gitlab-secret_detection 0.32.0 → 0.33.0

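--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 634d085e5d5edc94f7a6d0c8f7ee5cc444db4fbb157fbdd553417a874c1b7adb
-data.tar.gz: 5cff29f966656f1a10a53cdda190b9479db418409604e2ce5c823f6d2bebf0d1
+metadata.gz: 677391eaf60a2aea60b9fe351c9e5c4641904749e48dda4e54d8bd4848b6d486
+data.tar.gz: eee95d816b99088e124c3816c1a65576cd7603993830706e9299dc1f14806486
 SHA512:
-metadata.gz: 033e6942aac1c8ad699ae07c42b7094e842d44a85b8a68f3659699b6c592db914dabcbceb476723c6dd08ea89fd9a7e530ea5121c5bbb0503fe24b12f6946720
-data.tar.gz: c14cd7a81a5ddbcc3218a88fc0b90c4bb37a250ec8658f96cdecbfaa5db12a4de818e6e219e7a644e4c575aa82cf17513008f79ebb44a344dbab1fe0af9cf544
+metadata.gz: fa95b99e2721f085dec57a6f9dc47aca0dda0d7bd91b98dc43e898a9037c59e0122de83dc34c9fac352132ae73032ff2792fdfa6ef8b7b2d7aeafa82ddfc8c6c
+data.tar.gz: 0e07f18fa8799a90f95ba13194f0c5e6d53894ad21c7b673cb3b6c45e3dd3153b6328b8d41364fc020a066359a3d64bcccd0a514c750163b61cbe1088440174d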
@@ -1,5 +1,14 @@
1
- # rule-set version: 0.11.0
1
+ # rule-set version: 0.12.0
2
2
  # Rules are auto-generated. See https://gitlab.com/gitlab-org/security-products/secret-detection/secret-detection-rules for instructions on updating the rules.
3
+ [[rules]]
4
+ id = 'AdafruitIOKey'
5
+ regex = '\baio_[A-Za-z]{4}[0-9]{2}[0-9A-Za-z]{22}\b'
6
+ description = 'Adafruit IO Key'
7
+ title = 'Adafruit IO Key'
8
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
9
+ tags = ['gitlab_blocking']
10
+ keywords = ['aio_']
11
+
3
12
  [[rules]]
4
13
  id = 'Adobe Client Secret'
5
14
  regex = '\b(p8e-)[a-zA-Z0-9]{32}\b'
@@ -9,6 +18,15 @@ remediation = "For general guidance on handling security incidents with regards
9
18
  tags = ['gitlab_blocking']
10
19
  keywords = ['p8e-']
11
20
 
21
+ [[rules]]
22
+ id = 'AivenServicePassword'
23
+ regex = '\bAVNS_[0-9A-Za-z_-]{15,123}\b'
24
+ description = 'Aiven Service Password'
25
+ title = 'Aiven Service Password'
26
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
27
+ tags = ['gitlab_blocking']
28
+ keywords = ['AVNS_']
29
+
12
30
  [[rules]]
13
31
  id = 'anthropic_key'
14
32
  regex = '\b(sk-ant-[a-z]{3}\d{2}-[A-Za-z0-9\\-_]{86}-[A-Za-z0-9\\-_]{8})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
@@ -18,6 +36,42 @@ remediation = "For general guidance on handling security incidents with regards
18
36
  tags = ['gitlab_blocking', 'client_side_sd']
19
37
  keywords = ['sk-ant-']
20
38
 
39
+ [[rules]]
40
+ id = 'AsanaPersonalAccessTokenV2'
41
+ regex = '\b2\/[0-9]{16}\/[0-9]{16}:[0-9a-f]{32}\b'
42
+ description = "An Asana personal access token was identified. Personal access tokens allow programmatic access to the Asana API. a\nmalicious actor who got access to this access token could execute functionality with the same permissions as that user."
43
+ title = 'Asana personal access token'
44
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke the detected Asana personal access token:\n\n- Sign in to your developer account and access <https://app.asana.com/0/my-apps>\n- Find the token under the \"Personal access tokens\" section of the \"My apps\" page\n- Select \"View details\"\n- Select \"Delete\" in the \"Token details\" dialog\n\nFor more information see [Asana's developer documentation on personal access tokens](https://developers.asana.com/docs/personal-access-token)."
45
+ tags = ['gitlab_blocking']
46
+ keywords = ['2/']
47
+
48
+ [[rules]]
49
+ id = 'AsanaPersonalAccessTokenV1'
50
+ regex = '\b1\/[0-9]{14,16}:[0-9a-f]{32}\b'
51
+ description = "An Asana personal access token was identified. Personal access tokens allow programmatic access to the Asana API. A\nmalicious actor who got access to this access token could execute functionality with the same permissions as that user."
52
+ title = 'Asana personal access token'
53
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
54
+ tags = ['gitlab_blocking']
55
+ keywords = ['1/']
56
+
57
+ [[rules]]
58
+ id = 'AtlassianUserApiToken'
59
+ regex = '\bATATT3xFfGF0[0-9A-Za-z_-]{171}=[0-9A-F]{8}\b'
60
+ description = "An Atlassian User API token was detected. User tokens can be used in scripts or other processes to perform basic\nauthentication with Jira Cloud applications or Confluence Cloud. You should treat API tokens as securely as any other\npassword. A malicious actor with access to this token can compromise any repository or Atlassian service this user has\naccess to."
61
+ title = 'Atlassian user API token'
62
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an Atlassian User API token:\n\n- Sign in to <https://id.atlassian.com/manage-profile/security/api-tokens>.\n- Select \"Revoke\" next to the API token that you want to revoke.\n\nPlease see [Atlassians help page](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/)\nfor more information on managing API tokens for your Atlassian account."
63
+ tags = ['gitlab_blocking']
64
+ keywords = ['ATATT3xFfGF0']
65
+
66
+ [[rules]]
67
+ id = 'AtlassianApiKey'
68
+ regex = '\bATCTT3xFfGN0[0-9A-Za-z_-]{171}=[0-9A-F]{8}\b'
69
+ description = "An Atlassian Admin API Key or Bitbucket Repository Access Token was identified. These API keys allow you to manage your\norganization through the Atlassian Admin APIs.\n\n- For Admin API Keys a malicious actor can take over the entire organization's Atlassian products and services using\n this key.\n- For Bitbucket Repository Access Tokens, a malicious actor can gain the privileges assigned to the repository token\n which could be full access to a repository or just read access to certain aspects of the workspace."
70
+ title = 'Atlassian admin API key / Bitbucket repository access token'
71
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an Atlassian Repository Token:\n\n- At <https://bitbucket.org>, go to the repository the access token was created for\n- On the sidebar, select \"Repository Settings\"\n- On the sidebar, under Security, select \"Access tokens\"\n- Find the access token and select \"Revoke\", then confirm that you want to revoke the token\n\nFor more information on revoking and creating Atlassian Bitbucket Repository Tokens, please see their [documentation](https://support.atlassian.com/bitbucket-cloud/docs/create-a-repository-access-token/).\n\nTo revoke an Atlassian Admin API key:\n\n- Go to <https://admin.atlassian.com>\n- Select your organization if you have more than one\n- Select \"Settings > API keys\"\n- Select \"Revoke\" next to the API key\n\nFor more information on revoking and creating Atlassian Admin API Keys, please see their [documentation](https://support.atlassian.com/organization-administration/docs/manage-an-organization-with-the-admin-apis/)."
72
+ tags = ['gitlab_blocking']
73
+ keywords = ['ATCTT3xFfGN0']
74
+
21
75
  [[rules]]
22
76
  id = 'AWS'
23
77
  regex = '\bAKIA[0-9A-Z]{16}\b'
@@ -27,6 +81,15 @@ remediation = "For general guidance on handling security incidents with regards
27
81
  tags = ['aws', 'revocation_type', 'gitlab_blocking']
28
82
  keywords = ['AKIA']
29
83
 
84
+ [[rules]]
85
+ id = 'AzureEntraClientSecret'
86
+ regex = '\b[0-9A-Za-z]{3}8Q~[0-9A-Za-z_.~]{34}\b'
87
+ description = 'Azure Entra Client Secret'
88
+ title = 'Azure Entra Client Secret'
89
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
90
+ tags = ['gitlab_blocking']
91
+ keywords = ['8Q~']
92
+
30
93
  [[rules]]
31
94
  id = 'CircleCIPersonalAccessToken'
32
95
  regex = '\bCCIPAT_[a-zA-Z0-9]{22}_[a-f0-9]{40}\b'
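Review bot: The new `AzureEntraClientSecret` regex closes the secret class `[0-9A-Za-z_.~]{34}` with `\b`, but `.` and `~` are not word characters, so a secret whose final character is one of those never matches when it is followed by a quote, whitespace or end of line, and because the count is exactly 34 there is no shorter match to fall back to. The file's existing rules (`gitlab_personal_access_token`, `anthropic_key`) avoid this with an explicit terminator instead of `\b`, so this rule should take the same form: `regex = '\b([0-9A-Za-z]{3}8Q~[0-9A-Za-z_.~]{34})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'`. The same construction appears in other rules added in this release: `FigmaPersonalAccessToken`, `PlanetscaleAppSecret` and `ArtifactoryApiKey` (whose class also holds `/` and `+`) use exact counts and share the blind spot, while the ranged `AivenServicePassword` and Dropbox rules only fall back to a match that drops the final character. Since the header states the rules are auto-generated, the correction belongs in the upstream secret-detection-rules repository rather than a hand edit of this file.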
@@ -45,15 +108,60 @@ remediation = "For general guidance on handling security incidents with regards
45
108
  tags = ['gitlab_blocking']
46
109
  keywords = ['CFPAT-']
47
110
 
111
+ [[rules]]
112
+ id = 'DockerPersonalAccessToken'
113
+ regex = '\bdckr_pat_[0-9A-Za-z_]{27}\b'
114
+ description = 'Docker Personal Access Token'
115
+ title = 'Docker Personal Access Token'
116
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
117
+ tags = ['gitlab_blocking']
118
+ keywords = ['dckr_pat_']
119
+
48
120
  [[rules]]
49
121
  id = 'Doppler API token'
50
- regex = '\b(dp\.pt\.)[a-zA-Z0-9]{43}\b'
122
+ regex = '\bdp\.pt\.[0-9A-Za-z]{40,44}\b'
51
123
  description = 'Doppler personal access token was detected.'
52
124
  title = 'Doppler API token'
53
125
  remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke the Doppler personal access token:\n\n- Open and sign in to <https://dashboard.doppler.com/>\n- Select \"Tokens\" on the right-hand side menu\n- Select the \"Personal\" tab\n- Find the personal token and select \"Roll\" in the Action column\n- After the \"Roll Personal Token\" dialog is displayed select \"Roll\"\n- Copy the new token's value\n\nFor more information please see their documentation: <https://docs.doppler.com/docs/start>"
54
126
  tags = ['gitlab_blocking']
55
127
  keywords = ['dp.pt.']
56
128
 
129
+ [[rules]]
130
+ id = 'Doppler Service token'
131
+ regex = '\bdp\.st\.[0-9A-Za-z]{40,44}\b'
132
+ description = 'Doppler service token was detected.'
133
+ title = 'Doppler Service token'
134
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
135
+ tags = ['gitlab_blocking']
136
+ keywords = ['dp.st.']
137
+
138
+ [[rules]]
139
+ id = 'Dropbox short lived API token'
140
+ regex = '\bsl\.[0-9A-Za-z_-]{136,200}\b'
141
+ description = "A Dropbox short lived API token was detected. These tokens were deprecated in 2021,\nsee <https://dropbox.tech/developers/migrating-app-permissions-and-access-tokens#introducing-scoped-apps> for more\ndetails."
142
+ title = 'Dropbox short lived API token'
143
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
144
+ tags = ['gitlab_blocking']
145
+ keywords = ['sl.']
146
+
147
+ [[rules]]
148
+ id = 'DynatracePlatformToken'
149
+ regex = '\bdt0s[0-9]{2}\.[A-Z0-9]{8}\.[A-Z0-9]{64}\b'
150
+ description = "A Dynatrace Platform token or OAuth client secret was identified.\n\n- Platform tokens are long-living access tokens for interaction with Dynatrace platform services. They can be created\n by regular users to consume the services and data inside of Dynatrace by using the API in the bounds of their user\n permissions.\n- OAuth client secret tokens are tokens for interacting with the API using an OAuth client authorization flow. They can\n be configured with various permission levels and scopes.\n\nA full list of token types and their prefixes are [documented here](https://docs.dynatrace.com/docs/manage/identity-access-management/access-tokens-and-oauth-clients/access-tokens#token-format-prefixes).\n\nA malicious actor with access to any of these tokens can access and potentially modify application telemetry and cloud\nservice infrastructure information."
151
+ title = 'Dynatrace platform token / OAuth client secret'
152
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information on managing platform access tokens, please see [Dynatrace's platform token documentation](https://docs.dynatrace.com/docs/manage/identity-access-management/access-tokens-and-oauth-clients/platform-tokens#my-platform-tokens)\n\nFor more information on managing OAuth client secrets, please see [Dynatrace's OAuth clients documentation](https://docs.dynatrace.com/docs/manage/identity-access-management/access-tokens-and-oauth-clients/oauth-clients)"
153
+ tags = ['gitlab_blocking']
154
+ keywords = ['dt0s']
155
+
156
+ [[rules]]
157
+ id = 'FigmaPersonalAccessToken'
158
+ regex = '\bfigd_[0-9A-Za-z_-]{40}\b'
159
+ description = 'Figma Personal Access Token'
160
+ title = 'Figma Personal Access Token'
161
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
162
+ tags = ['gitlab_blocking']
163
+ keywords = ['figd_']
164
+
57
165
  [[rules]]
58
166
  id = 'GCP OAuth client secret'
59
167
  regex = 'GOCSPX-[a-zA-Z0-9_-]{28}'
@@ -108,6 +216,24 @@ remediation = "For general guidance on handling security incidents with regards
108
216
  tags = ['gitlab_blocking']
109
217
  keywords = ['ghr_']
110
218
 
219
+ [[rules]]
220
+ id = 'GithubFineGrainedPersonalAccessToken'
221
+ regex = '\bgithub_pat_[0-9A-Za-z]{22}_[0-9A-Za-z]{59}\b'
222
+ description = "A GitHub fine-grained personal access token was identified. Personal access tokens can be used to access GitHub services\nas the user who created them. These tokens can be given access to public repositories, a single repository or all\nrepositories. A malicious actor with access to this token can execute functionality on behalf of the user with the given\npermissions of the token."
223
+ title = 'GitHub fine-grained personal access token'
224
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate a personal access token:\n\n- Sign in to your GitHub account and access <https://github.com/settings/tokens>\n- Under the \"Personal access tokens\" menu in the right hand side, select \"Fine-grained tokens\"\n- Find the token that was identified and select its name in the list\n- Select \"Regenerate token\" at the top of the page\n\nAlternatively, you could select \"Delete this token\" at the bottom of the page and create a new one. Be sure to note\nthe scopes and permissions set before doing this action.\n\nFor more information, please see [GitHubs documentation on personal access tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)."
225
+ tags = ['gitlab_blocking']
226
+ keywords = ['github_pat_']
227
+
228
+ [[rules]]
229
+ id = 'GithubAppInstallationToken'
230
+ regex = '\bv1\.[0-9A-Fa-f]{40}\b'
231
+ description = 'GitHub App Installation Token'
232
+ title = 'GitHub App Installation Token'
233
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
234
+ tags = ['gitlab_blocking']
235
+ keywords = ['v1.']
236
+
111
237
  [[rules]]
112
238
  id = 'gitlab_personal_access_token'
113
239
  regex = '\b(glpat-[0-9a-zA-Z_\-]{20})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
@@ -228,12 +354,66 @@ keywords = ['.atlasv1.']
228
354
  [[rules]]
229
355
  id = 'Hashicorp Vault batch token'
230
356
  regex = 'b\.AAAAAQ[0-9a-zA-Z_-]{156}'
231
- description = "A HashiCorp Vault batch token was identified. Batch tokens are used when hundereds to thousands of systems need to\naccess Vault but genenerating unique tokens would not scale. These tokens are usually short lived and bound to a\nspecific vault policy. A malicious actor with access to this token can impersonate a service and would have the same\npermission levels as the policy that the batch token is created for."
357
+ description = "A HashiCorp Vault batch token was identified. Batch tokens are used when hundereds to thousands of systems need to\naccess Vault but generating unique tokens would not scale. These tokens are usually short lived and bound to a\nspecific vault policy. A malicious actor with access to this token can impersonate a service and would have the same\npermission levels as the policy that the batch token is created for."
232
358
  title = 'HashiCorp Vault batch token'
233
359
  remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nBatch tokens cannot be revoked so you should use very short \"time to live\" values when creating batch tokens.\n\nFor more information, please see [Vault's documentation on batch tokens](https://developer.hashicorp.com/vault/tutorials/tokens/batch-tokens)."
234
360
  tags = ['gitlab_blocking']
235
361
  keywords = ['b.AAAAAQ']
236
362
 
363
+ [[rules]]
364
+ id = 'HighnoteTestSecretKey'
365
+ regex = '\bsk_test_[0-9A-Za-z_]{63,98}\b'
366
+ description = 'Highnote Test Secret Key'
367
+ title = 'Highnote Test Secret Key'
368
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
369
+ tags = ['gitlab_blocking']
370
+ keywords = ['sk_test_']
371
+
372
+ [[rules]]
373
+ id = 'HighnoteLiveSecretKey'
374
+ regex = '\bsk_live_[0-9A-Za-z_]{63,98}\b'
375
+ description = 'Highnote Live Secret Key'
376
+ title = 'Highnote Live Secret Key'
377
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
378
+ tags = ['gitlab_blocking']
379
+ keywords = ['sk_live_']
380
+
381
+ [[rules]]
382
+ id = 'Hubspot API token'
383
+ regex = '\bpat-[a-z]{2}[0-9]-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b'
384
+ description = "A HubSpot private app API token was identified. Private apps allow you to use HubSpot's APIs to access specific data\nfrom your HubSpot account and can be restricted by setting specific scopes. A malicious actor with access to this token\ncan call API endpoints with the same levels as those set in the scope of the application. This could be anywhere from\nonly reading marketing campaigns to accessing user and account information and sending emails."
385
+ title = 'HubSpot private app API token'
386
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate a private app API token:\n\n- Sign in to your HubSpot account at <https://app.hubspot.com/>\n- In the left-hand menu, hover over the database icon and select \"Integrations\"\n- Find the private app that has the identified token and select its name\n- Select the \"Auth\" tab in the top of the page\n- In the \"Access token\" section of the page, select \"Rotate\"\n- Select \"Rotate and expire this token now\" when prompted\n- Select \"Rotate now\" in the \"Rotate access token now?\" dialog\n\nFor more information, please see [HubSpot's documentation on private apps](https://developers.hubspot.com/beta-docs/guides/apps/private-apps/overview)"
387
+ tags = ['gitlab_blocking']
388
+ keywords = ['pat-']
389
+
390
+ [[rules]]
391
+ id = 'HuggingFaceUserAccessToken'
392
+ regex = '\bhf_[A-Za-z]{34}\b'
393
+ description = 'Hugging Face User Access Token'
394
+ title = 'Hugging Face User Access Token'
395
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
396
+ tags = ['gitlab_blocking']
397
+ keywords = ['hf_']
398
+
399
+ [[rules]]
400
+ id = 'ArtifactoryApiKey'
401
+ regex = '\bAKCp[0-9A-Za-z/+]{69}\b'
402
+ description = "An Artifactory API Key was identified. An Artifactory API Key enable actions like deploying artifacts,\nmanaging repositories, configuring permissions, and retrieving artifacts from JFrog Artifactory repositories.\nIf leaked, a malicious actor could use it to exfiltrate sensitive proprietary code, inject malicious packages into\nthe build pipeline, or delete critical artifacts that could disrupt an organization's software delivery capabilities."
403
+ title = 'Artifactory API Key'
404
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
405
+ tags = ['gitlab_blocking']
406
+ keywords = ['AKCp']
407
+
408
+ [[rules]]
409
+ id = 'ArtifactoryIdentityToken'
410
+ regex = '\bcmVmd[0-9A-Za-z]{59}\b'
411
+ description = "An Artifactory Identity Token was identified.\nAn Artifactory Identity Token allows authentication to access repositories, download artifacts, upload artifacts,\nand execute privileged operations within JFrog Artifactory based on the token's assigned permissions. If leaked,\na malicious actor could use this token to steal proprietary code, inject compromised dependencies into the software\nsupply chain, or potentially gain unauthorized access to connected CI/CD systems that rely on Artifactory for builds."
412
+ title = 'Artifactory Identity Token'
413
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
414
+ tags = ['gitlab_blocking']
415
+ keywords = ['cmVmd']
416
+
237
417
  [[rules]]
238
418
  id = 'Linear API token'
239
419
  regex = '\blin_api_[a-zA-Z0-9]{40}\b'
@@ -281,12 +461,12 @@ keywords = ['_mmk']
281
461
 
282
462
  [[rules]]
283
463
  id = 'New Relic user API Key'
284
- regex = "['\\\"](NRAK-[A-Z0-9]{27})['\\\"]"
464
+ regex = '\bNRAK-[0-9A-Z]{27}\b'
285
465
  description = "A New Relic user API key was identified. User keys are used for querying data and managing configurations (Alerts,\nSynthetics, dashboards, etc.). A malicious actor with access to this key can execute API requests as the user who\ncreated it."
286
466
  title = 'New Relic user API key'
287
467
  remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information, please see [New Relic's documentation on rotating API keys](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#rotate-keys)."
288
468
  tags = ['gitlab_blocking']
289
- keywords = ['NRAK']
469
+ keywords = ['NRAK-']
290
470
 
291
471
  [[rules]]
292
472
  id = 'New Relic user API ID'
@@ -333,6 +513,33 @@ remediation = "For general guidance on handling security incidents with regards
333
513
  tags = ['gitlab_blocking']
334
514
  keywords = ['pscale_tkn_']
335
515
 
516
+ [[rules]]
517
+ id = 'PlanetscaleAppSecret'
518
+ regex = '\bpscale_app_secret_[0-9A-Za-z_-]{43}\b'
519
+ description = "A PlanetScale App secret was identified. App secrets are used when allowing users to sign in to your application.\nDepending on the scopes assigned, a malicious actor with access to this secret can impersonate the service to access\nusers details."
520
+ title = 'PlanetScale App secret'
521
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate an OAuth secret:\n\n- Sign in to your PlanetScale account and access <https://app.planetscale.com/>.\n- From the menu on the left-hand side, select \"Settings\"\n- Under \"Settings\", select \"OAuth applications\"\n- Find the application that uses the identified token and select its name\n- Take note of the OAuth application's permissions and scope\n- Select \"Generate secret\"\n\nFor more information, please see [PlanetScale's documentation on OAuth applications](https://planetscale.com/docs/concepts/planetscale-api-oauth-applications#oauth-applications)."
522
+ tags = ['gitlab_blocking']
523
+ keywords = ['pscale_app_secret_']
524
+
525
+ [[rules]]
526
+ id = 'PlanetscaleOAuthSecret'
527
+ regex = '\bpscale_oauth_[0-9A-Za-z]{32,64}\b'
528
+ description = 'PlanetScale OAuth secret'
529
+ title = 'PlanetScale OAuth secret'
530
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
531
+ tags = ['gitlab_blocking']
532
+ keywords = ['pscale_oauth_']
533
+
534
+ [[rules]]
535
+ id = 'PostHogPersonalAPIkey'
536
+ regex = '\bphx_[0-9A-Za-z]{43}\b'
537
+ description = 'A PostHog Personal API key was identified. API keys can enable full access to your account.'
538
+ title = 'Posthog Personal API key'
539
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an API Key, sign in to your PostHog account and access your\n[Personal API keys](https://us.posthog.com/settings/user-api-keys).\n\nFor more information, please see [PostHog's API Overview documentation](https://posthog.com/docs/api)."
540
+ tags = ['gitlab_blocking']
541
+ keywords = ['phx_']
542
+
336
543
  [[rules]]
337
544
  id = 'PyPI upload token'
338
545
  regex = 'pypi-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{50,1000}'
@@ -450,6 +657,33 @@ remediation = "For general guidance on handling security incidents with regards
450
657
  tags = ['gitlab_blocking']
451
658
  keywords = ['xapp-1-']
452
659
 
660
+ [[rules]]
661
+ id = 'SonarQubeUserToken'
662
+ regex = '\bsqu_[0-9a-f]{40}\b'
663
+ description = 'SonarQube User Token'
664
+ title = 'SonarQube User Token'
665
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
666
+ tags = ['gitlab_blocking']
667
+ keywords = ['squ_']
668
+
669
+ [[rules]]
670
+ id = 'SonarQubeGlobalAnalysisToken'
671
+ regex = '\bsqa_[0-9a-f]{40}\b'
672
+ description = 'SonarQube Global Analysis Token'
673
+ title = 'SonarQube Global Analysis Token'
674
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
675
+ tags = ['gitlab_blocking']
676
+ keywords = ['sqa_']
677
+
678
+ [[rules]]
679
+ id = 'SonarQubeProjectAnalysisToken'
680
+ regex = '\bsqp_[0-9a-f]{40}\b'
681
+ description = 'SonarQube Project Analysis Token'
682
+ title = 'SonarQube Project Analysis Token'
683
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
684
+ tags = ['gitlab_blocking']
685
+ keywords = ['sqp_']
686
+
453
687
  [[rules]]
454
688
  id = 'StripeLiveSecretKey'
455
689
  regex = '\bsk_live_[A-Za-z0-9]{99}\b'
@@ -468,6 +702,24 @@ remediation = "For general guidance on handling security incidents with regards
468
702
  tags = ['gitlab_blocking']
469
703
  keywords = ['rk_live_']
470
704
 
705
+ [[rules]]
706
+ id = 'StripeLiveShortSecretKey'
707
+ regex = '\bsk_live_[A-Za-z0-9]{24}\b'
708
+ description = "A Stripe live secret key was identified. Live secret keys authenticate requests on your server when in\nlive mode. By default, you can use this key to perform any API request without restriction. A malicious actor who gained\naccess to this key could gain read/write access to all data in Stripe for this account."
709
+ title = 'Stripe live secret key'
710
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Stripe live secret key:\n\n- Sign in to your Stripe account and access <https://dashboard.stripe.com/apikeys>\n- Ensure \"Test mode\" is disabled\n- In the \"Standard keys\" section, find the key that was identified and select the ellipsis in the right-hand side\n- Select \"Roll key...\"\n- In the \"Roll API key\" dialog, select an expiration date, for example \"now\"\n- Select \"Roll API Key\"\n\nFor more information, please see [Stripe's documentation on rotating API keys](https://docs.stripe.com/keys#rolling-keys)."
711
+ tags = ['gitlab_blocking']
712
+ keywords = ['sk_live_']
713
+
714
+ [[rules]]
715
+ id = 'TencentCloudSecretID'
716
+ regex = '\bAKID[0-9A-Za-z]{32}\b'
717
+ description = 'Tencent Cloud Secret ID'
718
+ title = 'Tencent Cloud Secret ID'
719
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
720
+ tags = ['gitlab_blocking']
721
+ keywords = ['AKID']
722
+
471
723
  [[rules]]
472
724
  id = 'Twilio API Key'
473
725
  regex = '\bSK[0-9a-fA-F]{32}\b'
@@ -475,4 +727,40 @@ description = 'Twilio API Key'
475
727
  title = 'Twilio API key'
476
728
  remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
477
729
  tags = ['gitlab_blocking']
478
- keywords = ['SK', 'twilio']
730
+ keywords = ['SK']
731
+
732
+ [[rules]]
733
+ id = 'Twilio Account SID'
734
+ regex = '\bAC[0-9a-f]{32}\b'
735
+ description = 'Twilio Account SID'
736
+ title = 'Twilio Account SID'
737
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
738
+ tags = ['gitlab_blocking']
739
+ keywords = ['AC']
740
+
741
+ [[rules]]
742
+ id = 'VolcengineAccessKeyID'
743
+ regex = '\bAKLT[0-9A-Za-z]{30,44}\b'
744
+ description = 'Volcengine Access Key ID'
745
+ title = 'Volcengine Access Key ID'
746
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
747
+ tags = ['gitlab_blocking']
748
+ keywords = ['AKLT']
749
+
750
+ [[rules]]
751
+ id = 'WakaTimeAPIKey'
752
+ regex = '\bwaka_[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b'
753
+ description = 'WakaTime API Key'
754
+ title = 'WakaTime API Key'
755
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
756
+ tags = ['gitlab_blocking']
757
+ keywords = ['waka_']
758
+
759
+ [[rules]]
760
+ id = 'Yandex.Cloud API Key'
761
+ regex = '\bAQVN[0123wxyz][0-9A-Za-z_-]{35}\b'
762
+ description = 'Yandex.Cloud API Key'
763
+ title = 'Yandex.Cloud API Key'
764
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
765
+ tags = ['gitlab_blocking']
766
+ keywords = ['AQVN']
@@ -5,7 +5,7 @@ module Gitlab
5
5
  class Gem
6
6
  # Ensure to maintain the same version in CHANGELOG file.
7
7
  # More details available under 'Release Process' section in the README.md file.
8
- VERSION = "0.32.0"
8
+ VERSION = "0.33.0"
9
9
 
10
10
  # SD_ENV env var is used to determine which environment the
11
11
  # server is running. This var is defined in `.runway/env-<env>.yml` files.
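--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-secret_detection
 version: !ruby/object:Gem::Version
-version: 0.32.0
+version: 0.33.0
 platform: ruby
 authors:
 - group::secret detection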