gitlab-secret_detection 0.37.1 → 0.38.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bb59a6c39f08266e66c0009144c63600505fa8bddbbc311e01b0afb6cc51b3c3
-  data.tar.gz: a9370c0430557aa36b666c99cc6ad50a2d525d3ad7fea697680105eab092aba6
+  metadata.gz: db8f4b15d10dfeee9f82ecb41a6edd4237ba6da77cf83958fbf8e32d55edf4e7
+  data.tar.gz: 422c8f40835c0dff3106b6f5933bae77253685501c0b698096d2551658f57084
 SHA512:
-  metadata.gz: 3db36f3aba5b35ba46d1fec1e71a726be094b6d0bf09ed1ebbd1f9e9bb8ca9b479a04e0cabd410e26370799f449ff6554eef2b206f36bb72dda6f6b67b6b83ce
-  data.tar.gz: 800ff9920b99507ac0b9e4d5d1d68c2b04ddd84a7decda582b49b6a418f255cfe998c2ae7a0b96a2fb3e1085594281b5e6caefd16510143be7c4efc79e914500
+  metadata.gz: 1888e803f532e8cea79a06ab22b6d09ad95ca6f32975930ba4e231f2637c994dfb3631ad5aec7dd0f5c08cc7b25132ebf42319fb8cb1125219bbd0be4ada7cb3
+  data.tar.gz: 16dbb33e6df6cf8426dd2fd7da169ed59ac81b2ce6495d04a9edfaa791b1923dbec247e57d7e437d2cd7435718db94168b5a23149737801fbb11b5079d7740bf

data/lib/gitlab/secret_detection/core/secret_push_protection_rules.toml

@@ -1,4 +1,4 @@
-# rule-set version: 0.18.0
+# rule-set version: 0.20.0
 # Rules are auto-generated. See https://gitlab.com/gitlab-org/security-products/secret-detection/secret-detection-rules for instructions on updating the rules.
 [[rules]]
 id = 'AdafruitIOKey'
@@ -38,7 +38,7 @@ keywords = ['amzn1.application-oa2-client']
 
 [[rules]]
 id = 'anthropic_key'
-regex = '\b(sk-ant-[a-z]{3}\d{2}-[A-Za-z0-9\\-_]{86}-[A-Za-z0-9\\-_]{8})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
+regex = '\bsk-ant-[a-z]{3}\d{2}-[0-9A-Za-z_-]{94}[0-9A-Za-z_]\b'
 description = "An Anthropic API key was detected. Anthropic keys are used to access generative AI services. Malicious\nactors could use these keys to build up excessive charges to your account."
 title = 'Anthropic API key'
 remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo remediate a leaked Anthropic key, you should delete it from the list of API keys for your organization.\n\n- Sign in to your [Anthropic account](https://console.anthropic.com/)\n- Go to \"API settings\" by selecting your profile icon and then selecting \"API Keys\" or through the Settings tab\n- Identify the leaked API key and select the meatball menu (three horizontal dots) next to the key you want to delete\n- Select \"Delete API Key\"\n  - Note: Deleting an API key is a permanent action and cannot be undone\n- Generate a new key by selecting \"Create Key\" and give it a descriptive name\n\nFor more information, please see Anthropic's website: <https://support.anthropic.com/en/articles/8384961-what-should-i-do-if-i-suspect-my-api-key-has-been-compromised>."
@@ -83,21 +83,39 @@ keywords = ['ATCTT3xFfGN0']
 
 [[rules]]
 id = 'AWS'
-regex = '\bAKIA[2-7A-Z]{16}\b'
-description = "An AWS Access Token was detected. AWS Access Tokens are usually paired along with their secret key values. A malicious\nactor with access to this token can access AWS services with the same permissions as the user which generated the key,\nprovided they have access to both values."
-title = 'AWS access token'
-remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo delete an access key:\n\n- In the \"Access keys\" section, find the key that was identified\n- Select \"Actions\"\n- Select \"Delete\"\n- Follow the instructions in the dialog to first deactivate and then confirm the deletion\n\nFor information on how to manage and revoke access keys for AWS please see their [documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey)."
+regex = '\b(?:AKIA|ASIA|A3T[A-Z0-9])[2-7A-Z]{16}\b'
+description = "An AWS Access Key ID was detected. AWS Access Key IDs come in different types: long-term IAM user access keys\n(starting with AKIA), temporary STS credentials (starting with ASIA), or AWS STS service bearer tokens. These\ncredentials are paired with Secret Access Keys to authenticate programmatic requests to AWS services. A\nmalicious actor with access to both the Access Key ID and its associated Secret Access Key can access AWS\nresources with the permissions granted to that credential, potentially leading to data breaches, resource\nmanipulation, or unauthorized charges."
+title = 'AWS Access Key ID'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\n- **For Long-term IAM Access Keys (AKIA/A3T prefix)**:\n\nTo delete a long-term IAM access key:\n\n1. Log in to the AWS Management Console at <https://console.aws.amazon.com>\n2. Navigate to the IAM service by searching for \"IAM\" in the search bar or accessing it directly at\n   <https://console.aws.amazon.com/iam>\n3. In the left navigation pane, select \"Users\" and locate the IAM user associated with the compromised key\n4. Select the username to view the user details page\n5. Navigate to the \"Security credentials\" tab\n6. In the \"Access keys\" section, find the key that matches the leaked Access Key ID\n7. Select \"Actions\" dropdown next to the key\n8. Select \"Deactivate\" to immediately disable the key, then select \"Delete\" to permanently remove it\n9. Generate a new access key pair if needed by selecting \"Create access key\"\n10. Update all applications, scripts, and systems that were using the compromised credentials with the new key\n11. Verify the old key is no longer active by checking the \"Access keys\" section shows the key as deleted\n\n- **For Temporary STS Credentials (ASIA prefix)**:\n\nTemporary credentials cannot be manually deleted but will expire automatically. To mitigate exposure:\n\n1. Log in to the AWS Management Console at <https://console.aws.amazon.com>\n2. Navigate to the IAM service at <https://console.aws.amazon.com/iam>\n3. Identify the IAM role or user that generated the temporary credentials by reviewing AWS CloudTrail logs\n4. If the credentials were generated via AssumeRole, consider attaching a deny policy to the role to prevent\n   further access until credentials expire\n5. Review and reduce the session duration policy on the role to minimize exposure window for future sessions\n6. Monitor CloudTrail logs for any unauthorized activity during the credential validity period\n7. For immediate revocation, you can revoke active sessions by attaching an inline policy to the role with\n   a condition that denies access for sessions created before the current time\n8. Update the trust policy or role permissions if the compromise indicates a broader security issue\n\n- **For All Access Key Types**:\n\nAfter remediation:\n\n1. Review AWS CloudTrail logs to identify any unauthorized activity that occurred using the compromised\n   credentials at <https://console.aws.amazon.com/cloudtrail>\n2. Check for any unauthorized resource creation, modification, or data access\n3. Implement AWS CloudWatch alarms to detect unusual API activity patterns\n4. Consider enabling Amazon GuardDuty for continuous threat detection\n5. Review and update IAM policies to follow the principle of least privilege\n\nFor information on how to manage and revoke access keys for AWS, please see their\n[official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)\nand\n[STS temporary credentials documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)."
 tags = ['aws', 'revocation_type', 'gitlab_blocking']
-keywords = ['AKIA']
+keywords = ['AKIA', 'ASIA', 'A3T']
 
 [[rules]]
-id = 'AWSSTSKey'
-regex = '\bASIA[2-7A-Z]{16}\b'
-description = "An AWS Security Token Service (STS) Key is a temporary security credential that provides short-term access to\nAWS services. These tokens are created when an IAM role is assumed and typically expire within 1-12 hours. A\nmalicious actor with access to this token can perform any actions allowed by the assumed role's permissions\nuntil the token expires. STS tokens are often associated with the permanent credentials (IAM user or service)\nthat originally assumed the role."
-title = 'AWSSTSKey'
-remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\n**Important**: STS tokens cannot be directly revoked or rotated. They will expire automatically, but immediate\naction is required to limit potential damage.\n\nFor detailed information on managing AWS STS Keys and IAM roles, please see the\n[AWS IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).\n\n**Note**: STS tokens expire automatically and cannot be directly revoked. Response efforts must focus on\nmonitoring, damage assessment, and preventing future unauthorized assumptions of the associated IAM role."
+id = 'AWSBedrockKey'
+regex = '\bABSK[A-Za-z0-9+/]{70,150}={0,2}'
+description = "An AWS Bedrock Key was detected. AWS Bedrock Keys are usually paired along with their secret key values. A malicious\nactor with access to this token can access AWS services with the same permissions as the user which generated the key,\nprovided they have access to both values."
+title = 'AWS Bedrock Key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo delete an AWS Bedrock key:\n\n1. Sign in to the AWS Management Console and open the [Amazon Bedrock console](https://console.aws.amazon.com/bedrock/).\n1. In the left navigation pane, select **API keys.**\n1. In the **API keys for Amazon Bedrock** section, choose a key.\n1. Choose **Actions**.\n1. Select **Delete**.\n\nFor information on how to manage and revoke bedrock keys for AWS please see their [documentation](https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-revoke.html)."
 tags = ['gitlab_blocking']
-keywords = ['ASIA']
+keywords = ['ABSK']
+
+[[rules]]
+id = 'AWSBedrockShortLivedKey'
+regex = '\bbedrock-api-key-[A-Za-z0-9+/]{100,}={0,2}\b'
+description = "An AWS Bedrock Short Lived Key was detected. These are temporary credentials generated to access Amazon\nBedrock, AWS's managed service for foundation models and generative AI applications. Short-lived keys are\ntypically issued through AWS Security Token Service (STS) and include an access key ID, secret access key,\nand session token. A malicious actor with access to these credentials could invoke Bedrock models, access\ncustom models, or retrieve sensitive data within the permissions scope until the credentials expire."
+title = 'AWS Bedrock Short Lived Key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nShort-lived credentials cannot be manually revoked but will expire automatically based on their session\nduration. To mitigate exposure:\n\n1. Log in to the AWS Management Console at <https://console.aws.amazon.com>\n2. Navigate to AWS CloudTrail at <https://console.aws.amazon.com/cloudtrail> to identify the IAM entity\n   (user or role) that generated the temporary credentials\n3. Review the CloudTrail event history for AssumeRole or GetSessionToken API calls that match the timeframe\n   of credential creation\n4. Navigate to the IAM service at <https://console.aws.amazon.com/iam> and locate the source IAM role or\n   user that generated the credentials\n5. For immediate mitigation, attach an inline deny policy to the IAM role or user to revoke active sessions\n   by adding a condition that denies access for sessions created before the current time using the\n   `aws:TokenIssueTime` condition key\n6. Review and reduce the maximum session duration on the IAM role to minimize future exposure windows by\n   editing the role's \"Maximum session duration\" setting (minimum 1 hour, maximum 12 hours)\n7. Navigate to Amazon Bedrock at <https://console.aws.amazon.com/bedrock> and review recent API activity\n   in the Bedrock service logs to identify any unauthorized model invocations or data access\n8. Monitor AWS CloudTrail logs continuously during the credential validity period for suspicious Bedrock\n   API calls such as InvokeModel, InvokeModelWithResponseStream, or GetFoundationModelAvailability\n9. If unauthorized access is confirmed, review and update IAM policies following the principle of least\n   privilege to restrict Bedrock permissions to only required models and actions\n10. Consider implementing AWS CloudWatch alarms to detect unusual Bedrock API usage patterns\n11. Enable Amazon GuardDuty if not already active for continuous threat detection across AWS services\n12. Update applications or systems that were using the compromised credentials once new credentials are\n    generated through proper authentication flows\n\nFor detailed information on managing temporary credentials and Amazon Bedrock security, please see the\n[AWS STS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)\nand\n[Amazon Bedrock security documentation](https://docs.aws.amazon.com/bedrock/latest/userguide/security.html)."
+tags = ['gitlab_blocking']
+keywords = ['bedrock-api-key-']
+
+[[rules]]
+id = 'AWSSessionToken'
+regex = '\b(?:FwoGZXIvYXdzE|IQoJb3JpZ2luX2VjE|FQoDYXdzE)[A-Za-z0-9+/]{180,1000}={0,2}'
+description = "An AWS Session Token is a temporary security credential that is part of AWS Security Token Service (STS)\ntemporary credentials. These tokens are used alongside temporary access key IDs and secret access keys to\nauthenticate requests to AWS services. While session tokens expire automatically, a malicious actor with\naccess to valid temporary credentials can access AWS resources with the same permissions as the assumed role\nor federated user until the token expires, potentially lasting from minutes to several hours."
+title = 'AWS Session Token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your AWS Session Token:\n\n1. Log in to the AWS Management Console at <https://console.aws.amazon.com/>\n2. Navigate to the IAM service dashboard\n3. Identify the source of the temporary credentials:\n   - For assumed roles: Go to \"Roles\" and locate the role that was assumed\n   - For federated users: Check the identity provider configuration\n   - For temporary credentials from GetSessionToken: Review the IAM user that generated them\n4. Revoke active sessions:\n   - For roles: Select the role, go to \"Revoke sessions\" tab, and click \"Revoke active sessions\"\n   - For IAM users: Go to \"Users\", select the user, \"Security credentials\" tab, and revoke sessions\n5. Update or remove any applications or scripts that were using the compromised temporary credentials\n6. Verify the session is no longer active by checking AWS CloudTrail logs for any API calls made with the\n   compromised credentials after revocation\n7. Review and update the permissions or trust policies of the role or user to prevent future unauthorized\n   access\n\nFor detailed information on managing temporary security credentials and revoking sessions, please see the\n[AWS IAM documentation on temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)\nand [revoking IAM role sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html)."
+tags = ['gitlab_blocking']
+keywords = ['FwoGZXIvYXdzE', 'IQoJb3JpZ2luX2VjE', 'FQoDYXdzE']
 
 [[rules]]
 id = 'AzureEntraClientSecret'
@@ -225,6 +243,15 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['sl.']
 
+[[rules]]
+id = 'DropboxAppAccessToken'
+regex = '\bsl\.B_[a-zA-Z0-9_-]{138}\b'
+description = "A Dropbox application access token was detected. These tokens are primarily used for testing before switching to a\nproper OAuth authorization flow. Application access tokens allow programmatic access to the Dropbox API. The application\ncan be restricted to an App folder or the full Dropbox account. Additionally, individual scopes can be set under the\npermissions tab, further restricting access. A malicious actor with access to this token can execute functionality only\nto which the permissions were configured. This can lead to sensitive files being accessed or modified."
+title = 'Dropbox application access token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate a new application access token:\n\n- Open <https://www.dropbox.com/developers/apps/> and sign in to your Dropbox account\n- Find the application which the token was detected in\n- Under the settings tab, scroll down to the \"Generated access token\" section\n- Select \"Generate\" to generate a new access token.\n\nFor more information, please see their documentation: <https://developers.dropbox.com/oauth-guide#implementing-oauth>"
+tags = ['gitlab_blocking']
+keywords = ['sl.']
+
 [[rules]]
 id = 'DynatracePlatformToken'
 regex = '\bdt0s[0-9]{2}\.[A-Z0-9]{8}\.[A-Z0-9]{64}\b'
@@ -243,6 +270,33 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['figd_']
 
+[[rules]]
+id = 'FlutterwaveProdPublicKey'
+regex = '\bFLWPUBK-[0-9A-Ha-h]{32}-X\b'
+description = "A Flutterwave public key was identified. This key is used in \"public\" scenarios, such as in front-end JavaScript code\n(for example Flutterwave Inline). A malicious actor with access to this key cannot do anything with it."
+title = 'Flutterwave production public key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your key:\n\n- Sign in and go to <https://app.flutterwave.com/dashboard/home>\n- Select \"Settings\" on the left-hand menu\n- Select \"API Keys\" under \"Developers\" on the left-hand menu\n- Ensure \"Test mode\" is NOT activated\n- Select \"Generate secret key\" to rotate the public, secret, and encryption key\n\nFor more information, please see the [Flutterwave documentation on authentication](https://developer.flutterwave.com/docs/authentication)."
+tags = ['gitlab_blocking']
+keywords = ['FLWPUBK-']
+
+[[rules]]
+id = 'FlutterwaveProdSecretKey'
+regex = '\bFLWSECK-[0-9A-Ha-h]{32}-X\b'
+description = "A Flutterwave secret key was identified. Secret keys have the highest level of privileges and can authorize any action\non your account. A malicious actor with access to this key can gain access to transaction and user information."
+title = 'Flutterwave production secret key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your key:\n\n- Sign in and go to <https://app.flutterwave.com/dashboard/home>\n- Select \"Settings\" on the left-hand menu\n- Select \"API Keys\" under \"Developers\" on the left-hand menu\n- Ensure \"Test mode\" is NOT activated\n- Select \"Generate secret key\" to rotate the public, secret, and encryption key\n\nFor more information, please see the [Flutterwave documentation on authentication](https://developer.flutterwave.com/docs/authentication)."
+tags = ['gitlab_blocking']
+keywords = ['FLWSECK-']
+
+[[rules]]
+id = 'FlutterwaveProdEncryptedKey'
+regex = '\bFLWSECK[a-h0-9]{12}\b'
+description = "A Flutterwave encryption key was identified. This key is only used with the [direct charge endpoint](https://developer.flutterwave.com/docs/direct-card-charge).\nThis key is used to encrypt payloads of card details prior to sending. More information can be found in\n[Flutterwave's encryption guide](https://developer.flutterwave.com/docs/encryption). A malicious\nactor with access to this key can potentially decrypt transactions which can include credit card information."
+title = 'Flutterwave production encrypted key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your key:\n\n- Sign in and go to <https://app.flutterwave.com/dashboard/home>\n- Select \"Settings\" on the left-hand menu\n- Select \"API Keys\" under \"Developers\" on the left-hand menu\n- Ensure \"Test mode\" is NOT activated\n- Select \"Generate secret key\" to rotate the public, secret, and encryption key\n\nFor more information, please see the [Flutterwave documentation on authentication](https://developer.flutterwave.com/docs/authentication)."
+tags = ['gitlab_blocking']
+keywords = ['FLWSECK']
+
 [[rules]]
 id = 'GCP OAuth client secret'
 regex = 'GOCSPX-[a-zA-Z0-9_-]{28}'
@@ -424,13 +478,22 @@ tags = ['gitlab', 'gitlab_blocking', 'client_side_sd']
 keywords = ['glimt']
 
 [[rules]]
-id = 'Grafana API token'
-regex = "['\\\"]eyJrIjoi[a-zA-Z0-9-_=]{72,92}['\\\"]"
-description = 'Grafana API token'
-title = 'Grafana API token'
-remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
+id = 'GrafanaCloudAccessPolicyToken'
+regex = '\bglc_eyJvIjoi[0-9A-Za-z]{120,140}\b'
+description = "A Grafana cloud access policy token was identified. Cloud access policy tokens are used for managing the stacks in\nGrafana. Any tokens defined in the Grafana Administration settings are limited to that Grafana's stack. Depending on the\nassigned scope, a malicious actor with access to this token can read or write metrics, logs, traces, alerts, rules, and\naccess policies."
+title = 'Grafana cloud access policy token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an access policy token:\n\n- Sign in to your Grafana instance and select \"Administration\" on the left-hand menu\n- Under \"User and access\" select \"Cloud access policies\"\n- Find the token that was identified and select the trash icon.\n\nFor more information, please see [Grafana's documentation on cloud access policies](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/)."
 tags = ['gitlab_blocking']
-keywords = ['eyJrIjoi']
+keywords = ['glc_eyJvIjoi']
+
+[[rules]]
+id = 'GrafanaServiceAccountToken'
+regex = '\bglsa_[a-zA-Z0-9]{32}_[0-9a-f]{8}\b'
+description = "A Grafana service account token was identified. A service account token is a generated random string that acts as an\nalternative to a password when authenticating with Grafana's HTTP API. When you create a service account, you can\nassociate one or more access tokens with it. You can use service access tokens the same way as API keys, for example to\naccess Grafana HTTP API programmatically. A malicious actor with access to this token can call the API with the\npermissions of the service account."
+title = 'Grafana service account token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a service account token:\n\n- Sign in to your Grafana instance and select \"Administration\" on the left-hand menu\n- Under \"User and access\" select \"Service accounts\"\n- Find the service account that uses the identified service account token\n- Select the service account name in the \"Account\" column of the service accounts table\n- Under the \"Tokens\" section of the service account, select the \"X\" to reveal the \"Delete\" option\n- Select \"Delete\"\n\nFor more information, please see [Grafana's documentation on service accounts](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/service-accounts/)."
+tags = ['gitlab_blocking']
+keywords = ['glsa_']
 
 [[rules]]
 id = 'Hashicorp Terraform user/org API token'
@@ -459,6 +522,15 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['hvs.']
 
+[[rules]]
+id = 'Heroku API Key'
+regex = '\bHRKU-[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\b'
+description = "A Heroku API key or application authorization token was identified. API keys and authorization tokens can be used to\nperform API calls on behalf of a user or account. A malicious actor with access to these tokens can access the Heroku\nAPI platform and all deployed applications."
+title = 'Heroku API key or application authorization token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate an API key for the identified user:\n\n- Sign in to your account and visit <https://dashboard.heroku.com/account>\n- Under the \"API Key\" section, select \"Regenerate API Key\"\n- When prompted, select \"Regenerate API Key\" in the \"Regenerate API Key\" dialog\n\nTo regenerate an application authorization token:\n\n- Sign in to your account and visit <https://dashboard.heroku.com/account/applications>\n- Under the \"Authorizations\" section, find the registered authorization that contains the identified token\n- Select the pencil icon\n- Select \"Regenerate token\"\n\nFor more information on API keys, see [their FAQ on generating API keys](https://help.heroku.com/PBGP6IDE/how-should-i-generate-an-api-key-that-allows-me-to-use-the-heroku-platform-api).\n\nHeroku does not have any documentation on application authorization tokens."
+tags = ['gitlab_blocking']
+keywords = ['HRKU-']
+
 [[rules]]
 id = 'HighnoteTestSecretKey'
 regex = '\bsk_test_[0-9A-Za-z_]{63,98}\b'
@@ -495,6 +567,15 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['hf_']
 
+[[rules]]
+id = 'IntercomAppAccessToken'
+regex = '\bdG9rO[0-9A-Za-z]{54}\b'
+description = "An Intercom application access token was identified. Application access tokens can be used to access the workspace's\ndata through the API. A malicious actor with access to this token can read or write conversations, read admin activity\nlogs, or read or write articles."
+title = 'Intercom application access token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nIt is not possible to rotate an access token. You must delete your application and recreate it.\n\nFor more information, please see [Intercom's documentation on access tokens](https://developers.intercom.com/docs/build-an-integration/learn-more/authentication#access-tokens)."
+tags = ['gitlab_blocking']
+keywords = ['dG9rO']
+
 [[rules]]
 id = 'ArtifactoryApiKey'
 regex = '\bAKCp[0-9A-Za-z/+]{69}\b'
@@ -621,6 +702,33 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['api_live']
 
+[[rules]]
+id = 'OpenAiProjectKey'
+regex = '\bsk-proj-[a-zA-Z0-9_-]{156}'
+description = "An OpenAI project API key was identified. A project key can be used for programmatic access to OpenAI's API. A malicious\nactor with access to this key can execute functionality on behalf of the user who created the key."
+title = 'OpenAI project key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke Open AI project API key:\n\n- Sign in to your OpenAI account and visit <https://platform.openai.com/settings/>\n- On the left-hand side menu, select \"API Keys\" under \"Project\"\n- Find the key that was identified, and select the red trash icon on the right-hand side.\n- When prompted, select \"Revoke key\" in the \"Revoke secret key\" dialog\n\nFor more information, please see [OpenAI's documentation on project API keys](https://platform.openai.com/docs/api-reference/project-api-keys)."
+tags = ['gitlab_blocking']
+keywords = ['sk-proj-']
+
+[[rules]]
+id = 'OpenAiServiceAccountKey'
+regex = '\bsk-svcacct-[a-zA-Z0-9_-]{120,190}'
+description = "An OpenAI service account key was identified. A service account key can be used for programmatic access to OpenAI's API.\nA malicious actor with access to this key can execute functionality on behalf of the user who created the key."
+title = 'OpenAI service account key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\n- Sign in to your OpenAI account and visit <https://platform.openai.com/settings/>\n- On the left-hand side menu, select \"API Keys\" under \"Organization\"\n- Find the key that was identified, and select the red trash icon on the right-hand side.\n- When prompted, select \"Revoke key\" in the \"Revoke secret key\" dialog\n\nFor more information, please see [OpenAI's documentation on project service accounts](https://platform.openai.com/docs/api-reference/project-service-accounts)."
+tags = ['gitlab_blocking']
+keywords = ['sk-svcacct-']
+
+[[rules]]
+id = 'OpenAiServiceAdminKey'
+regex = '\bsk-admin-[a-zA-Z0-9_-]{124}'
+description = "An OpenAI admin key was identified. Admin keys are for programmatic administration of your account. Admin keys grant\naccess to endpoints detailed in the [API Reference for Organizations](https://platform.openai.com/docs/api-reference/administration).\nA malicious actor with access to this key can take over the administration of the organization."
+title = 'OpenAI admin key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an OpenAI admin key:\n\n- Sign in to your OpenAI account and visit <https://platform.openai.com/settings/>\n- On the left-hand side menu, select \"Admin Keys\" under \"Organization\"\n- Find the key that was identified, and select the red trash icon in the right-hand side\n- When prompted, select \"Revoke key\" in the \"Revoke secret key\" dialog\n\nFor more information, please see [OpenAI's documentation on administration](https://platform.openai.com/docs/api-reference/administration)."
+tags = ['gitlab_blocking']
+keywords = ['sk-admin-']
+
 [[rules]]
 id = 'Planetscale password'
 regex = '\bpscale_pw_[a-zA-Z0-9]{43}\b'
@@ -666,6 +774,24 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['phx_']
 
+[[rules]]
+id = 'Postman API token'
+regex = '\bPMAK-[a-f0-9]{24}-[a-f0-9]{34}\b'
+description = "A Postman API token was identified. An API key provides access to any Postman data the account has permissions to.\nA malicious actor with access to this token can access all data stored in the Postman service that the user who created\nthe API key has access to."
+title = 'Postman API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate an API token:\n\n- Sign in to your Postman account at <https://www.postman.com/>\n- Select the profile picture in the top right-hand side, and select \"Settings\"\n- Select \"API keys\" in the left-hand menu\n- Find the key that was identified, and select the ellipsis next to the status column in the \"API keys\" section\n- Select \"Regenerate\"\n- When prompted, select \"Regenerate API Key\" in the \"Regenerate API key\" dialog\n\nFor more information, please see [Postman's documentation on API keys](https://learning.postman.com/docs/developer/postman-api/authentication/)."
+tags = ['gitlab_blocking']
+keywords = ['PMAK-']
+
+[[rules]]
+id = 'PostmanCollectionAccessKey'
+regex = '\bPMAT-[A-Z0-9]{26}\b'
+description = "A Postman collection access key was identified. Collection access keys allow read-only access to a single collection.\nA malicious actor with access to this token can read all data stored in the collection this key is associated with."
+title = 'Postman collection access key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo delete a collection access key:\n\n- Sign in to your Postman account at <https://www.postman.com/>\n- Select the profile picture in the top right-hand side, and select \"Settings\"\n- Select \"API keys\" in the left-hand menu\n- Find the key that was identified in the \"Collection access keys\" section\n- Select \"Delete\"\n\nFor more information, please see [Postman's documentation on generating collection access keys](https://learning.postman.com/docs/developer/postman-api/authentication/#generate-a-collection-access-key)."
+tags = ['gitlab_blocking']
+keywords = ['PMAT-']
+
 [[rules]]
 id = 'PyPI upload token'
 regex = 'pypi-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{50,1000}'
@@ -765,6 +891,15 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['shppa_']
 
+[[rules]]
+id = 'ShopifyPartnerAPIToken'
+regex = '\bprtapi_[a-f0-9]{32}\b'
+description = "A Shopify partner API token was identified. Partner API tokens can be restricted to only allowing access to the\nfollowing:\n\n- View financials: This permission is required to access Transaction resources. These resources represent all of the\n  transactions that impact your Partner earnings.\n- Manage apps: This permission is required to access App resources, including all app-related events such as installs,\n  uninstalls, and charges. This resource represents all of the public and private apps managed by your organization.\n- Manage themes: This permission is required to access the Theme resource. This resource represents all of the Shopify\n  themes managed by your organization.\n- Manage jobs: This permission is required to access Conversation and Job resources. These resources represent Experts\n  Marketplace conversations and jobs owned by your organization.\n\nA malicious actor with access to this token can access one or more of these functions."
+title = 'Shopify Partner API token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Shopify partner API token:\n\n- Sign in to your Shopify partner account and access <https://partners.shopify.com/>\n- In the left-hand menu, select \"Settings\"\n- Scroll down to \"Partner API clients\" and select \"Manage Partner API clients\"\n- Select the client that uses the identified token\n- Select \"Generate secondary token\"\n- Select the trash icon next to the identified token\n- When prompted, select \"Delete token\" in the \"Delete access token?\" dialog\n\nPlease see [Shopify's documentation for more details](https://shopify.dev/docs/api/partner#authentication)."
+tags = ['gitlab_blocking']
+keywords = ['prtapi_']
+
 [[rules]]
 id = 'Slack token'
 regex = 'xox[baprs]-([0-9a-zA-Z]{10,48})'
@@ -783,6 +918,24 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['xapp-1-']
 
+[[rules]]
+id = 'SlackAppConfigurationToken'
+regex = '\bxoxe\.xoxp-1-[A-Za-z0-9]{166}\b'
+description = "A Slack app configuration token was identified. Configuration tokens are per-workspace tokens used with App Manifest\nAPIs to create and configure your apps. A malicious actor with access to this token can take over configuration of all\napplications of the user who created it, however these tokens are rotated every 12 hours and give a malicious actor a\nlimited opportunity to use it."
+title = 'Slack app configuration token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Slack app configuration token:\n\n- Sign in to Slack and access <https://api.slack.com/apps>\n- Find the token in the \"Access Token\" column in the \"Your App Configuration Tokens\" table and select the trash icon in\n  the \"Delete\" column\n- When prompted, select \"Revoke Token\" in the \"Revoke this token?\" dialog\n\nFor more information, please see [Slack's documentation on managing configuration tokens](https://api.slack.com/reference/manifests#config-tokens)."
+tags = ['gitlab_blocking']
+keywords = ['xoxe.xoxp-1-']
+
+[[rules]]
+id = 'SlackAppConfigurationRefreshToken'
+regex = '\bxoxe-1-[A-Za-z0-9]{147}\b'
+description = "A Slack app configuration refresh token was identified. Configuration tokens are per-workspace tokens used with App\nManifest APIs to create and configure your apps. A malicious actor with access to this token can take over configuration\nof all applications of the user who created it. Refresh tokens are more dangerous than configuration tokens as they can\nbe used to create new configuration tokens, allowing a malicious actor perpetual access to all applications."
+title = 'Slack app configuration refresh token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Slack app configuration refresh token:\n\n- Sign in to Slack and access <https://api.slack.com/apps>\n- Find the token in the \"Refresh Token\" column in the \"Your App Configuration Tokens\" table and select the trash icon\n  in the \"Delete\" column\n- When prompted, select \"Revoke Token\" from the \"Revoke this token?\" dialog\n\nFor more information, please see [Slack's documentation on managing configuration tokens](https://api.slack.com/reference/manifests#config-tokens)."
+tags = ['gitlab_blocking']
+keywords = ['xoxe-1-']
+
 [[rules]]
 id = 'SonarQubeUserToken'
 regex = '\bsqu_[0-9a-f]{40}\b'
@@ -846,6 +999,33 @@ remediation = "For general guidance on handling security incidents with regards
 tags = ['gitlab_blocking']
 keywords = ['sk_live_']
 
+[[rules]]
+id = 'TailscalePersonalAuthKey'
+regex = '\btskey-auth-[A-Za-z0-9]{12}CNTRL-[A-Za-z0-9]{32,33}\b'
+description = "A Tailscale personal authentication key was identified. Pre-authentication keys (called auth keys) let you register new\nnodes without needing to sign in using a web browser. An auth key authenticates a device as the user who generated the\nkey. A malicious actor with access to this key can register nodes under the account that owns it."
+title = 'Tailscale personal authentication key'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Tailscale auth key:\n\n- Sign in to your Tailscale account and go to <https://login.tailscale.com/admin/settings/general>\n- On the \"Settings\" page in the left-hand menu select \"Keys\" under \"Personal Settings\"\n- Find the key that was identified in the \"Auth keys\" section and select the \"Revoke...\" text next to the \"Type\" column\n- When prompted, select \"Revoke key\" in the \"Revoke\" dialog\n\nFor more information, please see [Tailscale's documentation on personal auth keys](https://tailscale.com/kb/1085/auth-keys)."
+tags = ['gitlab_blocking']
+keywords = ['tskey-auth-']
+
+[[rules]]
+id = 'TailscaleApiAccessToken'
+regex = '\btskey-api-[A-Za-z0-9]{12}CNTRL-[A-Za-z0-9]{32,33}\b'
+description = "A Tailscale API access token was identified. API access tokens give full access to the Tailscaled API. A malicious actor\nwith access to this token can gain full access to the Tailscale networks."
+title = 'Tailscale API access token'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Tailscale API access token:\n\n- Sign in to your Tailscale account and go to <https://login.tailscale.com/admin/settings/general>\n- On the \"Settings\" page in the left-hand menu select \"Keys\" under \"Personal Settings\"\n- Find the key that was identified in the \"API access tokens\" section and select the \"Revoke...\" text next to the \"Type\"\n  column\n- When prompted, select \"Revoke key\" in the \"Revoke\" dialog\n\nFor more information, please see [Tailscale's documentation on their API](https://tailscale.com/kb/1101/api)"
+tags = ['gitlab_blocking']
+keywords = ['tskey-api-']
+
+[[rules]]
+id = 'TailscaleOauthClientSecret'
+regex = '\btskey-client-[a-zA-Z0-9]{17}-[a-zA-Z0-9]{30,36}\b'
+description = "A Tailscale OAuth client secret was identified. OAuth clients provide a framework for\ndelegated and scoped access to the Tailscale API. An OAuth client creates access tokens for scoped API\naccess. More details on [scopes can be found in Tailscale's documentation](https://tailscale.com/kb/1215/oauth-clients?q=OAuth#scopes).\nA malicious actor with access to this secret can access the API with the privileges the client was given."
+title = 'Tailscale OAuth client secret'
+remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Tailscale OAuth client secret:\n\n- Sign in to your Tailscale account and go to <https://login.tailscale.com/admin/settings/general>\n- On the \"Settings\" page in the left-hand menu select \"OAuth clients\"\n- Find the key that was identified and select the \"Revoke...\" text next to the \"Scopes\" column\n- When prompted, select \"Revoke OAuth client\" in the \"Revoke\" dialog\n\nFor more information, please see [Tailscale's documentation on OAuth clients](https://tailscale.com/kb/1215/oauth-clients)."
+tags = ['gitlab_blocking']
+keywords = ['tskey-client-']
+
 [[rules]]
 id = 'TencentCloudSecretID'
 regex = '\bAKID[0-9A-Za-z]{32}\b'

data/lib/gitlab/secret_detection/version.rb

@@ -5,7 +5,7 @@ module Gitlab
     class Gem
       # Ensure to maintain the same version in CHANGELOG file.
       # More details available under 'Release Process' section in the README.md file.
-      VERSION = "0.37.1"
+      VERSION = "0.38.0"
 
       # SD_ENV env var is used to determine which environment the
       # server is running. This var is defined in `.runway/env-<env>.yml` files.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-secret_detection
 version: !ruby/object:Gem::Version
-  version: 0.37.1
+  version: 0.38.0
 platform: ruby
 authors:
 - group::secret detection
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-10-31 00:00:00.000000000 Z
+date: 2025-11-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: grpc