From 6e0c62d40fc9cff69cc02ed89ed7106a1f10bc38 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 25 Mar 2026 23:17:54 +0000
Subject: [PATCH 01/13] Added check to ensure files of 'Kind' proto are ignored by 'Inspect', stoping passwords and secrets flags on said files

---
 .../test/negative60.proto            | 334 ++++++++++++++++++
 pkg/engine/secrets/inspector.go      |   5 +-
 pkg/engine/secrets/inspector_test.go |  37 ++
 3 files changed, 375 insertions(+), 1 deletion(-)
 create mode 100644 assets/queries/common/passwords_and_secrets/test/negative60.proto

diff --git a/assets/queries/common/passwords_and_secrets/test/negative60.proto b/assets/queries/common/passwords_and_secrets/test/negative60.proto
new file mode 100644
index 00000000000..44b0784a650
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative60.proto
@@ -0,0 +1,334 @@ +syntax = "proto3"; + +package com.example.security_test.v1; + +import "google/protobuf/wrappers.proto"; +import "google/protobuf/timestamp.proto"; + +// ============================================================================= +// This file is a test fixture for secret/token/password scanning tools. +// It should be treated as a NEGATIVE (no real secrets). +// Proto files define schemas, not actual secret values. +// Any secret-like strings here are example annotations, not real credentials. +// ============================================================================= + +// --------------------------------------------------------------------------- +// OAuth / Identity Provider Configurations +// --------------------------------------------------------------------------- + +message OAuthProviderConfig { + google.protobuf.StringValue client_id = 1; + google.protobuf.StringValue client_secret = 2; + google.protobuf.StringValue access_token = 3; + google.protobuf.StringValue refresh_token = 4; + google.protobuf.StringValue token_endpoint = 5; + google.protobuf.StringValue authorization_code = 6; + google.protobuf.StringValue id_token = 7; + google.protobuf.StringValue bearer_token = 8; + google.protobuf.UInt32Value token_expiry_seconds = 9; + google.protobuf.StringValue pkce_code_verifier = 10; +} + +message SamlConfig { + google.protobuf.StringValue signing_certificate = 1; + google.protobuf.StringValue private_key = 2; + google.protobuf.StringValue idp_certificate = 3; + google.protobuf.StringValue sp_private_key = 4; + google.protobuf.StringValue assertion_consumer_service_url = 5; + google.protobuf.StringValue metadata_signing_key = 6; +} + +message LdapConfig { + google.protobuf.StringValue bind_dn = 1; + google.protobuf.StringValue bind_password = 2; + google.protobuf.StringValue admin_password = 3; + google.protobuf.StringValue service_account_password = 4; + google.protobuf.StringValue base_dn = 5; + google.protobuf.BoolValue use_ssl 
= 6; + google.protobuf.StringValue ssl_certificate = 7; +} + +// --------------------------------------------------------------------------- +// API Key / Token Management +// --------------------------------------------------------------------------- + +enum ApiKeyType { + API_KEY_TYPE_UNKNOWN = 0; + API_KEY_TYPE_READ_ONLY = 1; + API_KEY_TYPE_READ_WRITE = 2; + API_KEY_TYPE_ADMIN = 3; +} + +message ApiKeyConfig { + google.protobuf.StringValue api_key = 1; + google.protobuf.StringValue api_secret = 2; + google.protobuf.StringValue api_token = 3; + google.protobuf.StringValue secret_key = 4; + google.protobuf.StringValue access_key_id = 5; + google.protobuf.StringValue secret_access_key = 6; + ApiKeyType key_type = 7; + google.protobuf.Timestamp expires_at = 8; + google.protobuf.StringValue signing_secret = 9; + google.protobuf.StringValue hmac_key = 10; +} + +message PersonalAccessToken { + google.protobuf.StringValue token = 1; + google.protobuf.StringValue token_hash = 2; + google.protobuf.StringValue token_prefix = 3; + google.protobuf.Timestamp issued_at = 4; + google.protobuf.Timestamp expires_at = 5; + repeated string scopes = 6; +} + +// --------------------------------------------------------------------------- +// Cloud Provider Credentials +// --------------------------------------------------------------------------- + +message AwsCredentials { + google.protobuf.StringValue aws_access_key_id = 1; + google.protobuf.StringValue aws_secret_access_key = 2; + google.protobuf.StringValue aws_session_token = 3; + google.protobuf.StringValue role_arn = 4; + google.protobuf.StringValue external_id = 5; + google.protobuf.StringValue kms_key_id = 6; +} + +message GcpCredentials { + google.protobuf.StringValue service_account_key_json = 1; + google.protobuf.StringValue private_key_id = 2; + google.protobuf.StringValue private_key = 3; + google.protobuf.StringValue client_email = 4; + google.protobuf.StringValue project_id = 5; + google.protobuf.StringValue 
access_token = 6; +} + +message AzureCredentials { + google.protobuf.StringValue tenant_id = 1; + google.protobuf.StringValue client_id = 2; + google.protobuf.StringValue client_secret = 3; + google.protobuf.StringValue subscription_id = 4; + google.protobuf.StringValue connection_string = 5; + google.protobuf.StringValue sas_token = 6; + google.protobuf.StringValue storage_account_key = 7; +} + +// --------------------------------------------------------------------------- +// Database Credentials +// --------------------------------------------------------------------------- + +message DatabaseCredentials { + google.protobuf.StringValue host = 1; + google.protobuf.UInt32Value port = 2; + google.protobuf.StringValue username = 3; + google.protobuf.StringValue password = 4; + google.protobuf.StringValue database_name = 5; + google.protobuf.StringValue connection_string = 6; + google.protobuf.StringValue ssl_ca_cert = 7; + google.protobuf.StringValue ssl_client_cert = 8; + google.protobuf.StringValue ssl_client_key = 9; + google.protobuf.StringValue master_password = 10; + google.protobuf.StringValue replication_password = 11; +} + +message RedisCredentials { + google.protobuf.StringValue host = 1; + google.protobuf.UInt32Value port = 2; + google.protobuf.StringValue password = 3; + google.protobuf.StringValue auth_token = 4; + google.protobuf.StringValue tls_cert = 5; +} + +// --------------------------------------------------------------------------- +// Third-Party Integration Credentials +// --------------------------------------------------------------------------- + +message SlackIntegrationConfig { + google.protobuf.StringValue bot_token = 1; + google.protobuf.StringValue signing_secret = 2; + google.protobuf.StringValue verification_token = 3; + google.protobuf.StringValue oauth_access_token = 4; + google.protobuf.StringValue webhook_secret = 5; + google.protobuf.StringValue app_token = 6; +} + +message GitHubIntegrationConfig { + google.protobuf.StringValue 
personal_access_token = 1; + google.protobuf.StringValue webhook_secret = 2; + google.protobuf.StringValue app_private_key = 3; + google.protobuf.StringValue app_installation_token = 4; + google.protobuf.StringValue deploy_key = 5; + google.protobuf.StringValue oauth_client_secret = 6; +} + +message StripeConfig { + google.protobuf.StringValue publishable_key = 1; + google.protobuf.StringValue secret_key = 2; + google.protobuf.StringValue webhook_signing_secret = 3; + google.protobuf.StringValue restricted_api_key = 4; +} + +message TwilioConfig { + google.protobuf.StringValue account_sid = 1; + google.protobuf.StringValue auth_token = 2; + google.protobuf.StringValue api_key_sid = 3; + google.protobuf.StringValue api_key_secret = 4; +} + +message SendGridConfig { + google.protobuf.StringValue api_key = 1; + google.protobuf.StringValue smtp_password = 2; + google.protobuf.StringValue webhook_verification_key = 3; +} + +// --------------------------------------------------------------------------- +// Encryption and Signing +// --------------------------------------------------------------------------- + +message EncryptionConfig { + google.protobuf.StringValue encryption_key = 1; + google.protobuf.StringValue decryption_key = 2; + google.protobuf.StringValue master_key = 3; + google.protobuf.StringValue data_encryption_key = 4; + google.protobuf.StringValue key_encryption_key = 5; + google.protobuf.StringValue initialization_vector = 6; + google.protobuf.StringValue passphrase = 7; + google.protobuf.StringValue salt = 8; +} + +message JwtConfig { + google.protobuf.StringValue jwt_secret = 1; + google.protobuf.StringValue jwt_private_key = 2; + google.protobuf.StringValue jwt_public_key = 3; + google.protobuf.StringValue jwt_signing_key = 4; + google.protobuf.UInt32Value jwt_expiry_seconds = 5; + google.protobuf.StringValue jwt_refresh_secret = 6; +} + +message SshConfig { + google.protobuf.StringValue ssh_private_key = 1; + google.protobuf.StringValue 
ssh_public_key = 2; + google.protobuf.StringValue ssh_passphrase = 3; + google.protobuf.StringValue ssh_host_key = 4; + google.protobuf.StringValue known_hosts_entry = 5; +} + +message TlsConfig { + google.protobuf.StringValue tls_certificate = 1; + google.protobuf.StringValue tls_private_key = 2; + google.protobuf.StringValue ca_certificate = 3; + google.protobuf.StringValue ca_private_key = 4; + google.protobuf.StringValue pfx_password = 5; + google.protobuf.StringValue keystore_password = 6; + google.protobuf.StringValue truststore_password = 7; +} + +// --------------------------------------------------------------------------- +// User / Account Credentials +// --------------------------------------------------------------------------- + +message UserCredentials { + google.protobuf.StringValue username = 1; + google.protobuf.StringValue password = 2; + google.protobuf.StringValue password_hash = 3; + google.protobuf.StringValue password_salt = 4; + google.protobuf.StringValue totp_secret = 5; + google.protobuf.StringValue recovery_codes = 6; + google.protobuf.StringValue security_question_answer = 7; + google.protobuf.StringValue pin_code = 8; +} + +message ServiceAccountCredentials { + google.protobuf.StringValue service_account_id = 1; + google.protobuf.StringValue service_account_secret = 2; + google.protobuf.StringValue service_account_token = 3; + google.protobuf.StringValue service_account_private_key = 4; + google.protobuf.StringValue credentials_json = 5; +} + +// --------------------------------------------------------------------------- +// Webhook Secrets (similar to the original file's domain) +// --------------------------------------------------------------------------- + +message WebhookSecurityConfig { + google.protobuf.StringValue webhook_secret = 1; + google.protobuf.StringValue signing_key = 2; + google.protobuf.StringValue verification_token = 3; + google.protobuf.StringValue shared_secret = 4; + google.protobuf.StringValue callback_token = 
5; + google.protobuf.StringValue hmac_secret = 6; + google.protobuf.StringValue basic_auth_username = 7; + google.protobuf.StringValue basic_auth_password = 8; +} + +// --------------------------------------------------------------------------- +// Container / Orchestration Secrets +// --------------------------------------------------------------------------- + +message KubernetesSecretRef { + google.protobuf.StringValue secret_name = 1; + google.protobuf.StringValue secret_namespace = 2; + google.protobuf.StringValue kubeconfig = 3; + google.protobuf.StringValue cluster_ca_certificate = 4; + google.protobuf.StringValue service_account_token = 5; + google.protobuf.StringValue docker_config_json = 6; + google.protobuf.StringValue image_pull_secret = 7; +} + +message DockerRegistryCredentials { + google.protobuf.StringValue registry_url = 1; + google.protobuf.StringValue registry_username = 2; + google.protobuf.StringValue registry_password = 3; + google.protobuf.StringValue registry_token = 4; + google.protobuf.StringValue docker_auth = 5; +} + +// --------------------------------------------------------------------------- +// CI/CD Pipeline Secrets +// --------------------------------------------------------------------------- + +message CiCdSecrets { + google.protobuf.StringValue deploy_token = 1; + google.protobuf.StringValue ci_token = 2; + google.protobuf.StringValue npm_token = 3; + google.protobuf.StringValue pypi_token = 4; + google.protobuf.StringValue nuget_api_key = 5; + google.protobuf.StringValue sonar_token = 6; + google.protobuf.StringValue codecov_token = 7; + google.protobuf.StringValue artifactory_password = 8; + google.protobuf.StringValue nexus_password = 9; + google.protobuf.StringValue gpg_signing_key = 10; + google.protobuf.StringValue cosign_private_key = 11; +} + +// --------------------------------------------------------------------------- +// Aggregate Configuration (uses all of the above) +// 
---------------------------------------------------------------------------
+
+message IntegrationCredentials {
+  oneof credentials {
+    OAuthProviderConfig oauth = 1;
+    SamlConfig saml = 2;
+    LdapConfig ldap = 3;
+    ApiKeyConfig api_key = 4;
+    AwsCredentials aws = 5;
+    GcpCredentials gcp = 6;
+    AzureCredentials azure = 7;
+    DatabaseCredentials database = 8;
+    RedisCredentials redis = 9;
+    SlackIntegrationConfig slack = 10;
+    GitHubIntegrationConfig github = 11;
+    StripeConfig stripe = 12;
+    TwilioConfig twilio = 13;
+    SendGridConfig sendgrid = 14;
+    EncryptionConfig encryption = 15;
+    JwtConfig jwt = 16;
+    SshConfig ssh = 17;
+    TlsConfig tls = 18;
+    UserCredentials user = 19;
+    ServiceAccountCredentials service_account = 20;
+    KubernetesSecretRef kubernetes = 21;
+    DockerRegistryCredentials docker = 22;
+    CiCdSecrets ci_cd = 23;
+  }
+}
\ No newline at end of file
diff --git a/pkg/engine/secrets/inspector.go b/pkg/engine/secrets/inspector.go
index 36dfa4aab00..20602131733 100644
--- a/pkg/engine/secrets/inspector.go
+++ b/pkg/engine/secrets/inspector.go
@@ -660,13 +660,16 @@ func ignoreLine(lineNumber int, linesIgnore []int) bool {
 	return false
 }
-// cleanFiles keeps one file per filePath
+// cleanFiles keeps one file per filePath and filters .proto files
 func cleanFiles(files model.FileMetadatas) model.FileMetadatas {
 	keys := make(map[string]bool)
 	cleanFiles := model.FileMetadatas{}
 	for i := range files {
+		if files[i].Kind == model.KindPROTO {
+			continue
+		}
 		filePath := files[i].FilePath
 		if _, value := keys[filePath]; !value {
 			keys[filePath] = true
diff --git a/pkg/engine/secrets/inspector_test.go b/pkg/engine/secrets/inspector_test.go
index 2b5bbf12b55..5839c5b9e0d 100644
--- a/pkg/engine/secrets/inspector_test.go
+++ b/pkg/engine/secrets/inspector_test.go
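Review bot: The header comment of this fixture says "Any secret-like strings here are example annotations, not real credentials", but the file contains only field declarations such as `google.protobuf.StringValue password = 4;` and no string values at all, so that sentence describes something the file does not contain; I would replace it with `// Field names deliberately match the secret-detection rules (password, secret_key, token, private_key ...); the only "values" present are field numbers.` Declarations like `access_token = 3;` and `private_key = 2;` are exactly the `name = N` shape the Generic Token and Generic Private Key regexes match, so as long as the same commit makes cleanFiles drop every file of Kind PROTO this fixture passes without the regex allow rules ever running on it — if the query tests go through the same Inspect path, a regression in those rules would not be caught here. The file is also missing its trailing newline (`\ No newline at end of file`).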
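Review bot: The new Kind check in cleanFiles removes every .proto file from secret inspection wholesale, which is broader than the false positive it targets: .proto files also carry `//` comments and string-valued `option` entries where a pasted real credential would now go unreported, and nothing is logged when a file is dropped. If the goal is only to stop field declarations like `password = 4;` from matching, an allow rule on the `name = <number>;` shape keeps comment and option strings in scope (patch 02/13 in this series appears to move in that direction, so consider squashing the two). The updated comment says "filters .proto files" while the code keys on `Kind == model.KindPROTO`, so a file with a .proto extension that the classifier gave a different Kind would still be scanned; I would document the actual condition and the trade-off: `// cleanFiles keeps one file per filePath and drops files whose Kind is model.KindPROTO: proto schemas declare secret-named fields (password = 4;) rather than values. Note this also skips comments and option strings in those files.` cleanFiles continues past the end of the hunk.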
@@ -260,6 +260,28 @@ var OriginalData7 = `# kics-scan disable=baee238e-1921-4801-9c3f-79ae1d7b2cbc
     register: result
 `
+var OriginalData8 = `
+  syntax = "proto3";
+
+  package com.example.security_test.v1;
+
+  import "google/protobuf/wrappers.proto";
+  import "google/protobuf/timestamp.proto";
+
+  message OAuthProviderConfig {
+    google.protobuf.StringValue client_id = 1;
+    google.protobuf.StringValue client_secret = 2;
+    google.protobuf.StringValue access_token = 3;
+    google.protobuf.StringValue refresh_token = 4;
+    google.protobuf.StringValue token_endpoint = 5;
+    google.protobuf.StringValue authorization_code = 6;
+    google.protobuf.StringValue id_token = 7;
+    google.protobuf.StringValue bearer_token = 8;
+    google.protobuf.UInt32Value token_expiry_seconds = 9;
+    google.protobuf.StringValue pkce_code_verifier = 10;
+  }
+`
+
 var testInspectInput = []struct {
 	name     string
 	files    model.FileMetadatas
@@ -418,6 +440,21 @@ var testInspectInput = []struct {
 		wantVuln: []model.Vulnerability{},
 		wantErr:  false,
 	},
+	{
+		name: "invalid_file_kind",
+		files: model.FileMetadatas{
+			{
+				ID:                "a6fbadc6-da29-4340-8d56-aa26a8852526",
+				Document:          model.Document{},
+				OriginalData:      OriginalData8,
+				LinesOriginalData: utils.SplitLines(OriginalData8),
+				Kind:              "PROTO",
+				FilePath:          "assets/queries/common/passwords_and_secrets/test/negative60.proto",
+			},
+		},
+		wantVuln: []model.Vulnerability{},
+		wantErr:  false,
+	},
 }
 var testNewInspectorInputs = []struct {

From 99d42f67dd1fe47ad7b679041638a5b0cf34d8ec Mon Sep 17 00:00:00 2001
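Review bot: The new case sets `Kind: "PROTO"` as a string literal while the production check in cleanFiles compares against `model.KindPROTO`; use the constant (`Kind: model.KindPROTO,`) so the test and the code cannot drift apart, and rename the case from "invalid_file_kind" to something like "proto_file_kind_skipped", since PROTO is a valid kind that is intentionally excluded rather than an invalid one. The case only shows that a proto file yields no findings; it does not show that the absence of findings comes from the Kind check rather than from the rules, so a sibling case with the same OriginalData8 and a non-proto Kind that expects the `access_token = 3;` line to be reported (the Generic Token regex in regex_rules.json matches that shape) would pin the behaviour to the exclusion. The test table continues past the end of the hunk.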
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 15:00:21 +0000
Subject: [PATCH 02/13] Changed approach, proto files should flag if they have secrets within commented lines, new allow rules prevent proto files fields from flagging

---
 .../passwords_and_secrets/regex_rules.json | 900 +++++++++--------
 .../test/negative60.proto                  | 388 +------
 .../test/positive56.proto                  |  18 +
 .../test/positive_expected_result.json     | 944 +++++++++--------
 pkg/engine/secrets/inspector.go            |   5 +-
 pkg/engine/secrets/inspector_test.go       |  36 +-
 6 files changed, 1034 insertions(+), 1257 deletions(-)
 create mode 100644 assets/queries/common/passwords_and_secrets/test/positive56.proto

diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 4620f0285cd..40608122628 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -1,442 +1,458 @@ -{ - "rules": [ - { - "id": "487f4be7-3fd9-4506-a07a-eae252180c08", - "name": "Generic Password", - "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?", - "allowRules": [ - { - "description": "Avoiding TF resource access", - "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)" - }, - { - "description": "Avoiding description field", - "regex": "(?i)['\"]?description['\"]?\\s*=\\s*['\"].*['\"]" - }, - { - "description": "Avoiding Terraform 'optional' statement", - "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)$" - }, - { - "description": "Avoiding Terraform 'try' statement", - "regex": "(?i)['\"]?password['\"]?\\s*=\\s*try\\([^\"']+,[^\"']+\\)$" - }, - { - "description": "Avoiding CF AllowUsersToChangePassword", - "regex": "['\"]?AllowUsersToChangePassword['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?" - }, - { - "description": "Avoiding Ansible playbook update_password", - "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?" 
- }, - { - "description": "Allow placeholders", - "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"](\\$\\(|\\$?\\{\\{)\\s*\\w+\\s*(\\)|\\}\\})['\"]" - }, - { - "description": "Allow empty values", - "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(''|\"\")" - }, - { - "description": "Allow password retrieved from ARM parameters", - "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"]([a-zA-Z][a-zA-Z0-9_-]*)['\"]['\"]?\\)" - } - ], - "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*" - }, - { - "id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99", - "name": "Generic Secret", - "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]{10,})['\"]?", - "entropies": [ - { - "group": 3, - "min": 2.8, - "max": 8 - } - ], - "allowRules": [ - { - "description": "Avoiding Square OAuth Secret", - "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?" - }, - { - "description": "Avoiding TF resource access", - "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\.\\)\\]\\$]|(:\\s*null))|null)" - }, - { - "description": "Avoiding Secrets Manager arn", - "regex": ":secretsmanager:[a-z0-9-*?]+:[0-9*?]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" - }, - { - "description": "Avoiding CloudFormation Parameters Descriptions", - "regex": "['\"]?Description['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*${}+-.'\"]+)['\"]?" - }, - { - "description": "Avoiding Secrets from Azure Key Vault", - "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+-]+}?" 
- }, - { - "description": "Allow secret retrieved from ARM parameters", - "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_-]*['\"]\\s*\\)\\s*\\]" - }, - { - "description": "Allow secrets retrieved from Bicep getSecret built in function", - "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)" - } - ], - "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*" - }, - { - "id": "51b5b840-cd0c-4556-98a7-fe5f4def80cf", - "name": "Asymmetric private key", - "regex": "-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----\\s*(([A-Za-z0-9+,:\\-\\/=\\n\\r]+\\s*)+)-----END ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----", - "multiline": { - "detectLineGroup": 4 - }, - "entropies": [ - { - "group": 5, - "min": 3.7, - "max": 12 - } - ], - "specialMask": "all" - }, - { - "id": "a007a85e-a2a7-4a81-803a-7a2ca0c65abb", - "name": "Putty User Key File Content", - "regex": "['\"]?PuTTY-User-Key-File-\\d: ([\\w\\d-:\\n\\s+/=]+Private-MAC: [\\d\\w\"]+)['\"]?", - "multiline": { - "detectLineGroup": 1 - }, - "specialMask": "all" - }, - { - "id": "c4d3b58a-e6d4-450f-9340-04f1e702eaae", - "name": "Password in URL", - "regex": "['\"]?[a-zA-Z]{3,10}://[^/\\s:@$]*?:[^/\\s:@$]*?@[^/\\s:@$]*['\"]?" 
- }, - { - "id": "76c0bcde-903d-456e-ac13-e58c34987852", - "name": "AWS Access Key", - "regex": "(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}" - }, - { - "id": "76c0bcde-903d-456e-ac13-e58c34987852", - "name": "AWS Context-specific credential", - "regex": "(A3T[A-Z0-9]|ACCA)[A-Z0-9]{16}" - }, - { - "id": "76c0bcde-903d-456e-ac13-e58c34987852", - "name": "AWS Certificate", - "regex": "(A3T[A-Z0-9]|ASCA)[A-Z0-9]{16}" - }, - { - "id": "83ab47ff-381d-48cd-bac5-fb32222f54af", - "name": "AWS Secret Key", - "regex": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*['\"]?([a-zA-Z0-9/]{40})[\"']?", - "entropies": [ - { - "group": 3, - "min": 4.8, - "max": 7 - } - ], - "specialMask": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*" - }, - { - "id": "4b2b5fd3-364d-4093-bac2-17391b2a5297", - "name": "K8s Environment Variable Password", - "regex": "apiVersion((.*)\\s*)*env:((.*)\\s*)*name:\\s*\\w+(?i)pass((?i)word)?\\w*\\s*(value):\\s*([\"|'].*[\"|'])", - "multiline": { - "detectLineGroup": 7 - }, - "specialMask": "\\s*(value):\\s*" - }, - { - "id": "d651cca2-2156-4d17-8e76-423e68de5c8b", - "name": "Google OAuth", - "regex": "['\"]?[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com['\"]?" - }, - { - "id": "ccde326f-ebc7-4772-8ad5-de66e90a8cc3", - "name": "Slack Webhook", - "regex": "['\"]?https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}['\"]?" - }, - { - "id": "d6214dca-a31b-425f-bcf7-f4faa772a1c0", - "name": "MSTeams Webhook", - "regex": "['\"]?https://[a-zA-Z0-9_]{1,24}.webhook.office.com/webhook(b2)?/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/IncomingWebhook/[a-z0-9]+/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"]?" - }, - { - "id": "7908a9e3-5cac-41b1-b514-5f6d82ce02d5", - "name": "Slack Token", - "regex": "['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?" 
- }, - { - "id": "6abcae17-b175-4698-a9a5-b07661974749", - "name": "Stripe API Key", - "regex": "['\"]?sk_live_[0-9a-zA-Z]{24}[^0-9a-zA-Z]['\"]?" - }, - { - "id": "0b1b2482-51e7-49d1-893d-522afa4a6bd0", - "name": "Square Access Token", - "regex": "sq0atp-[0-9A-Za-z\\-_]{22}" - }, - { - "id": "6c54f9da-1a11-445a-8568-0d327e6af8be", - "name": "MailChimp API Key", - "regex": "[0-9a-f]{32}-us[0-9]{1,2}" - }, - { - "id": "e9856348-4069-4ac0-bd91-415f6a7b84a4", - "name": "Google API Key", - "regex": "['\"]?AIza[0-9A-Za-z\\-_]{35}['\"]?" - }, - { - "id": "9a3650af-5b88-48cd-ab89-cd77fd0b633f", - "name": "Heroku API Key", - "regex": "['\"]?(?i)heroku((.|\\n)*)\\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\\b['\"]?", - "multiline": { - "detectLineGroup": 3 - }, - "specialMask": "['\"]?(?i)api_key[^\\w\"']+" - }, - { - "id": "bb51eb1e-0357-44a2-86d7-dd5350cffd43", - "name": "Square OAuth Secret", - "regex": "['\"]?sq0csp-[0-9A-Za-z\\-_]{43}['\"]?" - }, - { - "id": "ac8c8075-6ec0-4367-9e26-30ec8161d258", - "name": "Amazon MWS Auth Token", - "regex": "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" - }, - { - "id": "41a1ca8d-f466-4084-a8c9-50f8b22200d5", - "name": "Google OAuth Access Token", - "regex": "ya29\\.[0-9A-Za-z\\-_]+" - }, - { - "id": "4919b847-e3da-402a-acf8-6cea8e529993", - "name": "PayPal Braintree Access Token", - "regex": "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}" - }, - { - "id": "54274b18-bfac-47ce-afd1-0f05bc3e3b59", - "name": "Stripe Restricted API Key", - "regex": "['\"]?rk_live_[0-9a-zA-Z]{24}['\"]?" - }, - { - "id": "5176e805-0cda-44fa-ac96-c092c646180a", - "name": "Facebook Access Token", - "regex": "['\"]?EAACEdEose0cBA[0-9A-Za-z]+['\"]?" 
- }, - { - "id": "74736dd1-dd11-4139-beb6-41cd43a50317", - "name": "Generic API Key", - "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?([0-9a-zA-Z]{32,45})['\"]?", - "allowRules": [ - { - "description": "Avoiding Twilio API Key", - "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?(SK[0-9a-fA-F]{32})['\"]?" - } - ], - "specialMask": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*" - }, - { - "id": "62d0025d-9575-4eff-b60b-d3b4fcec0d04", - "name": "Mailgun API Key", - "regex": "['\"]?key-[0-9a-zA-Z]{32}['\"]?" - }, - { - "id": "50cc5f03-e686-4183-97e9-12f9b55d0f97", - "name": "Picatic API Key", - "regex": "sk_live_[0-9a-z]{32}" - }, - { - "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed", - "name": "Twilio API Key", - "regex": "SK[0-9a-fA-F]{32}" - }, - { - "id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13", - "name": "Generic Access Key", - "regex": "(?i)^\\s*['\"]?(access)[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?", - "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*" - }, - { - "id": "2f665079-c383-4b33-896e-88268c1fa258", - "name": "Generic Private Key", - "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?", - "specialMask": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*", - "allowRules": [ - { - "description": "Avoiding bash variables", - "regex": "(?i)['\"]?\\$\\s*\\{[^\\s\\}]+\\}['\"]?" - }, - { - "description": "Avoid Docker Compose secrets paths", - "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?/run/secrets/\\w+['\"]?" - } - ] - }, - { - "id": "baee238e-1921-4801-9c3f-79ae1d7b2cbc", - "name": "Generic Token", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?", - "allowRules": [ - { - "description": "Avoiding Amazon MWS Auth Token", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]?" 
- }, - { - "description": "Avoiding Slack Token", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?" - }, - { - "description": "Avoiding Square Access Token", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(sq0atp-[0-9A-Za-z\\-_]{22})['\"]?" - }, - { - "description": "Avoiding Google OAuth Access Token", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(ya29\\.[0-9A-Za-z\\-_]+)['\"]?" - }, - { - "description": "Avoiding PayPal Braintree Access Token", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32})['\"]?" - }, - { - "description": "Avoiding Facebook Access Token", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(EAACEdEose0cBA[0-9A-Za-z]+)['\"]?" - }, - { - "description": "Avoiding TF resource access", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+" - }, - { - "description": "Avoiding TF creation token", - "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" - }, - { - "description": "Avoiding CLoudformation ServiceToken", - "regex": "['\"]?ServiceToken['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?" - }, - { - "description": "Avoiding LifecycleActionToken Var", - "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" - }, - { - "description": "Avoiding Github id-token Default Values", - "regex": "(?i)['\"]?id-token['\"]?\\s*[:=]\\s*(write|read|none)" - }, - { - "description": "Avoiding result_token Var", - "regex": "(?i)['\"]?result(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" - }, - { - "description": "Avoiding next_token Var", - "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" 
- }, - { - "description": "Avoiding next_token Var", - "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" - }, - { - "description": "Avoiding references to module outputs in Bicep", - "regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)" - }, - { - "description": "Avoiding Run After Triggers (if written in conformity with best practices)", - "regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" - } - ], - "specialMask": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*" - - }, - { - "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed", - "name": "CloudFormation Secret Template", - "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+-]{10,})}", - "specialMask": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*" - }, - { - "id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6", - "name": "Encryption Key", - "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?", - "allowRules": [ - { - "description": "Avoiding TF resource access", - "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+" - }, - { - "description": "Avoiding CLoudformation KeyName", - "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?" 
- } - ], - "specialMask": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*" - }, - { - "id": "8a879bc7-6f82-40fd-bb48-74d25d557fe8", - "name": "SendGrid API Key", - "regex": "(?i)SG\\.[a-zA-Z0-9\\-\\_]{22}\\.[a-zA-Z0-9\\-\\_]{43}\\s*" - }, - { - "id": "be0ed753-d304-4363-844a-144050d4006d", - "name": "Generic Password on YAML files when value in tuple", - "regex": ".*password\\s*:[\\n|\\r]\\s*value:([^\\n|\\r]*)", - "multiline": { - "detectLineGroup": 1 - }, - "specialMask": ".*password\\s*:[\\n|\\r]\\s*value:" - }, - { - "id": "f05f238a-2ef0-4c39-9a36-951de1ba6dc9", - "name": "Dockerfile ENV hardcoded password with omitted equals", - "regex": "(?i)ENV\\s+[A-Za-z0-9/~^_!@&%()=?*+-.]*password[A-Za-z0-9/~^_!@&%()=?*+-.]*\\s+['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?" - } - ], - "allowRules": [ - { - "description": "Avoiding TF variables", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(var\\.)['\"]?" - }, - { - "description": "!Ref is a cloudFormation reference", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+!Ref\\s+\\.*" - }, - { - "description": "Avoiding cloudFormation intrinsic functions", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|!Not|Fn::Transform(:)?)\\s+\\.*" - }, - { - "description": "Avoiding CF resolve", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?({{resolve:)['\"]?" - }, - { - "description": "Avoiding Boolean's", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(true|false)['\"]?" - }, - { - "description": "Avoiding arn", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(arn:)['\"]?" - }, - { - "description": "Avoiding array access", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,}\\[([0-9]|['\"][a-zA-Z0-9]+['\"])\\])['\"]?" - }, - { - "description": "Avoiding TF file function", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(file\\()['\"]?" 
- },
- {
- "description": "Avoiding ansible-vault encrypted variables",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(!vault \\|)['\"]?"
- },
- {
- "description": "Avoiding sha-hashed mysql native passwords",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(\\*[0-9A-F]{40})['\"]?"
- }
- ]
-}
+{
+ "rules": [
+ {
+ "id": "487f4be7-3fd9-4506-a07a-eae252180c08",
+ "name": "Generic Password",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?",
+ "allowRules": [
+ {
+ "description": "Avoiding TF resource access",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)"
+ },
+ {
+ "description": "Avoiding description field",
+ "regex": "(?i)['\"]?description['\"]?\\s*=\\s*['\"].*['\"]"
+ },
+ {
+ "description": "Avoiding Terraform 'optional' statement",
+ "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)$"
+ },
+ {
+ "description": "Avoiding Terraform 'try' statement",
+ "regex": "(?i)['\"]?password['\"]?\\s*=\\s*try\\([^\"']+,[^\"']+\\)$"
+ },
+ {
+ "description": "Avoiding CF AllowUsersToChangePassword",
+ "regex": "['\"]?AllowUsersToChangePassword['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+ },
+ {
+ "description": "Avoiding Ansible playbook update_password",
+ "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+ },
+ {
+ "description": "Allow placeholders",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"](\\$\\(|\\$?\\{\\{)\\s*\\w+\\s*(\\)|\\}\\})['\"]"
+ },
+ {
+ "description": "Allow empty values",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(''|\"\")"
+ },
+ {
+ "description": "Allow password retrieved from ARM parameters",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"]([a-zA-Z][a-zA-Z0-9_-]*)['\"]['\"]?\\)"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)password\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ }
+ ],
+ "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"
+ },
+ {
+ "id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99",
+ "name": "Generic Secret",
+ "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]{10,})['\"]?",
+ "entropies": [
+ {
+ "group": 3,
+ "min": 2.8,
+ "max": 8
+ }
+ ],
+ "allowRules": [
+ {
+ "description": "Avoiding Square OAuth Secret",
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?"
+ },
+ {
+ "description": "Avoiding TF resource access",
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\.\\)\\]\\$]|(:\\s*null))|null)"
+ },
+ {
+ "description": "Avoiding Secrets Manager arn",
+ "regex": ":secretsmanager:[a-z0-9-*?]+:[0-9*?]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding CloudFormation Parameters Descriptions",
+ "regex": "['\"]?Description['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*${}+-.'\"]+)['\"]?"
+ },
+ {
+ "description": "Avoiding Secrets from Azure Key Vault",
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+-]+}?"
+ },
+ {
+ "description": "Allow secret retrieved from ARM parameters",
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_-]*['\"]\\s*\\)\\s*\\]"
+ },
+ {
+ "description": "Allow secrets retrieved from Bicep getSecret built in function",
+ "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"
+ }
+ ],
+ "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*"
+ },
+ {
+ "id": "51b5b840-cd0c-4556-98a7-fe5f4def80cf",
+ "name": "Asymmetric private key",
+ "regex": "-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----\\s*(([A-Za-z0-9+,:\\-\\/=\\n\\r]+\\s*)+)-----END ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----",
+ "multiline": {
+ "detectLineGroup": 4
+ },
+ "entropies": [
+ {
+ "group": 5,
+ "min": 3.7,
+ "max": 12
+ }
+ ],
+ "specialMask": "all"
+ },
+ {
+ "id": "a007a85e-a2a7-4a81-803a-7a2ca0c65abb",
+ "name": "Putty User Key File Content",
+ "regex": "['\"]?PuTTY-User-Key-File-\\d: ([\\w\\d-:\\n\\s+/=]+Private-MAC: [\\d\\w\"]+)['\"]?",
+ "multiline": {
+ "detectLineGroup": 1
+ },
+ "specialMask": "all"
+ },
+ {
+ "id": "c4d3b58a-e6d4-450f-9340-04f1e702eaae",
+ "name": "Password in URL",
+ "regex": "['\"]?[a-zA-Z]{3,10}://[^/\\s:@$]*?:[^/\\s:@$]*?@[^/\\s:@$]*['\"]?"
+ },
+ {
+ "id": "76c0bcde-903d-456e-ac13-e58c34987852",
+ "name": "AWS Access Key",
+ "regex": "(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}"
+ },
+ {
+ "id": "76c0bcde-903d-456e-ac13-e58c34987852",
+ "name": "AWS Context-specific credential",
+ "regex": "(A3T[A-Z0-9]|ACCA)[A-Z0-9]{16}"
+ },
+ {
+ "id": "76c0bcde-903d-456e-ac13-e58c34987852",
+ "name": "AWS Certificate",
+ "regex": "(A3T[A-Z0-9]|ASCA)[A-Z0-9]{16}"
+ },
+ {
+ "id": "83ab47ff-381d-48cd-bac5-fb32222f54af",
+ "name": "AWS Secret Key",
+ "regex": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*['\"]?([a-zA-Z0-9/]{40})[\"']?",
+ "entropies": [
+ {
+ "group": 3,
+ "min": 4.8,
+ "max": 7
+ }
+ ],
+ "specialMask": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*"
+ },
+ {
+ "id": "4b2b5fd3-364d-4093-bac2-17391b2a5297",
+ "name": "K8s Environment Variable Password",
+ "regex": "apiVersion((.*)\\s*)*env:((.*)\\s*)*name:\\s*\\w+(?i)pass((?i)word)?\\w*\\s*(value):\\s*([\"|'].*[\"|'])",
+ "multiline": {
+ "detectLineGroup": 7
+ },
+ "specialMask": "\\s*(value):\\s*"
+ },
+ {
+ "id": "d651cca2-2156-4d17-8e76-423e68de5c8b",
+ "name": "Google OAuth",
+ "regex": "['\"]?[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com['\"]?"
+ },
+ {
+ "id": "ccde326f-ebc7-4772-8ad5-de66e90a8cc3",
+ "name": "Slack Webhook",
+ "regex": "['\"]?https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}['\"]?"
+ },
+ {
+ "id": "d6214dca-a31b-425f-bcf7-f4faa772a1c0",
+ "name": "MSTeams Webhook",
+ "regex": "['\"]?https://[a-zA-Z0-9_]{1,24}.webhook.office.com/webhook(b2)?/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/IncomingWebhook/[a-z0-9]+/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"]?"
+ },
+ {
+ "id": "7908a9e3-5cac-41b1-b514-5f6d82ce02d5",
+ "name": "Slack Token",
+ "regex": "['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
+ },
+ {
+ "id": "6abcae17-b175-4698-a9a5-b07661974749",
+ "name": "Stripe API Key",
+ "regex": "['\"]?sk_live_[0-9a-zA-Z]{24}[^0-9a-zA-Z]['\"]?"
+ },
+ {
+ "id": "0b1b2482-51e7-49d1-893d-522afa4a6bd0",
+ "name": "Square Access Token",
+ "regex": "sq0atp-[0-9A-Za-z\\-_]{22}"
+ },
+ {
+ "id": "6c54f9da-1a11-445a-8568-0d327e6af8be",
+ "name": "MailChimp API Key",
+ "regex": "[0-9a-f]{32}-us[0-9]{1,2}"
+ },
+ {
+ "id": "e9856348-4069-4ac0-bd91-415f6a7b84a4",
+ "name": "Google API Key",
+ "regex": "['\"]?AIza[0-9A-Za-z\\-_]{35}['\"]?"
+ },
+ {
+ "id": "9a3650af-5b88-48cd-ab89-cd77fd0b633f",
+ "name": "Heroku API Key",
+ "regex": "['\"]?(?i)heroku((.|\\n)*)\\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\\b['\"]?",
+ "multiline": {
+ "detectLineGroup": 3
+ },
+ "specialMask": "['\"]?(?i)api_key[^\\w\"']+"
+ },
+ {
+ "id": "bb51eb1e-0357-44a2-86d7-dd5350cffd43",
+ "name": "Square OAuth Secret",
+ "regex": "['\"]?sq0csp-[0-9A-Za-z\\-_]{43}['\"]?"
+ },
+ {
+ "id": "ac8c8075-6ec0-4367-9e26-30ec8161d258",
+ "name": "Amazon MWS Auth Token",
+ "regex": "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
+ },
+ {
+ "id": "41a1ca8d-f466-4084-a8c9-50f8b22200d5",
+ "name": "Google OAuth Access Token",
+ "regex": "ya29\\.[0-9A-Za-z\\-_]+"
+ },
+ {
+ "id": "4919b847-e3da-402a-acf8-6cea8e529993",
+ "name": "PayPal Braintree Access Token",
+ "regex": "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}"
+ },
+ {
+ "id": "54274b18-bfac-47ce-afd1-0f05bc3e3b59",
+ "name": "Stripe Restricted API Key",
+ "regex": "['\"]?rk_live_[0-9a-zA-Z]{24}['\"]?"
+ },
+ {
+ "id": "5176e805-0cda-44fa-ac96-c092c646180a",
+ "name": "Facebook Access Token",
+ "regex": "['\"]?EAACEdEose0cBA[0-9A-Za-z]+['\"]?"
+ },
+ {
+ "id": "74736dd1-dd11-4139-beb6-41cd43a50317",
+ "name": "Generic API Key",
+ "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?([0-9a-zA-Z]{32,45})['\"]?",
+ "allowRules": [
+ {
+ "description": "Avoiding Twilio API Key",
+ "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?(SK[0-9a-fA-F]{32})['\"]?"
+ }
+ ],
+ "specialMask": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*"
+ },
+ {
+ "id": "62d0025d-9575-4eff-b60b-d3b4fcec0d04",
+ "name": "Mailgun API Key",
+ "regex": "['\"]?key-[0-9a-zA-Z]{32}['\"]?"
+ },
+ {
+ "id": "50cc5f03-e686-4183-97e9-12f9b55d0f97",
+ "name": "Picatic API Key",
+ "regex": "sk_live_[0-9a-z]{32}"
+ },
+ {
+ "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
+ "name": "Twilio API Key",
+ "regex": "SK[0-9a-fA-F]{32}"
+ },
+ {
+ "id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
+ "name": "Generic Access Key",
+ "regex": "(?i)^\\s*['\"]?(access)[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
+ "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*"
+ },
+ {
+ "id": "2f665079-c383-4b33-896e-88268c1fa258",
+ "name": "Generic Private Key",
+ "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+ "specialMask": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*",
+ "allowRules": [
+ {
+ "description": "Avoiding bash variables",
+ "regex": "(?i)['\"]?\\$\\s*\\{[^\\s\\}]+\\}['\"]?"
+ },
+ {
+ "description": "Avoid Docker Compose secrets paths",
+ "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?/run/secrets/\\w+['\"]?"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)private[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ }
+ ]
+ },
+ {
+ "id": "baee238e-1921-4801-9c3f-79ae1d7b2cbc",
+ "name": "Generic Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+ "allowRules": [
+ {
+ "description": "Avoiding Amazon MWS Auth Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]?"
+ },
+ {
+ "description": "Avoiding Slack Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
+ },
+ {
+ "description": "Avoiding Square Access Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(sq0atp-[0-9A-Za-z\\-_]{22})['\"]?"
+ },
+ {
+ "description": "Avoiding Google OAuth Access Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(ya29\\.[0-9A-Za-z\\-_]+)['\"]?"
+ },
+ {
+ "description": "Avoiding PayPal Braintree Access Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32})['\"]?"
+ },
+ {
+ "description": "Avoiding Facebook Access Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(EAACEdEose0cBA[0-9A-Za-z]+)['\"]?"
+ },
+ {
+ "description": "Avoiding TF resource access",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+ },
+ {
+ "description": "Avoiding TF creation token",
+ "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding CLoudformation ServiceToken",
+ "regex": "['\"]?ServiceToken['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
+ },
+ {
+ "description": "Avoiding LifecycleActionToken Var",
+ "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding Github id-token Default Values",
+ "regex": "(?i)['\"]?id-token['\"]?\\s*[:=]\\s*(write|read|none)"
+ },
+ {
+ "description": "Avoiding result_token Var",
+ "regex": "(?i)['\"]?result(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding next_token Var",
+ "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding next_token Var",
+ "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding references to module outputs in Bicep",
+ "regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)"
+ },
+ {
+ "description": "Avoiding Run After Triggers (if written in conformity with best practices)",
+ "regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)token(_)?(key)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ }
+ ],
+ "specialMask": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*"
+
+ },
+ {
+ "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
+ "name": "CloudFormation Secret Template",
+ "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+-]{10,})}",
+ "specialMask": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*"
+ },
+ {
+ "id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6",
+ "name": "Encryption Key",
+ "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+ "allowRules": [
+ {
+ "description": "Avoiding TF resource access",
+ "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+ },
+ {
+ "description": "Avoiding CLoudformation KeyName",
+ "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)encryption[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ }
+ ],
+ "specialMask": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*"
+ },
+ {
+ "id": "8a879bc7-6f82-40fd-bb48-74d25d557fe8",
+ "name": "SendGrid API Key",
+ "regex": "(?i)SG\\.[a-zA-Z0-9\\-\\_]{22}\\.[a-zA-Z0-9\\-\\_]{43}\\s*"
+ },
+ {
+ "id": "be0ed753-d304-4363-844a-144050d4006d",
+ "name": "Generic Password on YAML files when value in tuple",
+ "regex": ".*password\\s*:[\\n|\\r]\\s*value:([^\\n|\\r]*)",
+ "multiline": {
+ "detectLineGroup": 1
+ },
+ "specialMask": ".*password\\s*:[\\n|\\r]\\s*value:"
+ },
+ {
+ "id": "f05f238a-2ef0-4c39-9a36-951de1ba6dc9",
+ "name": "Dockerfile ENV hardcoded password with omitted equals",
+ "regex": "(?i)ENV\\s+[A-Za-z0-9/~^_!@&%()=?*+-.]*password[A-Za-z0-9/~^_!@&%()=?*+-.]*\\s+['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?"
+ }
+ ],
+ "allowRules": [
+ {
+ "description": "Avoiding TF variables",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(var\\.)['\"]?"
+ },
+ {
+ "description": "!Ref is a cloudFormation reference",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+!Ref\\s+\\.*"
+ },
+ {
+ "description": "Avoiding cloudFormation intrinsic functions",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|!Not|Fn::Transform(:)?)\\s+\\.*"
+ },
+ {
+ "description": "Avoiding CF resolve",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?({{resolve:)['\"]?"
+ },
+ {
+ "description": "Avoiding Boolean's",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(true|false)['\"]?"
+ },
+ {
+ "description": "Avoiding arn",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(arn:)['\"]?"
+ },
+ {
+ "description": "Avoiding array access",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,}\\[([0-9]|['\"][a-zA-Z0-9]+['\"])\\])['\"]?"
+ },
+ {
+ "description": "Avoiding TF file function",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(file\\()['\"]?"
+ },
+ {
+ "description": "Avoiding ansible-vault encrypted variables",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(!vault \\|)['\"]?"
+ },
+ {
+ "description": "Avoiding sha-hashed mysql native passwords",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(\\*[0-9A-F]{40})['\"]?"
+ }
+ ]
+}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative60.proto b/assets/queries/common/passwords_and_secrets/test/negative60.proto
index 44b0784a650..b920060c8ec 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative60.proto
+++ b/assets/queries/common/passwords_and_secrets/test/negative60.proto
@@ -1,334 +1,56 @@
-syntax = "proto3";
-
-package com.example.security_test.v1;
-
-import "google/protobuf/wrappers.proto";
-import "google/protobuf/timestamp.proto";
-
-// =============================================================================
-// This file is a test fixture for secret/token/password scanning tools.
-// It should be treated as a NEGATIVE (no real secrets).
-// Proto files define schemas, not actual secret values.
-// Any secret-like strings here are example annotations, not real credentials.
-// =============================================================================
-
-// ---------------------------------------------------------------------------
-// OAuth / Identity Provider Configurations
-// ---------------------------------------------------------------------------
-
-message OAuthProviderConfig {
- google.protobuf.StringValue client_id = 1;
- google.protobuf.StringValue client_secret = 2;
- google.protobuf.StringValue access_token = 3;
- google.protobuf.StringValue refresh_token = 4;
- google.protobuf.StringValue token_endpoint = 5;
- google.protobuf.StringValue authorization_code = 6;
- google.protobuf.StringValue id_token = 7;
- google.protobuf.StringValue bearer_token = 8;
- google.protobuf.UInt32Value token_expiry_seconds = 9;
- google.protobuf.StringValue pkce_code_verifier = 10;
-}
-
-message SamlConfig {
- google.protobuf.StringValue signing_certificate = 1;
- google.protobuf.StringValue private_key = 2;
- google.protobuf.StringValue idp_certificate = 3;
- google.protobuf.StringValue sp_private_key = 4;
- google.protobuf.StringValue assertion_consumer_service_url = 5;
- google.protobuf.StringValue metadata_signing_key = 6;
-}
-
-message LdapConfig {
- google.protobuf.StringValue bind_dn = 1;
- google.protobuf.StringValue bind_password = 2;
- google.protobuf.StringValue admin_password = 3;
- google.protobuf.StringValue service_account_password = 4;
- google.protobuf.StringValue base_dn = 5;
- google.protobuf.BoolValue use_ssl = 6;
- google.protobuf.StringValue ssl_certificate = 7;
-}
-
-// ---------------------------------------------------------------------------
-// API Key / Token Management
-// ---------------------------------------------------------------------------
-
-enum ApiKeyType {
- API_KEY_TYPE_UNKNOWN = 0;
- API_KEY_TYPE_READ_ONLY = 1;
- API_KEY_TYPE_READ_WRITE = 2;
- API_KEY_TYPE_ADMIN = 3;
-}
-
-message ApiKeyConfig {
- google.protobuf.StringValue api_key = 1;
- google.protobuf.StringValue api_secret = 2;
- google.protobuf.StringValue api_token = 3;
- google.protobuf.StringValue secret_key = 4;
- google.protobuf.StringValue access_key_id = 5;
- google.protobuf.StringValue secret_access_key = 6;
- ApiKeyType key_type = 7;
- google.protobuf.Timestamp expires_at = 8;
- google.protobuf.StringValue signing_secret = 9;
- google.protobuf.StringValue hmac_key = 10;
-}
-
-message PersonalAccessToken {
- google.protobuf.StringValue token = 1;
- google.protobuf.StringValue token_hash = 2;
- google.protobuf.StringValue token_prefix = 3;
- google.protobuf.Timestamp issued_at = 4;
- google.protobuf.Timestamp expires_at = 5;
- repeated string scopes = 6;
-}
-
-// ---------------------------------------------------------------------------
-// Cloud Provider Credentials
-// ---------------------------------------------------------------------------
-
-message AwsCredentials {
- google.protobuf.StringValue aws_access_key_id = 1;
- google.protobuf.StringValue aws_secret_access_key = 2;
- google.protobuf.StringValue aws_session_token = 3;
- google.protobuf.StringValue role_arn = 4;
- google.protobuf.StringValue external_id = 5;
- google.protobuf.StringValue kms_key_id = 6;
-}
-
-message GcpCredentials {
- google.protobuf.StringValue service_account_key_json = 1;
- google.protobuf.StringValue private_key_id = 2;
- google.protobuf.StringValue private_key = 3;
- google.protobuf.StringValue client_email = 4;
- google.protobuf.StringValue project_id = 5;
- google.protobuf.StringValue access_token = 6;
-}
-
-message AzureCredentials {
- google.protobuf.StringValue tenant_id = 1;
- google.protobuf.StringValue client_id = 2;
- google.protobuf.StringValue client_secret = 3;
- google.protobuf.StringValue subscription_id = 4;
- google.protobuf.StringValue connection_string = 5;
- google.protobuf.StringValue sas_token = 6;
- google.protobuf.StringValue storage_account_key = 7;
-}
-
-// ---------------------------------------------------------------------------
-// Database Credentials
-// ---------------------------------------------------------------------------
-
-message DatabaseCredentials {
- google.protobuf.StringValue host = 1;
- google.protobuf.UInt32Value port = 2;
- google.protobuf.StringValue username = 3;
- google.protobuf.StringValue password = 4;
- google.protobuf.StringValue database_name = 5;
- google.protobuf.StringValue connection_string = 6;
- google.protobuf.StringValue ssl_ca_cert = 7;
- google.protobuf.StringValue ssl_client_cert = 8;
- google.protobuf.StringValue ssl_client_key = 9;
- google.protobuf.StringValue master_password = 10;
- google.protobuf.StringValue replication_password = 11;
-}
-
-message RedisCredentials {
- google.protobuf.StringValue host = 1;
- google.protobuf.UInt32Value port = 2;
- google.protobuf.StringValue password = 3;
- google.protobuf.StringValue auth_token = 4;
- google.protobuf.StringValue tls_cert = 5;
-}
-
-// ---------------------------------------------------------------------------
-// Third-Party Integration Credentials
-// ---------------------------------------------------------------------------
-
-message SlackIntegrationConfig {
- google.protobuf.StringValue bot_token = 1;
- google.protobuf.StringValue signing_secret = 2;
- google.protobuf.StringValue verification_token = 3;
- google.protobuf.StringValue oauth_access_token = 4;
- google.protobuf.StringValue webhook_secret = 5;
- google.protobuf.StringValue app_token = 6;
-}
-
-message GitHubIntegrationConfig {
- google.protobuf.StringValue personal_access_token = 1;
- google.protobuf.StringValue webhook_secret = 2;
- google.protobuf.StringValue app_private_key = 3;
- google.protobuf.StringValue app_installation_token = 4;
- google.protobuf.StringValue deploy_key = 5;
- google.protobuf.StringValue oauth_client_secret = 6;
-}
-
-message StripeConfig {
- google.protobuf.StringValue publishable_key = 1;
- google.protobuf.StringValue secret_key = 2;
- google.protobuf.StringValue webhook_signing_secret = 3;
- google.protobuf.StringValue restricted_api_key = 4;
-}
-
-message TwilioConfig {
- google.protobuf.StringValue account_sid = 1;
- google.protobuf.StringValue auth_token = 2;
- google.protobuf.StringValue api_key_sid = 3;
- google.protobuf.StringValue api_key_secret = 4;
-}
-
-message SendGridConfig {
- google.protobuf.StringValue api_key = 1;
- google.protobuf.StringValue smtp_password = 2;
- google.protobuf.StringValue webhook_verification_key = 3;
-}
-
-// ---------------------------------------------------------------------------
-// Encryption and Signing
-// ---------------------------------------------------------------------------
-
-message EncryptionConfig {
- google.protobuf.StringValue encryption_key = 1;
- google.protobuf.StringValue decryption_key = 2;
- google.protobuf.StringValue master_key = 3;
- google.protobuf.StringValue data_encryption_key = 4;
- google.protobuf.StringValue key_encryption_key = 5;
- google.protobuf.StringValue initialization_vector = 6;
- google.protobuf.StringValue passphrase = 7;
- google.protobuf.StringValue salt = 8;
-}
-
-message JwtConfig {
- google.protobuf.StringValue jwt_secret = 1;
- google.protobuf.StringValue jwt_private_key = 2;
- google.protobuf.StringValue jwt_public_key = 3;
- google.protobuf.StringValue jwt_signing_key = 4;
- google.protobuf.UInt32Value jwt_expiry_seconds = 5;
- google.protobuf.StringValue jwt_refresh_secret = 6;
-}
-
-message SshConfig {
- google.protobuf.StringValue ssh_private_key = 1;
- google.protobuf.StringValue ssh_public_key = 2;
- google.protobuf.StringValue ssh_passphrase = 3;
- google.protobuf.StringValue ssh_host_key = 4;
- google.protobuf.StringValue known_hosts_entry = 5;
-}
-
-message TlsConfig {
- google.protobuf.StringValue tls_certificate = 1;
- google.protobuf.StringValue tls_private_key = 2;
- google.protobuf.StringValue ca_certificate = 3;
- google.protobuf.StringValue ca_private_key = 4;
- google.protobuf.StringValue pfx_password = 5;
- google.protobuf.StringValue keystore_password = 6;
- google.protobuf.StringValue truststore_password = 7;
-}
-
-// ---------------------------------------------------------------------------
-// User / Account Credentials
-// ---------------------------------------------------------------------------
-
-message UserCredentials {
- google.protobuf.StringValue username = 1;
- google.protobuf.StringValue password = 2;
- google.protobuf.StringValue password_hash = 3;
- google.protobuf.StringValue password_salt = 4;
- google.protobuf.StringValue totp_secret = 5;
- google.protobuf.StringValue recovery_codes = 6;
- google.protobuf.StringValue security_question_answer = 7;
- google.protobuf.StringValue pin_code = 8;
-}
-
-message ServiceAccountCredentials {
- google.protobuf.StringValue service_account_id = 1;
- google.protobuf.StringValue service_account_secret = 2;
- google.protobuf.StringValue service_account_token = 3;
- google.protobuf.StringValue service_account_private_key = 4;
- google.protobuf.StringValue credentials_json = 5;
-}
-
-// ---------------------------------------------------------------------------
-// Webhook Secrets (similar to the original file's domain)
-// ---------------------------------------------------------------------------
-
-message WebhookSecurityConfig {
- google.protobuf.StringValue webhook_secret = 1;
- google.protobuf.StringValue signing_key = 2;
- google.protobuf.StringValue verification_token = 3;
- google.protobuf.StringValue shared_secret = 4;
- google.protobuf.StringValue callback_token = 5;
- google.protobuf.StringValue hmac_secret = 6;
- google.protobuf.StringValue basic_auth_username = 7;
- google.protobuf.StringValue basic_auth_password = 8;
-}
-
-// ---------------------------------------------------------------------------
-// Container / Orchestration Secrets
-// ---------------------------------------------------------------------------
-
-message KubernetesSecretRef {
- google.protobuf.StringValue secret_name = 1;
- google.protobuf.StringValue secret_namespace = 2;
- google.protobuf.StringValue kubeconfig = 3;
- google.protobuf.StringValue cluster_ca_certificate = 4;
- google.protobuf.StringValue service_account_token = 5;
- google.protobuf.StringValue docker_config_json = 6;
- google.protobuf.StringValue image_pull_secret = 7;
-}
-
-message DockerRegistryCredentials {
- google.protobuf.StringValue registry_url = 1;
- google.protobuf.StringValue registry_username = 2;
- google.protobuf.StringValue registry_password = 3;
- google.protobuf.StringValue registry_token = 4;
- google.protobuf.StringValue docker_auth = 5;
-}
-
-// ---------------------------------------------------------------------------
-// CI/CD Pipeline Secrets
-// ---------------------------------------------------------------------------
-
-message CiCdSecrets {
- google.protobuf.StringValue deploy_token = 1;
- google.protobuf.StringValue ci_token = 2;
- google.protobuf.StringValue npm_token = 3;
- google.protobuf.StringValue pypi_token = 4;
- google.protobuf.StringValue nuget_api_key = 5;
- google.protobuf.StringValue sonar_token = 6;
- google.protobuf.StringValue codecov_token = 7;
- google.protobuf.StringValue artifactory_password = 8;
- google.protobuf.StringValue nexus_password = 9;
- google.protobuf.StringValue gpg_signing_key = 10;
- google.protobuf.StringValue cosign_private_key = 11;
-}
-
-// ---------------------------------------------------------------------------
-// Aggregate Configuration (uses all of the above)
-// ---------------------------------------------------------------------------
-
-message IntegrationCredentials {
- oneof credentials {
- OAuthProviderConfig oauth = 1;
- SamlConfig saml = 2;
- LdapConfig ldap = 3;
- ApiKeyConfig api_key = 4;
- AwsCredentials aws = 5;
- GcpCredentials gcp = 6;
- AzureCredentials azure = 7;
- DatabaseCredentials database = 8;
- RedisCredentials redis = 9;
- SlackIntegrationConfig slack = 10;
- GitHubIntegrationConfig github = 11;
- StripeConfig stripe = 12;
- TwilioConfig twilio = 13;
- SendGridConfig sendgrid = 14;
- EncryptionConfig encryption = 15;
- JwtConfig jwt = 16;
- SshConfig ssh = 17;
- TlsConfig tls = 18;
- UserCredentials user = 19;
- ServiceAccountCredentials service_account = 20;
- KubernetesSecretRef kubernetes = 21;
- DockerRegistryCredentials docker = 22;
- CiCdSecrets ci_cd = 23;
- }
+syntax = "proto3";
+
+// Contains "secret", "key", "password" and "token" keywords - would flag if not for allow rules
+// Note - This is as valid proto file that generates output with "protoc" command as of version "libprotoc 34.0"
+
+package com.example.security_test.v1;
+
+import "google/protobuf/wrappers.proto";
+
+message ResultsThatFlag {
+ google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token
+ google.protobuf.StringValue access_token= 1; // Generic Token
+ google.protobuf.StringValue id_token = 3; // Generic Token
+ google.protobuf.StringValue bearer_toaken = 4;;; // Generic Token
+ google.protobuf.StringValue api_token = 7 ; // Generic Token
+ google.protobuf.StringValue token = 8; // Generic Token
+ google.protobuf.StringValue aws_session_token = 9; // Generic Token
+ google.protobuf.StringValue sas_token = 12; // Generic Token
+ google.protobuf.StringValue auth_token = 13; // Generic Token
+ google.protobuf.StringValue bot_token = 14; // Generic Token
+ google.protobuf.StringValue verification_token=15; // Generic Token
+ google.protobuf.StringValue oauth_access_token = 16; // Generic Token
+ google.protobuf.StringValue app_token = 17; // Generic Token
+ google.protobuf.StringValue personal_access_token = 18; // Generic Token
+ google.protobuf.StringValue service_account_token = 29; // Generic Token
+ google.protobuf.StringValue webhook_verification_token = 31; // Generic Token
+ google.protobuf.StringValue callback_token = 32; // Generic Token
+ google.protobuf.StringValue k8s_service_account_token = 33; // Generic Token
+ google.protobuf.StringValue registry_token = 34; // Generic Token
+ google.protobuf.StringValue deploy_token = 35; // Generic Token
+ google.protobuf.StringValue ci_token = 36; // Generic Token
+ google.protobuf.StringValue npm_token = 37; // Generic Token
+ google.protobuf.StringValue pypi_token = 38; // Generic Token
+ google.protobuf.StringValue app_installation_token = 20; // Generic Token
+ google.protobuf.StringValue twilio_auth_token = 21; // Generic Token
+ google.protobuf.StringValue twilio_auth_token_key = 121; // Generic Token
+ google.protobuf.StringValue test_token_ = 122 ; // Generic Token
+ google.protobuf.StringValue sonar_token = 39;google.protobuf.StringValue codecov_token = 40;// trailing comment test - Generic Token
+ google.protobuf.StringValue jwt_private_key = 25; // Generic Private Key
+ google.protobuf.StringValue ssh_private_key = 26; // Generic Private Key
+ google.protobuf.StringValue tls_private_key = 27; // Generic Private Key
+ google.protobuf.StringValue ca_private_key = 28 ; // Generic Private Key
+ google.protobuf.StringValue cosign_private_key = 41; // Generic Private Key
+ google.protobuf.StringValue service_account_private_key = 30; // Generic Private Key
+ google.protobuf.StringValue app_private_key = 19; // Generic Private Key
+ google.protobuf.StringValue gcp_private_key = 10; // Generic Private Key
+ google.protobuf.StringValue private_key = 5; // Generic Private Key
+ google.protobuf.StringValue sp_private_key = 6; // Generic Private Key
+ google.protobuf.StringValue encryption_key = 22; // Encryption Key
+ google.protobuf.StringValue data_encryption_key= 23 ; // Encryption Key
+ google.protobuf.StringValue key_encryption_key=24; // Encryption Key
+ google.protobuf.StringValue registry_password = 104; // Generic Password
+ google.protobuf.StringValue artifactory_password = 107 ; // Generic Password
+ google.protobuf.StringValue nexus_password = 108; // Generic Password
+ string password = 64; // Generic Password
 }
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/positive56.proto b/assets/queries/common/passwords_and_secrets/test/positive56.proto
new file mode 100644
index 00000000000..4367e728812
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/positive56.proto
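Review bot: The header comment says the fixture covers the "secret" keyword, but no field of ResultsThatFlag contains `secret`, so the Generic Secret rule — which, unlike password/private_key/token/encryption_key, gets no "Avoiding Proto File fields" allow entry in this patch's rules file — is never exercised by this negative case; either add a line such as `google.protobuf.StringValue client_secret = 2; // Generic Secret` or drop "secret" from the comment. `bearer_toaken = 4;;;` cannot match the Generic Token regex because of the misspelling, so its `// Generic Token` annotation is misleading. If the typo and the repeated semicolons are deliberate parser edge cases, say so in the comment, e.g. `// misspelled on purpose: must not match, extra ';' must still parse`. The header line `// Note - This is as valid proto file` should read `// Note - This is a valid proto file`.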
@@ -0,0 +1,18 @@
+syntax = "proto3";
+
+// This sample should not flag the message defined only the exposed secrets in comments :
+// "password" = "test_sample"
+// "secret_key" : minimum_ten_characters
+// "unsafe_token" : "is_this_safe"
+// Note - This is as valid proto file that generates output with "protoc" command as of version "libprotoc 34.0"
+
+package com.example.security_test.v1;
+
+import "google/protobuf/wrappers.proto";
+
+message InocentMessage {
+ google.protobuf.StringValue safe_value = 1;
+ double not_a_password = 2;
+ float not_a_token = 3;
+ string not_an_encryption_key = 4;
+}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index e29ad869f20..3d5ba084ca2 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
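Review bot: The header comment on line 3 does not state what this fixture asserts — `should not flag the message defined only the exposed secrets in comments` can be read either way — and the message name `InocentMessage` is misspelled, which matters in a fixture whose pass/fail is judged by line numbers. Suggest `// Only the secret-like values in the three comment lines below are expected to be reported; the fields of the message must not be.` for line 3 and `message InnocentMessage {` for the declaration. Any rewording must keep the three value lines at lines 4, 5 and 6, because the expected-result entries for this file point at those line numbers. Also `This is as valid proto file` should read `This is a valid proto file`.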
@@ -1,464 +1,482 @@ -[ - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive1.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 6, - "fileName": "positive2.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 7, - "fileName": "positive3.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 9, - "fileName": "positive4.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 2, - "fileName": "positive5.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 3, - "fileName": "positive6.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 7, - "fileName": "positive6.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive7.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 4, - "fileName": "positive8.json" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line":7, - "fileName": "positive8.json" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive9.tf" - }, - { - "queryName": "Passwords And Secrets - Password in URL", - "severity": "HIGH", - "line": 7, - "fileName": "positive10.json" - }, - { - "queryName": "Passwords And Secrets - Slack Webhook", - "severity": "HIGH", - "line": 17, - "fileName": "positive10.json" - }, - { - "queryName": "Passwords And Secrets - MSTeams Webhook", - "severity": "HIGH", - "line": 27, - "fileName": "positive10.json" - }, - { - "queryName": "Passwords And Secrets - Password in URL", - "severity": "HIGH", - "line": 7, - 
"fileName": "positive11.yaml" - }, - { - "queryName": "Passwords And Secrets - Slack Webhook", - "severity": "HIGH", - "line": 9, - "fileName": "positive11.yaml" - }, - { - "queryName": "Passwords And Secrets - MSTeams Webhook", - "severity": "HIGH", - "line": 11, - "fileName": "positive11.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive12.json" - }, - { - "queryName": "Passwords And Secrets - Password in URL", - "severity": "HIGH", - "line": 11, - "fileName": "positive12.json" - }, - { - "queryName": "Passwords And Secrets - Slack Webhook", - "severity": "HIGH", - "line": 15, - "fileName": "positive12.json" - }, - { - "queryName": "Passwords And Secrets - MSTeams Webhook", - "severity": "HIGH", - "line": 19, - "fileName": "positive12.json" - }, - { - "queryName": "Passwords And Secrets - Asymmetric private key", - "severity": "HIGH", - "line": 6, - "fileName": "positive13.tf" - }, - { - "queryName": "Passwords And Secrets - AWS Access Key", - "severity": "HIGH", - "line": 17, - "fileName": "positive14.tf" - }, - { - "queryName": "Passwords And Secrets - AWS Secret Key", - "severity": "HIGH", - "line": 18, - "fileName": "positive14.tf" - }, - { - "queryName": "Passwords And Secrets - AWS Access Key", - "severity": "HIGH", - "line": 14, - "fileName": "positive15.tf" - }, - { - "queryName": "Passwords And Secrets - AWS Secret Key", - "severity": "HIGH", - "line": 15, - "fileName": "positive15.tf" - }, - { - "queryName": "Passwords And Secrets - K8s Environment Variable Password", - "severity": "HIGH", - "line": 34, - "fileName": "positive16.yaml" - }, - { - "queryName": "Passwords And Secrets - K8s Environment Variable Password", - "severity": "HIGH", - "line": 36, - "fileName": "positive16.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 7, - "fileName": "positive17.tf" - }, - { - "queryName": "Passwords And Secrets - Google 
OAuth", - "severity": "HIGH", - "line": 5, - "fileName": "positive18.tf" - }, - { - "queryName": "Passwords And Secrets - Slack Token", - "severity": "HIGH", - "line": 2, - "fileName": "positive19.tf" - }, - { - "queryName": "Passwords And Secrets - Stripe API Key", - "severity": "HIGH", - "line": 2, - "fileName": "positive20.tf" - }, - { - "queryName": "Passwords And Secrets - Google API Key", - "severity": "HIGH", - "line": 50, - "fileName": "positive21.tf" - }, - { - "queryName": "Passwords And Secrets - Heroku API Key", - "severity": "HIGH", - "line": 3, - "fileName": "positive22.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Token", - "severity": "HIGH", - "line": 3, - "fileName": "positive23.tf" - }, - { - "queryName": "Passwords And Secrets - Generic API Key", - "severity": "HIGH", - "line": 4, - "fileName": "positive24.tf" - }, - { - "queryName": "Passwords And Secrets - Square Access Token", - "severity": "HIGH", - "line": 3, - "fileName": "positive25.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Picatic API Key", - "severity": "HIGH", - "line": 5, - "fileName": "positive25.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Amazon MWS Auth Token", - "severity": "HIGH", - "line": 7, - "fileName": "positive25.dockerfile" - }, - { - "queryName": "Passwords And Secrets - MailChimp API Key", - "severity": "HIGH", - "line": 9, - "fileName": "positive25.dockerfile" - }, - { - "queryName": "Passwords And Secrets - SendGrid API Key", - "severity": "HIGH", - "line": 11, - "fileName": "positive25.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Generic Private Key", - "severity": "HIGH", - "line": 9, - "fileName": "positive26.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Token", - "severity": "HIGH", - "line": 5, - "fileName": "positive27.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Token", - "severity": "HIGH", - "line": 22, - "fileName": "positive27.yaml" - }, - { - "queryName": 
"Passwords And Secrets - Generic Token", - "severity": "HIGH", - "line": 5, - "fileName": "positive28.yaml" - }, - { - "queryName": "Passwords And Secrets - Mailgun API Key", - "severity": "HIGH", - "line": 2, - "fileName": "positive29.tf" - }, - { - "queryName": "Passwords And Secrets - Stripe Restricted API Key", - "severity": "HIGH", - "line": 2, - "fileName": "positive30.tf" - }, - { - "queryName": "Passwords And Secrets - Twilio API Key", - "severity": "HIGH", - "line": 4, - "fileName": "positive31.yaml" - }, - { - "queryName": "Passwords And Secrets - PayPal Braintree Access Token", - "severity": "HIGH", - "line": 4, - "fileName": "positive32.yaml" - }, - { - "queryName": "Passwords And Secrets - Facebook Access Token", - "severity": "HIGH", - "line": 13, - "fileName": "positive33.yaml" - }, - { - "queryName": "Passwords And Secrets - Square OAuth Secret", - "severity": "HIGH", - "line": 13, - "fileName": "positive34.yaml" - }, - { - "queryName": "Passwords And Secrets - Google OAuth Access Token", - "severity": "HIGH", - "line": 13, - "fileName": "positive35.yaml" - }, - { - "queryName": "Passwords And Secrets - Putty User Key File Content", - "severity": "HIGH", - "line": 5, - "fileName": "positive36.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 14, - "fileName": "positive37.tf" - }, - { - "queryName": "Passwords And Secrets - CloudFormation Secret Template", - "severity": "HIGH", - "line": 16, - "fileName": "positive38.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 3, - "fileName": "positive39.tf" - }, - { - "queryName": "Passwords And Secrets - AWS Context-specific credential", - "severity": "HIGH", - "line": 14, - "fileName": "positive40.tf" - }, - { - "queryName": "Passwords And Secrets - AWS Certificate", - "severity": "HIGH", - "line": 15, - "fileName": "positive40.tf" - }, - { - "queryName": "Passwords And Secrets - Asymmetric private 
key", - "severity": "HIGH", - "line": 6, - "fileName": "positive41.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Access Key", - "severity": "HIGH", - "line": 7, - "fileName": "positive42.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Token", - "severity": "HIGH", - "line": 5, - "fileName": "positive43.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 17, - "fileName": "positive44.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 9, - "fileName": "positive45.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 20, - "fileName": "positive46.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 21, - "fileName": "positive46.yaml" - }, - { - "queryName": "Passwords And Secrets - Google OAuth", - "severity": "HIGH", - "line": 5, - "fileName": "positive47.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 6, - "fileName": "positive47.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive48.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Private Key", - "severity": "HIGH", - "line": 7, - "fileName": "positive49.yml" - }, - { - "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", - "severity": "HIGH", - "line": 56, - "fileName": "positive50.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", - "severity": "HIGH", - "line": 68, - "fileName": "positive50.yaml" - }, - { - "queryName": "Passwords And Secrets - Dockerfile ENV hardcoded password with omitted equals", - "severity": "HIGH", - "line": 4, - "fileName": "positive51.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - 
"severity": "HIGH", - "line": 4, - "fileName": "positive52.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 54, - "fileName": "positive53.json" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive54.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 14, - "fileName": "positive54.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 4, - "fileName": "positive55.json" - } +[ + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 8, + "fileName": "positive1.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 6, + "fileName": "positive2.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 7, + "fileName": "positive3.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 9, + "fileName": "positive4.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 2, + "fileName": "positive5.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 3, + "fileName": "positive6.dockerfile" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 7, + "fileName": "positive6.dockerfile" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 8, + "fileName": "positive7.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 4, + "fileName": "positive8.json" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line":7, + "fileName": "positive8.json" + }, + { + "queryName": "Passwords And Secrets 
- Generic Password", + "severity": "HIGH", + "line": 8, + "fileName": "positive9.tf" + }, + { + "queryName": "Passwords And Secrets - Password in URL", + "severity": "HIGH", + "line": 7, + "fileName": "positive10.json" + }, + { + "queryName": "Passwords And Secrets - Slack Webhook", + "severity": "HIGH", + "line": 17, + "fileName": "positive10.json" + }, + { + "queryName": "Passwords And Secrets - MSTeams Webhook", + "severity": "HIGH", + "line": 27, + "fileName": "positive10.json" + }, + { + "queryName": "Passwords And Secrets - Password in URL", + "severity": "HIGH", + "line": 7, + "fileName": "positive11.yaml" + }, + { + "queryName": "Passwords And Secrets - Slack Webhook", + "severity": "HIGH", + "line": 9, + "fileName": "positive11.yaml" + }, + { + "queryName": "Passwords And Secrets - MSTeams Webhook", + "severity": "HIGH", + "line": 11, + "fileName": "positive11.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 8, + "fileName": "positive12.json" + }, + { + "queryName": "Passwords And Secrets - Password in URL", + "severity": "HIGH", + "line": 11, + "fileName": "positive12.json" + }, + { + "queryName": "Passwords And Secrets - Slack Webhook", + "severity": "HIGH", + "line": 15, + "fileName": "positive12.json" + }, + { + "queryName": "Passwords And Secrets - MSTeams Webhook", + "severity": "HIGH", + "line": 19, + "fileName": "positive12.json" + }, + { + "queryName": "Passwords And Secrets - Asymmetric private key", + "severity": "HIGH", + "line": 6, + "fileName": "positive13.tf" + }, + { + "queryName": "Passwords And Secrets - AWS Access Key", + "severity": "HIGH", + "line": 17, + "fileName": "positive14.tf" + }, + { + "queryName": "Passwords And Secrets - AWS Secret Key", + "severity": "HIGH", + "line": 18, + "fileName": "positive14.tf" + }, + { + "queryName": "Passwords And Secrets - AWS Access Key", + "severity": "HIGH", + "line": 14, + "fileName": "positive15.tf" + }, + { + "queryName": "Passwords And 
Secrets - AWS Secret Key", + "severity": "HIGH", + "line": 15, + "fileName": "positive15.tf" + }, + { + "queryName": "Passwords And Secrets - K8s Environment Variable Password", + "severity": "HIGH", + "line": 34, + "fileName": "positive16.yaml" + }, + { + "queryName": "Passwords And Secrets - K8s Environment Variable Password", + "severity": "HIGH", + "line": 36, + "fileName": "positive16.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 7, + "fileName": "positive17.tf" + }, + { + "queryName": "Passwords And Secrets - Google OAuth", + "severity": "HIGH", + "line": 5, + "fileName": "positive18.tf" + }, + { + "queryName": "Passwords And Secrets - Slack Token", + "severity": "HIGH", + "line": 2, + "fileName": "positive19.tf" + }, + { + "queryName": "Passwords And Secrets - Stripe API Key", + "severity": "HIGH", + "line": 2, + "fileName": "positive20.tf" + }, + { + "queryName": "Passwords And Secrets - Google API Key", + "severity": "HIGH", + "line": 50, + "fileName": "positive21.tf" + }, + { + "queryName": "Passwords And Secrets - Heroku API Key", + "severity": "HIGH", + "line": 3, + "fileName": "positive22.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Token", + "severity": "HIGH", + "line": 3, + "fileName": "positive23.tf" + }, + { + "queryName": "Passwords And Secrets - Generic API Key", + "severity": "HIGH", + "line": 4, + "fileName": "positive24.tf" + }, + { + "queryName": "Passwords And Secrets - Square Access Token", + "severity": "HIGH", + "line": 3, + "fileName": "positive25.dockerfile" + }, + { + "queryName": "Passwords And Secrets - Picatic API Key", + "severity": "HIGH", + "line": 5, + "fileName": "positive25.dockerfile" + }, + { + "queryName": "Passwords And Secrets - Amazon MWS Auth Token", + "severity": "HIGH", + "line": 7, + "fileName": "positive25.dockerfile" + }, + { + "queryName": "Passwords And Secrets - MailChimp API Key", + "severity": "HIGH", + "line": 9, + "fileName": 
"positive25.dockerfile" + }, + { + "queryName": "Passwords And Secrets - SendGrid API Key", + "severity": "HIGH", + "line": 11, + "fileName": "positive25.dockerfile" + }, + { + "queryName": "Passwords And Secrets - Generic Private Key", + "severity": "HIGH", + "line": 9, + "fileName": "positive26.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Token", + "severity": "HIGH", + "line": 5, + "fileName": "positive27.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Token", + "severity": "HIGH", + "line": 22, + "fileName": "positive27.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Token", + "severity": "HIGH", + "line": 5, + "fileName": "positive28.yaml" + }, + { + "queryName": "Passwords And Secrets - Mailgun API Key", + "severity": "HIGH", + "line": 2, + "fileName": "positive29.tf" + }, + { + "queryName": "Passwords And Secrets - Stripe Restricted API Key", + "severity": "HIGH", + "line": 2, + "fileName": "positive30.tf" + }, + { + "queryName": "Passwords And Secrets - Twilio API Key", + "severity": "HIGH", + "line": 4, + "fileName": "positive31.yaml" + }, + { + "queryName": "Passwords And Secrets - PayPal Braintree Access Token", + "severity": "HIGH", + "line": 4, + "fileName": "positive32.yaml" + }, + { + "queryName": "Passwords And Secrets - Facebook Access Token", + "severity": "HIGH", + "line": 13, + "fileName": "positive33.yaml" + }, + { + "queryName": "Passwords And Secrets - Square OAuth Secret", + "severity": "HIGH", + "line": 13, + "fileName": "positive34.yaml" + }, + { + "queryName": "Passwords And Secrets - Google OAuth Access Token", + "severity": "HIGH", + "line": 13, + "fileName": "positive35.yaml" + }, + { + "queryName": "Passwords And Secrets - Putty User Key File Content", + "severity": "HIGH", + "line": 5, + "fileName": "positive36.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 14, + "fileName": "positive37.tf" + }, + { + "queryName": "Passwords And 
Secrets - CloudFormation Secret Template", + "severity": "HIGH", + "line": 16, + "fileName": "positive38.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 3, + "fileName": "positive39.tf" + }, + { + "queryName": "Passwords And Secrets - AWS Context-specific credential", + "severity": "HIGH", + "line": 14, + "fileName": "positive40.tf" + }, + { + "queryName": "Passwords And Secrets - AWS Certificate", + "severity": "HIGH", + "line": 15, + "fileName": "positive40.tf" + }, + { + "queryName": "Passwords And Secrets - Asymmetric private key", + "severity": "HIGH", + "line": 6, + "fileName": "positive41.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Access Key", + "severity": "HIGH", + "line": 7, + "fileName": "positive42.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Token", + "severity": "HIGH", + "line": 5, + "fileName": "positive43.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 17, + "fileName": "positive44.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 9, + "fileName": "positive45.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 20, + "fileName": "positive46.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 21, + "fileName": "positive46.yaml" + }, + { + "queryName": "Passwords And Secrets - Google OAuth", + "severity": "HIGH", + "line": 5, + "fileName": "positive47.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 6, + "fileName": "positive47.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 8, + "fileName": "positive48.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Private Key", + "severity": "HIGH", + "line": 7, + "fileName": "positive49.yml" 
+ }, + { + "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", + "severity": "HIGH", + "line": 56, + "fileName": "positive50.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", + "severity": "HIGH", + "line": 68, + "fileName": "positive50.yaml" + }, + { + "queryName": "Passwords And Secrets - Dockerfile ENV hardcoded password with omitted equals", + "severity": "HIGH", + "line": 4, + "fileName": "positive51.dockerfile" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 4, + "fileName": "positive52.dockerfile" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 54, + "fileName": "positive53.json" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 8, + "fileName": "positive54.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 14, + "fileName": "positive54.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 4, + "fileName": "positive55.json" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 4, + "fileName": "positive56.json" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 5, + "fileName": "positive56.json" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 6, + "fileName": "positive56.json" + } ] \ No newline at end of file diff --git a/pkg/engine/secrets/inspector.go b/pkg/engine/secrets/inspector.go index 20602131733..36dfa4aab00 100644 --- a/pkg/engine/secrets/inspector.go +++ b/pkg/engine/secrets/inspector.go 
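Review bot: The three entries appended at the end of this hunk carry `"fileName": "positive56.json"`, but the fixture added by this series is `positive56.proto`, whose lines 4–6 are exactly the comment lines these entries point at; unless the harness matches on the numeric suffix alone, these expectations can never be satisfied, and the later "Fix expected results" commit changes only the queryName values. Change all three to `"fileName": "positive56.proto"`. Separately, every line of the file except the unterminated closing `]` is removed and re-added in order to append 18 lines, which looks like a line-ending rewrite rather than a content change; if the following "fix git diff" commit is meant to undo that, squashing the two would keep the functional change reviewable.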
@@ -660,16 +660,13 @@ func ignoreLine(lineNumber int, linesIgnore []int) bool {
 return false
 }
-// cleanFiles keeps one file per filePath and filters .proto files
+// cleanFiles keeps one file per filePath
 func cleanFiles(files model.FileMetadatas) model.FileMetadatas {
 keys := make(map[string]bool)
 cleanFiles := model.FileMetadatas{}
 for i := range files {
- if files[i].Kind == model.KindPROTO {
- continue
- }
 filePath := files[i].FilePath
 if _, value := keys[filePath]; !value {
 keys[filePath] = true
diff --git a/pkg/engine/secrets/inspector_test.go b/pkg/engine/secrets/inspector_test.go
index 5839c5b9e0d..f642d0e1772 100644
--- a/pkg/engine/secrets/inspector_test.go
+++ b/pkg/engine/secrets/inspector_test.go
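Review bot: With the `KindPROTO` skip removed, `.proto` schemas now go through the same regex rules as every other file and nothing in this hunk takes over that exclusion, so the shortened comment should say so — otherwise the next reader of `cleanFiles` will assume proto handling still lives here and re-add the skip. Suggest `// cleanFiles keeps one file per filePath. Proto files are no longer skipped here; a schema field declaration (for example token = 8;) is only excluded when the matching rule carries a proto-aware allowRule, otherwise it is reported as a secret.` The test fixture in the same series annotates bare declarations such as `token = 8; // Generic Token`, which suggests several rules still match on a field number alone. The body of `cleanFiles` continues past the end of the hunk.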
@@ -266,20 +266,26 @@ var OriginalData8 = `
 package com.example.security_test.v1;
 import "google/protobuf/wrappers.proto";
- import "google/protobuf/timestamp.proto";
-
- message OAuthProviderConfig {
- google.protobuf.StringValue client_id = 1;
- google.protobuf.StringValue client_secret = 2;
- google.protobuf.StringValue access_token = 3;
- google.protobuf.StringValue refresh_token = 4;
- google.protobuf.StringValue token_endpoint = 5;
- google.protobuf.StringValue authorization_code = 6;
- google.protobuf.StringValue id_token = 7;
- google.protobuf.StringValue bearer_token = 8;
- google.protobuf.UInt32Value token_expiry_seconds = 9;
- google.protobuf.StringValue pkce_code_verifier = 10;
- }
+
+ message ResultsThatFlag {
+ google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token
+ google.protobuf.StringValue access_token= 1; // Generic Token
+ google.protobuf.StringValue id_token = 3; // Generic Token
+ google.protobuf.StringValue bearer_toaken = 4;;; // Generic Token
+ google.protobuf.StringValue api_token = 7 ; // Generic Token
+ google.protobuf.StringValue token = 8; // Generic Token
+ google.protobuf.StringValue sonar_token = 39;google.protobuf.StringValue codecov_token = 40;// trailing comment test - Generic Token
+ google.protobuf.StringValue jwt_private_key = 25; // Generic Private Key
+ google.protobuf.StringValue ssh_private_key = 26; // Generic Private Key
+ google.protobuf.StringValue tls_private_key = 27; // Generic Private Key
+ google.protobuf.StringValue sp_private_key = 6; // Generic Private Key
+ google.protobuf.StringValue encryption_key = 22; // Encryption Key
+ google.protobuf.StringValue data_encryption_key= 23 ; // Encryption Key
+ google.protobuf.StringValue key_encryption_key=24; // Encryption Key
+ google.protobuf.StringValue registry_password = 104; // Generic Password
+ google.protobuf.StringValue artifactory_password = 107 ; // Generic Password
+ google.protobuf.StringValue nexus_password = 108; // Generic Password
+ string password = 64; // Generic Password
 `
 var testInspectInput = []struct {
@@ -441,7 +447,7 @@ var testInspectInput = []struct {
 wantErr: false,
 },
 {
- name: "invalid_file_kind",
+ name: "valid_no_results",
 files: model.FileMetadatas{
 {
 ID: "a6fbadc6-da29-4340-8d56-aa26a8852526",
From bf117895263b100f7412af1bf12ad4d27e7c42ff Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 15:18:12 +0000
Subject: [PATCH 03/13] Fix expected results
---
 .../passwords_and_secrets/test/positive_expected_result.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index 3d5ba084ca2..2d6320703a9 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -462,7 +462,7 @@
 "fileName": "positive55.json"
 },
 {
- "queryName": "Passwords And Secrets - Generic Secret",
+ "queryName": "Passwords And Secrets - Generic Password",
 "severity": "HIGH",
 "line": 4,
 "fileName": "positive56.json"
@@ -474,7 +474,7 @@
 "fileName": "positive56.json"
 },
 {
- "queryName": "Passwords And Secrets - Generic Secret",
+ "queryName": "Passwords And Secrets - Generic Token",
 "severity": "HIGH",
 "line": 6,
 "fileName": "positive56.json"
From 6f74701c35d1628e7114e9d2c97b22c6a1641ae0 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 15:41:36 +0000
Subject: [PATCH 04/13] Part 1 fix git diff
---
 .../passwords_and_secrets/regex_rules.json | 900 ++++++++--------
 .../test/positive_expected_result.json | 944 +++++++++---------
 2 files changed, 905 insertions(+), 939 deletions(-)
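Review bot: The new fixture mixes deliberate malformations (`bearer_toaken`, the `;;;` run, `api_token = 7 ;`, two declarations on the sonar/codecov line) with ordinary fields and nothing says they are intentional, so the next maintainer will "fix" the typo and silently weaken the test; add a comment above `message ResultsThatFlag {` such as `// Formatting is deliberately sloppy (typos, stray ';', missing spaces, two fields per line): each field must still be reported by the rule named in its trailing comment.` The trailing `// Generic Token` and `// Generic Password` annotations on bare declarations like `token = 8;` imply findings are expected for fields that carry no secret value at all; if that is intended the test is pinning a false positive as correct behaviour, and if the same data feeds the case renamed `valid_no_results` in the next hunk, the message name contradicts it — the comment should state which. `OriginalData8` is declared before the hunk starts, so the expected results for this data are not visible here.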
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 40608122628..4620f0285cd 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -1,458 +1,442 @@ -{ - "rules": [ - { - "id": "487f4be7-3fd9-4506-a07a-eae252180c08", - "name": "Generic Password", - "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?", - "allowRules": [ - { - "description": "Avoiding TF resource access", - "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)" - }, - { - "description": "Avoiding description field", - "regex": "(?i)['\"]?description['\"]?\\s*=\\s*['\"].*['\"]" - }, - { - "description": "Avoiding Terraform 'optional' statement", - "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)$" - }, - { - "description": "Avoiding Terraform 'try' statement", - "regex": "(?i)['\"]?password['\"]?\\s*=\\s*try\\([^\"']+,[^\"']+\\)$" - }, - { - "description": "Avoiding CF AllowUsersToChangePassword", - "regex": "['\"]?AllowUsersToChangePassword['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?" - }, - { - "description": "Avoiding Ansible playbook update_password", - "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?" 
- }, - { - "description": "Allow placeholders", - "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"](\\$\\(|\\$?\\{\\{)\\s*\\w+\\s*(\\)|\\}\\})['\"]" - }, - { - "description": "Allow empty values", - "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(''|\"\")" - }, - { - "description": "Allow password retrieved from ARM parameters", - "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"]([a-zA-Z][a-zA-Z0-9_-]*)['\"]['\"]?\\)" - }, - { - "description": "Avoiding Proto File fields", - "regex": "(?i)password\\s*=\\s*[1-9][0-9]{0,8}\\s*;" - } - ], - "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*" - }, - { - "id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99", - "name": "Generic Secret", - "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]{10,})['\"]?", - "entropies": [ - { - "group": 3, - "min": 2.8, - "max": 8 - } - ], - "allowRules": [ - { - "description": "Avoiding Square OAuth Secret", - "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?" - }, - { - "description": "Avoiding TF resource access", - "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\.\\)\\]\\$]|(:\\s*null))|null)" - }, - { - "description": "Avoiding Secrets Manager arn", - "regex": ":secretsmanager:[a-z0-9-*?]+:[0-9*?]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" - }, - { - "description": "Avoiding CloudFormation Parameters Descriptions", - "regex": "['\"]?Description['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*${}+-.'\"]+)['\"]?" - }, - { - "description": "Avoiding Secrets from Azure Key Vault", - "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+-]+}?" 
- }, - { - "description": "Allow secret retrieved from ARM parameters", - "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_-]*['\"]\\s*\\)\\s*\\]" - }, - { - "description": "Allow secrets retrieved from Bicep getSecret built in function", - "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)" - } - ], - "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*" - }, - { - "id": "51b5b840-cd0c-4556-98a7-fe5f4def80cf", - "name": "Asymmetric private key", - "regex": "-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----\\s*(([A-Za-z0-9+,:\\-\\/=\\n\\r]+\\s*)+)-----END ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----", - "multiline": { - "detectLineGroup": 4 - }, - "entropies": [ - { - "group": 5, - "min": 3.7, - "max": 12 - } - ], - "specialMask": "all" - }, - { - "id": "a007a85e-a2a7-4a81-803a-7a2ca0c65abb", - "name": "Putty User Key File Content", - "regex": "['\"]?PuTTY-User-Key-File-\\d: ([\\w\\d-:\\n\\s+/=]+Private-MAC: [\\d\\w\"]+)['\"]?", - "multiline": { - "detectLineGroup": 1 - }, - "specialMask": "all" - }, - { - "id": "c4d3b58a-e6d4-450f-9340-04f1e702eaae", - "name": "Password in URL", - "regex": "['\"]?[a-zA-Z]{3,10}://[^/\\s:@$]*?:[^/\\s:@$]*?@[^/\\s:@$]*['\"]?" 
- }, - { - "id": "76c0bcde-903d-456e-ac13-e58c34987852", - "name": "AWS Access Key", - "regex": "(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}" - }, - { - "id": "76c0bcde-903d-456e-ac13-e58c34987852", - "name": "AWS Context-specific credential", - "regex": "(A3T[A-Z0-9]|ACCA)[A-Z0-9]{16}" - }, - { - "id": "76c0bcde-903d-456e-ac13-e58c34987852", - "name": "AWS Certificate", - "regex": "(A3T[A-Z0-9]|ASCA)[A-Z0-9]{16}" - }, - { - "id": "83ab47ff-381d-48cd-bac5-fb32222f54af", - "name": "AWS Secret Key", - "regex": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*['\"]?([a-zA-Z0-9/]{40})[\"']?", - "entropies": [ - { - "group": 3, - "min": 4.8, - "max": 7 - } - ], - "specialMask": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*" - }, - { - "id": "4b2b5fd3-364d-4093-bac2-17391b2a5297", - "name": "K8s Environment Variable Password", - "regex": "apiVersion((.*)\\s*)*env:((.*)\\s*)*name:\\s*\\w+(?i)pass((?i)word)?\\w*\\s*(value):\\s*([\"|'].*[\"|'])", - "multiline": { - "detectLineGroup": 7 - }, - "specialMask": "\\s*(value):\\s*" - }, - { - "id": "d651cca2-2156-4d17-8e76-423e68de5c8b", - "name": "Google OAuth", - "regex": "['\"]?[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com['\"]?" - }, - { - "id": "ccde326f-ebc7-4772-8ad5-de66e90a8cc3", - "name": "Slack Webhook", - "regex": "['\"]?https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}['\"]?" - }, - { - "id": "d6214dca-a31b-425f-bcf7-f4faa772a1c0", - "name": "MSTeams Webhook", - "regex": "['\"]?https://[a-zA-Z0-9_]{1,24}.webhook.office.com/webhook(b2)?/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/IncomingWebhook/[a-z0-9]+/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"]?" - }, - { - "id": "7908a9e3-5cac-41b1-b514-5f6d82ce02d5", - "name": "Slack Token", - "regex": "['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?" 
- }, - { - "id": "6abcae17-b175-4698-a9a5-b07661974749", - "name": "Stripe API Key", - "regex": "['\"]?sk_live_[0-9a-zA-Z]{24}[^0-9a-zA-Z]['\"]?" - }, - { - "id": "0b1b2482-51e7-49d1-893d-522afa4a6bd0", - "name": "Square Access Token", - "regex": "sq0atp-[0-9A-Za-z\\-_]{22}" - }, - { - "id": "6c54f9da-1a11-445a-8568-0d327e6af8be", - "name": "MailChimp API Key", - "regex": "[0-9a-f]{32}-us[0-9]{1,2}" - }, - { - "id": "e9856348-4069-4ac0-bd91-415f6a7b84a4", - "name": "Google API Key", - "regex": "['\"]?AIza[0-9A-Za-z\\-_]{35}['\"]?" - }, - { - "id": "9a3650af-5b88-48cd-ab89-cd77fd0b633f", - "name": "Heroku API Key", - "regex": "['\"]?(?i)heroku((.|\\n)*)\\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\\b['\"]?", - "multiline": { - "detectLineGroup": 3 - }, - "specialMask": "['\"]?(?i)api_key[^\\w\"']+" - }, - { - "id": "bb51eb1e-0357-44a2-86d7-dd5350cffd43", - "name": "Square OAuth Secret", - "regex": "['\"]?sq0csp-[0-9A-Za-z\\-_]{43}['\"]?" - }, - { - "id": "ac8c8075-6ec0-4367-9e26-30ec8161d258", - "name": "Amazon MWS Auth Token", - "regex": "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" - }, - { - "id": "41a1ca8d-f466-4084-a8c9-50f8b22200d5", - "name": "Google OAuth Access Token", - "regex": "ya29\\.[0-9A-Za-z\\-_]+" - }, - { - "id": "4919b847-e3da-402a-acf8-6cea8e529993", - "name": "PayPal Braintree Access Token", - "regex": "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}" - }, - { - "id": "54274b18-bfac-47ce-afd1-0f05bc3e3b59", - "name": "Stripe Restricted API Key", - "regex": "['\"]?rk_live_[0-9a-zA-Z]{24}['\"]?" - }, - { - "id": "5176e805-0cda-44fa-ac96-c092c646180a", - "name": "Facebook Access Token", - "regex": "['\"]?EAACEdEose0cBA[0-9A-Za-z]+['\"]?" 
- }, - { - "id": "74736dd1-dd11-4139-beb6-41cd43a50317", - "name": "Generic API Key", - "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?([0-9a-zA-Z]{32,45})['\"]?", - "allowRules": [ - { - "description": "Avoiding Twilio API Key", - "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?(SK[0-9a-fA-F]{32})['\"]?" - } - ], - "specialMask": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*" - }, - { - "id": "62d0025d-9575-4eff-b60b-d3b4fcec0d04", - "name": "Mailgun API Key", - "regex": "['\"]?key-[0-9a-zA-Z]{32}['\"]?" - }, - { - "id": "50cc5f03-e686-4183-97e9-12f9b55d0f97", - "name": "Picatic API Key", - "regex": "sk_live_[0-9a-z]{32}" - }, - { - "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed", - "name": "Twilio API Key", - "regex": "SK[0-9a-fA-F]{32}" - }, - { - "id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13", - "name": "Generic Access Key", - "regex": "(?i)^\\s*['\"]?(access)[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?", - "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*" - }, - { - "id": "2f665079-c383-4b33-896e-88268c1fa258", - "name": "Generic Private Key", - "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?", - "specialMask": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*", - "allowRules": [ - { - "description": "Avoiding bash variables", - "regex": "(?i)['\"]?\\$\\s*\\{[^\\s\\}]+\\}['\"]?" - }, - { - "description": "Avoid Docker Compose secrets paths", - "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?/run/secrets/\\w+['\"]?" 
- }, - { - "description": "Avoiding Proto File fields", - "regex": "(?i)private[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;" - } - ] - }, - { - "id": "baee238e-1921-4801-9c3f-79ae1d7b2cbc", - "name": "Generic Token", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?", - "allowRules": [ - { - "description": "Avoiding Amazon MWS Auth Token", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]?" - }, - { - "description": "Avoiding Slack Token", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?" - }, - { - "description": "Avoiding Square Access Token", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(sq0atp-[0-9A-Za-z\\-_]{22})['\"]?" - }, - { - "description": "Avoiding Google OAuth Access Token", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(ya29\\.[0-9A-Za-z\\-_]+)['\"]?" - }, - { - "description": "Avoiding PayPal Braintree Access Token", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32})['\"]?" - }, - { - "description": "Avoiding Facebook Access Token", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(EAACEdEose0cBA[0-9A-Za-z]+)['\"]?" - }, - { - "description": "Avoiding TF resource access", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+" - }, - { - "description": "Avoiding TF creation token", - "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" - }, - { - "description": "Avoiding CLoudformation ServiceToken", - "regex": "['\"]?ServiceToken['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?" 
- }, - { - "description": "Avoiding LifecycleActionToken Var", - "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" - }, - { - "description": "Avoiding Github id-token Default Values", - "regex": "(?i)['\"]?id-token['\"]?\\s*[:=]\\s*(write|read|none)" - }, - { - "description": "Avoiding result_token Var", - "regex": "(?i)['\"]?result(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" - }, - { - "description": "Avoiding next_token Var", - "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" - }, - { - "description": "Avoiding next_token Var", - "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" - }, - { - "description": "Avoiding references to module outputs in Bicep", - "regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)" - }, - { - "description": "Avoiding Run After Triggers (if written in conformity with best practices)", - "regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" 
- }, - { - "description": "Avoiding Proto File fields", - "regex": "(?i)token(_)?(key)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;" - } - ], - "specialMask": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*" - - }, - { - "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed", - "name": "CloudFormation Secret Template", - "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+-]{10,})}", - "specialMask": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*" - }, - { - "id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6", - "name": "Encryption Key", - "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?", - "allowRules": [ - { - "description": "Avoiding TF resource access", - "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+" - }, - { - "description": "Avoiding CLoudformation KeyName", - "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?" - }, - { - "description": "Avoiding Proto File fields", - "regex": "(?i)encryption[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;" - } - ], - "specialMask": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*" - }, - { - "id": "8a879bc7-6f82-40fd-bb48-74d25d557fe8", - "name": "SendGrid API Key", - "regex": "(?i)SG\\.[a-zA-Z0-9\\-\\_]{22}\\.[a-zA-Z0-9\\-\\_]{43}\\s*" - }, - { - "id": "be0ed753-d304-4363-844a-144050d4006d", - "name": "Generic Password on YAML files when value in tuple", - "regex": ".*password\\s*:[\\n|\\r]\\s*value:([^\\n|\\r]*)", - "multiline": { - "detectLineGroup": 1 - }, - "specialMask": ".*password\\s*:[\\n|\\r]\\s*value:" - }, - { - "id": "f05f238a-2ef0-4c39-9a36-951de1ba6dc9", - "name": "Dockerfile ENV hardcoded password with omitted equals", - "regex": "(?i)ENV\\s+[A-Za-z0-9/~^_!@&%()=?*+-.]*password[A-Za-z0-9/~^_!@&%()=?*+-.]*\\s+['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?" 
- } - ], - "allowRules": [ - { - "description": "Avoiding TF variables", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(var\\.)['\"]?" - }, - { - "description": "!Ref is a cloudFormation reference", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+!Ref\\s+\\.*" - }, - { - "description": "Avoiding cloudFormation intrinsic functions", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|!Not|Fn::Transform(:)?)\\s+\\.*" - }, - { - "description": "Avoiding CF resolve", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?({{resolve:)['\"]?" - }, - { - "description": "Avoiding Boolean's", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(true|false)['\"]?" - }, - { - "description": "Avoiding arn", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(arn:)['\"]?" - }, - { - "description": "Avoiding array access", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,}\\[([0-9]|['\"][a-zA-Z0-9]+['\"])\\])['\"]?" - }, - { - "description": "Avoiding TF file function", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(file\\()['\"]?" - }, - { - "description": "Avoiding ansible-vault encrypted variables", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(!vault \\|)['\"]?" - }, - { - "description": "Avoiding sha-hashed mysql native passwords", - "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(\\*[0-9A-F]{40})['\"]?" - } - ] -} +{ + "rules": [ + { + "id": "487f4be7-3fd9-4506-a07a-eae252180c08", + "name": "Generic Password", + "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. 
]{4,})['\"]?", + "allowRules": [ + { + "description": "Avoiding TF resource access", + "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)" + }, + { + "description": "Avoiding description field", + "regex": "(?i)['\"]?description['\"]?\\s*=\\s*['\"].*['\"]" + }, + { + "description": "Avoiding Terraform 'optional' statement", + "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)$" + }, + { + "description": "Avoiding Terraform 'try' statement", + "regex": "(?i)['\"]?password['\"]?\\s*=\\s*try\\([^\"']+,[^\"']+\\)$" + }, + { + "description": "Avoiding CF AllowUsersToChangePassword", + "regex": "['\"]?AllowUsersToChangePassword['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?" + }, + { + "description": "Avoiding Ansible playbook update_password", + "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?" 
+ }, + { + "description": "Allow placeholders", + "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"](\\$\\(|\\$?\\{\\{)\\s*\\w+\\s*(\\)|\\}\\})['\"]" + }, + { + "description": "Allow empty values", + "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(''|\"\")" + }, + { + "description": "Allow password retrieved from ARM parameters", + "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"]([a-zA-Z][a-zA-Z0-9_-]*)['\"]['\"]?\\)" + } + ], + "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*" + }, + { + "id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99", + "name": "Generic Secret", + "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]{10,})['\"]?", + "entropies": [ + { + "group": 3, + "min": 2.8, + "max": 8 + } + ], + "allowRules": [ + { + "description": "Avoiding Square OAuth Secret", + "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?" + }, + { + "description": "Avoiding TF resource access", + "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\.\\)\\]\\$]|(:\\s*null))|null)" + }, + { + "description": "Avoiding Secrets Manager arn", + "regex": ":secretsmanager:[a-z0-9-*?]+:[0-9*?]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" + }, + { + "description": "Avoiding CloudFormation Parameters Descriptions", + "regex": "['\"]?Description['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*${}+-.'\"]+)['\"]?" + }, + { + "description": "Avoiding Secrets from Azure Key Vault", + "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+-]+}?" 
+ }, + { + "description": "Allow secret retrieved from ARM parameters", + "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_-]*['\"]\\s*\\)\\s*\\]" + }, + { + "description": "Allow secrets retrieved from Bicep getSecret built in function", + "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)" + } + ], + "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*" + }, + { + "id": "51b5b840-cd0c-4556-98a7-fe5f4def80cf", + "name": "Asymmetric private key", + "regex": "-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----\\s*(([A-Za-z0-9+,:\\-\\/=\\n\\r]+\\s*)+)-----END ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----", + "multiline": { + "detectLineGroup": 4 + }, + "entropies": [ + { + "group": 5, + "min": 3.7, + "max": 12 + } + ], + "specialMask": "all" + }, + { + "id": "a007a85e-a2a7-4a81-803a-7a2ca0c65abb", + "name": "Putty User Key File Content", + "regex": "['\"]?PuTTY-User-Key-File-\\d: ([\\w\\d-:\\n\\s+/=]+Private-MAC: [\\d\\w\"]+)['\"]?", + "multiline": { + "detectLineGroup": 1 + }, + "specialMask": "all" + }, + { + "id": "c4d3b58a-e6d4-450f-9340-04f1e702eaae", + "name": "Password in URL", + "regex": "['\"]?[a-zA-Z]{3,10}://[^/\\s:@$]*?:[^/\\s:@$]*?@[^/\\s:@$]*['\"]?" 
+ }, + { + "id": "76c0bcde-903d-456e-ac13-e58c34987852", + "name": "AWS Access Key", + "regex": "(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}" + }, + { + "id": "76c0bcde-903d-456e-ac13-e58c34987852", + "name": "AWS Context-specific credential", + "regex": "(A3T[A-Z0-9]|ACCA)[A-Z0-9]{16}" + }, + { + "id": "76c0bcde-903d-456e-ac13-e58c34987852", + "name": "AWS Certificate", + "regex": "(A3T[A-Z0-9]|ASCA)[A-Z0-9]{16}" + }, + { + "id": "83ab47ff-381d-48cd-bac5-fb32222f54af", + "name": "AWS Secret Key", + "regex": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*['\"]?([a-zA-Z0-9/]{40})[\"']?", + "entropies": [ + { + "group": 3, + "min": 4.8, + "max": 7 + } + ], + "specialMask": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*" + }, + { + "id": "4b2b5fd3-364d-4093-bac2-17391b2a5297", + "name": "K8s Environment Variable Password", + "regex": "apiVersion((.*)\\s*)*env:((.*)\\s*)*name:\\s*\\w+(?i)pass((?i)word)?\\w*\\s*(value):\\s*([\"|'].*[\"|'])", + "multiline": { + "detectLineGroup": 7 + }, + "specialMask": "\\s*(value):\\s*" + }, + { + "id": "d651cca2-2156-4d17-8e76-423e68de5c8b", + "name": "Google OAuth", + "regex": "['\"]?[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com['\"]?" + }, + { + "id": "ccde326f-ebc7-4772-8ad5-de66e90a8cc3", + "name": "Slack Webhook", + "regex": "['\"]?https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}['\"]?" + }, + { + "id": "d6214dca-a31b-425f-bcf7-f4faa772a1c0", + "name": "MSTeams Webhook", + "regex": "['\"]?https://[a-zA-Z0-9_]{1,24}.webhook.office.com/webhook(b2)?/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/IncomingWebhook/[a-z0-9]+/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"]?" + }, + { + "id": "7908a9e3-5cac-41b1-b514-5f6d82ce02d5", + "name": "Slack Token", + "regex": "['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?" 
+ }, + { + "id": "6abcae17-b175-4698-a9a5-b07661974749", + "name": "Stripe API Key", + "regex": "['\"]?sk_live_[0-9a-zA-Z]{24}[^0-9a-zA-Z]['\"]?" + }, + { + "id": "0b1b2482-51e7-49d1-893d-522afa4a6bd0", + "name": "Square Access Token", + "regex": "sq0atp-[0-9A-Za-z\\-_]{22}" + }, + { + "id": "6c54f9da-1a11-445a-8568-0d327e6af8be", + "name": "MailChimp API Key", + "regex": "[0-9a-f]{32}-us[0-9]{1,2}" + }, + { + "id": "e9856348-4069-4ac0-bd91-415f6a7b84a4", + "name": "Google API Key", + "regex": "['\"]?AIza[0-9A-Za-z\\-_]{35}['\"]?" + }, + { + "id": "9a3650af-5b88-48cd-ab89-cd77fd0b633f", + "name": "Heroku API Key", + "regex": "['\"]?(?i)heroku((.|\\n)*)\\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\\b['\"]?", + "multiline": { + "detectLineGroup": 3 + }, + "specialMask": "['\"]?(?i)api_key[^\\w\"']+" + }, + { + "id": "bb51eb1e-0357-44a2-86d7-dd5350cffd43", + "name": "Square OAuth Secret", + "regex": "['\"]?sq0csp-[0-9A-Za-z\\-_]{43}['\"]?" + }, + { + "id": "ac8c8075-6ec0-4367-9e26-30ec8161d258", + "name": "Amazon MWS Auth Token", + "regex": "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" + }, + { + "id": "41a1ca8d-f466-4084-a8c9-50f8b22200d5", + "name": "Google OAuth Access Token", + "regex": "ya29\\.[0-9A-Za-z\\-_]+" + }, + { + "id": "4919b847-e3da-402a-acf8-6cea8e529993", + "name": "PayPal Braintree Access Token", + "regex": "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}" + }, + { + "id": "54274b18-bfac-47ce-afd1-0f05bc3e3b59", + "name": "Stripe Restricted API Key", + "regex": "['\"]?rk_live_[0-9a-zA-Z]{24}['\"]?" + }, + { + "id": "5176e805-0cda-44fa-ac96-c092c646180a", + "name": "Facebook Access Token", + "regex": "['\"]?EAACEdEose0cBA[0-9A-Za-z]+['\"]?" 
+ }, + { + "id": "74736dd1-dd11-4139-beb6-41cd43a50317", + "name": "Generic API Key", + "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?([0-9a-zA-Z]{32,45})['\"]?", + "allowRules": [ + { + "description": "Avoiding Twilio API Key", + "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?(SK[0-9a-fA-F]{32})['\"]?" + } + ], + "specialMask": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*" + }, + { + "id": "62d0025d-9575-4eff-b60b-d3b4fcec0d04", + "name": "Mailgun API Key", + "regex": "['\"]?key-[0-9a-zA-Z]{32}['\"]?" + }, + { + "id": "50cc5f03-e686-4183-97e9-12f9b55d0f97", + "name": "Picatic API Key", + "regex": "sk_live_[0-9a-z]{32}" + }, + { + "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed", + "name": "Twilio API Key", + "regex": "SK[0-9a-fA-F]{32}" + }, + { + "id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13", + "name": "Generic Access Key", + "regex": "(?i)^\\s*['\"]?(access)[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?", + "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*" + }, + { + "id": "2f665079-c383-4b33-896e-88268c1fa258", + "name": "Generic Private Key", + "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?", + "specialMask": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*", + "allowRules": [ + { + "description": "Avoiding bash variables", + "regex": "(?i)['\"]?\\$\\s*\\{[^\\s\\}]+\\}['\"]?" + }, + { + "description": "Avoid Docker Compose secrets paths", + "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?/run/secrets/\\w+['\"]?" + } + ] + }, + { + "id": "baee238e-1921-4801-9c3f-79ae1d7b2cbc", + "name": "Generic Token", + "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?", + "allowRules": [ + { + "description": "Avoiding Amazon MWS Auth Token", + "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]?" 
+ }, + { + "description": "Avoiding Slack Token", + "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?" + }, + { + "description": "Avoiding Square Access Token", + "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(sq0atp-[0-9A-Za-z\\-_]{22})['\"]?" + }, + { + "description": "Avoiding Google OAuth Access Token", + "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(ya29\\.[0-9A-Za-z\\-_]+)['\"]?" + }, + { + "description": "Avoiding PayPal Braintree Access Token", + "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32})['\"]?" + }, + { + "description": "Avoiding Facebook Access Token", + "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(EAACEdEose0cBA[0-9A-Za-z]+)['\"]?" + }, + { + "description": "Avoiding TF resource access", + "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+" + }, + { + "description": "Avoiding TF creation token", + "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" + }, + { + "description": "Avoiding CLoudformation ServiceToken", + "regex": "['\"]?ServiceToken['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?" + }, + { + "description": "Avoiding LifecycleActionToken Var", + "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" + }, + { + "description": "Avoiding Github id-token Default Values", + "regex": "(?i)['\"]?id-token['\"]?\\s*[:=]\\s*(write|read|none)" + }, + { + "description": "Avoiding result_token Var", + "regex": "(?i)['\"]?result(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" + }, + { + "description": "Avoiding next_token Var", + "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" 
+ }, + { + "description": "Avoiding next_token Var", + "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" + }, + { + "description": "Avoiding references to module outputs in Bicep", + "regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)" + }, + { + "description": "Avoiding Run After Triggers (if written in conformity with best practices)", + "regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" + } + ], + "specialMask": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*" + + }, + { + "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed", + "name": "CloudFormation Secret Template", + "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+-]{10,})}", + "specialMask": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*" + }, + { + "id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6", + "name": "Encryption Key", + "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?", + "allowRules": [ + { + "description": "Avoiding TF resource access", + "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+" + }, + { + "description": "Avoiding CLoudformation KeyName", + "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?" 
+ } + ], + "specialMask": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*" + }, + { + "id": "8a879bc7-6f82-40fd-bb48-74d25d557fe8", + "name": "SendGrid API Key", + "regex": "(?i)SG\\.[a-zA-Z0-9\\-\\_]{22}\\.[a-zA-Z0-9\\-\\_]{43}\\s*" + }, + { + "id": "be0ed753-d304-4363-844a-144050d4006d", + "name": "Generic Password on YAML files when value in tuple", + "regex": ".*password\\s*:[\\n|\\r]\\s*value:([^\\n|\\r]*)", + "multiline": { + "detectLineGroup": 1 + }, + "specialMask": ".*password\\s*:[\\n|\\r]\\s*value:" + }, + { + "id": "f05f238a-2ef0-4c39-9a36-951de1ba6dc9", + "name": "Dockerfile ENV hardcoded password with omitted equals", + "regex": "(?i)ENV\\s+[A-Za-z0-9/~^_!@&%()=?*+-.]*password[A-Za-z0-9/~^_!@&%()=?*+-.]*\\s+['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?" + } + ], + "allowRules": [ + { + "description": "Avoiding TF variables", + "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(var\\.)['\"]?" + }, + { + "description": "!Ref is a cloudFormation reference", + "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+!Ref\\s+\\.*" + }, + { + "description": "Avoiding cloudFormation intrinsic functions", + "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|!Not|Fn::Transform(:)?)\\s+\\.*" + }, + { + "description": "Avoiding CF resolve", + "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?({{resolve:)['\"]?" + }, + { + "description": "Avoiding Boolean's", + "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(true|false)['\"]?" + }, + { + "description": "Avoiding arn", + "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(arn:)['\"]?" + }, + { + "description": "Avoiding array access", + "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,}\\[([0-9]|['\"][a-zA-Z0-9]+['\"])\\])['\"]?" + }, + { + "description": "Avoiding TF file function", + "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(file\\()['\"]?" 
+ },
+ {
+ "description": "Avoiding ansible-vault encrypted variables",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(!vault \\|)['\"]?"
+ },
+ {
+ "description": "Avoiding sha-hashed mysql native passwords",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(\\*[0-9A-F]{40})['\"]?"
+ }
+ ]
+}
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index 2d6320703a9..e29ad869f20 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
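Review bot: The new side silently drops the four `Avoiding Proto File fields` allow rules (under Generic Password, Generic Private Key, Generic Token and Encryption Key) inside a commit titled as a git-diff fix, so a change to what the scanner suppresses is buried in a whole-file rewrite; the hunk header's 458 → 442 line count is exactly those four 4-line entries, which suggests everything else in the hunk is line-ending or whitespace normalisation. Splitting the normalisation from the rule removal would leave a sixteen-line reviewable diff and let the message state why the regex guard is no longer needed, presumably because proto-kind files are now skipped before matching; it is worth confirming that proto-style declarations such as `password = 64;` appearing in files of another kind (schema text embedded in a test source, for instance) are still handled as intended now that the regex-level guard is gone. Two pre-existing defects survive the rewrite and are cheap to fix while every line is being touched: the `Avoiding next_token Var` allow rule is listed twice under Generic Token, and the ids `76c0bcde-903d-456e-ac13-e58c34987852` and `e0f01838-b1c2-4669-b84b-981949ebe5ed` are each shared by more than one rule, which makes suppression or reporting keyed on rule id ambiguous.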
@@ -1,482 +1,464 @@ -[ - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive1.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 6, - "fileName": "positive2.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 7, - "fileName": "positive3.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 9, - "fileName": "positive4.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 2, - "fileName": "positive5.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 3, - "fileName": "positive6.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 7, - "fileName": "positive6.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive7.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 4, - "fileName": "positive8.json" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line":7, - "fileName": "positive8.json" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive9.tf" - }, - { - "queryName": "Passwords And Secrets - Password in URL", - "severity": "HIGH", - "line": 7, - "fileName": "positive10.json" - }, - { - "queryName": "Passwords And Secrets - Slack Webhook", - "severity": "HIGH", - "line": 17, - "fileName": "positive10.json" - }, - { - "queryName": "Passwords And Secrets - MSTeams Webhook", - "severity": "HIGH", - "line": 27, - "fileName": "positive10.json" - }, - { - "queryName": "Passwords And Secrets - Password in URL", - "severity": "HIGH", - "line": 7, - 
"fileName": "positive11.yaml" - }, - { - "queryName": "Passwords And Secrets - Slack Webhook", - "severity": "HIGH", - "line": 9, - "fileName": "positive11.yaml" - }, - { - "queryName": "Passwords And Secrets - MSTeams Webhook", - "severity": "HIGH", - "line": 11, - "fileName": "positive11.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive12.json" - }, - { - "queryName": "Passwords And Secrets - Password in URL", - "severity": "HIGH", - "line": 11, - "fileName": "positive12.json" - }, - { - "queryName": "Passwords And Secrets - Slack Webhook", - "severity": "HIGH", - "line": 15, - "fileName": "positive12.json" - }, - { - "queryName": "Passwords And Secrets - MSTeams Webhook", - "severity": "HIGH", - "line": 19, - "fileName": "positive12.json" - }, - { - "queryName": "Passwords And Secrets - Asymmetric private key", - "severity": "HIGH", - "line": 6, - "fileName": "positive13.tf" - }, - { - "queryName": "Passwords And Secrets - AWS Access Key", - "severity": "HIGH", - "line": 17, - "fileName": "positive14.tf" - }, - { - "queryName": "Passwords And Secrets - AWS Secret Key", - "severity": "HIGH", - "line": 18, - "fileName": "positive14.tf" - }, - { - "queryName": "Passwords And Secrets - AWS Access Key", - "severity": "HIGH", - "line": 14, - "fileName": "positive15.tf" - }, - { - "queryName": "Passwords And Secrets - AWS Secret Key", - "severity": "HIGH", - "line": 15, - "fileName": "positive15.tf" - }, - { - "queryName": "Passwords And Secrets - K8s Environment Variable Password", - "severity": "HIGH", - "line": 34, - "fileName": "positive16.yaml" - }, - { - "queryName": "Passwords And Secrets - K8s Environment Variable Password", - "severity": "HIGH", - "line": 36, - "fileName": "positive16.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 7, - "fileName": "positive17.tf" - }, - { - "queryName": "Passwords And Secrets - Google 
OAuth", - "severity": "HIGH", - "line": 5, - "fileName": "positive18.tf" - }, - { - "queryName": "Passwords And Secrets - Slack Token", - "severity": "HIGH", - "line": 2, - "fileName": "positive19.tf" - }, - { - "queryName": "Passwords And Secrets - Stripe API Key", - "severity": "HIGH", - "line": 2, - "fileName": "positive20.tf" - }, - { - "queryName": "Passwords And Secrets - Google API Key", - "severity": "HIGH", - "line": 50, - "fileName": "positive21.tf" - }, - { - "queryName": "Passwords And Secrets - Heroku API Key", - "severity": "HIGH", - "line": 3, - "fileName": "positive22.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Token", - "severity": "HIGH", - "line": 3, - "fileName": "positive23.tf" - }, - { - "queryName": "Passwords And Secrets - Generic API Key", - "severity": "HIGH", - "line": 4, - "fileName": "positive24.tf" - }, - { - "queryName": "Passwords And Secrets - Square Access Token", - "severity": "HIGH", - "line": 3, - "fileName": "positive25.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Picatic API Key", - "severity": "HIGH", - "line": 5, - "fileName": "positive25.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Amazon MWS Auth Token", - "severity": "HIGH", - "line": 7, - "fileName": "positive25.dockerfile" - }, - { - "queryName": "Passwords And Secrets - MailChimp API Key", - "severity": "HIGH", - "line": 9, - "fileName": "positive25.dockerfile" - }, - { - "queryName": "Passwords And Secrets - SendGrid API Key", - "severity": "HIGH", - "line": 11, - "fileName": "positive25.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Generic Private Key", - "severity": "HIGH", - "line": 9, - "fileName": "positive26.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Token", - "severity": "HIGH", - "line": 5, - "fileName": "positive27.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Token", - "severity": "HIGH", - "line": 22, - "fileName": "positive27.yaml" - }, - { - "queryName": 
"Passwords And Secrets - Generic Token", - "severity": "HIGH", - "line": 5, - "fileName": "positive28.yaml" - }, - { - "queryName": "Passwords And Secrets - Mailgun API Key", - "severity": "HIGH", - "line": 2, - "fileName": "positive29.tf" - }, - { - "queryName": "Passwords And Secrets - Stripe Restricted API Key", - "severity": "HIGH", - "line": 2, - "fileName": "positive30.tf" - }, - { - "queryName": "Passwords And Secrets - Twilio API Key", - "severity": "HIGH", - "line": 4, - "fileName": "positive31.yaml" - }, - { - "queryName": "Passwords And Secrets - PayPal Braintree Access Token", - "severity": "HIGH", - "line": 4, - "fileName": "positive32.yaml" - }, - { - "queryName": "Passwords And Secrets - Facebook Access Token", - "severity": "HIGH", - "line": 13, - "fileName": "positive33.yaml" - }, - { - "queryName": "Passwords And Secrets - Square OAuth Secret", - "severity": "HIGH", - "line": 13, - "fileName": "positive34.yaml" - }, - { - "queryName": "Passwords And Secrets - Google OAuth Access Token", - "severity": "HIGH", - "line": 13, - "fileName": "positive35.yaml" - }, - { - "queryName": "Passwords And Secrets - Putty User Key File Content", - "severity": "HIGH", - "line": 5, - "fileName": "positive36.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 14, - "fileName": "positive37.tf" - }, - { - "queryName": "Passwords And Secrets - CloudFormation Secret Template", - "severity": "HIGH", - "line": 16, - "fileName": "positive38.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 3, - "fileName": "positive39.tf" - }, - { - "queryName": "Passwords And Secrets - AWS Context-specific credential", - "severity": "HIGH", - "line": 14, - "fileName": "positive40.tf" - }, - { - "queryName": "Passwords And Secrets - AWS Certificate", - "severity": "HIGH", - "line": 15, - "fileName": "positive40.tf" - }, - { - "queryName": "Passwords And Secrets - Asymmetric private 
key", - "severity": "HIGH", - "line": 6, - "fileName": "positive41.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Access Key", - "severity": "HIGH", - "line": 7, - "fileName": "positive42.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Token", - "severity": "HIGH", - "line": 5, - "fileName": "positive43.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 17, - "fileName": "positive44.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 9, - "fileName": "positive45.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 20, - "fileName": "positive46.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 21, - "fileName": "positive46.yaml" - }, - { - "queryName": "Passwords And Secrets - Google OAuth", - "severity": "HIGH", - "line": 5, - "fileName": "positive47.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 6, - "fileName": "positive47.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive48.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Private Key", - "severity": "HIGH", - "line": 7, - "fileName": "positive49.yml" - }, - { - "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", - "severity": "HIGH", - "line": 56, - "fileName": "positive50.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", - "severity": "HIGH", - "line": 68, - "fileName": "positive50.yaml" - }, - { - "queryName": "Passwords And Secrets - Dockerfile ENV hardcoded password with omitted equals", - "severity": "HIGH", - "line": 4, - "fileName": "positive51.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - 
"severity": "HIGH", - "line": 4, - "fileName": "positive52.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 54, - "fileName": "positive53.json" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive54.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 14, - "fileName": "positive54.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 4, - "fileName": "positive55.json" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 4, - "fileName": "positive56.json" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 5, - "fileName": "positive56.json" - }, - { - "queryName": "Passwords And Secrets - Generic Token", - "severity": "HIGH", - "line": 6, - "fileName": "positive56.json" - } +[ + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 8, + "fileName": "positive1.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 6, + "fileName": "positive2.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 7, + "fileName": "positive3.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 9, + "fileName": "positive4.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 2, + "fileName": "positive5.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 3, + "fileName": "positive6.dockerfile" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 7, + "fileName": "positive6.dockerfile" + }, + { + "queryName": "Passwords And Secrets 
- Generic Password", + "severity": "HIGH", + "line": 8, + "fileName": "positive7.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 4, + "fileName": "positive8.json" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line":7, + "fileName": "positive8.json" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 8, + "fileName": "positive9.tf" + }, + { + "queryName": "Passwords And Secrets - Password in URL", + "severity": "HIGH", + "line": 7, + "fileName": "positive10.json" + }, + { + "queryName": "Passwords And Secrets - Slack Webhook", + "severity": "HIGH", + "line": 17, + "fileName": "positive10.json" + }, + { + "queryName": "Passwords And Secrets - MSTeams Webhook", + "severity": "HIGH", + "line": 27, + "fileName": "positive10.json" + }, + { + "queryName": "Passwords And Secrets - Password in URL", + "severity": "HIGH", + "line": 7, + "fileName": "positive11.yaml" + }, + { + "queryName": "Passwords And Secrets - Slack Webhook", + "severity": "HIGH", + "line": 9, + "fileName": "positive11.yaml" + }, + { + "queryName": "Passwords And Secrets - MSTeams Webhook", + "severity": "HIGH", + "line": 11, + "fileName": "positive11.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 8, + "fileName": "positive12.json" + }, + { + "queryName": "Passwords And Secrets - Password in URL", + "severity": "HIGH", + "line": 11, + "fileName": "positive12.json" + }, + { + "queryName": "Passwords And Secrets - Slack Webhook", + "severity": "HIGH", + "line": 15, + "fileName": "positive12.json" + }, + { + "queryName": "Passwords And Secrets - MSTeams Webhook", + "severity": "HIGH", + "line": 19, + "fileName": "positive12.json" + }, + { + "queryName": "Passwords And Secrets - Asymmetric private key", + "severity": "HIGH", + "line": 6, + "fileName": "positive13.tf" + }, + { + "queryName": "Passwords 
And Secrets - AWS Access Key", + "severity": "HIGH", + "line": 17, + "fileName": "positive14.tf" + }, + { + "queryName": "Passwords And Secrets - AWS Secret Key", + "severity": "HIGH", + "line": 18, + "fileName": "positive14.tf" + }, + { + "queryName": "Passwords And Secrets - AWS Access Key", + "severity": "HIGH", + "line": 14, + "fileName": "positive15.tf" + }, + { + "queryName": "Passwords And Secrets - AWS Secret Key", + "severity": "HIGH", + "line": 15, + "fileName": "positive15.tf" + }, + { + "queryName": "Passwords And Secrets - K8s Environment Variable Password", + "severity": "HIGH", + "line": 34, + "fileName": "positive16.yaml" + }, + { + "queryName": "Passwords And Secrets - K8s Environment Variable Password", + "severity": "HIGH", + "line": 36, + "fileName": "positive16.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 7, + "fileName": "positive17.tf" + }, + { + "queryName": "Passwords And Secrets - Google OAuth", + "severity": "HIGH", + "line": 5, + "fileName": "positive18.tf" + }, + { + "queryName": "Passwords And Secrets - Slack Token", + "severity": "HIGH", + "line": 2, + "fileName": "positive19.tf" + }, + { + "queryName": "Passwords And Secrets - Stripe API Key", + "severity": "HIGH", + "line": 2, + "fileName": "positive20.tf" + }, + { + "queryName": "Passwords And Secrets - Google API Key", + "severity": "HIGH", + "line": 50, + "fileName": "positive21.tf" + }, + { + "queryName": "Passwords And Secrets - Heroku API Key", + "severity": "HIGH", + "line": 3, + "fileName": "positive22.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Token", + "severity": "HIGH", + "line": 3, + "fileName": "positive23.tf" + }, + { + "queryName": "Passwords And Secrets - Generic API Key", + "severity": "HIGH", + "line": 4, + "fileName": "positive24.tf" + }, + { + "queryName": "Passwords And Secrets - Square Access Token", + "severity": "HIGH", + "line": 3, + "fileName": "positive25.dockerfile" + }, + { + 
"queryName": "Passwords And Secrets - Picatic API Key", + "severity": "HIGH", + "line": 5, + "fileName": "positive25.dockerfile" + }, + { + "queryName": "Passwords And Secrets - Amazon MWS Auth Token", + "severity": "HIGH", + "line": 7, + "fileName": "positive25.dockerfile" + }, + { + "queryName": "Passwords And Secrets - MailChimp API Key", + "severity": "HIGH", + "line": 9, + "fileName": "positive25.dockerfile" + }, + { + "queryName": "Passwords And Secrets - SendGrid API Key", + "severity": "HIGH", + "line": 11, + "fileName": "positive25.dockerfile" + }, + { + "queryName": "Passwords And Secrets - Generic Private Key", + "severity": "HIGH", + "line": 9, + "fileName": "positive26.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Token", + "severity": "HIGH", + "line": 5, + "fileName": "positive27.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Token", + "severity": "HIGH", + "line": 22, + "fileName": "positive27.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Token", + "severity": "HIGH", + "line": 5, + "fileName": "positive28.yaml" + }, + { + "queryName": "Passwords And Secrets - Mailgun API Key", + "severity": "HIGH", + "line": 2, + "fileName": "positive29.tf" + }, + { + "queryName": "Passwords And Secrets - Stripe Restricted API Key", + "severity": "HIGH", + "line": 2, + "fileName": "positive30.tf" + }, + { + "queryName": "Passwords And Secrets - Twilio API Key", + "severity": "HIGH", + "line": 4, + "fileName": "positive31.yaml" + }, + { + "queryName": "Passwords And Secrets - PayPal Braintree Access Token", + "severity": "HIGH", + "line": 4, + "fileName": "positive32.yaml" + }, + { + "queryName": "Passwords And Secrets - Facebook Access Token", + "severity": "HIGH", + "line": 13, + "fileName": "positive33.yaml" + }, + { + "queryName": "Passwords And Secrets - Square OAuth Secret", + "severity": "HIGH", + "line": 13, + "fileName": "positive34.yaml" + }, + { + "queryName": "Passwords And Secrets - Google OAuth Access 
Token", + "severity": "HIGH", + "line": 13, + "fileName": "positive35.yaml" + }, + { + "queryName": "Passwords And Secrets - Putty User Key File Content", + "severity": "HIGH", + "line": 5, + "fileName": "positive36.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 14, + "fileName": "positive37.tf" + }, + { + "queryName": "Passwords And Secrets - CloudFormation Secret Template", + "severity": "HIGH", + "line": 16, + "fileName": "positive38.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 3, + "fileName": "positive39.tf" + }, + { + "queryName": "Passwords And Secrets - AWS Context-specific credential", + "severity": "HIGH", + "line": 14, + "fileName": "positive40.tf" + }, + { + "queryName": "Passwords And Secrets - AWS Certificate", + "severity": "HIGH", + "line": 15, + "fileName": "positive40.tf" + }, + { + "queryName": "Passwords And Secrets - Asymmetric private key", + "severity": "HIGH", + "line": 6, + "fileName": "positive41.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Access Key", + "severity": "HIGH", + "line": 7, + "fileName": "positive42.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Token", + "severity": "HIGH", + "line": 5, + "fileName": "positive43.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 17, + "fileName": "positive44.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 9, + "fileName": "positive45.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 20, + "fileName": "positive46.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 21, + "fileName": "positive46.yaml" + }, + { + "queryName": "Passwords And Secrets - Google OAuth", + "severity": "HIGH", + "line": 5, + "fileName": "positive47.tf" + }, + { + 
"queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 6, + "fileName": "positive47.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 8, + "fileName": "positive48.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Private Key", + "severity": "HIGH", + "line": 7, + "fileName": "positive49.yml" + }, + { + "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", + "severity": "HIGH", + "line": 56, + "fileName": "positive50.yaml" + }, + { + "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", + "severity": "HIGH", + "line": 68, + "fileName": "positive50.yaml" + }, + { + "queryName": "Passwords And Secrets - Dockerfile ENV hardcoded password with omitted equals", + "severity": "HIGH", + "line": 4, + "fileName": "positive51.dockerfile" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 4, + "fileName": "positive52.dockerfile" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 54, + "fileName": "positive53.json" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 8, + "fileName": "positive54.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 14, + "fileName": "positive54.tf" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 4, + "fileName": "positive55.json" + } ] \ No newline at end of file From ac1555083e4f9708a1e9ea79074b66cffd2fde49 Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 15:42:22 +0000
Subject: [PATCH 05/13] Part 2 fix git diff
---
 .../passwords_and_secrets/regex_rules.json | 22 ++++++++++++++-----
 .../test/positive_expected_result.json | 18 +++++++++++++++
 2 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 4620f0285cd..7e61733518e 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -40,6 +40,10 @@
 {
 "description": "Allow password retrieved from ARM parameters",
 "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"]([a-zA-Z][a-zA-Z0-9_-]*)['\"]['\"]?\\)"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)password\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
 }
 ],
 "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"
@@ -279,6 +283,10 @@
 {
 "description": "Avoid Docker Compose secrets paths",
 "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?/run/secrets/\\w+['\"]?"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)private[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
 }
 ]
 },
@@ -338,11 +346,7 @@
 {
 "description": "Avoiding next_token Var",
 "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding next_token Var",
- "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
+ }
 {
 "description": "Avoiding references to module outputs in Bicep",
 "regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)"
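Review bot: The allow rule `(?i)password\\s*=\\s*[1-9][0-9]{0,8}\\s*;` added in the `@@ -40` hunk carries no proto-specific context, and nothing in the rule file ties an allow rule to a file kind (each one is a bare `description`/`regex` pair), so as written it also whitelists `password = 12345678;` in every other scanned language — a numeric PHP or Java config value, for example — turning a true positive of up to nine digits into a silent miss. The same applies to the sibling rules added at `@@ -279` (private_key), `@@ -350` (token) and `@@ -373` (encryption_key) in this patch and at `@@ -87` (secret) in PATCH 07. If proto files have to be scanned rather than skipped, anchoring the rule to a proto field declaration keeps it from matching plain assignments, for example `(?i)\\b(string|bytes|bool|float|double|[us]?int(32|64)|s?fixed(32|64)|google\\.protobuf\\.\\w+Value)\\s+\\w*password\\w*\\s*=\\s*[1-9][0-9]{0,8}\\s*;` (constructed, JSON-escaped as in the file); a positive fixture with `password = 12345678;` in a non-proto file would then pin that the rule does not over-suppress.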
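Review bot: The surviving `}` in the `@@ -338` hunk loses its trailing comma when the duplicated `next_token` rule is removed, so regex_rules.json does not parse at this commit; PATCH 06 restores it, and squashing the two would keep every commit in the series loadable. The new side should read `},` before the Bicep module-outputs rule.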
@@ -350,6 +354,10 @@
 {
 "description": "Avoiding Run After Triggers (if written in conformity with best practices)",
 "regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)token(_)?(key)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
 }
 ],
 "specialMask": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*"
@@ -373,6 +381,10 @@
 {
 "description": "Avoiding CLoudformation KeyName",
 "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)encryption[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
 }
 ],
 "specialMask": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*"
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index e29ad869f20..8cfd8102b6a 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -460,5 +460,23 @@
 "severity": "HIGH",
 "line": 4,
 "fileName": "positive55.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive56.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive56.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive56.json"
+ }
 ]
\ No newline at end of file
From bb1c871b0e17c5cf5a96d14dd386e309bad2f86a Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 15:43:26 +0000
Subject: [PATCH 06/13] Fix regex rules (duplicated rule was removed but comma was missed)
---
 assets/queries/common/passwords_and_secrets/regex_rules.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 7e61733518e..a47eb8b523d 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -346,7 +346,7 @@
 {
 "description": "Avoiding next_token Var",
 "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- }
+ },
 {
 "description": "Avoiding references to module outputs in Bicep",
 "regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)"
From 97cf527178b5cb0151d99afaa7c035dc1e13df26 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 16:00:03 +0000
Subject: [PATCH 07/13] Two more allow rules plus updated negative sample
---
 .../passwords_and_secrets/regex_rules.json | 12 +++++++++++-
 .../passwords_and_secrets/test/negative60.proto | 16 +++++++++-------
 2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index a47eb8b523d..c3213f8db3e 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -87,6 +87,10 @@
 {
 "description": "Allow secrets retrieved from Bicep getSecret built in function",
 "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)secret[_]?(key|value)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
 }
 ],
 "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*"
@@ -267,7 +271,13 @@
 {
 "id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
 "name": "Generic Access Key",
- "regex": "(?i)^\\s*['\"]?(access)[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
+ "regex": "(?i)^\\s*['\"]?access[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
+ "allowRules": [
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)access[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ }
+ ],
 "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*"
 },
 {
diff --git a/assets/queries/common/passwords_and_secrets/test/negative60.proto b/assets/queries/common/passwords_and_secrets/test/negative60.proto
index b920060c8ec..4b22ba8d902 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative60.proto
+++ b/assets/queries/common/passwords_and_secrets/test/negative60.proto
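Review bot: Dropping the `(access)` capture group from the Generic Access Key regex in the `@@ -267` hunk moves the captured value from group 2 to group 1; the rule file does not show whether the inspector addresses submatches by index (other rules carry a `detectLineGroup` setting, so it can), and if it does, masking and line attribution for this rule should be re-checked against positive42.tf before merging. The `allowRules` block added in the same hunk has the same cross-language reach as the other proto allow rules in this series and is removed again in PATCH 09, so the capture-group change is the only part of this hunk that survives.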
@@ -7,7 +7,15 @@ package com.example.security_test.v1;
 import "google/protobuf/wrappers.proto";
-message ResultsThatFlag {
+message SampleMessageNegative {
+ string the_secret = 15; //Generic Secret
+ string another_secret_ = 16; //Generic Secret
+ string the_secret_key = 17; //Generic Secret
+ string a_secret_value = 18; //Generic Secret
+ string another_secretvalue = 19; //Generic Secret
+ string another_secretkey = 31; //Generic Secret
+ double accesskey = 1212; //Generic Access Key
+ string access_key = 1313; //Generic Access Key
 google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token
 google.protobuf.StringValue access_token= 1; // Generic Token
 google.protobuf.StringValue id_token = 3; // Generic Token
@@ -18,12 +26,6 @@ message ResultsThatFlag {
 google.protobuf.StringValue sas_token = 12; // Generic Token
 google.protobuf.StringValue auth_token = 13; // Generic Token
 google.protobuf.StringValue bot_token = 14; // Generic Token
- google.protobuf.StringValue verification_token=15; // Generic Token
- google.protobuf.StringValue oauth_access_token = 16; // Generic Token
- google.protobuf.StringValue app_token = 17; // Generic Token
- google.protobuf.StringValue personal_access_token = 18; // Generic Token
- google.protobuf.StringValue service_account_token = 29; // Generic Token
- google.protobuf.StringValue webhook_verification_token = 31; // Generic Token
 google.protobuf.StringValue callback_token = 32; // Generic Token
 google.protobuf.StringValue k8s_service_account_token = 33; // Generic Token
 google.protobuf.StringValue registry_token = 34; // Generic Token
From c13808d150ea03a189858888a1fc8a09f3974012 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 16:07:44 +0000
Subject: [PATCH 08/13] Fallback, generic secret reqires 10 digits (impossible in proto) and generic api key enforces trimmed line starting with 'access'
---
 .../queries/common/passwords_and_secrets/regex_rules.json | 4 ----
 .../common/passwords_and_secrets/test/negative60.proto | 8 --------
 2 files changed, 12 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index c3213f8db3e..a9411de719a 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -87,10 +87,6 @@
 {
 "description": "Allow secrets retrieved from Bicep getSecret built in function",
 "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"
- },
- {
- "description": "Avoiding Proto File fields",
- "regex": "(?i)secret[_]?(key|value)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
 }
 ],
 "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*"
diff --git a/assets/queries/common/passwords_and_secrets/test/negative60.proto b/assets/queries/common/passwords_and_secrets/test/negative60.proto
index 4b22ba8d902..469ed11ea50 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative60.proto
+++ b/assets/queries/common/passwords_and_secrets/test/negative60.proto
@@ -8,14 +8,6 @@ package com.example.security_test.v1; import "google/protobuf/wrappers.proto"; message SampleMessageNegative { - string the_secret = 15; //Generic Secret - string another_secret_ = 16; //Generic Secret - string the_secret_key = 17; //Generic Secret - string a_secret_value = 18; //Generic Secret - string another_secretvalue = 19; //Generic Secret - string another_secretkey = 31; //Generic Secret - double accesskey = 1212; //Generic Access Key - string access_key = 1313; //Generic Access Key google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token google.protobuf.StringValue access_token= 1; // Generic Token google.protobuf.StringValue id_token = 3; // Generic Token From 3b4a2c29154893c90f50180ab14be98b663716ed Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 26 Mar 2026 16:09:01 +0000 Subject: [PATCH 09/13] Removed unnecessar allow rule --- .../queries/common/passwords_and_secrets/regex_rules.json | 6 ------ 1 file changed, 6 deletions(-) diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json index a9411de719a..288de1bc6ba 100644 --- a/assets/queries/common/passwords_and_secrets/regex_rules.json +++ b/assets/queries/common/passwords_and_secrets/regex_rules.json @@ -268,12 +268,6 @@ "id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13", "name": "Generic Access Key", "regex": "(?i)^\\s*['\"]?access[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?", - "allowRules": [ - { - "description": "Avoiding Proto File fields", - "regex": "(?i)access[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;" - } - ], "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*" }, { From 50fd363f7a25d5a3f44a7022eefb93bdf65e0734 Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 26 Mar 2026 17:40:33 +0000 Subject: [PATCH 10/13] Improved negative28 tests used for TF resource access allow rule in 'Generic Token', improved 2 TF reousrce access rules, added missing positive test for 'Encryption Key' query, added samples (similar to neg28) in negative61 for TF resource access allow rule in 'Encryption Key' query (was also missing test) --- .../passwords_and_secrets/regex_rules.json | 6 +- .../passwords_and_secrets/test/negative28.tf | 114 ++++++++++++++- .../passwords_and_secrets/test/negative61.tf | 134 ++++++++++++++++++ .../test/positive57.yaml | 8 ++ .../test/positive_expected_result.json | 18 +++ 5 files changed, 274 insertions(+), 6 deletions(-) create mode 100644 assets/queries/common/passwords_and_secrets/test/negative61.tf create mode 100644 assets/queries/common/passwords_and_secrets/test/positive57.yaml diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json index 288de1bc6ba..a5e83c5b3f2 100644 --- a/assets/queries/common/passwords_and_secrets/regex_rules.json +++ b/assets/queries/common/passwords_and_secrets/regex_rules.json @@ -321,7 +321,7 @@ }, { "description": "Avoiding TF resource access", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+" + "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)" }, { "description": "Avoiding TF creation token", 
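Review bot: In the new `Avoiding TF resource access` regex the closing alternative `[\\[\\.\\)\\]\\}\\$]` is a character class, so the `\\$` inside it matches a literal dollar sign, not end of line; a reference with nothing after it, such as the `token = var.auth_token` line this same commit adds to negative28.tf, is not matched by this allow rule at all. If end of line was intended, it has to sit outside the class, e.g. `\\s*([\\[\\.\\)\\]\\}]|$|(:\\s*null))|null)`; whether `$` then also needs the multi-line flag depends on whether the engine matches per line, which the hunk does not show. The `.*` inside `(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])` is unbounded and runs to the last `]` on the line, and since this is an allow rule, over-matching hides findings rather than adding them. The same pattern is applied to the `Encryption Key` allow rule in the hunk at -372.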
@@ -372,11 +372,11 @@ { "id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6", "name": "Encryption Key", - "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?", + "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+-]+['\"]?", "allowRules": [ { "description": "Avoiding TF resource access", - "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+" + "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)" }, { "description": "Avoiding CLoudformation KeyName", diff --git a/assets/queries/common/passwords_and_secrets/test/negative28.tf b/assets/queries/common/passwords_and_secrets/test/negative28.tf index 7239fcb2612..7843cd6f5e9 100644 --- a/assets/queries/common/passwords_and_secrets/test/negative28.tf +++ b/assets/queries/common/passwords_and_secrets/test/negative28.tf 
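Review bot: The new `Encryption Key` regex removes the parentheses around the value, leaving `['\"]?[A-Za-z0-9/~^_!@&%()=?*+-]+['\"]?` with no capturing group, while the other value-matching rules in this file (e.g. `Generic Access Key`, touched at -267 in the last commit of this series) keep `(...)` around the value. If the engine or the `specialMask` path reads group 1 for the reported value, that is a behavioural change separate from the stray `[` the edit also drops; `([A-Za-z0-9/~^_!@&%()=?*+-]+)` fixes the class and keeps the group. Whether group 1 is used cannot be seen from this hunk.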
@@ -1,4 +1,112 @@
-provider rancher2 {
- api_url = data.terraform_remote_state.rancher.outputs.api_url
- token_key = data.terraform_remote_state.rancher.outputs.token_key
+# Sample to test 'Generic Token' - allow TF resource access rule
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
 }
+
+provider "aws" {
+ region = "us-east-1"
+}
+
+variable "auth_token" {
+ description = "Authentication token"
+ type = string
+ sensitive = true
+}
+
+variable "environment" {
+ description = "Deployment environment"
+ type = string
+ default = "production"
+}
+
+variable "enabled" {
+ description = "Whether to enable resources"
+ type = bool
+ default = true
+}
+
+variable "clients" {
+ description = "Client configurations"
+ type = object({
+ oauth = map(object({
+ enabled = bool
+ }))
+ })
+}
+
+resource "aws_secretsmanager_secret_version" "token_version" {
+ for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
+
+ secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id
+ secret_string = jsonencode({ "client" : each.key, "token" : random_password.client_token[each.key].result })
+}
+
+resource "aws_secretsmanager_secret_version" "token_version_2" {
+ for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
+
+ secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id
+ secret_string = jsonencode({ "client" : each.key, "token" : random_password[each.key].client_token.result })
+}
+
+resource "aws_secretsmanager_secret_version" "token_version_3" {
+ for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
+
+ secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id
+ secret_string = jsonencode({ "client" : each.key, "token" : random_password["index"].client_token.result })
+}
+
+resource "aws_lb_listener" "https" {
+ count = var.enabled ? 1 : 0
+ load_balancer_arn = aws_lb.main[0].arn
+ port = 443
+ protocol = "HTTPS"
+
+ default_action {
+ type = "forward"
+ target_group_arn = [for t in aws_lb_target_group.app : t.token_key]
+ }
+}
+
+resource "aws_lb_listener" "https_null" {
+ count = var.enabled ? 1 : 0
+ load_balancer_arn = aws_lb.main[0].arn
+ port = 443
+ protocol = "HTTPS"
+
+ default_action {
+ type = "fixed-response"
+ token_key = null
+ }
+}
+module "auth_service" {
+ source = "./modules/auth"
+
+ token = var.auth_token
+}
+module "api_gateway" {
+ source = "./modules/gateway"
+
+ token = module.auth_service.token_output.value
+}
+module "legacy_service" {
+ source = "./modules/legacy"
+
+ token = data.aws_secretsmanager_secret_version.existing_token.secret_string
+}
+
+locals {
+ token_config = {
+ value = aws_secretsmanager_secret.client_token_secret["primary"].arn
+ }
+}
+
+module "monitoring" {
+ source = "./modules/monitoring"
+
+ token = local.token_config.value
+}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative61.tf b/assets/queries/common/passwords_and_secrets/test/negative61.tf
new file mode 100644
index 00000000000..9b986baab96
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative61.tf
@@ -0,0 +1,134 @@
+# Sample for 'Encryption Key' - avoiding TF resource access rule
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = "us-east-1"
+}
+
+variable "encryption_key" {
+ description = "Encryption key from external config"
+ type = string
+ sensitive = true
+}
+
+variable "environment" {
+ description = "Deployment environment"
+ type = string
+ default = "production"
+}
+
+variable "enabled" {
+ description = "Whether to enable resources"
+ type = bool
+ default = true
+}
+
+variable "clients" {
+ description = "Client configurations"
+ type = object({
+ storage = map(object({
+ enabled = bool
+ }))
+ })
+}
+
+resource "aws_kms_key" "client_encryption_key" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+
+ description = "KMS key for ${each.key}"
+ deletion_window_in_days = 30
+ enable_key_rotation = true
+}
+
+resource "aws_kms_alias" "client_encryption_alias" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+
+ name = "alias/${each.key}-encryption"
+ target_key_id = aws_kms_key.client_encryption_key[each.key].key_id
+}
+
+module "storage" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+ source = "./modules/storage"
+
+ encryption_key = aws_kms_key.client_encryption_key[each.key].arn
+}
+
+module "storage_2" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+ source = "./modules/storage"
+
+ encryption_key = aws_kms_key[each.key].client_encryption_key.arn
+}
+
+module "storage_3" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+ source = "./modules/storage"
+
+ encryption_key = aws_kms_key["index"].client_encryption_key.arn
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "bucket_enc" {
+ count = var.enabled ? 1 : 0
+ bucket = aws_s3_bucket.main[0].id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ encryption_key = [for k in aws_kms_key.client_encryption_key : k.arn]
+ }
+ }
+}
+
+module "optional_encryption" {
+ source = "./modules/storage"
+
+ encryption_key = null
+}
+
+module "database" {
+ source = "./modules/database"
+
+ encryption_key = var.encryption_key
+}
+
+module "encryption" {
+ source = "./modules/encryption"
+
+ environment = var.environment
+}
+
+module "app" {
+ source = "./modules/app"
+
+ encryption_key = module.encryption.key_output.value
+}
+
+data "aws_kms_key" "existing" {
+ key_id = "alias/existing-encryption-key"
+}
+
+module "legacy" {
+ source = "./modules/legacy"
+
+ encryption_key = data.aws_kms_key.existing.arn
+}
+
+locals {
+ encryption_config = {
+ key_arn = aws_kms_key.client_encryption_key["primary"].arn
+ }
+}
+
+module "monitoring" {
+ source = "./modules/monitoring"
+
+ encryption_key = local.encryption_config.key_arn
+}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/positive57.yaml b/assets/queries/common/passwords_and_secrets/test/positive57.yaml
new file mode 100644
index 00000000000..c0f56b93551
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/positive57.yaml
@@ -0,0 +1,8 @@
+# Samples for "Encryption Key" query
+- hosts: all
+ remote_user: root
+ vars:
+ encryption_key: aes256_my_super_secret_key_value
+ encryption_key: Ab3f8G2kL9mN4pQ7
+ encryptionkey: 0123456789abcdef
+
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index 8cfd8102b6a..e5117987c99 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
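Review bot: The `vars:` mapping in the new positive57.yaml repeats the key `encryption_key` on two consecutive lines, which YAML does not allow within one mapping; strict loaders reject the document and lenient ones keep only the last value. If the two samples are meant to be separate hits, give them distinct keys or put them under separate mappings — a line-based regex matches either way, but a parser-backed line lookup may not report both. The expected-results hunk that follows lists both lines.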
@@ -478,5 +478,23 @@ "severity": "HIGH", "line": 6, "fileName": "positive56.json" + }, + { + "queryName": "Passwords And Secrets - Encryption Key", + "severity": "HIGH", + "line": 5, + "fileName": "positive57.yaml" + }, + { + "queryName": "Passwords And Secrets - Encryption Key", + "severity": "HIGH", + "line": 7, + "fileName": "positive57.yaml" + }, + { + "queryName": "Passwords And Secrets - Encryption Key", + "severity": "HIGH", + "line": 6, + "fileName": "positive57.yaml" } ] \ No newline at end of file From da78bfa261f40c90bc1f62523d74c8738cd85c20 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Fri, 27 Mar 2026 10:22:50 +0000 Subject: [PATCH 11/13] Minor test change --- .../queries/common/passwords_and_secrets/test/negative60.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/common/passwords_and_secrets/test/negative60.proto b/assets/queries/common/passwords_and_secrets/test/negative60.proto index 469ed11ea50..63d53613600 100644 --- a/assets/queries/common/passwords_and_secrets/test/negative60.proto +++ b/assets/queries/common/passwords_and_secrets/test/negative60.proto @@ -9,7 +9,7 @@ import "google/protobuf/wrappers.proto"; message SampleMessageNegative { google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token - google.protobuf.StringValue access_token= 1; // Generic Token + google.protobuf.StringValue access_token= 111111111; // Generic Token google.protobuf.StringValue id_token = 3; // Generic Token google.protobuf.StringValue bearer_toaken = 4;;; // Generic Token google.protobuf.StringValue api_token = 7 ; // Generic Token From d0de24897b4c795a1cf887d926f2abaedc88f5c1 Mon Sep 17 00:00:00 2001 
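Review bot: The changed line `access_token= 111111111;` records only `// Generic Token`, so the reason for a nine-digit field number is not written down, whereas the `refresh_token = 536870911` line above documents the limit it probes. Suggest `// 9-digit field number; Generic Token must not read it as a value`, or whatever case was intended, so the fixture stays self-explaining. `SampleMessageNegative` continues past this hunk.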
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Fri, 27 Mar 2026 10:32:16 +0000 Subject: [PATCH 12/13] Expected results fix --- .../test/positive_expected_result.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json index e5117987c99..88cc664b56b 100644 --- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json +++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json @@ -465,19 +465,19 @@ "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 4, - "fileName": "positive56.json" + "fileName": "positive56.proto" }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 5, - "fileName": "positive56.json" + "fileName": "positive56.proto" }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 6, - "fileName": "positive56.json" + "fileName": "positive56.proto" }, { "queryName": "Passwords And Secrets - Encryption Key", @@ -488,13 +488,13 @@ { "queryName": "Passwords And Secrets - Encryption Key", "severity": "HIGH", - "line": 7, + "line": 6, "fileName": "positive57.yaml" }, { "queryName": "Passwords And Secrets - Encryption Key", "severity": "HIGH", - "line": 6, + "line": 7, "fileName": "positive57.yaml" } ] \ No newline at end of file From f1a09b5dd09db1691ffc375f9c8307373c0a3d0a Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Fri, 27 Mar 2026 11:02:10 +0000 Subject: [PATCH 13/13] Removed fixs unrelated to proto files fields (will be included in a seperate PR) --- .../passwords_and_secrets/regex_rules.json | 12 +- .../passwords_and_secrets/test/negative28.tf | 114 +-------------- .../passwords_and_secrets/test/negative61.tf | 134 ------------------ .../test/positive57.yaml | 8 -- .../test/positive_expected_result.json | 18 --- 5 files changed, 11 insertions(+), 275 deletions(-) delete mode 100644 assets/queries/common/passwords_and_secrets/test/negative61.tf delete mode 100644 assets/queries/common/passwords_and_secrets/test/positive57.yaml diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json index a5e83c5b3f2..3228d649743 100644 --- a/assets/queries/common/passwords_and_secrets/regex_rules.json +++ b/assets/queries/common/passwords_and_secrets/regex_rules.json @@ -267,7 +267,7 @@ { "id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13", "name": "Generic Access Key", - "regex": "(?i)^\\s*['\"]?access[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?", + "regex": "(?i)^\\s*['\"]?(access)[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?", "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*" }, { @@ -321,7 +321,7 @@ }, { "description": "Avoiding TF resource access", - "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)" + "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+" }, { "description": "Avoiding TF creation token", 
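Review bot: Wrapping `access` in parentheses in the new `Generic Access Key` regex turns it into a capturing group, so the value previously captured as group 1 becomes group 2 while the group itself serves no purpose in the pattern. If the engine reads the reported value from the first group (the other value rules in this file, e.g. `Encryption Key` further down, keep the value as their only group), this shifts what is reported or masked; `(?:access)` or the plain `access` of the old line keeps the numbering. The unchanged `specialMask` on the next line suggests masking at least does not depend on it, but that cannot be confirmed here.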
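Review bot: The restored `Avoiding TF resource access` regex on the new side carries two pattern defects: `[a-zA-z_]` mixes cases in one range (`A-z` also spans `[`, `\`, `]`, `^` and the backtick) and the three `(.)` groups match any character rather than a literal dot, so the allow rule is broader than the Terraform reference it is meant to recognise. The commit message says these fixes move to a separate PR, so the ask is only that that PR carries `[a-zA-Z_]` and `\\.` (escaped in the JSON string); the identical pattern is restored for the `Encryption Key` allow rule in the hunk at -372,11 +376,11. Because these are allow rules, over-matching suppresses findings rather than adding them.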
@@ -347,6 +347,10 @@ "description": "Avoiding next_token Var", "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" }, + { + "description": "Avoiding next_token Var", + "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?" + }, { "description": "Avoiding references to module outputs in Bicep", "regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)" @@ -372,11 +376,11 @@ { "id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6", "name": "Encryption Key", - "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+-]+['\"]?", + "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?", "allowRules": [ { "description": "Avoiding TF resource access", - "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)" + "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+" }, { "description": "Avoiding CLoudformation KeyName", diff --git a/assets/queries/common/passwords_and_secrets/test/negative28.tf b/assets/queries/common/passwords_and_secrets/test/negative28.tf index 7843cd6f5e9..7239fcb2612 100644 --- a/assets/queries/common/passwords_and_secrets/test/negative28.tf +++ b/assets/queries/common/passwords_and_secrets/test/negative28.tf 
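Review bot: The four added lines duplicate the allow rule immediately above them verbatim — the same `Avoiding next_token Var` description and the same regex — so the `allowRules` array now carries the entry twice. It looks like a revert artefact rather than an intended change; drop the added object. A duplicate is harmless at match time but will confuse anyone later auditing which rule suppressed a finding.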
@@ -1,112 +1,4 @@
-# Sample to test 'Generic Token' - allow TF resource access rule
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 5.0"
- }
- }
+provider rancher2 {
+ api_url = data.terraform_remote_state.rancher.outputs.api_url
+ token_key = data.terraform_remote_state.rancher.outputs.token_key
 }
-
-provider "aws" {
- region = "us-east-1"
-}
-
-variable "auth_token" {
- description = "Authentication token"
- type = string
- sensitive = true
-}
-
-variable "environment" {
- description = "Deployment environment"
- type = string
- default = "production"
-}
-
-variable "enabled" {
- description = "Whether to enable resources"
- type = bool
- default = true
-}
-
-variable "clients" {
- description = "Client configurations"
- type = object({
- oauth = map(object({
- enabled = bool
- }))
- })
-}
-
-resource "aws_secretsmanager_secret_version" "token_version" {
- for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
-
- secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id
- secret_string = jsonencode({ "client" : each.key, "token" : random_password.client_token[each.key].result })
-}
-
-resource "aws_secretsmanager_secret_version" "token_version_2" {
- for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
-
- secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id
- secret_string = jsonencode({ "client" : each.key, "token" : random_password[each.key].client_token.result })
-}
-
-resource "aws_secretsmanager_secret_version" "token_version_3" {
- for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
-
- secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id
- secret_string = jsonencode({ "client" : each.key, "token" : random_password["index"].client_token.result })
-}
-
-resource "aws_lb_listener" "https" {
- count = var.enabled ? 1 : 0
- load_balancer_arn = aws_lb.main[0].arn
- port = 443
- protocol = "HTTPS"
-
- default_action {
- type = "forward"
- target_group_arn = [for t in aws_lb_target_group.app : t.token_key]
- }
-}
-
-resource "aws_lb_listener" "https_null" {
- count = var.enabled ? 1 : 0
- load_balancer_arn = aws_lb.main[0].arn
- port = 443
- protocol = "HTTPS"
-
- default_action {
- type = "fixed-response"
- token_key = null
- }
-}
-module "auth_service" {
- source = "./modules/auth"
-
- token = var.auth_token
-}
-module "api_gateway" {
- source = "./modules/gateway"
-
- token = module.auth_service.token_output.value
-}
-module "legacy_service" {
- source = "./modules/legacy"
-
- token = data.aws_secretsmanager_secret_version.existing_token.secret_string
-}
-
-locals {
- token_config = {
- value = aws_secretsmanager_secret.client_token_secret["primary"].arn
- }
-}
-
-module "monitoring" {
- source = "./modules/monitoring"
-
- token = local.token_config.value
-}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative61.tf b/assets/queries/common/passwords_and_secrets/test/negative61.tf
deleted file mode 100644
index 9b986baab96..00000000000
--- a/assets/queries/common/passwords_and_secrets/test/negative61.tf
+++ /dev/null
@@ -1,134 +0,0 @@
-# Sample for 'Encryption Key' - avoiding TF resource access rule
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 5.0"
- }
- }
-}
-
-provider "aws" {
- region = "us-east-1"
-}
-
-variable "encryption_key" {
- description = "Encryption key from external config"
- type = string
- sensitive = true
-}
-
-variable "environment" {
- description = "Deployment environment"
- type = string
- default = "production"
-}
-
-variable "enabled" {
- description = "Whether to enable resources"
- type = bool
- default = true
-}
-
-variable "clients" {
- description = "Client configurations"
- type = object({
- storage = map(object({
- enabled = bool
- }))
- })
-}
-
-resource "aws_kms_key" "client_encryption_key" {
- for_each = { for k, v in var.clients.storage : k => v if var.enabled }
-
- description = "KMS key for ${each.key}"
- deletion_window_in_days = 30
- enable_key_rotation = true
-}
-
-resource "aws_kms_alias" "client_encryption_alias" {
- for_each = { for k, v in var.clients.storage : k => v if var.enabled }
-
- name = "alias/${each.key}-encryption"
- target_key_id = aws_kms_key.client_encryption_key[each.key].key_id
-}
-
-module "storage" {
- for_each = { for k, v in var.clients.storage : k => v if var.enabled }
- source = "./modules/storage"
-
- encryption_key = aws_kms_key.client_encryption_key[each.key].arn
-}
-
-module "storage_2" {
- for_each = { for k, v in var.clients.storage : k => v if var.enabled }
- source = "./modules/storage"
-
- encryption_key = aws_kms_key[each.key].client_encryption_key.arn
-}
-
-module "storage_3" {
- for_each = { for k, v in var.clients.storage : k => v if var.enabled }
- source = "./modules/storage"
-
- encryption_key = aws_kms_key["index"].client_encryption_key.arn
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "bucket_enc" {
- count = var.enabled ? 1 : 0
- bucket = aws_s3_bucket.main[0].id
-
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "aws:kms"
- encryption_key = [for k in aws_kms_key.client_encryption_key : k.arn]
- }
- }
-}
-
-module "optional_encryption" {
- source = "./modules/storage"
-
- encryption_key = null
-}
-
-module "database" {
- source = "./modules/database"
-
- encryption_key = var.encryption_key
-}
-
-module "encryption" {
- source = "./modules/encryption"
-
- environment = var.environment
-}
-
-module "app" {
- source = "./modules/app"
-
- encryption_key = module.encryption.key_output.value
-}
-
-data "aws_kms_key" "existing" {
- key_id = "alias/existing-encryption-key"
-}
-
-module "legacy" {
- source = "./modules/legacy"
-
- encryption_key = data.aws_kms_key.existing.arn
-}
-
-locals {
- encryption_config = {
- key_arn = aws_kms_key.client_encryption_key["primary"].arn
- }
-}
-
-module "monitoring" {
- source = "./modules/monitoring"
-
- encryption_key = local.encryption_config.key_arn
-}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/positive57.yaml b/assets/queries/common/passwords_and_secrets/test/positive57.yaml
deleted file mode 100644
index c0f56b93551..00000000000
--- a/assets/queries/common/passwords_and_secrets/test/positive57.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# Samples for "Encryption Key" query
-- hosts: all
- remote_user: root
- vars:
- encryption_key: aes256_my_super_secret_key_value
- encryption_key: Ab3f8G2kL9mN4pQ7
- encryptionkey: 0123456789abcdef
-
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index 88cc664b56b..9eca41250a0 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -478,23 +478,5 @@ "severity": "HIGH", "line": 6, "fileName": "positive56.proto" - }, - { - "queryName": "Passwords And Secrets - Encryption Key", - "severity": "HIGH", - "line": 5, - "fileName": "positive57.yaml" - }, - { - "queryName": "Passwords And Secrets - Encryption Key", - "severity": "HIGH", - "line": 6, - "fileName": "positive57.yaml" - }, - { - "queryName": "Passwords And Secrets - Encryption Key", - "severity": "HIGH", - "line": 7, - "fileName": "positive57.yaml" } ] \ No newline at end of file