@runsec/mcp 1.0.69 → 1.0.71

package/bin/engine-resolve.cjs

@@ -0,0 +1,49 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * Shared optional @runsec/engine-* resolution (runsec-mcp.cjs + binaryResolver must agree).
+ */
+const fs = require("node:fs");
+const path = require("node:path");
+const { createRequire } = require("node:module");
+
+const PKG_ROOT = path.join(__dirname, "..");
+
+function packageRequire() {
+  return createRequire(path.join(PKG_ROOT, "package.json"));
+}
+
+function binCandidates(engine) {
+  const pkg = `@runsec/engine-${engine}-${process.platform}-${process.arch}`;
+  const posixBin = path.posix.join("bin", engine);
+  if (process.platform === "win32") {
+    return [`${pkg}/${posixBin}.exe`, `${pkg}/${posixBin}`];
+  }
+  return [`${pkg}/${posixBin}`];
+}
+
+/** @returns {string | null} absolute path to binary */
+function resolveOptionalEngineBinary(engine) {
+  const req = packageRequire();
+  for (const candidate of binCandidates(engine)) {
+    try {
+      const resolved = req.resolve(candidate);
+      if (fs.existsSync(resolved) && fs.statSync(resolved).size >= 1024) {
+        return resolved;
+      }
+    } catch {
+      // try next candidate
+    }
+  }
+  return null;
+}
+
+function hasOptionalEngine(engine) {
+  return Boolean(resolveOptionalEngineBinary(engine));
+}
+
+module.exports = {
+  PKG_ROOT,
+  resolveOptionalEngineBinary,
+  hasOptionalEngine,
+};

package/dist/data/trufflehog-config.yaml

@@ -7,6 +7,14 @@
 # соответствующие детекторы сюда (те же regex/keywords, формат YAML).
 #
 # Usage: trufflehog git file:///path/to/repo --config=./trufflehog-custom-detectors.yaml --json
+#
+# Синхронизация: все детекторы из базового MOEX/gitleaks-списка присутствуют.
+# Дополнительно в этом файле (расширения репозитория):
+#   - ITS-002 Keycloak Client Secret Policy Violation
+#   - ITS-002 Vault Token Policy Violation
+# Для assignment-детекторов (key:=value) — exclude_regexes_match отсекает ${VAR}, $VAR, getenv и т.п.
+# PCI-DSS / SOC2: криптография, object storage, telemetry — см. секцию COMPLIANCE в конце файла.
+# OAuth Client ID удалён (публичный идентификатор, не секрет).
 
 detectors:
   # ============================================================================
@@ -39,6 +47,14 @@ detectors:
       - yandex-service-token
     regex:
       pattern: '(?i)(yandex[_-]?cloud[_-]?token|yc[_-]?iam[_-]?token|yandex[_-]?service[_-]?token)\s*[:=]\s*[''"]?[A-Za-z0-9_\-]{40,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: Yandex 360 API Token
     keywords:
@@ -46,6 +62,14 @@ detectors:
       - y360-api-token
     regex:
       pattern: '(?i)(yandex[_-]?360[_-]?token|y360[_-]?api[_-]?token)\s*[:=]\s*[''"]?[A-Za-z0-9_\-]{32,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: VK Cloud API Token
     keywords:
@@ -53,6 +77,14 @@ detectors:
       - vcloud-api-token
     regex:
       pattern: '(?i)(vk[_-]?cloud[_-]?token|vcloud[_-]?api[_-]?token)\s*[:=]\s*[''"]?[A-Za-z0-9_\-]{40,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: VK OAuth Token
     keywords:
@@ -60,6 +92,14 @@ detectors:
       - vk-access-token
     regex:
       pattern: '(?i)(vk[_-]?oauth[_-]?token|vk[_-]?access[_-]?token)\s*[:=]\s*[''"]?[A-Za-z0-9_\-]{20,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: SberCloud API Token
     keywords:
@@ -67,6 +107,14 @@ detectors:
       - sber-cloud-api-token
     regex:
       pattern: '(?i)(sbercloud[_-]?token|sber[_-]?cloud[_-]?api[_-]?token)\s*[:=]\s*[''"]?[A-Za-z0-9_\-]{40,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: 1C HTTP API Token
     keywords:
@@ -75,6 +123,14 @@ detectors:
       - 1c-basic-auth
     regex:
       pattern: '(?i)(1c[_-]?api[_-]?token|1c[_-]?http[_-]?auth|1c[_-]?basic[_-]?auth)\s*[:=]\s*[''"]?[A-Za-z0-9_\-+/=]{20,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: Bitrix24 REST Token
     keywords:
@@ -83,6 +139,14 @@ detectors:
       - bx24-token
     regex:
       pattern: '(?i)(bitrix24[_-]?token|bitrix[_-]?rest[_-]?token|bx24[_-]?token)\s*[:=]\s*[''"]?[A-Za-z0-9]{32,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   # ============================================================================
   # CREDENTIALS IN URL (BASIC AUTH)
@@ -123,12 +187,16 @@ detectors:
       - client_secret
     regex:
       pattern: '(?i)(client_secret)\s*[:=]\s*[''"]?[0-9A-Za-z\-._~]{16,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
-  - name: OAuth Client ID
-    keywords:
-      - client_id
-    regex:
-      pattern: '(?i)(client_id)\s*[:=]\s*[''"]?[0-9A-Za-z\-._~]{10,}[''"]?'
+  # OAuth Client ID — removed: public identifier, not a secret (PCI-DSS/SOC2 noise reduction).
 
   - name: OIDC Keycloak Client Secret
     keywords:
@@ -137,6 +205,14 @@ detectors:
       - KEYCLOAK_CLIENT_SECRET
     regex:
       pattern: '(?i)(oidc|oauth2|keycloak).*client[_-]?secret.*[:=]\s*[''"]?[0-9A-Za-z\-._~]{16,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: ITS-002 Keycloak Client Secret Policy Violation
     keywords:
@@ -145,6 +221,14 @@ detectors:
       - keycloak_client_secret
     regex:
       pattern: '(?i)(keycloak[_\.-]?client[_-]?secret|KEYCLOAK_CLIENT_SECRET)\s*[:=]\s*[''"]?[0-9A-Za-z\-._~]{12,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: Spring OAuth2 Client Secret
     keywords:
@@ -152,6 +236,14 @@ detectors:
       - client-secret
     regex:
       pattern: '(?i)spring\.security\.oauth2\.client\.registration\.[^.\s]+\.client-secret\s*=\s*[''"]?[0-9A-Za-z\-._~]{16,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   # ============================================================================
   # GITLAB / GITHUB TOKENS (Custom - keep for consistency)
@@ -193,6 +285,14 @@ detectors:
       - openvpn-key
     regex:
       pattern: '(?i)(vpn[_-]?user|vpn[_-]?login|vpn[_-]?password|vpn[_-]?cert|openvpn[_-]?key)\s*[:=]\s*[''"]?[A-Za-z0-9_\-+/=]{16,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: Proxy Credentials
     keywords:
@@ -202,6 +302,14 @@ detectors:
       - proxy-auth
     regex:
       pattern: '(?i)(proxy[_-]?user|proxy[_-]?login|proxy[_-]?password|proxy[_-]?auth)\s*[:=]\s*[''"]?[A-Za-z0-9_\-]{8,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: GitLab Runner Token
     keywords:
@@ -210,6 +318,14 @@ detectors:
       - runner-registration-token
     regex:
       pattern: '(?i)(gitlab[_-]?runner[_-]?token|ci[_-]?cd[_-]?token|runner[_-]?registration[_-]?token)\s*[:=]\s*[''"]?[A-Za-z0-9_\-]{20,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: Self-Hosted CI/CD Token
     keywords:
@@ -219,6 +335,14 @@ detectors:
       - self-hosted-ci-token
     regex:
       pattern: '(?i)(jenkins[_-]?token|teamcity[_-]?token|bamboo[_-]?token|self[_-]?hosted[_-]?ci[_-]?token)\s*[:=]\s*[''"]?[A-Za-z0-9_\-]{20,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   # ============================================================================
   # INFRASTRUCTURE (Vault, Atlassian, Grafana, Nexus/NPM, Elastic, 1C, Kafka)
@@ -239,6 +363,14 @@ detectors:
       - vault-token
     regex:
       pattern: '(?i)(vault[_-]?token|VAULT_TOKEN)\s*[:=]\s*[''"]?(hvs\.CAES[A-Za-z0-9_\-]+|hvc\.CAES[A-Za-z0-9_\-]+|s\.[A-Za-z0-9_\-]{8,})[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: Atlassian API Token
     keywords:
@@ -265,6 +397,14 @@ detectors:
       - registry.npmjs.org_auth
     regex:
       pattern: '(?i)(_authToken|_auth|registry\.npmjs\.org[_-]?auth)\s*=\s*[A-Za-z0-9_\-=]{20,}'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: Elasticsearch OpenSearch Auth
     keywords:
@@ -274,6 +414,14 @@ detectors:
       - elasticsearch.password
     regex:
       pattern: '(?i)(xpack\.security\.(user|password)|cloud\.auth|api_key|elasticsearch\.password)\s*[:=]\s*[''"]?[A-Za-z0-9_\-=]{16,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: 1C Base Connection String
     keywords:
@@ -290,6 +438,14 @@ detectors:
       - sasl.password
     regex:
       pattern: '(?i)(sasl\.(jaas\.config|username|password)|org\.apache\.kafka\.common\.security\.plain\.(username|password))\s*[:=]\s*[''"]?[^''"\s]{8,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: Generic Header API Key
     keywords:
@@ -298,6 +454,14 @@ detectors:
       - x-api-token
     regex:
       pattern: '(?i)(x-api-key|x-auth-token|x-api-token)\s*[:=]\s*[''"]?[0-9A-Za-z\-._~]{24,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   # ============================================================================
   # GENERIC TOKENS / API KEYS
@@ -323,6 +487,14 @@ detectors:
       - apikey
     regex:
       pattern: '(?i)(password|passwd|pwd|secret|key|token|salt|api_key|apikey)\s*[:=]\s*[''"][^''"]{8,}[''"]'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: Generic API Key
     keywords:
@@ -331,6 +503,14 @@ detectors:
       - apikey
     regex:
       pattern: '(?i)(api[_-]?key|apikey)\s*[:=]\s*[''"]?[0-9A-Za-z_\-]{32,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   - name: Generic Secret Token
     keywords:
@@ -339,6 +519,14 @@ detectors:
       - password
     regex:
       pattern: '(?i)(secret|token|password|passwd)\s*[:=]\s*[''"]?[0-9A-Za-z_\-]{40,}[''"]?'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
 
   # ============================================================================
   # PII (PERSONAL IDENTIFIABLE INFORMATION) - GDPR/COMPLIANCE
@@ -348,9 +536,20 @@ detectors:
     keywords:
       - email
       - e-mail
-      - mail
     regex:
-      pattern: '(?i)(email|e-mail|mail)\s*[:=]\s*[''"]?[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}[''"]?'
+      pattern: '(?i)(?:email|e-mail)\s*[:=]\s*[\x27"]?(?!.*@(example\.(com|org|net)|test\.|mock\.|localhost|invalid|\.test|\.example|noreply\.|no-reply\.|fixture\.|sample\.|dummy\.|placeholder\.))[a-z0-9._%+-]+@[a-z0-9][a-z0-9.-]*\.[a-z]{2,}[\x27"]?'
+    exclude_regexes_match:
+      - '@example\.(com|org|net)'
+      - '@test\.'
+      - '@mock\.'
+      - '@localhost'
+      - 'noreply@'
+      - 'no-reply@'
+      - 'fixture@'
+      - 'sample@'
+      - 'test@'
+      - 'user@example'
+      - '\$\{[^}]+\}'
 
   - name: PII Phone RU
     keywords:
@@ -405,3 +604,72 @@ detectors:
       - инн
     regex:
       pattern: '(?i)(inn|инн)\s*[:=]\s*[''"]?[0-9]{10,12}[''"]?'
+
+  # ============================================================================
+  # PCI-DSS / SOC2 COMPLIANCE (cryptography, storage, telemetry)
+  # ============================================================================
+
+  - name: Private Key (RSA/ECC)
+    keywords:
+      - "-----BEGIN"
+    regex:
+      pattern: '-----BEGIN (?:\w+ )?PRIVATE KEY-----'
+
+  - name: Cryptographic Salt or Encryption Key
+    keywords:
+      - aes_key
+      - encryption_key
+      - secret_salt
+    regex:
+      pattern: '(?i)(aes[_-]?key|encryption[_-]?key|secret[_-]?salt)\s*[:=]\s*[''"][A-Za-z0-9+/=]{32,}[''"]'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
+
+  - name: AWS S3 / MinIO Access Key ID
+    keywords:
+      - AKIA
+      - MINIO_ROOT_USER
+    regex:
+      pattern: '(^|[^A-Z0-9])[A-Z0-9]{20}($|[^A-Z0-9])'
+
+  - name: AWS S3 / MinIO Secret Access Key
+    keywords:
+      - aws_secret
+      - minio_root_password
+    regex:
+      pattern: '(^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}($|[^A-Za-z0-9/+=])'
+
+  - name: Sentry Authentication Token
+    keywords:
+      - sentry
+    regex:
+      pattern: '\b[0-9a-fA-F]{64}\b'
+
+  - name: Redis Password
+    keywords:
+      - redis_password
+      - redis_pass
+    regex:
+      pattern: '(?i)(redis[_-]?(password|pass|pwd))\s*[:=]\s*[\x27"][^\x27"\s]{8,}[\x27"]'
+    exclude_regexes_match:
+      - '\$\{[^}]+\}'
+      - '\$[A-Z_][A-Z0-9_]*'
+      - '%\([^)]+\)s'
+      - 'process\.env\.'
+      - 'os\.getenv\('
+      - 'getenv\('
+      - 'environ\['
+
+  - name: Payment Gateway Secret Key (Yookassa/Stripe)
+    keywords:
+      - yoomoney
+      - sk_live_
+      - cloudpayments
+    regex:
+      pattern: '(?i)(sk_live_[0-9a-zA-Z]{24}|live_[0-9a-zA-Z]{32,})'