth secret'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['pscale_oauth_']
+
+[[rules]]
+id = 'PostHogPersonalAPIkey'
+regex = '\bphx_[0-9A-Za-z]{43}\b'
+description = 'A PostHog Personal API key was identified. API keys can enable full access to your account.'
+title = 'Posthog Personal API key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an API Key, sign in to your PostHog account and access your\n[Personal API keys](https://us.posthog.com/settings/user-api-keys).\n\nFor more information, please see [PostHog's API Overview documentation](https://posthog.com/docs/api)."
+tags = ['gitlab_blocking']
+keywords = ['phx_']
+
 [[rules]]
 id = 'PyPI upload token'
 regex = 'pypi-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{50,1000}'
@@ -450,6 +657,33 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['xapp-1-']
 
+[[rules]]
+id = 'SonarQubeUserToken'
+regex = '\bsqu_[0-9a-f]{40}\b'
+description = 'SonarQube User Token'
+title = 'SonarQube User Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['squ_']
+
+[[rules]]
+id = 'SonarQubeGlobalAnalysisToken'
+regex = '\bsqa_[0-9a-f]{40}\b'
+description = 'SonarQube Global Analysis Token'
+title = 'SonarQube Global Analysis Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['sqa_']
+
+[[rules]]
+id = 'SonarQubeProjectAnalysisToken'
+regex = '\bsqp_[0-9a-f]{40}\b'
+description = 'SonarQube Project Analysis Token'
+title = 'SonarQube Project Analysis Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['sqp_']
+
 [[rules]]
 id = 'StripeLiveSecretKey'
 regex = '\bsk_live_[A-Za-z0-9]{99}\b'
@@ -468,6 +702,24 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['rk_live_']
 
+[[rules]]
+id = 'StripeLiveShortSecretKey'
+regex = '\bsk_live_[A-Za-z0-9]{24}\b'
+description = "A Stripe live secret key was identified. Live secret keys authenticate requests on your server when in\nlive mode. By default, you can use this key to perform any API request without restriction. A malicious actor who gained\naccess to this key could gain read/write access to all data in Stripe for this account."
+title = 'Stripe live secret key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Stripe live secret key:\n\n- Sign in to your Stripe account and access <https://dashboard.stripe.com/apikeys>\n- Ensure \"Test mode\" is disabled\n- In the \"Standard keys\" section, find the key that was identified and select the ellipsis in the right-hand side\n- Select \"Roll key...\"\n- In the \"Roll API key\" dialog, select an expiration date, for example \"now\"\n- Select \"Roll API Key\"\n\nFor more information, please see [Stripe's documentation on rotating API keys](https://docs.stripe.com/keys#rolling-keys)."
+tags = ['gitlab_blocking']
+keywords = ['sk_live_']
+
+[[rules]]
+id = 'TencentCloudSecretID'
+regex = '\bAKID[0-9A-Za-z]{32}\b'
+description = 'Tencent Cloud Secret ID'
+title = 'Tencent Cloud Secret ID'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['AKID']
+
 [[rules]]
 id = 'Twilio API Key'
 regex = '\bSK[0-9a-fA-F]{32}\b'
@@ -475,4 +727,40 @@ description = 'Twilio API Key'
 title = 'Twilio API key'
 remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
 tags = ['gitlab_blocking']
-keywords = ['SK', 'twilio']
+keywords = ['SK']
+
+[[rules]]
+id = 'Twilio Account SID'
+regex = '\bAC[0-9a-f]{32}\b'
+description = 'Twilio Account SID'
+title = 'Twilio Account SID'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['AC']
+
+[[rules]]
+id = 'VolcengineAccessKeyID'
+regex = '\bAKLT[0-9A-Za-z]{30,44}\b'
+description = 'Volcengine Access Key ID'
+title = 'Volcengine Access Key ID'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['AKLT']
+
+[[rules]]
+id = 'WakaTimeAPIKey'
+regex = '\bwaka_[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b'
+description = 'WakaTime API Key'
+title = 'WakaTime API Key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['waka_']
+
+[[rules]]
+id = 'Yandex.Cloud API Key'
+regex = '\bAQVN[0123wxyz][0-9A-Za-z_-]{35}\b'
+description = 'Yandex.Cloud API Key'
+title = 'Yandex.Cloud API Key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+tags = ['gitlab_blocking']
+keywords = ['AQVN']

data/lib/gitlab/secret_detection/version.rb

@@ -5,7 +5,7 @@ module Gitlab
     class Gem
       # Ensure to maintain the same version in CHANGELOG file.
       # More details available under 'Release Process' section in the README.md file.
-      VERSION = "0.32.0"
+      VERSION = "0.33.0"
 
       # SD_ENV env var is used to determine which environment the
       # server is running. This var is defined in `.runway/env-<env>.yml` files.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-secret_detection
 version: !ruby/object:Gem::Version
-  version: 0.32.0
+  version: 0.33.0
 platform: ruby
 authors:
 - group::secret detection