Merge Gitleaks rules 2024-10-01 # 00:32

Security Research (r2c-argo) · Security Research (r2c-argo) · commit 6dd31dc82779 · 2024-10-01T00:32:00.000Z
diff --git a/generic/secrets/gitleaks/clojars-api-token.yaml b/generic/secrets/gitleaks/clojars-api-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)(CLOJARS_)[a-z0-9]{60}
+    - pattern-regex: (?i)CLOJARS_[a-z0-9]{60}
diff --git a/generic/secrets/gitleaks/doppler-api-token.yaml b/generic/secrets/gitleaks/doppler-api-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (dp\.pt\.)(?i)[a-z0-9]{43}
+    - pattern-regex: dp\.pt\.(?i)[a-z0-9]{43}
diff --git a/generic/secrets/gitleaks/duffel-api-token.yaml b/generic/secrets/gitleaks/duffel-api-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: duffel_(test|live)_(?i)[a-z0-9_\-=]{43}
+    - pattern-regex: duffel_(?:test|live)_(?i)[a-z0-9_\-=]{43}
diff --git a/generic/secrets/gitleaks/etsy-access-token.yaml b/generic/secrets/gitleaks/etsy-access-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)(?:etsy)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)
+    - pattern-regex: (?i)(?:(?-i:ETSY|[Ee]tsy))(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/flyio-access-token.yaml b/generic/secrets/gitleaks/flyio-access-token.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: flyio-access-token
+  message: A gitleaks flyio-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+  languages:
+    - regex
+  severity: INFO
+  metadata:
+      likelihood: LOW
+      impact: MEDIUM
+      confidence: LOW
+      category: security
+      cwe:
+        - "CWE-798: Use of Hard-coded Credentials"
+      cwe2021-top25: true
+      cwe2022-top25: true
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+      source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+      subcategory:
+        - vuln
+      technology:
+        - gitleaks
+  patterns:
+    - pattern-regex: \b((?:fo1_[\w-]{43}|fm1[ar]_[a-zA-Z0-9+\/]{100,}={0,3}|fm2_[a-zA-Z0-9+\/]{100,}={0,3}))(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/gcp-api-key.yaml b/generic/secrets/gitleaks/gcp-api-key.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)\b(AIza[0-9A-Za-z\\-_]{35})(?:['|\"|\n|\r|\s|\x60|;]|$)
+    - pattern-regex: \b(AIza[\w-]{35})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/github-app-token.yaml b/generic/secrets/gitleaks/github-app-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (ghu|ghs)_[0-9a-zA-Z]{36}
+    - pattern-regex: (?:ghu|ghs)_[0-9a-zA-Z]{36}
diff --git a/generic/secrets/gitleaks/github-fine-grained-pat.yaml b/generic/secrets/gitleaks/github-fine-grained-pat.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: github_pat_[0-9a-zA-Z_]{82}
+    - pattern-regex: github_pat_\w{82}
diff --git a/generic/secrets/gitleaks/harness-api-key.yaml b/generic/secrets/gitleaks/harness-api-key.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: ((?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20})
+    - pattern-regex: (?:pat|sat)\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20}
diff --git a/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml b/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}
+    - pattern-regex: (?i)[a-z0-9]{14}\.(?-i:atlasv1)\.[a-z0-9\-_=]{60,70}
diff --git a/generic/secrets/gitleaks/kubernetes-secret-yaml.yaml b/generic/secrets/gitleaks/kubernetes-secret-yaml.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: kubernetes-secret-yaml
+  message: A gitleaks kubernetes-secret-yaml was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+  languages:
+    - regex
+  severity: INFO
+  metadata:
+      likelihood: LOW
+      impact: MEDIUM
+      confidence: LOW
+      category: security
+      cwe:
+        - "CWE-798: Use of Hard-coded Credentials"
+      cwe2021-top25: true
+      cwe2022-top25: true
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+      source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+      subcategory:
+        - vuln
+      technology:
+        - gitleaks
+  patterns:
+    - pattern-regex: (?i)(?:\bkind:[ \t]*["']?secret["']?(?:.|\s){0,200}?\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))|\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))(?:.|\s){0,200}?\bkind:[ \t]*["']?secret["']?)
diff --git a/generic/secrets/gitleaks/openshift-user-token.yaml b/generic/secrets/gitleaks/openshift-user-token.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: openshift-user-token
+  message: A gitleaks openshift-user-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+  languages:
+    - regex
+  severity: INFO
+  metadata:
+      likelihood: LOW
+      impact: MEDIUM
+      confidence: LOW
+      category: security
+      cwe:
+        - "CWE-798: Use of Hard-coded Credentials"
+      cwe2021-top25: true
+      cwe2022-top25: true
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+      source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+      subcategory:
+        - vuln
+      technology:
+        - gitleaks
+  patterns:
+    - pattern-regex: \b(sha256~[\w-]{43})(?:[^\w-]|\z)
diff --git a/generic/secrets/gitleaks/private-key.yaml b/generic/secrets/gitleaks/private-key.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S-]*KEY( BLOCK)?----
+    - pattern-regex: (?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----[\s\S-]*KEY(?: BLOCK)?----
diff --git a/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml b/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)\b(http(?:s??):\/\/)([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$)
+    - pattern-regex: (?i)\bhttps?://([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$)
diff --git a/generic/secrets/gitleaks/slack-app-token.yaml b/generic/secrets/gitleaks/slack-app-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)(xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+)
+    - pattern-regex: (?i)xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+
diff --git a/generic/secrets/gitleaks/slack-config-access-token.yaml b/generic/secrets/gitleaks/slack-config-access-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)(xoxe.xox[bp]-\d-[A-Z0-9]{163,166})
+    - pattern-regex: (?i)xoxe.xox[bp]-\d-[A-Z0-9]{163,166}
diff --git a/generic/secrets/gitleaks/slack-config-refresh-token.yaml b/generic/secrets/gitleaks/slack-config-refresh-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)(xoxe-\d-[A-Z0-9]{146})
+    - pattern-regex: (?i)xoxe-\d-[A-Z0-9]{146}
diff --git a/generic/secrets/gitleaks/slack-legacy-token.yaml b/generic/secrets/gitleaks/slack-legacy-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (xox[os]-\d+-\d+-\d+-[a-fA-F\d]+)
+    - pattern-regex: xox[os]-\d+-\d+-\d+-[a-fA-F\d]+
diff --git a/generic/secrets/gitleaks/slack-user-token.yaml b/generic/secrets/gitleaks/slack-user-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34})
+    - pattern-regex: xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34}
diff --git a/generic/secrets/gitleaks/square-access-token.yaml b/generic/secrets/gitleaks/square-access-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)\b((EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60})(?:['|\"|\n|\r|\s|\x60|;]|$)
+    - pattern-regex: \b((?:EAAA|sq0atp-)[\w-]{22,60})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/telegram-bot-api-token.yaml b/generic/secrets/gitleaks/telegram-bot-api-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i:(?:telegr)(?:[0-9a-z\(-_\t .\\]{0,40})(?:[\s|']|[\s|"]){0,3})(?:=|\|\|:|<=|=>|:|\?=|\()(?:'|\"|\s|=|\x60){0,5}([0-9]{5,16}:A[a-z0-9_\-]{34})(?:['|\"|\n|\r|\s|\x60|;|\\]|$)
+    - pattern-regex: (?i:telegr(?:[0-9a-z\(-_\t .\\]{0,40})(?:[\s|']|[\s|"]){0,3})(?:=|\|\|:|<=|=>|:|\?=|\()(?:'|\"|\s|=|\x60){0,5}([0-9]{5,16}:A[a-z0-9_\-]{34})(?:['|\"|\n|\r|\s|\x60|;|\\]|$)
diff --git a/generic/secrets/gitleaks/vault-service-token.yaml b/generic/secrets/gitleaks/vault-service-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)\b(hvs\.[a-z0-9_-]{90,100})(?:['|\"|\n|\r|\s|\x60|;]|$)
+    - pattern-regex: \b((?:hvs\.[\w-]{90,120}|s\.(?i:[a-z0-9]{24})))(?:['|\"|\n|\r|\s|\x60|;]|$)
