agent-security-scanner-mcp 3.0.0 → 3.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +451 -739
- package/analyzer.py +51 -7
- package/index.js +42 -2697
- package/package.json +7 -6
- package/regex_fallback.py +66 -0
- package/rules/__init__.py +124 -36
- package/rules/generic/secrets/gitleaks/adafruit-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/adobe-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/adobe-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/age-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/airtable-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/algolia-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/alibaba-access-key-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/alibaba-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/asana-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/asana-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/atlassian-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/authress-service-client-access-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/aws-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/beamer-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/bitbucket-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/bitbucket-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/bittrex-access-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/bittrex-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/clojars-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/cloudflare-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/cloudflare-global-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/cloudflare-origin-ca-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/codecov-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/coinbase-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/confluent-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/confluent-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/contentful-delivery-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/databricks-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/datadog-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/defined-networking-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/digitalocean-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/digitalocean-pat.yaml +27 -0
- package/rules/generic/secrets/gitleaks/digitalocean-refresh-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/discord-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/discord-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/discord-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/doppler-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/droneci-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/dropbox-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/dropbox-long-lived-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/dropbox-short-lived-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/duffel-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/dynatrace-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/easypost-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/easypost-test-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/etsy-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/facebook-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/facebook-page-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/facebook-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/facebook.yaml +27 -0
- package/rules/generic/secrets/gitleaks/fastly-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/finicity-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/finicity-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/finnhub-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/flickr-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/flutterwave-encryption-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/flutterwave-public-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/flutterwave-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/frameio-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/freshbooks-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gcp-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/generic-api-key.yaml +76 -0
- package/rules/generic/secrets/gitleaks/github-app-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/github-fine-grained-pat.yaml +27 -0
- package/rules/generic/secrets/gitleaks/github-oauth.yaml +27 -0
- package/rules/generic/secrets/gitleaks/github-pat.yaml +27 -0
- package/rules/generic/secrets/gitleaks/github-refresh-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gitlab-pat.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gitlab-ptt.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gitlab-rrt.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gitter-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gocardless-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/grafana-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/grafana-cloud-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/grafana-service-account-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/harness-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/hashicorp-tf-password.yaml +31 -0
- package/rules/generic/secrets/gitleaks/heroku-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/hubspot-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/huggingface-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/huggingface-organization-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/infracost-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/intercom-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/intra42-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/jfrog-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/jfrog-identity-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/jwt-base64.yaml +27 -0
- package/rules/generic/secrets/gitleaks/jwt.yaml +27 -0
- package/rules/generic/secrets/gitleaks/kraken-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/kucoin-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/kucoin-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/launchdarkly-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/linear-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/linear-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/linkedin-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/linkedin-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/lob-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/lob-pub-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mailchimp-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mailgun-private-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mailgun-pub-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mailgun-signing-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mapbox-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mattermost-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/messagebird-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/messagebird-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/microsoft-teams-webhook.yaml +27 -0
- package/rules/generic/secrets/gitleaks/netlify-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/new-relic-browser-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/new-relic-insert-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/new-relic-user-api-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/new-relic-user-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/npm-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/nytimes-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/okta-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/openai-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/plaid-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/plaid-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/plaid-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/planetscale-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/planetscale-oauth-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/planetscale-password.yaml +27 -0
- package/rules/generic/secrets/gitleaks/postman-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/prefect-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/private-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/pulumi-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/pypi-upload-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/rapidapi-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/readme-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/rubygems-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/scalingo-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sendbird-access-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sendbird-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sendgrid-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sendinblue-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sentry-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shippo-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shopify-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shopify-custom-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shopify-private-app-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shopify-shared-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sidekiq-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-app-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-bot-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-config-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-config-refresh-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-legacy-bot-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-legacy-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-legacy-workspace-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-user-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-webhook-url.yaml +27 -0
- package/rules/generic/secrets/gitleaks/snyk-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/square-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/squarespace-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/stripe-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sumologic-access-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sumologic-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/telegram-bot-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/travisci-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twilio-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitch-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-access-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-api-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-bearer-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/typeform-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/vault-batch-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/vault-service-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/yandex-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/yandex-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/yandex-aws-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/zendesk-secret-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-amazon-mws-auth-token.yaml +26 -0
- package/rules/generic/secrets/security/detected-artifactory-password.yaml +47 -0
- package/rules/generic/secrets/security/detected-artifactory-token.yaml +44 -0
- package/rules/generic/secrets/security/detected-aws-access-key-id-value.yaml +29 -0
- package/rules/generic/secrets/security/detected-aws-account-id.yaml +58 -0
- package/rules/generic/secrets/security/detected-aws-appsync-graphql-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-aws-secret-access-key.yaml +30 -0
- package/rules/generic/secrets/security/detected-aws-session-token.yaml +31 -0
- package/rules/generic/secrets/security/detected-bcrypt-hash.yaml +25 -0
- package/rules/generic/secrets/security/detected-codeclimate.yaml +27 -0
- package/rules/generic/secrets/security/detected-etc-shadow.yaml +27 -0
- package/rules/generic/secrets/security/detected-facebook-access-token.yaml +29 -0
- package/rules/generic/secrets/security/detected-facebook-oauth.yaml +27 -0
- package/rules/generic/secrets/security/detected-generic-api-key.yaml +29 -0
- package/rules/generic/secrets/security/detected-generic-secret.yaml +30 -0
- package/rules/generic/secrets/security/detected-github-token.yaml +47 -0
- package/rules/generic/secrets/security/detected-google-api-key.yaml +29 -0
- package/rules/generic/secrets/security/detected-google-cloud-api-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-google-gcm-service-account.yaml +27 -0
- package/rules/generic/secrets/security/detected-google-oauth-access-token.yaml +26 -0
- package/rules/generic/secrets/security/detected-google-oauth.yaml +26 -0
- package/rules/generic/secrets/security/detected-heroku-api-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-hockeyapp.yaml +27 -0
- package/rules/generic/secrets/security/detected-jwt-token.yaml +25 -0
- package/rules/generic/secrets/security/detected-kolide-api-key.yaml +25 -0
- package/rules/generic/secrets/security/detected-mailchimp-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-mailgun-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-npm-registry-auth-token.yaml +33 -0
- package/rules/generic/secrets/security/detected-onfido-live-api-token.yaml +20 -0
- package/rules/generic/secrets/security/detected-outlook-team.yaml +27 -0
- package/rules/generic/secrets/security/detected-paypal-braintree-access-token.yaml +27 -0
- package/rules/generic/secrets/security/detected-pgp-private-key-block.yaml +28 -0
- package/rules/generic/secrets/security/detected-picatic-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-private-key.yaml +39 -0
- package/rules/generic/secrets/security/detected-sauce-token.yaml +27 -0
- package/rules/generic/secrets/security/detected-sendgrid-api-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-slack-token.yaml +28 -0
- package/rules/generic/secrets/security/detected-slack-webhook.yaml +27 -0
- package/rules/generic/secrets/security/detected-snyk-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-softlayer-api-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-sonarqube-docs-api-key.yaml +40 -0
- package/rules/generic/secrets/security/detected-square-access-token.yaml +26 -0
- package/rules/generic/secrets/security/detected-square-oauth-secret.yaml +27 -0
- package/rules/generic/secrets/security/detected-ssh-password.yaml +27 -0
- package/rules/generic/secrets/security/detected-stripe-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-stripe-restricted-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-telegram-bot-api-key.yaml +30 -0
- package/rules/generic/secrets/security/detected-twilio-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-username-and-password-in-uri.yaml +35 -0
- package/rules/generic/secrets/security/google-maps-apikeyleak.yaml +25 -0
- package/rules/prompt-injection.security.yaml +4 -0
- package/rules/python/flask/security/injection/flask-injection-sinks.yaml +352 -0
- package/src/analyzer.py +119 -0
- package/src/cli/demo.js +238 -0
- package/src/cli/doctor.js +273 -0
- package/src/cli/init.js +288 -0
- package/src/fix-patterns.js +698 -0
- package/src/tools/check-package.js +169 -0
- package/src/tools/fix-security.js +115 -0
- package/src/tools/scan-packages.js +154 -0
- package/src/tools/scan-prompt.js +570 -0
- package/src/tools/scan-security.js +117 -0
- package/src/utils.js +153 -0
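--- /dev/null
+++ b/package/rules/generic/secrets/security/detected-slack-token.yaml
@@ -0,0 +1,28 @@
+rules:
+  - id: detected-slack-token
+    pattern-either:
+      - pattern-regex: (xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})
+      - pattern-regex: xox.-[0-9]{12}-[0-9]{12}-[0-9a-zA-Z]{24}
+    languages: [regex]
+    message: Slack Token detected
+    severity: ERROR
+    metadata:
+      cwe:
+        - 'CWE-798: Use of Hard-coded Credentials'
+      source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+      references:
+        - https://github.com/davidburkitt/python-secret-scanner/blob/335a1f6dab8de59cf39063e57aea39a58951e939/patterns.txt#L58
+      category: security
+      technology:
+        - secrets
+        - slack
+      confidence: LOW
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+        - A07:2025 - Authentication Failures
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: MEDIUM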
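Review bot: The second `pattern-regex`, `xox.-[0-9]{12}-…`, uses an unescaped `.` after `xox`, so it accepts any character where the first pattern restricts the type letter to `[pboa]`; it is therefore a looser superset of the first alternative rather than a distinct token shape, and one of the two should be tightened or dropped. Both alternatives also pin every numeric segment to exactly 12 digits; as far as I know the ids Slack embeds in current tokens are not fixed-width, so real tokens may be missed outright rather than merely reported at `confidence: LOW` — worth confirming against a few known-good token shapes before shipping. If the widths are confirmed variable, a bounded range such as `[0-9]{10,13}` for each numeric segment keeps the pattern specific without hard-coding one width.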
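--- /dev/null
+++ b/package/rules/generic/secrets/security/detected-slack-webhook.yaml
@@ -0,0 +1,27 @@
+rules:
+  - id: detected-slack-webhook
+    patterns:
+      - pattern-regex: https://hooks\.slack\.com/services/T[a-zA-Z0-9_]{8,10}/B[a-zA-Z0-9_]{8,10}/[a-zA-Z0-9_]{24}
+    languages: [regex]
+    message: Slack Webhook detected
+    severity: ERROR
+    metadata:
+      references:
+        - https://api.slack.com/messaging/webhooks
+      source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+      category: security
+      technology:
+        - secrets
+        - slack
+      confidence: LOW
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+        - A07:2025 - Authentication Failures
+      cwe:
+        - 'CWE-798: Use of Hard-coded Credentials'
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: MEDIUM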
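Review bot: A single `pattern-regex` is wrapped in a `patterns:` list here, while the sibling single-regex rules in this commit (detected-stripe-api-key, detected-twilio-api-key, detected-square-access-token) put `pattern-regex` directly at the rule level; both forms are valid, but the inconsistency makes the rule set harder to lint and diff. The metadata key order also differs from the siblings (`references` before `source-rule-url`, `cwe` after `owasp`). Flattening to `pattern-regex: https://hooks\.slack\.com/services/T[a-zA-Z0-9_]{8,10}/B[a-zA-Z0-9_]{8,10}/[a-zA-Z0-9_]{24}` and ordering metadata like the other rules would make the set uniform.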
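--- /dev/null
+++ b/package/rules/generic/secrets/security/detected-snyk-api-key.yaml
@@ -0,0 +1,26 @@
+rules:
+  - id: detected-snyk-api-key
+    pattern-regex: |-
+      (?i)snyk.{0,50}['|"|`]?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"\s]?
+    languages: [regex]
+    message: Snyk API Key detected
+    severity: ERROR
+    metadata:
+      cwe:
+        - 'CWE-798: Use of Hard-coded Credentials'
+      category: security
+      technology:
+        - secrets
+        - snyk
+      confidence: LOW
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+        - A07:2025 - Authentication Failures
+      references:
+        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: MEDIUM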
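Review bot: The opening quote class `['|"|`]?` in the regex is a character class, not an alternation, so the `|` characters are literal members and a pipe is accepted as the "quote" before the UUID; the closing class on the same line is written correctly as `['"\s]?`, which shows the intent. The same `|`-inside-brackets slip appears in detected-softlayer-api-key (`["|'|`]?`) and detected-ssh-password (`['|\\\"]`). Replacing the opening class with `['"`]?` here, and the equivalent in the other two rules, removes the stray alternative without changing which secrets are matched.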
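--- /dev/null
+++ b/package/rules/generic/secrets/security/detected-softlayer-api-key.yaml
@@ -0,0 +1,27 @@
+rules:
+  - id: detected-softlayer-api-key
+    pattern-regex: |-
+      (?i)softlayer.{0,50}["|'|`]?[a-z0-9]{64}["|'|`]?
+    languages: [regex]
+    message: SoftLayer API Key detected
+    severity: ERROR
+    metadata:
+      cwe:
+        - 'CWE-798: Use of Hard-coded Credentials'
+      source-rule-url: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/softlayer.py
+      category: security
+      technology:
+        - secrets
+        - softlayer
+      confidence: LOW
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+        - A07:2025 - Authentication Failures
+      references:
+        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: MEDIUM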
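--- /dev/null
+++ b/package/rules/generic/secrets/security/detected-sonarqube-docs-api-key.yaml
@@ -0,0 +1,40 @@
+rules:
+  - id: detected-sonarqube-docs-api-key
+    pattern-regex: |-
+      (?i)sonar.{0,50}(\\\"|'|`)?[0-9a-f]{40}(\\\"|'|`)?
+    languages: [regex]
+    message: SonarQube Docs API Key detected
+    severity: ERROR
+    paths:
+      exclude:
+        - "*.svg"
+        - "*go.sum"
+        - "*cargo.lock"
+        - "*package.json"
+        - "*yarn.lock"
+        - "*package-lock.json"
+        - "*bundle.js"
+        - "*pnpm-lock*"
+        - "*Podfile.lock"
+        - "**/*/openssl/*.h"
+        - "*.xcscmblueprint"
+    metadata:
+      cwe:
+        - 'CWE-798: Use of Hard-coded Credentials'
+      source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
+      category: security
+      technology:
+        - secrets
+        - sonarqube
+      confidence: LOW
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+        - A07:2025 - Authentication Failures
+      references:
+        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: MEDIUM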
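Review bot: Inside a `|-` block scalar YAML keeps backslashes literally, so the optional quote group `(\\\"|'|`)?` reaches the regex engine as `\\\"`, which matches the two-character sequence `\"` rather than a bare double quote; because the group is optional the rule still fires, but the double-quote alternative is dead. `("|'|`)?` is what was almost certainly intended, or the regex can be moved to a plain scalar as the square and stripe rules do. Separately, `[0-9a-f]{40}` is exactly the width of a Git SHA-1, so any commit id within 50 characters of the word "sonar" (typical in CI configs and Sonar scanner properties) will be reported; the `paths.exclude` list covers lockfiles but not that case, and a comment in the rule noting this known false-positive source would help triage.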
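--- /dev/null
+++ b/package/rules/generic/secrets/security/detected-square-access-token.yaml
@@ -0,0 +1,26 @@
+rules:
+  - id: detected-square-access-token
+    pattern-regex: sq0atp-[0-9A-Za-z\-_]{22}
+    languages: [regex]
+    message: Square Access Token detected
+    severity: ERROR
+    metadata:
+      cwe:
+        - 'CWE-798: Use of Hard-coded Credentials'
+      source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+      category: security
+      technology:
+        - secrets
+        - square
+      confidence: LOW
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+        - A07:2025 - Authentication Failures
+      references:
+        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: MEDIUM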
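--- /dev/null
+++ b/package/rules/generic/secrets/security/detected-square-oauth-secret.yaml
@@ -0,0 +1,27 @@
+rules:
+  - id: detected-square-oauth-secret
+    pattern-regex: |-
+      sq0csp-[0-9A-Za-z\\\-_]{43}
+    languages: [regex]
+    message: Square OAuth Secret detected
+    severity: ERROR
+    metadata:
+      cwe:
+        - 'CWE-798: Use of Hard-coded Credentials'
+      source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+      references:
+        - https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py
+      category: security
+      technology:
+        - secrets
+        - square
+      confidence: LOW
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+        - A07:2025 - Authentication Failures
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: MEDIUM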
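Review bot: The character class `[0-9A-Za-z\\\-_]` sits in a `|-` block scalar, where YAML does not process escapes, so the regex engine sees `\\` (a literal backslash) followed by `\-`; the class therefore also accepts `\`, unlike the sibling detected-square-access-token which writes the same alphabet as `[0-9A-Za-z\-_]` on a plain scalar. The two Square rules should agree on one spelling; `pattern-regex: sq0csp-[0-9A-Za-z\-_]{43}` as a plain scalar matches the access-token rule and drops the unintended backslash.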
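--- /dev/null
+++ b/package/rules/generic/secrets/security/detected-ssh-password.yaml
@@ -0,0 +1,27 @@
+rules:
+  - id: detected-ssh-password
+    pattern-regex: |-
+      sshpass -p\s*['|\\\"][^%]
+    languages: [regex]
+    message: SSH Password detected
+    severity: ERROR
+    metadata:
+      cwe:
+        - 'CWE-798: Use of Hard-coded Credentials'
+      source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
+      category: security
+      technology:
+        - secrets
+        - ssh
+      confidence: LOW
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+        - A07:2025 - Authentication Failures
+      references:
+        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: MEDIUM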
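Review bot: The regex demands a quote character immediately after `-p`, so the unquoted form `sshpass -p secret`, which is at least as common in shell scripts as the quoted one, never matches and a hard-coded password passes the scan unreported. Making the quote optional and rejecting whitespace as the first password character, `sshpass -p\s*['"\\]?[^%\s]`, covers both forms while keeping the `%` exclusion that avoids format-string placeholders. The `|` inside the bracket class is also a literal member here, as noted on detected-snyk-api-key.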
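--- /dev/null
+++ b/package/rules/generic/secrets/security/detected-stripe-api-key.yaml
@@ -0,0 +1,26 @@
+rules:
+  - id: detected-stripe-api-key
+    pattern-regex: sk_live_[0-9a-zA-Z]{24}
+    languages: [regex]
+    message: Stripe API Key detected
+    severity: ERROR
+    metadata:
+      cwe:
+        - 'CWE-798: Use of Hard-coded Credentials'
+      source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+      category: security
+      technology:
+        - secrets
+        - stripe
+      confidence: LOW
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+        - A07:2025 - Authentication Failures
+      references:
+        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: MEDIUM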
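Review bot: The metadata ranks this rule below its restricted-key sibling in a way that is hard to justify: `sk_live_` (a full-access live secret) gets `confidence: LOW` and `impact: MEDIUM`, while detected-stripe-restricted-api-key's `rk_live_` (a scoped key) gets `confidence: MEDIUM` and `impact: LOW`. Both prefixes are equally distinctive, so confidence should match, and a live secret key's impact should be at least that of a restricted one; `confidence: MEDIUM` and `impact: HIGH` here would make the pair consistent and let consumers that sort findings by these fields prioritise correctly.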
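--- /dev/null
+++ b/package/rules/generic/secrets/security/detected-stripe-restricted-api-key.yaml
@@ -0,0 +1,26 @@
+rules:
+  - id: detected-stripe-restricted-api-key
+    pattern-regex: rk_live_[0-9a-zA-Z]{24}
+    languages: [regex]
+    message: Stripe Restricted API Key detected
+    severity: ERROR
+    metadata:
+      cwe:
+        - 'CWE-798: Use of Hard-coded Credentials'
+      source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+      category: security
+      technology:
+        - secrets
+        - stripe
+      confidence: MEDIUM
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+        - A07:2025 - Authentication Failures
+      references:
+        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: LOW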
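--- /dev/null
+++ b/package/rules/generic/secrets/security/detected-telegram-bot-api-key.yaml
@@ -0,0 +1,30 @@
+rules:
+  - id: detected-telegram-bot-api-key
+    patterns:
+      - pattern-regex: '[0-9]+:AA[0-9A-Za-z\-_]{33}'
+      - pattern-not-regex: go\.mod.*
+      - pattern-not-regex: v[\d]+\.[\d]+\.[\d]+.*
+    languages:
+      - regex
+    message: Telegram Bot API Key detected
+    severity: ERROR
+    metadata:
+      cwe:
+        - 'CWE-798: Use of Hard-coded Credentials'
+      source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+      category: security
+      technology:
+        - secrets
+        - telegram
+      confidence: LOW
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+        - A07:2025 - Authentication Failures
+      references:
+        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: MEDIUM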
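--- /dev/null
+++ b/package/rules/generic/secrets/security/detected-twilio-api-key.yaml
@@ -0,0 +1,26 @@
+rules:
+  - id: detected-twilio-api-key
+    pattern-regex: SK[0-9a-fA-F]{32}
+    languages: [regex]
+    message: Twilio API Key detected
+    severity: ERROR
+    metadata:
+      cwe:
+        - 'CWE-798: Use of Hard-coded Credentials'
+      source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+      category: security
+      technology:
+        - secrets
+        - twilio
+      confidence: LOW
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+        - A07:2025 - Authentication Failures
+      references:
+        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: MEDIUM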
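--- /dev/null
+++ b/package/rules/generic/secrets/security/detected-username-and-password-in-uri.yaml
@@ -0,0 +1,35 @@
+rules:
+  - id: detected-username-and-password-in-uri
+    patterns:
+      - pattern: $PROTOCOL://$...USERNAME:$...PASSWORD@$END
+      - metavariable-regex:
+          metavariable: $...USERNAME
+          regex: \A({?)([A-Za-z])([A-Za-z0-9_-]){5,31}(}?)\Z
+      - metavariable-regex:
+          metavariable: $...PASSWORD
+          regex: (?!.*[\s])(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~]){6,32}
+      - metavariable-regex:
+          metavariable: $PROTOCOL
+          regex: (.*http.*)|(.*sql.*)|(.*ftp.*)|(.*smtp.*)
+    languages:
+      - generic
+    message: Username and password in URI detected
+    severity: ERROR
+    metadata:
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+        - A07:2025 - Authentication Failures
+      cwe:
+        - 'CWE-798: Use of Hard-coded Credentials'
+      references:
+        - https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
+      category: security
+      technology:
+        - secrets
+      confidence: MEDIUM
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - vuln
+      likelihood: MEDIUM
+      impact: MEDIUM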
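Review bot: In the `$...PASSWORD` regex the `{6,32}` quantifier is attached to the last lookahead `(?=.*[!"#…~])`, a zero-width assertion, so it repeats an empty match and imposes no length constraint at all; the pattern currently accepts any non-whitespace value containing a digit, a lower-case, an upper-case and a punctuation character, of any length. The `$...USERNAME` regex is anchored with `\A`/`\Z` while this one is not, so it also matches on substrings. Anchoring it and moving the quantifier onto a real consuming atom restores the intent: `\A(?!.*\s)(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~]).{6,32}\Z`.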
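--- /dev/null
+++ b/package/rules/generic/secrets/security/google-maps-apikeyleak.yaml
@@ -0,0 +1,25 @@
+rules:
+  - id: google-maps-apikeyleak
+    patterns:
+      - pattern-regex: ^(AIza[0-9A-Za-z_-]{35}(?!\S))$
+    message: Detects potential Google Maps API keys in code
+    languages:
+      - generic
+    severity: WARNING
+    metadata:
+      description: Detects potential Google Maps API keys in code
+      severity: MEDIUM
+      category: security
+      confidence: MEDIUM
+      impact: HIGH
+      likelihood: MEDIUM
+      subcategory:
+        - audit
+      owasp:
+        - A3:2017 Sensitive Data Exposure
+      references:
+        - https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e
+      cwe:
+        - "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory"
+      technology:
+        - Google Maps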
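Review bot: The `^…$` anchors require the key to be the entire line, so the usual embeddings — `key=AIza…`, `"AIza…"`, a URL query parameter — never match in `generic` mode, unlike every other secret rule in this commit, which is unanchored; `(?!\S)` directly before `$` is also redundant. Dropping the anchors, `pattern-regex: AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])`, keeps the 39-character shape while catching keys inside expressions. The metadata also departs from the set's conventions: a second `severity: MEDIUM` under `metadata` conflicts with the rule-level `severity: WARNING`, `owasp` uses the 2017 `A3` label where the siblings use `A07:2021`/`A07:2025`, and `technology: Google Maps` is capitalised where the others are lowercase tags. The diffstat also adds detected-google-api-key.yaml, which presumably matches the same `AIza` prefix — worth confirming the two do not double-report.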
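--- a/package/rules/prompt-injection.security.yaml
+++ b/package/rules/prompt-injection.security.yaml
@@ -530,6 +530,10 @@ rules:
       - "(?i)respond\\s+(as|like)\\s+a\\s+(hacker|attacker|criminal)"
       - "(?i)switch\\s+to\\s+unrestricted\\s+mode"
       - "(?i)behave\\s+(as|like)\\s+(a\\s+)?(hacker|attacker|criminal)"
+      - "(?i)^system\\s*:\\s*you\\s+are\\s+(a|an)\\s+"
+      - "(?i)^(system|assistant|user)\\s*:\\s*(you\\s+are|act\\s+as|pretend|behave\\s+as)"
+      - "(?i)you\\s+are\\s+(a|an)\\s+(hacking|malicious|evil|harmful|dangerous)\\s+tool"
+      - "(?i)your\\s+(new\\s+)?role\\s+is\\s+(to\\s+)?(hack|attack|exploit|compromise)"
     metadata:
       cwe: "CWE-77"
       owasp: "LLM01 - Prompt Injection"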
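Review bot: The first added pattern, `(?i)^system\s*:\s*you\s+are\s+(a|an)\s+`, is fully subsumed by the second, `(?i)^(system|assistant|user)\s*:\s*(you\s+are|…)`, since anything the first matches starts with `system:` followed by `you are`; it adds no coverage and only a duplicate hit, so it should be dropped or made stricter than the second. Whether `^` here means start-of-input or start-of-line depends on the flags the analyzer compiles these strings with, which are not visible in this hunk, and the behaviour differs materially for multi-line prompts. The `user\s*:\s*(you\s+are|act\s+as|pretend|…)` alternative will also fire on ordinary chat transcripts (`user: you are right`), so the second pattern is likely to be the noisiest entry in this list; requiring a role noun after `you\s+are`, as the existing `hacker|attacker|criminal` patterns do, would keep it targeted. The enclosing rule (its `id` and the key this list belongs to) starts outside the hunk.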