Configuration Secrets

Hardcoded Database Passwords

version: v0.1

Comments / Notes:

  • Only supports Postgres and MySQL password strings
  • Checks for a null / zero-length password
  • Supports quoted passwords
  • Not case sensitive
Pattern Format

[^\r\n\p{Cc}]+

Start Pattern

(?:[^0-9A-Za-z]|\A)(?i)(?:postgres|mysql|mysql_root)_password[\t ]*[=:][\t ]*['"]

End Pattern

\z|[\r\n'"]

Hardcoded Spring SQL passwords

Hardcoded JDBC / Spring datasource passwords, which are typically set in property files or passed in at runtime

version: v0.1

Pattern Format

[^\r\n'"\p{Cc}]+

Start Pattern

(?:spring\.datasource|jdbc)\.password[ \t]*=[ \t]*['"]?

End Pattern

\z|['"\r\n]

Django Secret Key

version: v0.1

Comments / Notes:

  • If the secret is at the start of the file, it's not picked up
Pattern Format

[^\r\n"']+

Start Pattern

\bSECRET_KEY[ \t]*=[ \t]*["']

End Pattern

['"]
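To show how the three parts of the database, Spring and Django rules above fit together, here is an added Python evaluator. It is example code written for this page, not code from this repository or from GitHub's scanner. It joins each rule's start pattern, secret format and end pattern into one regex and runs it over constructed config files. The translation to Python's re syntax is an assumption spelled out in the comments: \p{Cc} becomes an explicit control-character range, the mid-pattern (?i) becomes a scoped (?i:...) group, \z becomes \Z, and the secret quantifier is made lazy so the capture stops at the first delimiter. All sample values are constructed.

```python
import re

# Added example: the page's start / secret / end triples translated into
# Python `re` syntax. Translation assumptions (not part of the original rules):
#   \p{Cc}            -> explicit control-character range \x00-\x1f\x7f
#   (?i) mid-pattern  -> scoped (?i:...) group (Python 3.11+ rejects a global
#                        inline flag that is not at the start of the pattern)
#   \z                -> \Z (Python's end-of-input anchor)
#   secret quantifier -> lazy +? so the capture ends at the first position
#                        where the end pattern holds (otherwise the closing
#                        quote on the last line of a file would be swallowed)
RULES = {
    "db_password": (
        r"(?:[^0-9A-Za-z]|\A)(?i:(?:postgres|mysql|mysql_root)_password)[\t ]*[=:][\t ]*['\"]",
        r"[^\r\n\x00-\x1f\x7f]+?",
        r"\Z|[\r\n'\"]",
    ),
    "spring_password": (
        r"(?:spring\.datasource|jdbc)\.password[ \t]*=[ \t]*['\"]?",
        r"[^\r\n'\"\x00-\x1f\x7f]+?",
        r"\Z|['\"\r\n]",
    ),
    "django_secret_key": (
        r"\bSECRET_KEY[ \t]*=[ \t]*[\"']",
        r"[^\r\n\"']+?",
        r"['\"]",
    ),
}


def compile_rule(start, secret, end):
    """Join the three parts into one regex: the secret is a named group and
    the end pattern is a lookahead, so the delimiter must be present but is
    not reported as part of the finding."""
    return re.compile(f"{start}(?P<secret>{secret})(?={end})")


COMPILED = {name: compile_rule(*parts) for name, parts in RULES.items()}


def scan(text, rule_name):
    """Return the secret values a rule reports in one file's contents."""
    return [m.group("secret") for m in COMPILED[rule_name].finditer(text)]


# Constructed sample files (not from any real deployment).
ENV_FILE = (
    "# constructed .env sample\n"
    'POSTGRES_PASSWORD="pg-s3cret-01"\n'      # quoted, upper-case key: reported
    "mysql_root_password: 'R00t!pass'\n"      # colon separator, single quotes: reported
    "mysql_password=unquoted-value\n"         # no opening quote: this rule skips it
    "echo $POSTGRES_PASSWORD\n"               # a reference, not an assignment: skipped
)

APP_PROPERTIES = (
    "spring.datasource.url=jdbc:postgresql://db.internal/app\n"
    "spring.datasource.username=app\n"
    "spring.datasource.password=hunter2\n"    # unquoted value: reported
    'jdbc.password=""\n'                      # empty: the secret class excludes quotes, nothing reported
    "jdbc.password=${DB_PASSWORD}\n"          # placeholder: reported, this rule has no Not Match list
)

SETTINGS_PY = (
    "import os\n"
    'SECRET_KEY = os.environ.get("DJANGO_SECRET_KEY")\n'   # no quote after '=': skipped
    "SECRET_KEY = 'django-insecure-x9!k2constructed'\n"    # literal fallback: reported
)

if __name__ == "__main__":
    for name, text in (("db_password", ENV_FILE),
                       ("spring_password", APP_PROPERTIES),
                       ("django_secret_key", SETTINGS_PY)):
        print(name, scan(text, name))
```

The Spring and Django rules exclude quote characters from the secret format, which is what makes an empty quoted value (`""`) produce no finding: the secret class cannot consume the closing quote, so the one-or-more quantifier has nothing to match. The `${DB_PASSWORD}` placeholder being reported shows why the YAML rule further down carries a Not Match list.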

YAML Static Password Fields

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before committing to org level) ⚠️

Pattern to find static passwords in YAML configuration files

version: v0.1

Comments / Notes:

  • The hardcoded password is between 12 and 32 chars long
  • Some false positives in code might appear
  • The pattern only checks for certain keywords at the start of the pattern (secret, password, etc.)
Pattern Format

[^\r\n'"]+

Start Pattern

(?:\n|\A)[ \t]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key)[ \t]*:[ \t]*['"]?

End Pattern

['"\r\n]|\z

Additional Matches

Add these additional matches to the [Secret Scanning Custom Pattern](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#example-of-a-custom-pattern-specified-using-additional-requirements).

  • Not Match: ^(?:keyPassphrase|password|key|[ \t]+|\$\{[A-Za-z0-9_-]+\}|(?:str|string|int|bool)( +#.*)?),?$
  • Not Match: ^(?:.* = )?(?:None|[Tt]rue|[Ff]alse|[Nn]ull|Default(?:Type)?|Event|[A-Z]+_KEY|VERSION|NAME|update|destroy|(?:dis|en)ableEventListeners|\.\.\.),?$
  • Not Match: ^(?:(?:this|self|obj)\.)(?:[A-Za-z_]+\,|[A-Za-z_].*)$
  • Not Match: ^(?:[a-zA-Z_]+(?:\(\))?\.)*[a-zA-Z_]+\(\)$
  • Not Match: ^\s*(?:typing\.)?(?:[Tt]uple|[Ll]ist|[Dd]ict|Callable|Iterable|Sequence|Optional|Union)\[.*$

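The following is an added Python example, not code from this repository or from GitHub's scanner, showing how the YAML rule and its Not Match list work together: every value the start/secret/end regex picks out is a candidate, and a candidate is dropped when any Not Match expression matches it. The only translation assumption is \z written as \Z; the five Not Match expressions are taken from the list above unchanged. The YAML document is constructed.

```python
import re

# Added example: the YAML static-password rule plus its "Not Match" list,
# translated to Python `re` (assumption: \z -> \Z; everything else is
# accepted by Python unchanged).
START = (
    r"(?:\n|\A)[ \t]*"
    r"(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key)"
    r"[ \t]*:[ \t]*['\"]?"
)
SECRET = r"[^\r\n'\"]+"
END = r"['\"\r\n]|\Z"
RULE = re.compile(f"{START}(?P<secret>{SECRET})(?={END})")

# The additional "Not Match" requirements: a candidate secret that matches
# any of these is discarded before it is reported.
NOT_MATCH = [re.compile(p) for p in (
    r"^(?:keyPassphrase|password|key|[ \t]+|\$\{[A-Za-z0-9_-]+\}|(?:str|string|int|bool)( +#.*)?),?$",
    r"^(?:.* = )?(?:None|[Tt]rue|[Ff]alse|[Nn]ull|Default(?:Type)?|Event|[A-Z]+_KEY|VERSION|NAME|update|destroy|(?:dis|en)ableEventListeners|\.\.\.),?$",
    r"^(?:(?:this|self|obj)\.)(?:[A-Za-z_]+\,|[A-Za-z_].*)$",
    r"^(?:[a-zA-Z_]+(?:\(\))?\.)*[a-zA-Z_]+\(\)$",
    r"^\s*(?:typing\.)?(?:[Tt]uple|[Ll]ist|[Dd]ict|Callable|Iterable|Sequence|Optional|Union)\[.*$",
)]


def candidates(text):
    """Every value the start/secret/end regex picks out, before filtering."""
    return [m.group("secret") for m in RULE.finditer(text)]


def findings(text):
    """Candidates that survive the Not Match list, i.e. what would be reported."""
    return [s for s in candidates(text) if not any(p.search(s) for p in NOT_MATCH)]


# Constructed YAML, not from any real system.
SAMPLE_YAML = (
    "# constructed config sample\n"
    "database:\n"
    '  password: "ex4mple-Static-Pass-2024"\n'      # reported
    "  key: ${DB_KEY}\n"                             # placeholder: removed by the first Not Match
    "secret: None\n"                                 # literal None: removed by the second Not Match
    "service:\n"
    "  passphrase: 'short'\n"                        # reported: nothing in the regex rejects a short value
    '  secret_key: "value-under-an-unlisted-key"\n'  # key name is not in the start list: never a candidate
    "schema:\n"
    "  password: str   # type annotation\n"          # 'str' plus a comment: removed by the first Not Match
)

if __name__ == "__main__":
    print("candidates:", candidates(SAMPLE_YAML))
    print("findings:  ", findings(SAMPLE_YAML))
```

The `secret_key` line illustrates the last note above: the keyword must begin immediately after the line's leading whitespace, so compound key names are not candidates at all. The `passphrase: 'short'` line is the kind of false positive the warning refers to.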
GitHub Actions SHA Checker

version: v0.1

Comments / Notes:

  • Checks for all GitHub Actions using a version that isn't a pinned SHA-1 commit hash
  • Checks for uses: org-name/repo-name@ref where ref is a string under 40 characters
  • Not case sensitive
  • Excludes all actions whose owner is actions, github or advanced-security
Pattern Format

[a-z0-9_-]{1,39}\/[a-z0-9_-]{1,100}@[a-z0-9._-]{1,39}

Start Pattern

\buses:[ \t]{1,5}

End Pattern

\s|\z

Additional Matches

Add these additional matches to the [Secret Scanning Custom Pattern](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#example-of-a-custom-pattern-specified-using-additional-requirements).

  • Not Match: ^(actions|github|advanced-security)/

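Here is an added Python example, not code from this repository or from GitHub's scanner, that applies the SHA checker rule to a constructed workflow file. It shows why a full 40-character commit SHA never matches (the ref class allows at most 39 characters and the end pattern requires whitespace or end of input right after it), why an abbreviated SHA still does, and how the Not Match entry excludes the listed owners. Assumptions: \z is written as \Z, and the "not case sensitive" note is applied as re.IGNORECASE.

```python
import re

# Added example: the GitHub Actions SHA checker rule translated to Python `re`.
# Assumptions: \z -> \Z; the "not case sensitive" note is applied as re.IGNORECASE.
START = r"\buses:[ \t]{1,5}"
FORMAT = r"[a-z0-9_-]{1,39}\/[a-z0-9_-]{1,100}@[a-z0-9._-]{1,39}"
END = r"\s|\Z"
RULE = re.compile(f"{START}(?P<ref>{FORMAT})(?={END})", re.IGNORECASE)

# Additional "Not Match": references owned by these namespaces are accepted
# even when they are pinned to a tag rather than a SHA.
NOT_MATCH = re.compile(r"^(actions|github|advanced-security)/")


def candidates(workflow_text):
    """Every owner/repo@ref the regex picks out of a workflow file."""
    return [m.group("ref") for m in RULE.finditer(workflow_text)]


def unpinned(workflow_text):
    """Candidates that survive the Not Match filter: actions referenced by a
    tag, branch or abbreviated commit instead of a full 40-character SHA."""
    return [r for r in candidates(workflow_text) if not NOT_MATCH.search(r)]


# Constructed workflow, not a real repository's file.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
      - uses: octo-org/deploy-action@0123456789abcdef0123456789abcdef01234567 # full SHA, 40 chars
      - uses: octo-org/deploy-action@0123456 # abbreviated SHA
      - uses: Octo-Org/setup-tool@v2
      - uses: ./.github/actions/local-step
      - run: make test
"""

if __name__ == "__main__":
    for ref in unpinned(WORKFLOW):
        print("not pinned to a full SHA:", ref)
```

The local action (`./.github/actions/local-step`) is never a candidate because the format's first character class does not admit `.`; the mixed-case `Octo-Org/setup-tool@v2` is only caught because of the case-insensitive flag, which is the reason for the "not case sensitive" note.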
.NET Configuration file

version: v0.1

Comments / Notes:

  • XML key/value format
Pattern Format

[^"\x00\x08]+

Start Pattern

<add\s+key="[^"]*(?i)(password|secret|pass(?:wd|word|code|phrase)?|key|token)"\s+value="

End Pattern

\"

.NET MachineKey

version: v0.1

Comments / Notes:

  • Contents of the validationKey or decryptionKey attribute of a machineKey XML element
Pattern Format

[A-Fa-f0-9]+

Start Pattern

<machineKey\s+[^>]*(validation|decryption)Key="

End Pattern

\"
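The two .NET rules above, exercised by an added Python example that is not code from this repository or from GitHub's scanner, against a constructed web.config. It shows that the `[^"]*` prefix in the appSettings start pattern makes the keyword match only at the end of the key name (DbPassword is reported, PasswordHint is not), that an empty value is not reported, and how the machineKey rule pulls the hex value out of the element. Assumption: the mid-pattern (?i) is rendered as a scoped (?i:...) group over the rest of the start pattern, which is how PCRE would apply it.

```python
import re

# Added example: the two .NET rules translated to Python `re`.
# Assumption: the mid-pattern (?i) becomes a scoped (?i:...) group that
# covers everything after it in the start pattern, as PCRE would apply it.
APPSETTING = re.compile(
    r'<add\s+key="[^"]*'
    r'(?i:(?:password|secret|pass(?:wd|word|code|phrase)?|key|token)"\s+value=")'
    r'(?P<secret>[^"\x00\x08]+)(?=")'
)
MACHINEKEY = re.compile(
    r'<machineKey\s+[^>]*(validation|decryption)Key="'
    r'(?P<secret>[A-Fa-f0-9]+)(?=")'
)


def app_setting_secrets(xml_text):
    """Values of <add key=... value=...> entries whose key name ends in a listed word."""
    return [m.group("secret") for m in APPSETTING.finditer(xml_text)]


def machine_keys(xml_text):
    """(attribute name, hex value) pairs pulled out of <machineKey> elements."""
    return [(m.group(1) + "Key", m.group("secret")) for m in MACHINEKEY.finditer(xml_text)]


# Constructed sample, not a real application's web.config.
WEB_CONFIG = """\
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="DbPassword" value="c0nstructed-Pa55" />
    <add key="ApiToken" value="tok-constructed-0001" />
    <add key="PasswordHint" value="your first pet" />
    <add key="Timeout" value="30" />
    <add key="Secret" value="" />
  </appSettings>
  <system.web>
    <machineKey validationKey="0A1B2C3D4E5F60718293A4B5C6D7E8F9"
                decryptionKey="F9E8D7C6B5A49382716050F4E3D2C1B0"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    print("appSettings:", app_setting_secrets(WEB_CONFIG))
    print("machineKey: ", machine_keys(WEB_CONFIG))
```

One caveat that applies to this evaluator: `re.finditer` consumes the `<machineKey` prefix on the first match and the `[^>]*` run is greedy, so an element carrying both attributes yields a single finding, the last *Key attribute in the element (the decryptionKey here). A scanner that reports every match ending position would surface both keys; if you port this evaluator, scan each `<machineKey ...>` element separately to get the same effect.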