agent-security-scanner-mcp 3.0.0 → 3.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +451 -739
- package/analyzer.py +51 -7
- package/index.js +42 -2697
- package/package.json +7 -6
- package/regex_fallback.py +66 -0
- package/rules/__init__.py +124 -36
- package/rules/generic/secrets/gitleaks/adafruit-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/adobe-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/adobe-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/age-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/airtable-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/algolia-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/alibaba-access-key-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/alibaba-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/asana-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/asana-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/atlassian-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/authress-service-client-access-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/aws-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/beamer-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/bitbucket-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/bitbucket-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/bittrex-access-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/bittrex-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/clojars-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/cloudflare-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/cloudflare-global-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/cloudflare-origin-ca-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/codecov-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/coinbase-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/confluent-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/confluent-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/contentful-delivery-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/databricks-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/datadog-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/defined-networking-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/digitalocean-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/digitalocean-pat.yaml +27 -0
- package/rules/generic/secrets/gitleaks/digitalocean-refresh-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/discord-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/discord-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/discord-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/doppler-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/droneci-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/dropbox-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/dropbox-long-lived-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/dropbox-short-lived-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/duffel-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/dynatrace-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/easypost-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/easypost-test-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/etsy-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/facebook-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/facebook-page-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/facebook-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/facebook.yaml +27 -0
- package/rules/generic/secrets/gitleaks/fastly-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/finicity-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/finicity-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/finnhub-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/flickr-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/flutterwave-encryption-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/flutterwave-public-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/flutterwave-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/frameio-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/freshbooks-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gcp-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/generic-api-key.yaml +76 -0
- package/rules/generic/secrets/gitleaks/github-app-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/github-fine-grained-pat.yaml +27 -0
- package/rules/generic/secrets/gitleaks/github-oauth.yaml +27 -0
- package/rules/generic/secrets/gitleaks/github-pat.yaml +27 -0
- package/rules/generic/secrets/gitleaks/github-refresh-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gitlab-pat.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gitlab-ptt.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gitlab-rrt.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gitter-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gocardless-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/grafana-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/grafana-cloud-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/grafana-service-account-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/harness-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/hashicorp-tf-password.yaml +31 -0
- package/rules/generic/secrets/gitleaks/heroku-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/hubspot-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/huggingface-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/huggingface-organization-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/infracost-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/intercom-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/intra42-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/jfrog-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/jfrog-identity-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/jwt-base64.yaml +27 -0
- package/rules/generic/secrets/gitleaks/jwt.yaml +27 -0
- package/rules/generic/secrets/gitleaks/kraken-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/kucoin-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/kucoin-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/launchdarkly-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/linear-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/linear-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/linkedin-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/linkedin-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/lob-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/lob-pub-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mailchimp-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mailgun-private-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mailgun-pub-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mailgun-signing-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mapbox-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mattermost-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/messagebird-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/messagebird-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/microsoft-teams-webhook.yaml +27 -0
- package/rules/generic/secrets/gitleaks/netlify-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/new-relic-browser-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/new-relic-insert-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/new-relic-user-api-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/new-relic-user-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/npm-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/nytimes-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/okta-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/openai-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/plaid-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/plaid-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/plaid-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/planetscale-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/planetscale-oauth-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/planetscale-password.yaml +27 -0
- package/rules/generic/secrets/gitleaks/postman-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/prefect-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/private-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/pulumi-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/pypi-upload-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/rapidapi-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/readme-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/rubygems-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/scalingo-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sendbird-access-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sendbird-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sendgrid-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sendinblue-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sentry-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shippo-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shopify-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shopify-custom-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shopify-private-app-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shopify-shared-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sidekiq-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-app-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-bot-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-config-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-config-refresh-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-legacy-bot-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-legacy-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-legacy-workspace-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-user-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-webhook-url.yaml +27 -0
- package/rules/generic/secrets/gitleaks/snyk-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/square-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/squarespace-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/stripe-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sumologic-access-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sumologic-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/telegram-bot-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/travisci-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twilio-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitch-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-access-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-api-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-bearer-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/typeform-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/vault-batch-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/vault-service-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/yandex-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/yandex-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/yandex-aws-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/zendesk-secret-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-amazon-mws-auth-token.yaml +26 -0
- package/rules/generic/secrets/security/detected-artifactory-password.yaml +47 -0
- package/rules/generic/secrets/security/detected-artifactory-token.yaml +44 -0
- package/rules/generic/secrets/security/detected-aws-access-key-id-value.yaml +29 -0
- package/rules/generic/secrets/security/detected-aws-account-id.yaml +58 -0
- package/rules/generic/secrets/security/detected-aws-appsync-graphql-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-aws-secret-access-key.yaml +30 -0
- package/rules/generic/secrets/security/detected-aws-session-token.yaml +31 -0
- package/rules/generic/secrets/security/detected-bcrypt-hash.yaml +25 -0
- package/rules/generic/secrets/security/detected-codeclimate.yaml +27 -0
- package/rules/generic/secrets/security/detected-etc-shadow.yaml +27 -0
- package/rules/generic/secrets/security/detected-facebook-access-token.yaml +29 -0
- package/rules/generic/secrets/security/detected-facebook-oauth.yaml +27 -0
- package/rules/generic/secrets/security/detected-generic-api-key.yaml +29 -0
- package/rules/generic/secrets/security/detected-generic-secret.yaml +30 -0
- package/rules/generic/secrets/security/detected-github-token.yaml +47 -0
- package/rules/generic/secrets/security/detected-google-api-key.yaml +29 -0
- package/rules/generic/secrets/security/detected-google-cloud-api-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-google-gcm-service-account.yaml +27 -0
- package/rules/generic/secrets/security/detected-google-oauth-access-token.yaml +26 -0
- package/rules/generic/secrets/security/detected-google-oauth.yaml +26 -0
- package/rules/generic/secrets/security/detected-heroku-api-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-hockeyapp.yaml +27 -0
- package/rules/generic/secrets/security/detected-jwt-token.yaml +25 -0
- package/rules/generic/secrets/security/detected-kolide-api-key.yaml +25 -0
- package/rules/generic/secrets/security/detected-mailchimp-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-mailgun-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-npm-registry-auth-token.yaml +33 -0
- package/rules/generic/secrets/security/detected-onfido-live-api-token.yaml +20 -0
- package/rules/generic/secrets/security/detected-outlook-team.yaml +27 -0
- package/rules/generic/secrets/security/detected-paypal-braintree-access-token.yaml +27 -0
- package/rules/generic/secrets/security/detected-pgp-private-key-block.yaml +28 -0
- package/rules/generic/secrets/security/detected-picatic-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-private-key.yaml +39 -0
- package/rules/generic/secrets/security/detected-sauce-token.yaml +27 -0
- package/rules/generic/secrets/security/detected-sendgrid-api-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-slack-token.yaml +28 -0
- package/rules/generic/secrets/security/detected-slack-webhook.yaml +27 -0
- package/rules/generic/secrets/security/detected-snyk-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-softlayer-api-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-sonarqube-docs-api-key.yaml +40 -0
- package/rules/generic/secrets/security/detected-square-access-token.yaml +26 -0
- package/rules/generic/secrets/security/detected-square-oauth-secret.yaml +27 -0
- package/rules/generic/secrets/security/detected-ssh-password.yaml +27 -0
- package/rules/generic/secrets/security/detected-stripe-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-stripe-restricted-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-telegram-bot-api-key.yaml +30 -0
- package/rules/generic/secrets/security/detected-twilio-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-username-and-password-in-uri.yaml +35 -0
- package/rules/generic/secrets/security/google-maps-apikeyleak.yaml +25 -0
- package/rules/prompt-injection.security.yaml +4 -0
- package/rules/python/flask/security/injection/flask-injection-sinks.yaml +352 -0
- package/src/analyzer.py +119 -0
- package/src/cli/demo.js +238 -0
- package/src/cli/doctor.js +273 -0
- package/src/cli/init.js +288 -0
- package/src/fix-patterns.js +698 -0
- package/src/tools/check-package.js +169 -0
- package/src/tools/fix-security.js +115 -0
- package/src/tools/scan-packages.js +154 -0
- package/src/tools/scan-prompt.js +570 -0
- package/src/tools/scan-security.js +117 -0
- package/src/utils.js +153 -0
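--- a/package/rules/generic/secrets/security/detected-generic-api-key.yaml
+++ b/package/rules/generic/secrets/security/detected-generic-api-key.yaml
@@ -0,0 +1,29 @@
+rules:
+- id: detected-generic-api-key
+patterns:
+- pattern-regex: "[aA][pP][iI]_?[kK][eE][yY][=_:\\s-]+['|\"]?(?<SECRET>[0-9a-zA-Z]{32,45})['|\"]?"
+- metavariable-analysis:
+analyzer: entropy
+metavariable: $SECRET
+languages: [regex]
+message: Generic API Key detected
+severity: ERROR
+metadata:
+source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+category: security
+technology:
+- secrets
+confidence: LOW
+references:
+- https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+cwe:
+- 'CWE-798: Use of Hard-coded Credentials'
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM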
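Review bot: The optional quote delimiter `['|\"]?` on the pattern-regex line is a character class, so the `|` inside it is a literal pipe and not an alternation; the class therefore also accepts a pipe as the "quote" around the secret, and the same class is copied into detected-generic-secret. `['\"]?` expresses the intent; detection is unaffected, but the stray `|` reads as a bug to the next maintainer. Note that this rule uses a double-quoted YAML scalar, so `\\s` reaches the engine as `\s`, whereas the block-scalar rules in this change pass backslashes through unchanged.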
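--- a/package/rules/generic/secrets/security/detected-generic-secret.yaml
+++ b/package/rules/generic/secrets/security/detected-generic-secret.yaml
@@ -0,0 +1,30 @@
+rules:
+- id: detected-generic-secret
+patterns:
+- pattern-regex: |-
+[sS][eE][cC][rR][eE][tT][:= \t]*['|\"]?(?<SECRET>[0-9a-zA-Z]{32,45})['|\"]?
+- metavariable-analysis:
+analyzer: entropy
+metavariable: $SECRET
+languages: [regex]
+message: Generic Secret detected
+severity: ERROR
+metadata:
+cwe:
+- 'CWE-798: Use of Hard-coded Credentials'
+source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+category: security
+technology:
+- secrets
+confidence: LOW
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM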
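--- a/package/rules/generic/secrets/security/detected-github-token.yaml
+++ b/package/rules/generic/secrets/security/detected-github-token.yaml
@@ -0,0 +1,47 @@
+rules:
+- id: detected-github-token
+patterns:
+- pattern-either:
+- pattern: |
+$VAR = $SECRET
+- pattern: |
+$VAR: $SECRET
+- pattern: |
+$VAR = '$SECRET'
+- pattern: |
+$VAR: '$SECRET'
+- pattern: |
+'$VAR' = '$SECRET'
+- pattern: |
+'$VAR': '$SECRET'
+- pattern: |
+"[hH][tT][tT][pP][sS]?://.*$SECRET.*"
+- metavariable-regex:
+metavariable: $SECRET
+regex: gh[pousr]_[A-Za-z0-9_]{36,251}
+- metavariable-analysis:
+analyzer: entropy
+metavariable: $SECRET
+languages: [generic]
+message: GitHub Token detected
+severity: ERROR
+metadata:
+cwe:
+- 'CWE-798: Use of Hard-coded Credentials'
+source-rule-url: https://github.blog/changelog/2021-03-04-authentication-token-format-updates/
+category: security
+technology:
+- secrets
+- github
+confidence: LOW
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM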
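Review bot: This rule is `languages: [generic]` and is built from `pattern:` and `metavariable-regex:` clauses with no `pattern-regex`, so only semgrep's generic matcher can evaluate it. The same version adds `package/regex_fallback.py` (not in view); if that fallback is what runs when semgrep is unavailable, a rule with no regex clause would presumably produce no findings rather than an error, which silently removes GitHub-token coverage. detected-npm-registry-auth-token is also `[generic]` and has the same dependency. Having the rule loader report rules it cannot evaluate, or stating it in the file, e.g. `# requires semgrep generic mode; not evaluable by the regex fallback`, would make the gap visible.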
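--- a/package/rules/generic/secrets/security/detected-google-api-key.yaml
+++ b/package/rules/generic/secrets/security/detected-google-api-key.yaml
@@ -0,0 +1,29 @@
+rules:
+- id: detected-google-api-key
+patterns:
+- pattern-regex: \bAIzaSy[0-9A-Za-z-_]{33}\b
+- pattern-not-regex: \bAIzaSy[0-9A-Za-z-_]{33}\b[=]
+languages:
+- regex
+message: Google API Key Detected
+severity: ERROR
+metadata:
+cwe:
+- 'CWE-798: Use of Hard-coded Credentials'
+source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+category: security
+technology:
+- secrets
+- google
+confidence: LOW
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM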
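--- a/package/rules/generic/secrets/security/detected-google-cloud-api-key.yaml
+++ b/package/rules/generic/secrets/security/detected-google-cloud-api-key.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: detected-google-cloud-api-key
+pattern-regex: |-
+AIza[0-9A-Za-z\\-_]{35}
+languages: [regex]
+message: Google Cloud API Key detected
+severity: ERROR
+metadata:
+cwe:
+- 'CWE-798: Use of Hard-coded Credentials'
+source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
+category: security
+technology:
+- secrets
+- google-cloud
+confidence: LOW
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM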
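Review bot: The `|-` block scalar passes backslashes through unchanged, so the engine receives `[0-9A-Za-z\\-_]`: an escaped backslash followed by a range from `\` to `_`, which admits `\`, `]`, `^` and `_` but not a literal hyphen, so keys containing `-` are missed by this rule (they are still caught by detected-google-api-key, whose class is `[0-9A-Za-z-_]`). The double escape was needed in the upstream Go/JSON source, not in YAML: `AIza[0-9A-Za-z\-_]{35}`. detected-hockeyapp carries the same double escaping in its optional delimiter group, where the first alternative `\\\"` matches a backslash-quote pair rather than a bare double quote; it is harmless there only because the preceding `.{0,50}` already absorbs any delimiter.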
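--- a/package/rules/generic/secrets/security/detected-google-gcm-service-account.yaml
+++ b/package/rules/generic/secrets/security/detected-google-gcm-service-account.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: detected-google-gcm-service-account
+pattern-regex: |-
+(("|'|`)?type("|'|`)?\s{0,50}(:|=>|=)\s{0,50}("|'|`)?service_account("|'|`)?,?)
+languages: [regex]
+message: Google (GCM) Service account detected
+severity: ERROR
+metadata:
+cwe:
+- 'CWE-798: Use of Hard-coded Credentials'
+source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
+category: security
+technology:
+- secrets
+- google-cloud
+confidence: LOW
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM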
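--- a/package/rules/generic/secrets/security/detected-google-oauth-access-token.yaml
+++ b/package/rules/generic/secrets/security/detected-google-oauth-access-token.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: detected-google-oauth-access-token
+pattern-regex: ya29\.[0-9A-Za-z\-_]+
+languages: [regex]
+message: Google OAuth Access Token detected
+severity: ERROR
+metadata:
+cwe:
+- 'CWE-798: Use of Hard-coded Credentials'
+source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+category: security
+technology:
+- secrets
+- google
+confidence: LOW
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM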
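--- a/package/rules/generic/secrets/security/detected-google-oauth.yaml
+++ b/package/rules/generic/secrets/security/detected-google-oauth.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: detected-google-oauth-url
+pattern-regex: '[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com'
+languages: [regex]
+message: Google OAuth url detected
+severity: ERROR
+metadata:
+cwe:
+- 'CWE-798: Use of Hard-coded Credentials'
+source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+category: security
+technology:
+- secrets
+- google
+confidence: LOW
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM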
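Review bot: The value this pattern-regex matches, `<digits>-<32 chars>.apps.googleusercontent.com`, is a Google OAuth client ID, which is sent to browsers and mobile apps by design; reporting it at `severity: ERROR` under CWE-798 as a hard-coded credential will flag every legitimate OAuth client configuration while the client secret, the value that actually matters, is not covered by this file. If the rule stays, `severity: WARNING` and a message that names it as an identifier, e.g. `message: Google OAuth client ID detected (public identifier; check for an adjacent client secret)`, keep the signal without the noise. The rule id `detected-google-oauth-url` also does not match the file name `detected-google-oauth.yaml`, which may matter if the loader derives ids from paths.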
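--- a/package/rules/generic/secrets/security/detected-heroku-api-key.yaml
+++ b/package/rules/generic/secrets/security/detected-heroku-api-key.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: detected-heroku-api-key
+pattern-regex: |-
+[hH][eE][rR][oO][kK][uU].*[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}
+languages: [regex]
+message: Heroku API Key detected
+severity: ERROR
+metadata:
+cwe:
+- 'CWE-798: Use of Hard-coded Credentials'
+source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+category: security
+technology:
+- secrets
+- heroku
+confidence: LOW
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM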
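--- a/package/rules/generic/secrets/security/detected-hockeyapp.yaml
+++ b/package/rules/generic/secrets/security/detected-hockeyapp.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: detected-hockeyapp
+pattern-regex: |-
+(?i)hockey.{0,50}(\\\"|'|`)?[0-9a-f]{32}(\\\"|'|`)?
+languages: [regex]
+message: HockeyApp detected
+severity: ERROR
+metadata:
+cwe:
+- 'CWE-798: Use of Hard-coded Credentials'
+source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
+category: security
+technology:
+- secrets
+- hockeyapp
+confidence: LOW
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM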
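--- a/package/rules/generic/secrets/security/detected-jwt-token.yaml
+++ b/package/rules/generic/secrets/security/detected-jwt-token.yaml
@@ -0,0 +1,25 @@
+rules:
+- id: detected-jwt-token
+pattern-regex: |-
+eyJ[A-Za-z0-9-_=]{14,}\.[A-Za-z0-9-_=]{13,}\.?[A-Za-z0-9-_.+/=]*?
+languages: [regex]
+message: JWT token detected
+severity: ERROR
+metadata:
+source-rule-url: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/jwt.py
+category: security
+technology:
+- secrets
+- jwt
+confidence: LOW
+references:
+- https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
+cwe:
+- 'CWE-321: Use of Hard-coded Cryptographic Key'
+owasp:
+- A02:2021 - Cryptographic Failures
+- A04:2025 - Cryptographic Failures
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM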
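Review bot: The trailing `[A-Za-z0-9-_.+/=]*?` on the pattern-regex line is a lazy quantifier at the very end of the pattern, so it always matches the empty string and the signature segment is never part of the reported match; `\.?[A-Za-z0-9-_.+/=]*` yields the same detections with the full token range, which matters if a consumer redacts or fingerprints the matched span. The metadata maps this rule to CWE-321 (hard-coded cryptographic key) and the A02/A04 cryptographic categories, while every sibling rule in this change uses CWE-798 and A07; a JWT is a bearer credential, so `- 'CWE-798: Use of Hard-coded Credentials'` is the consistent choice unless the cryptographic mapping is intentional.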
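--- a/package/rules/generic/secrets/security/detected-kolide-api-key.yaml
+++ b/package/rules/generic/secrets/security/detected-kolide-api-key.yaml
@@ -0,0 +1,25 @@
+rules:
+- id: detected-kolide-api-key
+pattern-regex: k2sk_v[0-9]_[0-9a-zA-Z]{24}
+languages: [regex]
+message: Kolide API Key detected
+severity: ERROR
+metadata:
+cwe:
+- 'CWE-798: Use of Hard-coded Credentials'
+category: security
+technology:
+- secrets
+- kolide
+confidence: LOW
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM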
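--- a/package/rules/generic/secrets/security/detected-mailchimp-api-key.yaml
+++ b/package/rules/generic/secrets/security/detected-mailchimp-api-key.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: detected-mailchimp-api-key
+pattern-regex: '[0-9a-f]{32}-us[0-9]{1,2}'
+languages: [regex]
+message: MailChimp API Key detected
+severity: ERROR
+metadata:
+source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+category: security
+cwe:
+- 'CWE-798: Use of Hard-coded Credentials'
+technology:
+- secrets
+- mailchimp
+confidence: LOW
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM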
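--- a/package/rules/generic/secrets/security/detected-mailgun-api-key.yaml
+++ b/package/rules/generic/secrets/security/detected-mailgun-api-key.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: detected-mailgun-api-key
+pattern-regex: key-[0-9a-zA-Z]{32}
+languages: [regex]
+message: Mailgun API Key detected
+severity: ERROR
+metadata:
+cwe:
+- 'CWE-798: Use of Hard-coded Credentials'
+source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+category: security
+technology:
+- secrets
+- mailgun
+confidence: LOW
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM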
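Review bot: `key-[0-9a-zA-Z]{32}` on the pattern-regex line has no anchors, so any identifier or path containing `key-` followed by 32 alphanumerics (a cache key, a hashed asset name, a longer unrelated token) matches on its first 32 characters. Bounding it, `pattern-regex: \bkey-[0-9a-zA-Z]{32}\b`, keeps real Mailgun keys and removes the cheapest false positives; detected-mailchimp's `[0-9a-f]{32}-us[0-9]{1,2}` has the same unanchored shape and would benefit from the same `\b` pair.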
@@ -0,0 +1,33 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: detected-npm-registry-auth-token
|
|
3
|
+
patterns:
|
|
4
|
+
- pattern: $AUTHTOKEN = $VALUE
|
|
5
|
+
- metavariable-regex:
|
|
6
|
+
metavariable: $AUTHTOKEN
|
|
7
|
+
regex: _(authToken|auth|password)
|
|
8
|
+
- pattern-not: $AUTHTOKEN = ${...}
|
|
9
|
+
languages: [generic]
|
|
10
|
+
message: NPM registry authentication token detected
|
|
11
|
+
paths:
|
|
12
|
+
include:
|
|
13
|
+
- '*npmrc*'
|
|
14
|
+
severity: ERROR
|
|
15
|
+
metadata:
|
|
16
|
+
cwe:
|
|
17
|
+
- 'CWE-798: Use of Hard-coded Credentials'
|
|
18
|
+
category: security
|
|
19
|
+
technology:
|
|
20
|
+
- secrets
|
|
21
|
+
- npm
|
|
22
|
+
confidence: LOW
|
|
23
|
+
owasp:
|
|
24
|
+
- A07:2021 - Identification and Authentication Failures
|
|
25
|
+
- A07:2025 - Authentication Failures
|
|
26
|
+
references:
|
|
27
|
+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
|
|
28
|
+
cwe2022-top25: true
|
|
29
|
+
cwe2021-top25: true
|
|
30
|
+
subcategory:
|
|
31
|
+
- audit
|
|
32
|
+
likelihood: LOW
|
|
33
|
+
impact: MEDIUM
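Review bot: The `paths.include: '*npmrc*'` filter on lines 11–13 means a hard-coded `_authToken`/`_auth`/`password` is only reported inside npmrc-named files, so the same token pasted into `.yarnrc`, `.yarnrc.yml` (`npmAuthToken:`), a Dockerfile or a CI config is missed. Current npm tokens appear to have a recognisable shape (`npm_` followed by 36 alphanumerics), so a companion rule without the path filter, e.g. `pattern-regex: \bnpm_[A-Za-z0-9]{36}\b`, would catch them anywhere while this rule keeps covering the legacy `_auth` base64 form. The `pattern-not: $AUTHTOKEN = ${...}` exclusion for environment-variable interpolation is the right call and should stay.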
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: detected-onfido-live-api-token
|
|
3
|
+
pattern-regex: (?:api_live(?:_[a-zA-Z]{2})?\.[a-zA-Z0-9-_]{11}\.[-_a-zA-Z0-9]{32})
|
|
4
|
+
languages: [regex]
|
|
5
|
+
message: Onfido live API Token detected
|
|
6
|
+
severity: ERROR
|
|
7
|
+
metadata:
|
|
8
|
+
cwe:
|
|
9
|
+
- 'CWE-798: Use of Hard-coded Credentials'
|
|
10
|
+
category: security
|
|
11
|
+
technology:
|
|
12
|
+
- secrets
|
|
13
|
+
- onfido
|
|
14
|
+
confidence: HIGH
|
|
15
|
+
references:
|
|
16
|
+
- https://documentation.onfido.com/api/latest/#api-tokens
|
|
17
|
+
subcategory:
|
|
18
|
+
- audit
|
|
19
|
+
likelihood: HIGH
|
|
20
|
+
impact: HIGH
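Review bot: This rule's `metadata` block (lines 7–20) omits the `owasp`, `cwe2022-top25` and `cwe2021-top25` fields that every other secret rule visible in this change carries, so any consumer that groups or filters findings by those keys will silently drop Onfido hits. Add `owasp: [A07:2021 - Identification and Authentication Failures, A07:2025 - Authentication Failures]` plus the two `cwe…-top25: true` flags next to the existing `references` entry; the CWE-798 mapping is the same as for the siblings. The regex itself looks right, though `[a-zA-Z0-9-_]` on line 3 relies on the engine treating a hyphen after a range as literal — writing it `[a-zA-Z0-9_-]` like the second class removes that dependency.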
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: detected-outlook-team
|
|
3
|
+
pattern-regex: |-
|
|
4
|
+
https://outlook\.office\.com/webhook/[0-9a-f-]{36}
|
|
5
|
+
languages: [regex]
|
|
6
|
+
message: Outlook Team detected
|
|
7
|
+
severity: ERROR
|
|
8
|
+
metadata:
|
|
9
|
+
cwe:
|
|
10
|
+
- 'CWE-798: Use of Hard-coded Credentials'
|
|
11
|
+
source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
|
|
12
|
+
category: security
|
|
13
|
+
technology:
|
|
14
|
+
- secrets
|
|
15
|
+
- outlook
|
|
16
|
+
confidence: LOW
|
|
17
|
+
owasp:
|
|
18
|
+
- A07:2021 - Identification and Authentication Failures
|
|
19
|
+
- A07:2025 - Authentication Failures
|
|
20
|
+
references:
|
|
21
|
+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
|
|
22
|
+
cwe2022-top25: true
|
|
23
|
+
cwe2021-top25: true
|
|
24
|
+
subcategory:
|
|
25
|
+
- audit
|
|
26
|
+
likelihood: LOW
|
|
27
|
+
impact: MEDIUM
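Review bot: The regex on line 4 only recognises the legacy `outlook.office.com/webhook/<guid>` form; Office 365 / Teams incoming webhooks are, as far as I can tell, now issued under `https://<tenant>.webhook.office.com/webhookb2/<guid>@<guid>/IncomingWebhook/<id>/<guid>`, so current webhook URLs are not flagged at all. Extending the pattern to both hosts, e.g. `https://([a-z0-9-]+\.webhook\.office\.com/webhookb2|outlook\.office\.com/webhook)/[0-9a-f-]{36}`, keeps the old matches and covers the new form. `message: Outlook Team detected` is also not actionable; something like `Office 365 / Microsoft Teams incoming webhook URL detected — anyone holding it can post to the channel` tells the reader what leaked and why it matters.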
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: detected-paypal-braintree-access-token
|
|
3
|
+
pattern-regex: access_token\$production\$[0-9a-z]{16}\$[0-9a-z]{32}
|
|
4
|
+
languages: [regex]
|
|
5
|
+
message: PayPal Braintree Access Token detected
|
|
6
|
+
severity: ERROR
|
|
7
|
+
metadata:
|
|
8
|
+
cwe:
|
|
9
|
+
- 'CWE-798: Use of Hard-coded Credentials'
|
|
10
|
+
source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
|
|
11
|
+
category: security
|
|
12
|
+
technology:
|
|
13
|
+
- secrets
|
|
14
|
+
- paypal
|
|
15
|
+
- braintree
|
|
16
|
+
confidence: LOW
|
|
17
|
+
owasp:
|
|
18
|
+
- A07:2021 - Identification and Authentication Failures
|
|
19
|
+
- A07:2025 - Authentication Failures
|
|
20
|
+
references:
|
|
21
|
+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
|
|
22
|
+
cwe2022-top25: true
|
|
23
|
+
cwe2021-top25: true
|
|
24
|
+
subcategory:
|
|
25
|
+
- audit
|
|
26
|
+
likelihood: LOW
|
|
27
|
+
impact: MEDIUM
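Review bot: `confidence: LOW` / `likelihood: LOW` on lines 16 and 26 undersell this pattern: the literal `access_token$production$` prefix on line 3 is as specific a fingerprint as the Onfido rule that this change rates `confidence: HIGH`, and a production Braintree access token gives payment-API access, so `impact: MEDIUM` also looks low. If these ratings drive ordering or filtering in the scanner, mark this rule `confidence: HIGH` and `impact: HIGH` while keeping the ERROR severity. A trailing `\b` after the final `[0-9a-z]{32}` would additionally stop it matching inside longer strings.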
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: detected-pgp-private-key-block
|
|
3
|
+
pattern-regex: '-----BEGIN PGP PRIVATE KEY BLOCK-----'
|
|
4
|
+
languages: [regex]
|
|
5
|
+
message: >-
|
|
6
|
+
Something that looks like a PGP private key block is detected. This is a potential
|
|
7
|
+
hardcoded secret that could be leaked if this code is committed.
|
|
8
|
+
Instead, remove this code block from the commit.
|
|
9
|
+
severity: ERROR
|
|
10
|
+
metadata:
|
|
11
|
+
cwe:
|
|
12
|
+
- 'CWE-798: Use of Hard-coded Credentials'
|
|
13
|
+
source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
|
|
14
|
+
category: security
|
|
15
|
+
technology:
|
|
16
|
+
- secrets
|
|
17
|
+
confidence: LOW
|
|
18
|
+
owasp:
|
|
19
|
+
- A07:2021 - Identification and Authentication Failures
|
|
20
|
+
- A07:2025 - Authentication Failures
|
|
21
|
+
references:
|
|
22
|
+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
|
|
23
|
+
cwe2022-top25: true
|
|
24
|
+
cwe2021-top25: true
|
|
25
|
+
subcategory:
|
|
26
|
+
- audit
|
|
27
|
+
likelihood: LOW
|
|
28
|
+
impact: MEDIUM
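Review bot: The remediation text on lines 6–8 stops at `remove this code block from the commit`, which is incomplete advice once the key has been pushed: rewriting history does not revoke the key, and forks, CI caches and mirrors keep the old commit. The message should say that a committed private key must be treated as compromised — revoke it (publish a revocation certificate), generate a new key pair, and only then purge the old one from history. A closing sentence such as `If this key was ever committed or pushed, revoke it and generate a new key pair; removing it from later commits does not undo the exposure.` would do.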
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: detected-picatic-api-key
|
|
3
|
+
pattern-regex: sk_live_[0-9a-z]{32}
|
|
4
|
+
languages: [regex]
|
|
5
|
+
message: Picatic API Key detected
|
|
6
|
+
severity: ERROR
|
|
7
|
+
metadata:
|
|
8
|
+
cwe:
|
|
9
|
+
- 'CWE-798: Use of Hard-coded Credentials'
|
|
10
|
+
source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
|
|
11
|
+
category: security
|
|
12
|
+
technology:
|
|
13
|
+
- secrets
|
|
14
|
+
- picatic
|
|
15
|
+
confidence: LOW
|
|
16
|
+
owasp:
|
|
17
|
+
- A07:2021 - Identification and Authentication Failures
|
|
18
|
+
- A07:2025 - Authentication Failures
|
|
19
|
+
references:
|
|
20
|
+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
|
|
21
|
+
cwe2022-top25: true
|
|
22
|
+
cwe2021-top25: true
|
|
23
|
+
subcategory:
|
|
24
|
+
- audit
|
|
25
|
+
likelihood: LOW
|
|
26
|
+
impact: MEDIUM
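Review bot: `sk_live_[0-9a-z]{32}` on line 3 shares its `sk_live_` prefix with Stripe live secret keys, so when a Stripe key's first 32 tail characters happen to be lowercase alphanumerics the finding is labelled `Picatic API Key detected` and sends the responder to the wrong console to revoke it. Adding boundaries, `pattern-regex: \bsk_live_[0-9a-z]{32}\b`, restricts the rule to exactly-32-character keys and stops the longer Stripe keys from matching it at all. If the scanner has no dedicated Stripe rule, that gap is worth closing separately rather than relying on this one.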
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: detected-private-key
|
|
3
|
+
patterns:
|
|
4
|
+
- pattern-either:
|
|
5
|
+
- patterns:
|
|
6
|
+
- pattern: '-----BEGIN $TYPE PRIVATE KEY----- $KEY'
|
|
7
|
+
- metavariable-regex:
|
|
8
|
+
metavariable: $TYPE
|
|
9
|
+
regex: (?i)([dr]sa|ec|openssh|encrypted)?
|
|
10
|
+
- patterns:
|
|
11
|
+
- pattern: |
|
|
12
|
+
-----BEGIN PRIVATE KEY-----
|
|
13
|
+
$KEY
|
|
14
|
+
- metavariable-analysis:
|
|
15
|
+
metavariable: $KEY
|
|
16
|
+
analyzer: entropy
|
|
17
|
+
languages: [generic]
|
|
18
|
+
message: Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead,
|
|
19
|
+
store this in a separate, private file.
|
|
20
|
+
severity: ERROR
|
|
21
|
+
metadata:
|
|
22
|
+
cwe:
|
|
23
|
+
- 'CWE-798: Use of Hard-coded Credentials'
|
|
24
|
+
source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
|
|
25
|
+
category: security
|
|
26
|
+
technology:
|
|
27
|
+
- secrets
|
|
28
|
+
confidence: LOW
|
|
29
|
+
owasp:
|
|
30
|
+
- A07:2021 - Identification and Authentication Failures
|
|
31
|
+
- A07:2025 - Authentication Failures
|
|
32
|
+
references:
|
|
33
|
+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
|
|
34
|
+
cwe2022-top25: true
|
|
35
|
+
cwe2021-top25: true
|
|
36
|
+
subcategory:
|
|
37
|
+
- audit
|
|
38
|
+
likelihood: LOW
|
|
39
|
+
impact: MEDIUM
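Review bot: The two branches of `pattern-either` on lines 4–16 are inconsistent: the unlabeled `-----BEGIN PRIVATE KEY-----` branch runs the `entropy` analyzer on `$KEY` (lines 14–16), while the typed branch for `RSA`/`DSA`/`EC`/`OPENSSH`/`ENCRYPTED` headers (lines 5–9) accepts any `$KEY`, so placeholder or truncated bodies in docs, tests and templates are reported for typed headers but suppressed for PKCS#8 ones. If suppressing placeholders is the intent, add the same `metavariable-analysis: {metavariable: $KEY, analyzer: entropy}` step to the first branch; if not, drop it from the second so both behave alike. It is also worth a comment that `-----BEGIN PGP PRIVATE KEY BLOCK-----` is intentionally left to the separate `detected-pgp-private-key-block` rule, so the omission is not "fixed" later.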
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: detected-sauce-token
|
|
3
|
+
pattern-regex: |-
|
|
4
|
+
(?i)sauce.{0,50}(\\\"|'|`)?[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}(\\\"|'|`)?
|
|
5
|
+
languages: [regex]
|
|
6
|
+
message: Sauce Token detected
|
|
7
|
+
severity: ERROR
|
|
8
|
+
metadata:
|
|
9
|
+
cwe:
|
|
10
|
+
- 'CWE-798: Use of Hard-coded Credentials'
|
|
11
|
+
source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
|
|
12
|
+
category: security
|
|
13
|
+
technology:
|
|
14
|
+
- secrets
|
|
15
|
+
- sauce
|
|
16
|
+
confidence: LOW
|
|
17
|
+
owasp:
|
|
18
|
+
- A07:2021 - Identification and Authentication Failures
|
|
19
|
+
- A07:2025 - Authentication Failures
|
|
20
|
+
references:
|
|
21
|
+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
|
|
22
|
+
cwe2022-top25: true
|
|
23
|
+
cwe2021-top25: true
|
|
24
|
+
subcategory:
|
|
25
|
+
- audit
|
|
26
|
+
likelihood: LOW
|
|
27
|
+
impact: MEDIUM
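Review bot: The optional quote group `(\\\"|'|`+backtick+`)?` on line 4 does not do what it looks like: inside a `|-` block scalar YAML performs no escape processing, so the regex engine receives `\\\"`, which matches a literal backslash followed by `"`, and a plain double quote never matches the group. The rule still fires because the group is optional, so this is dead weight rather than a miss, but it should be written with a plain `"` in place of `\\\"` (or dropped) to avoid misleading the next reader. Separately, `.{0,50}` does not cross newlines, so `sauce_access_key:` on one line with the UUID on the next is missed; `[\s\S]{0,50}` would catch that if wanted.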
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: detected-sendgrid-api-key
|
|
3
|
+
pattern-regex: |-
|
|
4
|
+
SG\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9-]{43}\b
|
|
5
|
+
languages: [regex]
|
|
6
|
+
message: SendGrid API Key detected
|
|
7
|
+
severity: ERROR
|
|
8
|
+
metadata:
|
|
9
|
+
cwe:
|
|
10
|
+
- 'CWE-798: Use of Hard-coded Credentials'
|
|
11
|
+
source-rule-url: https://github.com/narendrakadali/gitrob/blob/master/rules/contentsignatures.json
|
|
12
|
+
category: security
|
|
13
|
+
technology:
|
|
14
|
+
- secrets
|
|
15
|
+
- sendgrid
|
|
16
|
+
confidence: LOW
|
|
17
|
+
owasp:
|
|
18
|
+
- A07:2021 - Identification and Authentication Failures
|
|
19
|
+
- A07:2025 - Authentication Failures
|
|
20
|
+
references:
|
|
21
|
+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
|
|
22
|
+
cwe2022-top25: true
|
|
23
|
+
cwe2021-top25: true
|
|
24
|
+
subcategory:
|
|
25
|
+
- audit
|
|
26
|
+
likelihood: LOW
|
|
27
|
+
impact: MEDIUM
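Review bot: The character classes on line 4 look narrower than the key alphabet: the upstream gitleaks SendGrid rule accepts `_`, `-`, `=` and `.` across the whole 66-character tail, which suggests `_` can occur in either segment, yet `[a-zA-Z0-9]{22}` here allows neither `_` nor `-` and the second class allows only `-`, so such keys are missed. The trailing `\b` also fails when the key's last character is `-` and is followed by a quote or whitespace, because `\b` needs a word character on one side. `SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}(?![a-zA-Z0-9_-])` keeps the length check and fixes both. Since this release also vendors gitleaks rules under `rules/generic/secrets/gitleaks/`, check whether a gitleaks sendgrid rule ships too, otherwise the same key will be reported twice.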
|