agent-security-scanner-mcp 3.0.0 → 3.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +451 -739
- package/analyzer.py +51 -7
- package/index.js +42 -2697
- package/package.json +7 -6
- package/regex_fallback.py +66 -0
- package/rules/__init__.py +124 -36
- package/rules/generic/secrets/gitleaks/adafruit-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/adobe-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/adobe-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/age-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/airtable-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/algolia-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/alibaba-access-key-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/alibaba-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/asana-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/asana-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/atlassian-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/authress-service-client-access-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/aws-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/beamer-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/bitbucket-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/bitbucket-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/bittrex-access-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/bittrex-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/clojars-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/cloudflare-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/cloudflare-global-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/cloudflare-origin-ca-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/codecov-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/coinbase-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/confluent-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/confluent-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/contentful-delivery-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/databricks-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/datadog-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/defined-networking-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/digitalocean-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/digitalocean-pat.yaml +27 -0
- package/rules/generic/secrets/gitleaks/digitalocean-refresh-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/discord-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/discord-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/discord-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/doppler-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/droneci-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/dropbox-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/dropbox-long-lived-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/dropbox-short-lived-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/duffel-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/dynatrace-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/easypost-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/easypost-test-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/etsy-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/facebook-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/facebook-page-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/facebook-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/facebook.yaml +27 -0
- package/rules/generic/secrets/gitleaks/fastly-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/finicity-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/finicity-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/finnhub-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/flickr-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/flutterwave-encryption-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/flutterwave-public-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/flutterwave-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/frameio-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/freshbooks-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gcp-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/generic-api-key.yaml +76 -0
- package/rules/generic/secrets/gitleaks/github-app-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/github-fine-grained-pat.yaml +27 -0
- package/rules/generic/secrets/gitleaks/github-oauth.yaml +27 -0
- package/rules/generic/secrets/gitleaks/github-pat.yaml +27 -0
- package/rules/generic/secrets/gitleaks/github-refresh-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gitlab-pat.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gitlab-ptt.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gitlab-rrt.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gitter-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/gocardless-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/grafana-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/grafana-cloud-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/grafana-service-account-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/harness-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/hashicorp-tf-password.yaml +31 -0
- package/rules/generic/secrets/gitleaks/heroku-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/hubspot-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/huggingface-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/huggingface-organization-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/infracost-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/intercom-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/intra42-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/jfrog-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/jfrog-identity-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/jwt-base64.yaml +27 -0
- package/rules/generic/secrets/gitleaks/jwt.yaml +27 -0
- package/rules/generic/secrets/gitleaks/kraken-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/kucoin-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/kucoin-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/launchdarkly-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/linear-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/linear-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/linkedin-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/linkedin-client-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/lob-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/lob-pub-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mailchimp-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mailgun-private-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mailgun-pub-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mailgun-signing-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mapbox-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/mattermost-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/messagebird-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/messagebird-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/microsoft-teams-webhook.yaml +27 -0
- package/rules/generic/secrets/gitleaks/netlify-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/new-relic-browser-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/new-relic-insert-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/new-relic-user-api-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/new-relic-user-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/npm-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/nytimes-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/okta-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/openai-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/plaid-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/plaid-client-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/plaid-secret-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/planetscale-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/planetscale-oauth-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/planetscale-password.yaml +27 -0
- package/rules/generic/secrets/gitleaks/postman-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/prefect-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/private-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/pulumi-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/pypi-upload-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/rapidapi-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/readme-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/rubygems-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/scalingo-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sendbird-access-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sendbird-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sendgrid-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sendinblue-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sentry-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shippo-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shopify-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shopify-custom-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shopify-private-app-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/shopify-shared-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sidekiq-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-app-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-bot-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-config-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-config-refresh-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-legacy-bot-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-legacy-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-legacy-workspace-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-user-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/slack-webhook-url.yaml +27 -0
- package/rules/generic/secrets/gitleaks/snyk-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/square-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/squarespace-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/stripe-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sumologic-access-id.yaml +27 -0
- package/rules/generic/secrets/gitleaks/sumologic-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/telegram-bot-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/travisci-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twilio-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitch-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-access-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-api-secret.yaml +27 -0
- package/rules/generic/secrets/gitleaks/twitter-bearer-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/typeform-api-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/vault-batch-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/vault-service-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/yandex-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/yandex-api-key.yaml +27 -0
- package/rules/generic/secrets/gitleaks/yandex-aws-access-token.yaml +27 -0
- package/rules/generic/secrets/gitleaks/zendesk-secret-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-amazon-mws-auth-token.yaml +26 -0
- package/rules/generic/secrets/security/detected-artifactory-password.yaml +47 -0
- package/rules/generic/secrets/security/detected-artifactory-token.yaml +44 -0
- package/rules/generic/secrets/security/detected-aws-access-key-id-value.yaml +29 -0
- package/rules/generic/secrets/security/detected-aws-account-id.yaml +58 -0
- package/rules/generic/secrets/security/detected-aws-appsync-graphql-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-aws-secret-access-key.yaml +30 -0
- package/rules/generic/secrets/security/detected-aws-session-token.yaml +31 -0
- package/rules/generic/secrets/security/detected-bcrypt-hash.yaml +25 -0
- package/rules/generic/secrets/security/detected-codeclimate.yaml +27 -0
- package/rules/generic/secrets/security/detected-etc-shadow.yaml +27 -0
- package/rules/generic/secrets/security/detected-facebook-access-token.yaml +29 -0
- package/rules/generic/secrets/security/detected-facebook-oauth.yaml +27 -0
- package/rules/generic/secrets/security/detected-generic-api-key.yaml +29 -0
- package/rules/generic/secrets/security/detected-generic-secret.yaml +30 -0
- package/rules/generic/secrets/security/detected-github-token.yaml +47 -0
- package/rules/generic/secrets/security/detected-google-api-key.yaml +29 -0
- package/rules/generic/secrets/security/detected-google-cloud-api-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-google-gcm-service-account.yaml +27 -0
- package/rules/generic/secrets/security/detected-google-oauth-access-token.yaml +26 -0
- package/rules/generic/secrets/security/detected-google-oauth.yaml +26 -0
- package/rules/generic/secrets/security/detected-heroku-api-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-hockeyapp.yaml +27 -0
- package/rules/generic/secrets/security/detected-jwt-token.yaml +25 -0
- package/rules/generic/secrets/security/detected-kolide-api-key.yaml +25 -0
- package/rules/generic/secrets/security/detected-mailchimp-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-mailgun-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-npm-registry-auth-token.yaml +33 -0
- package/rules/generic/secrets/security/detected-onfido-live-api-token.yaml +20 -0
- package/rules/generic/secrets/security/detected-outlook-team.yaml +27 -0
- package/rules/generic/secrets/security/detected-paypal-braintree-access-token.yaml +27 -0
- package/rules/generic/secrets/security/detected-pgp-private-key-block.yaml +28 -0
- package/rules/generic/secrets/security/detected-picatic-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-private-key.yaml +39 -0
- package/rules/generic/secrets/security/detected-sauce-token.yaml +27 -0
- package/rules/generic/secrets/security/detected-sendgrid-api-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-slack-token.yaml +28 -0
- package/rules/generic/secrets/security/detected-slack-webhook.yaml +27 -0
- package/rules/generic/secrets/security/detected-snyk-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-softlayer-api-key.yaml +27 -0
- package/rules/generic/secrets/security/detected-sonarqube-docs-api-key.yaml +40 -0
- package/rules/generic/secrets/security/detected-square-access-token.yaml +26 -0
- package/rules/generic/secrets/security/detected-square-oauth-secret.yaml +27 -0
- package/rules/generic/secrets/security/detected-ssh-password.yaml +27 -0
- package/rules/generic/secrets/security/detected-stripe-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-stripe-restricted-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-telegram-bot-api-key.yaml +30 -0
- package/rules/generic/secrets/security/detected-twilio-api-key.yaml +26 -0
- package/rules/generic/secrets/security/detected-username-and-password-in-uri.yaml +35 -0
- package/rules/generic/secrets/security/google-maps-apikeyleak.yaml +25 -0
- package/rules/prompt-injection.security.yaml +4 -0
- package/rules/python/flask/security/injection/flask-injection-sinks.yaml +352 -0
- package/src/analyzer.py +119 -0
- package/src/cli/demo.js +238 -0
- package/src/cli/doctor.js +273 -0
- package/src/cli/init.js +288 -0
- package/src/fix-patterns.js +698 -0
- package/src/tools/check-package.js +169 -0
- package/src/tools/fix-security.js +115 -0
- package/src/tools/scan-packages.js +154 -0
- package/src/tools/scan-prompt.js +570 -0
- package/src/tools/scan-security.js +117 -0
- package/src/utils.js +153 -0
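--- a/package/package.json
+++ b/package/package.json
@@ -1,8 +1,8 @@
 {
 "name": "agent-security-scanner-mcp",
-"version": "3.
+"version": "3.2.0",
 "mcpName": "io.github.sinewaveai/agent-security-scanner-mcp",
-"description": "Security scanner MCP server for AI coding agents.
+"description": "Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 1000+ vulnerability rules with AST & taint analysis, auto-fix. For Claude Code, Cursor, Windsurf, Cline.",
 "main": "index.js",
 "type": "module",
 "bin": {
@@ -52,10 +52,7 @@
 "zed",
 "prompt-firewall",
 "auto-fix",
-"hallucination"
-"sarif",
-"github-code-scanning",
-"gitlab-sast"
+"hallucination"
 ],
 "author": "Sinewave AI <divya@sinewave.ai>",
 "license": "MIT",
@@ -79,6 +76,10 @@
 "LICENSE",
 "server.json",
 "index.js",
+"src/tools/*.js",
+"src/cli/*.js",
+"src/fix-patterns.js",
+"src/utils.js",
 "analyzer.py",
 "ast_parser.py",
 "generic_ast.py",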
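--- a/package/regex_fallback.py
+++ b/package/regex_fallback.py
@@ -46,6 +46,10 @@ def apply_regex_fallback(source: str, language: str, file_path: str = "") -> Lis
 return _scan_kubernetes(lines)
 if language == "terraform":
 return _scan_terraform(lines)
+if language == "rust":
+return _scan_rust(lines)
+if language == "csharp":
+return _scan_csharp(lines)
 if language == "generic":
 return _scan_generic(lines)
 
@@ -442,6 +446,68 @@ def _scan_terraform(lines: List[str]) -> List[Dict]:
 return findings
 
 
+def _scan_rust(lines: List[str]) -> List[Dict]:
+findings: List[Dict] = []
+for i, line in enumerate(lines):
+if re.search(r"\bunsafe\s*\{", line):
+findings.append(_make_finding("unsafe-block", i, line))
+if re.search(r"\.unwrap\s*\(", line):
+findings.append(_make_finding("unwrap-usage", i, line))
+if re.search(r"\bstd::process::Command\b", line):
+findings.append(_make_finding("command-injection", i, line))
+if re.search(r"\*const\s+\w|\*mut\s+\w", line):
+findings.append(_make_finding("raw-pointer-deref", i, line))
+if re.search(r"\bpassword\b\s*=\s*\"[^\"]+\"", line, re.IGNORECASE):
+findings.append(_make_finding("hardcoded-password", i, line))
+if re.search(r"\bapi_key\b\s*=\s*\"[^\"]+\"", line, re.IGNORECASE):
+findings.append(_make_finding("hardcoded-api-key", i, line))
+if re.search(r"\bmd5\b", line, re.IGNORECASE):
+findings.append(_make_finding("weak-hash-md5", i, line))
+if re.search(r"\bsha1\b", line, re.IGNORECASE) and not re.search(r"\bsha1(28|92|256)\b", line, re.IGNORECASE):
+findings.append(_make_finding("weak-hash-sha1", i, line))
+if re.search(r"\blibc::(system|popen)\b", line):
+findings.append(_make_finding("libc-system-call", i, line))
+if re.search(r"\bpanic!\s*\(", line):
+findings.append(_make_finding("panic-usage", i, line))
+return findings
+
+
+def _scan_csharp(lines: List[str]) -> List[Dict]:
+findings: List[Dict] = []
+for i, line in enumerate(lines):
+if re.search(r"\bSqlCommand\b.*\+\s*\w", line):
+findings.append(_make_finding("sql-injection-sqlcommand", i, line))
+if re.search(r"\bSqlQuery\b.*\+\s*\w", line):
+findings.append(_make_finding("sql-injection-sqlquery", i, line))
+if re.search(r"\"SELECT\b.*\"\s*\+\s*\w", line, re.IGNORECASE):
+findings.append(_make_finding("sql-injection-concat", i, line))
+if re.search(r"\bProcess\.Start\s*\(", line):
+findings.append(_make_finding("command-injection-process-start", i, line))
+if re.search(r"\bBinaryFormatter\b", line):
+findings.append(_make_finding("insecure-deserialization-binaryformatter", i, line))
+if re.search(r"\bXmlSerializer\b.*\bDeserialize\b", line):
+findings.append(_make_finding("insecure-deserialization-xmlserializer", i, line))
+if re.search(r"\.innerHTML\s*=", line):
+findings.append(_make_finding("xss-innerhtml", i, line))
+if re.search(r"\bResponse\.Write\s*\(", line):
+findings.append(_make_finding("xss-response-write", i, line))
+if re.search(r"\bConnectionString\b\s*=\s*\"[^\"]+\"", line, re.IGNORECASE):
+findings.append(_make_finding("hardcoded-connection-string", i, line))
+if re.search(r"\bpassword\b\s*=\s*\"[^\"]+\"", line, re.IGNORECASE):
+findings.append(_make_finding("hardcoded-password", i, line))
+if re.search(r"\bMD5\.Create\s*\(", line):
+findings.append(_make_finding("weak-hash-md5", i, line))
+if re.search(r"\bSHA1\.Create\s*\(", line):
+findings.append(_make_finding("weak-hash-sha1", i, line))
+if re.search(r"\bDirectory\.Delete\s*\(", line):
+findings.append(_make_finding("path-traversal-directory-delete", i, line))
+if re.search(r"\bFile\.Delete\s*\(", line):
+findings.append(_make_finding("path-traversal-file-delete", i, line))
+if re.search(r"\bFile\.ReadAllText\s*\(.*\+\s*\w", line):
+findings.append(_make_finding("path-traversal-file-read", i, line))
+return findings
+
+
 def _scan_generic(lines: List[str]) -> List[Dict]:
 findings: List[Dict] = []
 for i, line in enumerate(lines):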
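--- a/package/rules/__init__.py
+++ b/package/rules/__init__.py
@@ -1,5 +1,6 @@
 # Rule loader for YAML-based security rules
 # Aligned with Semgrep registry format
+# Recursively loads rules from subdirectories (csharp/, rust/, c/, etc.)
 
 import os
 import re
@@ -12,38 +13,117 @@ except ImportError:
 
 RULES_DIR = os.path.dirname(os.path.abspath(__file__))
 
+
+def _is_semgrep_ast_pattern(s):
+"""Check if a string is a Semgrep AST pattern (not a regex)."""
+semgrep_indicators = ['...', '$', 'pattern-not', 'pattern-inside', 'metavariable']
+return any(ind in s for ind in semgrep_indicators)
+
+
+def _extract_patterns_from_semgrep_rule(rule_data):
+"""Extract regex patterns from Semgrep-format rule definitions.
+
+Handles:
+- patterns: [list of regex strings] -> use directly (skip Semgrep AST patterns)
+- pattern: single string -> extract if no $metavariables or ...
+- pattern-regex: string -> use as regex
+- pattern-either with pattern-regex items -> extract regex patterns
+- Complex metavariable/AST patterns -> skip
+"""
+patterns = []
+
+# Standard format: list of regex strings
+if 'patterns' in rule_data:
+raw = rule_data['patterns']
+if isinstance(raw, list):
+for item in raw:
+if isinstance(item, str):
+# Skip Semgrep AST patterns (contain ... or $)
+if not _is_semgrep_ast_pattern(item):
+patterns.append(item)
+elif isinstance(item, dict):
+# Semgrep-style pattern-either or pattern-regex inside patterns list
+patterns.extend(_extract_from_dict(item))
+
+# Single pattern string (Semgrep format)
+if 'pattern' in rule_data and isinstance(rule_data['pattern'], str):
+p = rule_data['pattern']
+if not _is_semgrep_ast_pattern(p):
+patterns.append(re.escape(p) if not _looks_like_regex(p) else p)
+
+# Explicit regex pattern
+if 'pattern-regex' in rule_data and isinstance(rule_data['pattern-regex'], str):
+patterns.append(rule_data['pattern-regex'])
+
+return patterns
+
+
+def _extract_from_dict(d):
+"""Extract patterns from a Semgrep dict node (pattern-either, etc.)."""
+patterns = []
+if 'pattern-regex' in d and isinstance(d['pattern-regex'], str):
+patterns.append(d['pattern-regex'])
+if 'pattern' in d and isinstance(d['pattern'], str):
+p = d['pattern']
+if not _is_semgrep_ast_pattern(p):
+patterns.append(re.escape(p) if not _looks_like_regex(p) else p)
+if 'pattern-either' in d and isinstance(d['pattern-either'], list):
+for item in d['pattern-either']:
+if isinstance(item, dict):
+patterns.extend(_extract_from_dict(item))
+elif isinstance(item, str) and not _is_semgrep_ast_pattern(item):
+patterns.append(item)
+return patterns
+
+
+def _looks_like_regex(s):
+"""Heuristic: check if a string looks like it's already a regex."""
+regex_chars = set(r'\.*+?[](){}|^$')
+return any(c in regex_chars for c in s)
+
+
 def load_yaml_rules():
-"""Load all YAML rule files from the rules directory"""
+"""Load all YAML rule files from the rules directory, recursively."""
 rules = {}
-
+
 if not HAS_YAML:
 print("Warning: PyYAML not installed. Using fallback rules.")
 return rules
-
-for
-
-
+
+for dirpath, _dirnames, filenames in os.walk(RULES_DIR):
+for filename in filenames:
+if not (filename.endswith('.yaml') or filename.endswith('.yml')):
+continue
+filepath = os.path.join(dirpath, filename)
 try:
 with open(filepath, 'r', encoding='utf-8') as f:
 data = yaml.safe_load(f)
-if data
-
-
-
-
-
-
-
-
-
-
-
-
+if not data or 'rules' not in data:
+continue
+for rule in data['rules']:
+rule_id = rule.get('id', '')
+if not rule_id:
+continue
+
+extracted = _extract_patterns_from_semgrep_rule(rule)
+if not extracted:
+continue
+
+rules[rule_id] = {
+'id': rule_id,
+'name': rule_id.split('.')[-1].replace('-', ' ').title(),
+'patterns': extracted,
+'message': rule.get('message', ''),
+'severity': rule.get('severity', 'WARNING').lower(),
+'languages': rule.get('languages', ['generic']),
+'metadata': rule.get('metadata', {})
+}
 except Exception as e:
-print(f"Error loading {
-
+print(f"Error loading {filepath}: {e}")
+
 return rules
 
+
 # Fallback rules if YAML is not available
 FALLBACK_RULES = {
 'python.lang.security.audit.sql-injection': {
@@ -103,65 +183,73 @@ FALLBACK_RULES = {
 }
 }
 
+
 def get_rules():
-"""Get all rules -
+"""Get all rules - merge YAML rules with fallback rules.
+Fallback rules provide regex-based detection baseline.
+YAML rules add additional patterns (prompt injection, subdirectory rules).
+"""
+rules = dict(FALLBACK_RULES)
 yaml_rules = load_yaml_rules()
-
-
-
+rules.update(yaml_rules)
+return rules
+
 
 def get_rules_for_language(language):
 """Get rules applicable to a specific language"""
 all_rules = get_rules()
 applicable_rules = {}
-
+
 language = language.lower()
-
+
 for rule_id, rule in all_rules.items():
 rule_languages = [lang.lower() for lang in rule.get('languages', ['generic'])]
 if language in rule_languages or 'generic' in rule_languages:
 applicable_rules[rule_id] = rule
-
+
 return applicable_rules
 
+
 def get_rules_by_category(category):
 """Get rules by category (e.g., 'injection', 'crypto', 'secrets')"""
 all_rules = get_rules()
 category_rules = {}
-
+
 category = category.lower()
-
+
 for rule_id, rule in all_rules.items():
 if category in rule_id.lower():
 category_rules[rule_id] = rule
-
+
 return category_rules
 
+
 def get_rule_stats():
 """Get statistics about loaded rules"""
 all_rules = get_rules()
-
+
 stats = {
 'total': len(all_rules),
 'by_severity': {'error': 0, 'warning': 0, 'info': 0},
 'by_language': {},
 'by_category': {}
 }
-
+
 for rule_id, rule in all_rules.items():
 severity = rule.get('severity', 'warning').lower()
 stats['by_severity'][severity] = stats['by_severity'].get(severity, 0) + 1
-
+
 for lang in rule.get('languages', ['generic']):
 lang = lang.lower()
 stats['by_language'][lang] = stats['by_language'].get(lang, 0) + 1
-
+
 parts = rule_id.split('.')
 if len(parts) >= 3:
 category = parts[2] if parts[2] != 'lang' else parts[3] if len(parts) > 3 else parts[2]
 stats['by_category'][category] = stats['by_category'].get(category, 0) + 1
-
+
 return stats
 
+
 # Export for backward compatibility
 RULES = get_rules()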
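--- a/package/rules/generic/secrets/gitleaks/adafruit-api-key.yaml
+++ b/package/rules/generic/secrets/gitleaks/adafruit-api-key.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: adafruit-api-key
+message: A gitleaks adafruit-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+languages:
+- regex
+severity: INFO
+metadata:
+likelihood: LOW
+impact: MEDIUM
+confidence: LOW
+category: security
+cwe:
+- "CWE-798: Use of Hard-coded Credentials"
+cwe2021-top25: true
+cwe2022-top25: true
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+subcategory:
+- vuln
+technology:
+- gitleaks
+patterns:
+- pattern-regex: (?i)(?:adafruit)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)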
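Review bot: Every rule in this batch declares `languages:` with the single entry `regex`, but the loader's language filter in the rules-package hunk earlier on this page (`if language in rule_languages or 'generic' in rule_languages:`) only keeps a rule when the requested language is in that list or the list contains `generic`, so a scan requested for, say, `python` would never select these secret-detection rules unless some other code path treats `regex` specially. Worth confirming that path exists; otherwise adding `- generic` alongside `- regex` would make the rules reachable through the same filter as the rest of the rule set. The same applies to the other ten gitleaks rule files in this chunk. Separately, the `message:` reads as though the detected key "attempts to identify hard-coded credentials"; a clearer phrasing is `message: Possible hard-coded Adafruit API key (gitleaks rule adafruit-api-key). Storing credentials in source code risks ...`, keeping the remainder of the text.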
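--- a/package/rules/generic/secrets/gitleaks/adobe-client-id.yaml
+++ b/package/rules/generic/secrets/gitleaks/adobe-client-id.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: adobe-client-id
+message: A gitleaks adobe-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+languages:
+- regex
+severity: INFO
+metadata:
+likelihood: LOW
+impact: MEDIUM
+confidence: LOW
+category: security
+cwe:
+- "CWE-798: Use of Hard-coded Credentials"
+cwe2021-top25: true
+cwe2022-top25: true
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+subcategory:
+- vuln
+technology:
+- gitleaks
+patterns:
+- pattern-regex: (?i)(?:adobe)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)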
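--- a/package/rules/generic/secrets/gitleaks/adobe-client-secret.yaml
+++ b/package/rules/generic/secrets/gitleaks/adobe-client-secret.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: adobe-client-secret
+message: A gitleaks adobe-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+languages:
+- regex
+severity: INFO
+metadata:
+likelihood: LOW
+impact: MEDIUM
+confidence: LOW
+category: security
+cwe:
+- "CWE-798: Use of Hard-coded Credentials"
+cwe2021-top25: true
+cwe2022-top25: true
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+subcategory:
+- vuln
+technology:
+- gitleaks
+patterns:
+- pattern-regex: (?i)\b((p8e-)(?i)[a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)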
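Review bot: The pattern on the last line carries a second `(?i)` in the middle of the expression (`(?i)\b((p8e-)(?i)[a-z0-9]{32})...`); if these rules are compiled with Python's `re` module — the rule loader on this page is Python — a global inline flag that is not at the very start of the pattern is rejected with `re.error` on Python 3.11 and later (it was only a DeprecationWarning before), so the rule would fail to load rather than merely mis-match. The leading `(?i)` already makes the whole pattern case-insensitive, so the inner flag is redundant and can simply be dropped: `- pattern-regex: (?i)\b((p8e-)[a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)`. The alibaba-access-key-id rule later in this chunk has the same construct (`(LTAI)(?i)[a-z0-9]{20}`) and needs the same change. If the matcher in use is an RE2/Go-style engine instead, the flag is accepted but is still redundant; I cannot tell which engine is used from this page alone.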
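--- a/package/rules/generic/secrets/gitleaks/age-secret-key.yaml
+++ b/package/rules/generic/secrets/gitleaks/age-secret-key.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: age-secret-key
+message: A gitleaks age-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+languages:
+- regex
+severity: INFO
+metadata:
+likelihood: LOW
+impact: MEDIUM
+confidence: LOW
+category: security
+cwe:
+- "CWE-798: Use of Hard-coded Credentials"
+cwe2021-top25: true
+cwe2022-top25: true
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+subcategory:
+- vuln
+technology:
+- gitleaks
+patterns:
+- pattern-regex: AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}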
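Review bot: This rule matches a fixed `AGE-SECRET-KEY-1` prefix followed by exactly 58 characters from the bech32 alphabet, which is far more specific than the keyword-proximity patterns in the sibling rules (adafruit, airtable, algolia, asana, …), yet it carries the identical `confidence: LOW` / `likelihood: LOW` / `severity: INFO` metadata. Consumers that rank or filter findings on those fields will treat a near-certain private-key disclosure the same as a weak heuristic hit; `confidence: HIGH` and at least `severity: WARNING` look justified here, and the same consideration applies to the other fixed-prefix rules in this chunk (adobe-client-secret with `p8e-`, alibaba-access-key-id with `LTAI`). The metadata block appears to be copied verbatim across all eleven files, so this may be a generator default rather than a deliberate rating — worth confirming before the ratings are relied upon.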
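--- a/package/rules/generic/secrets/gitleaks/airtable-api-key.yaml
+++ b/package/rules/generic/secrets/gitleaks/airtable-api-key.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: airtable-api-key
+message: A gitleaks airtable-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+languages:
+- regex
+severity: INFO
+metadata:
+likelihood: LOW
+impact: MEDIUM
+confidence: LOW
+category: security
+cwe:
+- "CWE-798: Use of Hard-coded Credentials"
+cwe2021-top25: true
+cwe2022-top25: true
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+subcategory:
+- vuln
+technology:
+- gitleaks
+patterns:
+- pattern-regex: (?i)(?:airtable)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{17})(?:['|\"|\n|\r|\s|\x60|;]|$)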
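--- a/package/rules/generic/secrets/gitleaks/algolia-api-key.yaml
+++ b/package/rules/generic/secrets/gitleaks/algolia-api-key.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: algolia-api-key
+message: A gitleaks algolia-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+languages:
+- regex
+severity: INFO
+metadata:
+likelihood: LOW
+impact: MEDIUM
+confidence: LOW
+category: security
+cwe:
+- "CWE-798: Use of Hard-coded Credentials"
+cwe2021-top25: true
+cwe2022-top25: true
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+subcategory:
+- vuln
+technology:
+- gitleaks
+patterns:
+- pattern-regex: (?i)(?:algolia)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)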
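--- a/package/rules/generic/secrets/gitleaks/alibaba-access-key-id.yaml
+++ b/package/rules/generic/secrets/gitleaks/alibaba-access-key-id.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: alibaba-access-key-id
+message: A gitleaks alibaba-access-key-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+languages:
+- regex
+severity: INFO
+metadata:
+likelihood: LOW
+impact: MEDIUM
+confidence: LOW
+category: security
+cwe:
+- "CWE-798: Use of Hard-coded Credentials"
+cwe2021-top25: true
+cwe2022-top25: true
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+subcategory:
+- vuln
+technology:
+- gitleaks
+patterns:
+- pattern-regex: (?i)\b((LTAI)(?i)[a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)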
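--- a/package/rules/generic/secrets/gitleaks/alibaba-secret-key.yaml
+++ b/package/rules/generic/secrets/gitleaks/alibaba-secret-key.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: alibaba-secret-key
+message: A gitleaks alibaba-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+languages:
+- regex
+severity: INFO
+metadata:
+likelihood: LOW
+impact: MEDIUM
+confidence: LOW
+category: security
+cwe:
+- "CWE-798: Use of Hard-coded Credentials"
+cwe2021-top25: true
+cwe2022-top25: true
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+subcategory:
+- vuln
+technology:
+- gitleaks
+patterns:
+- pattern-regex: (?i)(?:alibaba)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$)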
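--- a/package/rules/generic/secrets/gitleaks/asana-client-id.yaml
+++ b/package/rules/generic/secrets/gitleaks/asana-client-id.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: asana-client-id
+message: A gitleaks asana-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+languages:
+- regex
+severity: INFO
+metadata:
+likelihood: LOW
+impact: MEDIUM
+confidence: LOW
+category: security
+cwe:
+- "CWE-798: Use of Hard-coded Credentials"
+cwe2021-top25: true
+cwe2022-top25: true
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+subcategory:
+- vuln
+technology:
+- gitleaks
+patterns:
+- pattern-regex: (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)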
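--- a/package/rules/generic/secrets/gitleaks/asana-client-secret.yaml
+++ b/package/rules/generic/secrets/gitleaks/asana-client-secret.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: asana-client-secret
+message: A gitleaks asana-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+languages:
+- regex
+severity: INFO
+metadata:
+likelihood: LOW
+impact: MEDIUM
+confidence: LOW
+category: security
+cwe:
+- "CWE-798: Use of Hard-coded Credentials"
+cwe2021-top25: true
+cwe2022-top25: true
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+subcategory:
+- vuln
+technology:
+- gitleaks
+patterns:
+- pattern-regex: (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)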
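--- a/package/rules/generic/secrets/gitleaks/atlassian-api-token.yaml
+++ b/package/rules/generic/secrets/gitleaks/atlassian-api-token.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: atlassian-api-token
+message: A gitleaks atlassian-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+languages:
+- regex
+severity: INFO
+metadata:
+likelihood: LOW
+impact: MEDIUM
+confidence: LOW
+category: security
+cwe:
+- "CWE-798: Use of Hard-coded Credentials"
+cwe2021-top25: true
+cwe2022-top25: true
+owasp:
+- A07:2021 - Identification and Authentication Failures
+- A07:2025 - Authentication Failures
+references:
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+subcategory:
+- vuln
+technology:
+- gitleaks
+patterns:
+- pattern-regex: (?i)(?:atlassian|confluence|jira)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)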