Merge Gitleaks rules 2024-08-20 # 00:30

Author: Security Research (r2c-argo)

generic/secrets/gitleaks/clojars-api-token.yaml

@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)(CLOJARS_)[a-z0-9]{60}
+    - pattern-regex: (?i)CLOJARS_[a-z0-9]{60}

generic/secrets/gitleaks/doppler-api-token.yaml

@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (dp\.pt\.)(?i)[a-z0-9]{43}
+    - pattern-regex: dp\.pt\.(?i)[a-z0-9]{43}

generic/secrets/gitleaks/duffel-api-token.yaml

@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: duffel_(test|live)_(?i)[a-z0-9_\-=]{43}
+    - pattern-regex: duffel_(?:test|live)_(?i)[a-z0-9_\-=]{43}

generic/secrets/gitleaks/github-app-token.yaml

@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (ghu|ghs)_[0-9a-zA-Z]{36}
+    - pattern-regex: (?:ghu|ghs)_[0-9a-zA-Z]{36}

generic/secrets/gitleaks/harness-api-key.yaml

@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: ((?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20})
+    - pattern-regex: (?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20}

generic/secrets/gitleaks/kubernetes-secret-with-data-after.yaml

@@ -0,0 +1,26 @@
+rules:
+- id: kubernetes-secret-with-data-after
+  message: A gitleaks kubernetes-secret-with-data-after was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+  languages:
+    - regex
+  severity: INFO
+  metadata:
+      likelihood: LOW
+      impact: MEDIUM
+      confidence: LOW
+      category: security
+      cwe:
+        - "CWE-798: Use of Hard-coded Credentials"
+      cwe2021-top25: true
+      cwe2022-top25: true
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+      source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+      subcategory:
+        - vuln
+      technology:
+        - gitleaks
+  patterns:
+    - pattern-regex: (?i)\b((?i)(?:\bkind:.{0,10}Secret\b)(?:.|\s){0,200}?\b(?:data:)\s*(.+))(?:['|\"|\n|\r|\s|\x60|;]|$)

generic/secrets/gitleaks/kubernetes-secret-with-data-before.yaml

@@ -0,0 +1,26 @@
+rules:
+- id: kubernetes-secret-with-data-before
+  message: A gitleaks kubernetes-secret-with-data-before was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+  languages:
+    - regex
+  severity: INFO
+  metadata:
+      likelihood: LOW
+      impact: MEDIUM
+      confidence: LOW
+      category: security
+      cwe:
+        - "CWE-798: Use of Hard-coded Credentials"
+      cwe2021-top25: true
+      cwe2022-top25: true
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+      source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+      subcategory:
+        - vuln
+      technology:
+        - gitleaks
+  patterns:
+    - pattern-regex: (?i)\b((?i)(?:\b(?:data:))(\W+(?:\w+\W+){0,200}?)\bkind:.{0,10}Secret\b)(?:['|\"|\n|\r|\s|\x60|;]|$)

generic/secrets/gitleaks/openshift-user-token.yaml

@@ -0,0 +1,26 @@
+rules:
+- id: openshift-user-token
+  message: A gitleaks openshift-user-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+  languages:
+    - regex
+  severity: INFO
+  metadata:
+      likelihood: LOW
+      impact: MEDIUM
+      confidence: LOW
+      category: security
+      cwe:
+        - "CWE-798: Use of Hard-coded Credentials"
+      cwe2021-top25: true
+      cwe2022-top25: true
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+      source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+      subcategory:
+        - vuln
+      technology:
+        - gitleaks
+  patterns:
+    - pattern-regex: \b(sha256~[\w-]{43})(?:[^\w-]|\z)

generic/secrets/gitleaks/private-key.yaml

@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S-]*KEY( BLOCK)?----
+    - pattern-regex: (?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----[\s\S-]*KEY(?: BLOCK)?----

generic/secrets/gitleaks/sidekiq-sensitive-url.yaml

@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)\b(http(?:s??):\/\/)([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$)
+    - pattern-regex: (?i)\bhttps?://([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$)

generic/secrets/gitleaks/slack-app-token.yaml

@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)(xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+)
+    - pattern-regex: (?i)xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+

generic/secrets/gitleaks/slack-config-access-token.yaml

@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)(xoxe.xox[bp]-\d-[A-Z0-9]{163,166})
+    - pattern-regex: (?i)xoxe.xox[bp]-\d-[A-Z0-9]{163,166}

generic/secrets/gitleaks/slack-config-refresh-token.yaml

@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)(xoxe-\d-[A-Z0-9]{146})
+    - pattern-regex: (?i)xoxe-\d-[A-Z0-9]{146}

generic/secrets/gitleaks/slack-legacy-token.yaml

@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (xox[os]-\d+-\d+-\d+-[a-fA-F\d]+)
+    - pattern-regex: xox[os]-\d+-\d+-\d+-[a-fA-F\d]+

generic/secrets/gitleaks/slack-user-token.yaml

@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34})
+    - pattern-regex: xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34}

generic/secrets/gitleaks/telegram-bot-api-token.yaml

@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i:(?:telegr)(?:[0-9a-z\(-_\t .\\]{0,40})(?:[\s|']|[\s|"]){0,3})(?:=|\|\|:|<=|=>|:|\?=|\()(?:'|\"|\s|=|\x60){0,5}([0-9]{5,16}:A[a-z0-9_\-]{34})(?:['|\"|\n|\r|\s|\x60|;|\\]|$)
+    - pattern-regex: (?i:telegr(?:[0-9a-z\(-_\t .\\]{0,40})(?:[\s|']|[\s|"]){0,3})(?:=|\|\|:|<=|=>|:|\?=|\()(?:'|\"|\s|=|\x60){0,5}([0-9]{5,16}:A[a-z0-9_\-]{34})(?:['|\"|\n|\r|\s|\x60|;|\\]|$)