From 6e0c62d40fc9cff69cc02ed89ed7106a1f10bc38 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 25 Mar 2026 23:17:54 +0000
Subject: [PATCH 01/30] Added check to ensure files of 'Kind' proto are ignored
by 'Inspect', stoping passwords and secrets flags on said files
---
.../test/negative60.proto | 334 ++++++++++++++++++
pkg/engine/secrets/inspector.go | 5 +-
pkg/engine/secrets/inspector_test.go | 37 ++
3 files changed, 375 insertions(+), 1 deletion(-)
create mode 100644 assets/queries/common/passwords_and_secrets/test/negative60.proto
diff --git a/assets/queries/common/passwords_and_secrets/test/negative60.proto b/assets/queries/common/passwords_and_secrets/test/negative60.proto
new file mode 100644
index 00000000000..44b0784a650
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative60.proto
@@ -0,0 +1,334 @@
+syntax = "proto3";
+
+package com.example.security_test.v1;
+
+import "google/protobuf/wrappers.proto";
+import "google/protobuf/timestamp.proto";
+
+// =============================================================================
+// This file is a test fixture for secret/token/password scanning tools.
+// It should be treated as a NEGATIVE (no real secrets).
+// Proto files define schemas, not actual secret values.
+// Any secret-like strings here are example annotations, not real credentials.
+// =============================================================================
+
+// ---------------------------------------------------------------------------
+// OAuth / Identity Provider Configurations
+// ---------------------------------------------------------------------------
+
+message OAuthProviderConfig {
+ google.protobuf.StringValue client_id = 1;
+ google.protobuf.StringValue client_secret = 2;
+ google.protobuf.StringValue access_token = 3;
+ google.protobuf.StringValue refresh_token = 4;
+ google.protobuf.StringValue token_endpoint = 5;
+ google.protobuf.StringValue authorization_code = 6;
+ google.protobuf.StringValue id_token = 7;
+ google.protobuf.StringValue bearer_token = 8;
+ google.protobuf.UInt32Value token_expiry_seconds = 9;
+ google.protobuf.StringValue pkce_code_verifier = 10;
+}
+
+message SamlConfig {
+ google.protobuf.StringValue signing_certificate = 1;
+ google.protobuf.StringValue private_key = 2;
+ google.protobuf.StringValue idp_certificate = 3;
+ google.protobuf.StringValue sp_private_key = 4;
+ google.protobuf.StringValue assertion_consumer_service_url = 5;
+ google.protobuf.StringValue metadata_signing_key = 6;
+}
+
+message LdapConfig {
+ google.protobuf.StringValue bind_dn = 1;
+ google.protobuf.StringValue bind_password = 2;
+ google.protobuf.StringValue admin_password = 3;
+ google.protobuf.StringValue service_account_password = 4;
+ google.protobuf.StringValue base_dn = 5;
+ google.protobuf.BoolValue use_ssl = 6;
+ google.protobuf.StringValue ssl_certificate = 7;
+}
+
+// ---------------------------------------------------------------------------
+// API Key / Token Management
+// ---------------------------------------------------------------------------
+
+enum ApiKeyType {
+ API_KEY_TYPE_UNKNOWN = 0;
+ API_KEY_TYPE_READ_ONLY = 1;
+ API_KEY_TYPE_READ_WRITE = 2;
+ API_KEY_TYPE_ADMIN = 3;
+}
+
+message ApiKeyConfig {
+ google.protobuf.StringValue api_key = 1;
+ google.protobuf.StringValue api_secret = 2;
+ google.protobuf.StringValue api_token = 3;
+ google.protobuf.StringValue secret_key = 4;
+ google.protobuf.StringValue access_key_id = 5;
+ google.protobuf.StringValue secret_access_key = 6;
+ ApiKeyType key_type = 7;
+ google.protobuf.Timestamp expires_at = 8;
+ google.protobuf.StringValue signing_secret = 9;
+ google.protobuf.StringValue hmac_key = 10;
+}
+
+message PersonalAccessToken {
+ google.protobuf.StringValue token = 1;
+ google.protobuf.StringValue token_hash = 2;
+ google.protobuf.StringValue token_prefix = 3;
+ google.protobuf.Timestamp issued_at = 4;
+ google.protobuf.Timestamp expires_at = 5;
+ repeated string scopes = 6;
+}
+
+// ---------------------------------------------------------------------------
+// Cloud Provider Credentials
+// ---------------------------------------------------------------------------
+
+message AwsCredentials {
+ google.protobuf.StringValue aws_access_key_id = 1;
+ google.protobuf.StringValue aws_secret_access_key = 2;
+ google.protobuf.StringValue aws_session_token = 3;
+ google.protobuf.StringValue role_arn = 4;
+ google.protobuf.StringValue external_id = 5;
+ google.protobuf.StringValue kms_key_id = 6;
+}
+
+message GcpCredentials {
+ google.protobuf.StringValue service_account_key_json = 1;
+ google.protobuf.StringValue private_key_id = 2;
+ google.protobuf.StringValue private_key = 3;
+ google.protobuf.StringValue client_email = 4;
+ google.protobuf.StringValue project_id = 5;
+ google.protobuf.StringValue access_token = 6;
+}
+
+message AzureCredentials {
+ google.protobuf.StringValue tenant_id = 1;
+ google.protobuf.StringValue client_id = 2;
+ google.protobuf.StringValue client_secret = 3;
+ google.protobuf.StringValue subscription_id = 4;
+ google.protobuf.StringValue connection_string = 5;
+ google.protobuf.StringValue sas_token = 6;
+ google.protobuf.StringValue storage_account_key = 7;
+}
+
+// ---------------------------------------------------------------------------
+// Database Credentials
+// ---------------------------------------------------------------------------
+
+message DatabaseCredentials {
+ google.protobuf.StringValue host = 1;
+ google.protobuf.UInt32Value port = 2;
+ google.protobuf.StringValue username = 3;
+ google.protobuf.StringValue password = 4;
+ google.protobuf.StringValue database_name = 5;
+ google.protobuf.StringValue connection_string = 6;
+ google.protobuf.StringValue ssl_ca_cert = 7;
+ google.protobuf.StringValue ssl_client_cert = 8;
+ google.protobuf.StringValue ssl_client_key = 9;
+ google.protobuf.StringValue master_password = 10;
+ google.protobuf.StringValue replication_password = 11;
+}
+
+message RedisCredentials {
+ google.protobuf.StringValue host = 1;
+ google.protobuf.UInt32Value port = 2;
+ google.protobuf.StringValue password = 3;
+ google.protobuf.StringValue auth_token = 4;
+ google.protobuf.StringValue tls_cert = 5;
+}
+
+// ---------------------------------------------------------------------------
+// Third-Party Integration Credentials
+// ---------------------------------------------------------------------------
+
+message SlackIntegrationConfig {
+ google.protobuf.StringValue bot_token = 1;
+ google.protobuf.StringValue signing_secret = 2;
+ google.protobuf.StringValue verification_token = 3;
+ google.protobuf.StringValue oauth_access_token = 4;
+ google.protobuf.StringValue webhook_secret = 5;
+ google.protobuf.StringValue app_token = 6;
+}
+
+message GitHubIntegrationConfig {
+ google.protobuf.StringValue personal_access_token = 1;
+ google.protobuf.StringValue webhook_secret = 2;
+ google.protobuf.StringValue app_private_key = 3;
+ google.protobuf.StringValue app_installation_token = 4;
+ google.protobuf.StringValue deploy_key = 5;
+ google.protobuf.StringValue oauth_client_secret = 6;
+}
+
+message StripeConfig {
+ google.protobuf.StringValue publishable_key = 1;
+ google.protobuf.StringValue secret_key = 2;
+ google.protobuf.StringValue webhook_signing_secret = 3;
+ google.protobuf.StringValue restricted_api_key = 4;
+}
+
+message TwilioConfig {
+ google.protobuf.StringValue account_sid = 1;
+ google.protobuf.StringValue auth_token = 2;
+ google.protobuf.StringValue api_key_sid = 3;
+ google.protobuf.StringValue api_key_secret = 4;
+}
+
+message SendGridConfig {
+ google.protobuf.StringValue api_key = 1;
+ google.protobuf.StringValue smtp_password = 2;
+ google.protobuf.StringValue webhook_verification_key = 3;
+}
+
+// ---------------------------------------------------------------------------
+// Encryption and Signing
+// ---------------------------------------------------------------------------
+
+message EncryptionConfig {
+ google.protobuf.StringValue encryption_key = 1;
+ google.protobuf.StringValue decryption_key = 2;
+ google.protobuf.StringValue master_key = 3;
+ google.protobuf.StringValue data_encryption_key = 4;
+ google.protobuf.StringValue key_encryption_key = 5;
+ google.protobuf.StringValue initialization_vector = 6;
+ google.protobuf.StringValue passphrase = 7;
+ google.protobuf.StringValue salt = 8;
+}
+
+message JwtConfig {
+ google.protobuf.StringValue jwt_secret = 1;
+ google.protobuf.StringValue jwt_private_key = 2;
+ google.protobuf.StringValue jwt_public_key = 3;
+ google.protobuf.StringValue jwt_signing_key = 4;
+ google.protobuf.UInt32Value jwt_expiry_seconds = 5;
+ google.protobuf.StringValue jwt_refresh_secret = 6;
+}
+
+message SshConfig {
+ google.protobuf.StringValue ssh_private_key = 1;
+ google.protobuf.StringValue ssh_public_key = 2;
+ google.protobuf.StringValue ssh_passphrase = 3;
+ google.protobuf.StringValue ssh_host_key = 4;
+ google.protobuf.StringValue known_hosts_entry = 5;
+}
+
+message TlsConfig {
+ google.protobuf.StringValue tls_certificate = 1;
+ google.protobuf.StringValue tls_private_key = 2;
+ google.protobuf.StringValue ca_certificate = 3;
+ google.protobuf.StringValue ca_private_key = 4;
+ google.protobuf.StringValue pfx_password = 5;
+ google.protobuf.StringValue keystore_password = 6;
+ google.protobuf.StringValue truststore_password = 7;
+}
+
+// ---------------------------------------------------------------------------
+// User / Account Credentials
+// ---------------------------------------------------------------------------
+
+message UserCredentials {
+ google.protobuf.StringValue username = 1;
+ google.protobuf.StringValue password = 2;
+ google.protobuf.StringValue password_hash = 3;
+ google.protobuf.StringValue password_salt = 4;
+ google.protobuf.StringValue totp_secret = 5;
+ google.protobuf.StringValue recovery_codes = 6;
+ google.protobuf.StringValue security_question_answer = 7;
+ google.protobuf.StringValue pin_code = 8;
+}
+
+message ServiceAccountCredentials {
+ google.protobuf.StringValue service_account_id = 1;
+ google.protobuf.StringValue service_account_secret = 2;
+ google.protobuf.StringValue service_account_token = 3;
+ google.protobuf.StringValue service_account_private_key = 4;
+ google.protobuf.StringValue credentials_json = 5;
+}
+
+// ---------------------------------------------------------------------------
+// Webhook Secrets (similar to the original file's domain)
+// ---------------------------------------------------------------------------
+
+message WebhookSecurityConfig {
+ google.protobuf.StringValue webhook_secret = 1;
+ google.protobuf.StringValue signing_key = 2;
+ google.protobuf.StringValue verification_token = 3;
+ google.protobuf.StringValue shared_secret = 4;
+ google.protobuf.StringValue callback_token = 5;
+ google.protobuf.StringValue hmac_secret = 6;
+ google.protobuf.StringValue basic_auth_username = 7;
+ google.protobuf.StringValue basic_auth_password = 8;
+}
+
+// ---------------------------------------------------------------------------
+// Container / Orchestration Secrets
+// ---------------------------------------------------------------------------
+
+message KubernetesSecretRef {
+ google.protobuf.StringValue secret_name = 1;
+ google.protobuf.StringValue secret_namespace = 2;
+ google.protobuf.StringValue kubeconfig = 3;
+ google.protobuf.StringValue cluster_ca_certificate = 4;
+ google.protobuf.StringValue service_account_token = 5;
+ google.protobuf.StringValue docker_config_json = 6;
+ google.protobuf.StringValue image_pull_secret = 7;
+}
+
+message DockerRegistryCredentials {
+ google.protobuf.StringValue registry_url = 1;
+ google.protobuf.StringValue registry_username = 2;
+ google.protobuf.StringValue registry_password = 3;
+ google.protobuf.StringValue registry_token = 4;
+ google.protobuf.StringValue docker_auth = 5;
+}
+
+// ---------------------------------------------------------------------------
+// CI/CD Pipeline Secrets
+// ---------------------------------------------------------------------------
+
+message CiCdSecrets {
+ google.protobuf.StringValue deploy_token = 1;
+ google.protobuf.StringValue ci_token = 2;
+ google.protobuf.StringValue npm_token = 3;
+ google.protobuf.StringValue pypi_token = 4;
+ google.protobuf.StringValue nuget_api_key = 5;
+ google.protobuf.StringValue sonar_token = 6;
+ google.protobuf.StringValue codecov_token = 7;
+ google.protobuf.StringValue artifactory_password = 8;
+ google.protobuf.StringValue nexus_password = 9;
+ google.protobuf.StringValue gpg_signing_key = 10;
+ google.protobuf.StringValue cosign_private_key = 11;
+}
+
+// ---------------------------------------------------------------------------
+// Aggregate Configuration (uses all of the above)
+// ---------------------------------------------------------------------------
+
+message IntegrationCredentials {
+ oneof credentials {
+ OAuthProviderConfig oauth = 1;
+ SamlConfig saml = 2;
+ LdapConfig ldap = 3;
+ ApiKeyConfig api_key = 4;
+ AwsCredentials aws = 5;
+ GcpCredentials gcp = 6;
+ AzureCredentials azure = 7;
+ DatabaseCredentials database = 8;
+ RedisCredentials redis = 9;
+ SlackIntegrationConfig slack = 10;
+ GitHubIntegrationConfig github = 11;
+ StripeConfig stripe = 12;
+ TwilioConfig twilio = 13;
+ SendGridConfig sendgrid = 14;
+ EncryptionConfig encryption = 15;
+ JwtConfig jwt = 16;
+ SshConfig ssh = 17;
+ TlsConfig tls = 18;
+ UserCredentials user = 19;
+ ServiceAccountCredentials service_account = 20;
+ KubernetesSecretRef kubernetes = 21;
+ DockerRegistryCredentials docker = 22;
+ CiCdSecrets ci_cd = 23;
+ }
+}
\ No newline at end of file
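Review bot: The fixture ends without a trailing newline (the `\ No newline at end of file` marker), which most proto formatters and linters will flag on the next touch; add the final newline. In `ApiKeyType` the zero value is named `API_KEY_TYPE_UNKNOWN = 0;` while the usual convention is `API_KEY_TYPE_UNSPECIFIED = 0;` — harmless for a scanner fixture, but worth aligning since this file may be copied as a template. The header comment promises that any secret-like strings are example annotations, yet the file holds only declarations, so that sentence could be shortened to the first three lines to match what is actually here.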
diff --git a/pkg/engine/secrets/inspector.go b/pkg/engine/secrets/inspector.go
index 36dfa4aab00..20602131733 100644
--- a/pkg/engine/secrets/inspector.go
+++ b/pkg/engine/secrets/inspector.go
@@ -660,13 +660,16 @@ func ignoreLine(lineNumber int, linesIgnore []int) bool {
return false
}
-// cleanFiles keeps one file per filePath
+// cleanFiles keeps one file per filePath and filters .proto files
func cleanFiles(files model.FileMetadatas) model.FileMetadatas {
keys := make(map[string]bool)
cleanFiles := model.FileMetadatas{}
for i := range files {
+ if files[i].Kind == model.KindPROTO {
+ continue
+ }
filePath := files[i].FilePath
if _, value := keys[filePath]; !value {
keys[filePath] = true
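Review bot: The `files[i].Kind == model.KindPROTO` skip drops every `.proto` file from secrets inspection, so a credential written into a proto comment or an option string value is never scanned at all; the exclusion is wider than the false positive it appears to target, which (judging by the test fixture) is field declarations such as `string password = 4;` that the assignment-shaped regex rules read as values. A narrower fix would be an allow rule matching the `type name = number;` declaration form, or restricting the skip to non-comment lines of proto files, so comment lines stay under inspection. Putting a kind filter inside a function whose comment describes deduplication also mixes two concerns; if it stays here, the comment should say why, e.g. `// cleanFiles keeps one file per filePath and skips .proto files, whose field declarations look like assignments to the regex rules.` The body of `cleanFiles` continues past the end of the hunk.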
diff --git a/pkg/engine/secrets/inspector_test.go b/pkg/engine/secrets/inspector_test.go
index 2b5bbf12b55..5839c5b9e0d 100644
--- a/pkg/engine/secrets/inspector_test.go
+++ b/pkg/engine/secrets/inspector_test.go
@@ -260,6 +260,28 @@ var OriginalData7 = `# kics-scan disable=baee238e-1921-4801-9c3f-79ae1d7b2cbc
register: result
`
+var OriginalData8 = `
+ syntax = "proto3";
+
+ package com.example.security_test.v1;
+
+ import "google/protobuf/wrappers.proto";
+ import "google/protobuf/timestamp.proto";
+
+ message OAuthProviderConfig {
+ google.protobuf.StringValue client_id = 1;
+ google.protobuf.StringValue client_secret = 2;
+ google.protobuf.StringValue access_token = 3;
+ google.protobuf.StringValue refresh_token = 4;
+ google.protobuf.StringValue token_endpoint = 5;
+ google.protobuf.StringValue authorization_code = 6;
+ google.protobuf.StringValue id_token = 7;
+ google.protobuf.StringValue bearer_token = 8;
+ google.protobuf.UInt32Value token_expiry_seconds = 9;
+ google.protobuf.StringValue pkce_code_verifier = 10;
+ }
+`
+
var testInspectInput = []struct {
name string
files model.FileMetadatas
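Review bot: `OriginalData8` contains declarations such as `access_token = 3;` and `refresh_token = 4;` that the Generic Token rule (as it stood in regex_rules.json before the next patch in this series) would match on a non-proto file, so the new negative case only proves something while those rules keep matching; nothing in the table asserts the positive side. Add a sibling entry using the same `OriginalData8` with a different `Kind` and a non-empty `wantVuln`, so a later rule change cannot make the proto case pass vacuously. The raw string is also indented by one space on every line, which differs from the on-disk fixture added in this commit; either is fine, but it should be deliberate.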
@@ -418,6 +440,21 @@ var testInspectInput = []struct {
wantVuln: []model.Vulnerability{},
wantErr: false,
},
+ {
+ name: "invalid_file_kind",
+ files: model.FileMetadatas{
+ {
+ ID: "a6fbadc6-da29-4340-8d56-aa26a8852526",
+ Document: model.Document{},
+ OriginalData: OriginalData8,
+ LinesOriginalData: utils.SplitLines(OriginalData8),
+ Kind: "PROTO",
+ FilePath: "assets/queries/common/passwords_and_secrets/test/negative60.proto",
+ },
+ },
+ wantVuln: []model.Vulnerability{},
+ wantErr: false,
+ },
}
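Review bot: The new table entry sets `Kind: "PROTO"` as a string literal while `cleanFiles` compares against `model.KindPROTO`, so the test silently stops exercising the skip if that constant's value ever changes; use `Kind: model.KindPROTO,` here. The name `"invalid_file_kind"` is misleading — a proto file is a valid kind that is deliberately excluded — something like `"proto_file_is_skipped"` describes what is asserted. The `FilePath` points at the fixture added in this commit but the content comes from `OriginalData8`, which is only the first message of that file; a one-line comment noting that the in-test string is a trimmed copy would save the next reader a comparison.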
var testNewInspectorInputs = []struct {
From 99d42f67dd1fe47ad7b679041638a5b0cf34d8ec Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 15:00:21 +0000
Subject: [PATCH 02/30] Changed approach, proto files should flag if they have
secrets within commented lines, new allow rules prevent proto files fields
from flagging
---
.../passwords_and_secrets/regex_rules.json | 900 +++++++++--------
.../test/negative60.proto | 388 +------
.../test/positive56.proto | 18 +
.../test/positive_expected_result.json | 944 +++++++++---------
pkg/engine/secrets/inspector.go | 5 +-
pkg/engine/secrets/inspector_test.go | 36 +-
6 files changed, 1034 insertions(+), 1257 deletions(-)
create mode 100644 assets/queries/common/passwords_and_secrets/test/positive56.proto
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 4620f0285cd..40608122628 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -1,442 +1,458 @@
-{
- "rules": [
- {
- "id": "487f4be7-3fd9-4506-a07a-eae252180c08",
- "name": "Generic Password",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?",
- "allowRules": [
- {
- "description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)"
- },
- {
- "description": "Avoiding description field",
- "regex": "(?i)['\"]?description['\"]?\\s*=\\s*['\"].*['\"]"
- },
- {
- "description": "Avoiding Terraform 'optional' statement",
- "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)$"
- },
- {
- "description": "Avoiding Terraform 'try' statement",
- "regex": "(?i)['\"]?password['\"]?\\s*=\\s*try\\([^\"']+,[^\"']+\\)$"
- },
- {
- "description": "Avoiding CF AllowUsersToChangePassword",
- "regex": "['\"]?AllowUsersToChangePassword['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
- },
- {
- "description": "Avoiding Ansible playbook update_password",
- "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
- },
- {
- "description": "Allow placeholders",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"](\\$\\(|\\$?\\{\\{)\\s*\\w+\\s*(\\)|\\}\\})['\"]"
- },
- {
- "description": "Allow empty values",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(''|\"\")"
- },
- {
- "description": "Allow password retrieved from ARM parameters",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"]([a-zA-Z][a-zA-Z0-9_-]*)['\"]['\"]?\\)"
- }
- ],
- "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"
- },
- {
- "id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99",
- "name": "Generic Secret",
- "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]{10,})['\"]?",
- "entropies": [
- {
- "group": 3,
- "min": 2.8,
- "max": 8
- }
- ],
- "allowRules": [
- {
- "description": "Avoiding Square OAuth Secret",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?"
- },
- {
- "description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\.\\)\\]\\$]|(:\\s*null))|null)"
- },
- {
- "description": "Avoiding Secrets Manager arn",
- "regex": ":secretsmanager:[a-z0-9-*?]+:[0-9*?]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding CloudFormation Parameters Descriptions",
- "regex": "['\"]?Description['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*${}+-.'\"]+)['\"]?"
- },
- {
- "description": "Avoiding Secrets from Azure Key Vault",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+-]+}?"
- },
- {
- "description": "Allow secret retrieved from ARM parameters",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_-]*['\"]\\s*\\)\\s*\\]"
- },
- {
- "description": "Allow secrets retrieved from Bicep getSecret built in function",
- "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"
- }
- ],
- "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*"
- },
- {
- "id": "51b5b840-cd0c-4556-98a7-fe5f4def80cf",
- "name": "Asymmetric private key",
- "regex": "-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----\\s*(([A-Za-z0-9+,:\\-\\/=\\n\\r]+\\s*)+)-----END ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----",
- "multiline": {
- "detectLineGroup": 4
- },
- "entropies": [
- {
- "group": 5,
- "min": 3.7,
- "max": 12
- }
- ],
- "specialMask": "all"
- },
- {
- "id": "a007a85e-a2a7-4a81-803a-7a2ca0c65abb",
- "name": "Putty User Key File Content",
- "regex": "['\"]?PuTTY-User-Key-File-\\d: ([\\w\\d-:\\n\\s+/=]+Private-MAC: [\\d\\w\"]+)['\"]?",
- "multiline": {
- "detectLineGroup": 1
- },
- "specialMask": "all"
- },
- {
- "id": "c4d3b58a-e6d4-450f-9340-04f1e702eaae",
- "name": "Password in URL",
- "regex": "['\"]?[a-zA-Z]{3,10}://[^/\\s:@$]*?:[^/\\s:@$]*?@[^/\\s:@$]*['\"]?"
- },
- {
- "id": "76c0bcde-903d-456e-ac13-e58c34987852",
- "name": "AWS Access Key",
- "regex": "(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}"
- },
- {
- "id": "76c0bcde-903d-456e-ac13-e58c34987852",
- "name": "AWS Context-specific credential",
- "regex": "(A3T[A-Z0-9]|ACCA)[A-Z0-9]{16}"
- },
- {
- "id": "76c0bcde-903d-456e-ac13-e58c34987852",
- "name": "AWS Certificate",
- "regex": "(A3T[A-Z0-9]|ASCA)[A-Z0-9]{16}"
- },
- {
- "id": "83ab47ff-381d-48cd-bac5-fb32222f54af",
- "name": "AWS Secret Key",
- "regex": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*['\"]?([a-zA-Z0-9/]{40})[\"']?",
- "entropies": [
- {
- "group": 3,
- "min": 4.8,
- "max": 7
- }
- ],
- "specialMask": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*"
- },
- {
- "id": "4b2b5fd3-364d-4093-bac2-17391b2a5297",
- "name": "K8s Environment Variable Password",
- "regex": "apiVersion((.*)\\s*)*env:((.*)\\s*)*name:\\s*\\w+(?i)pass((?i)word)?\\w*\\s*(value):\\s*([\"|'].*[\"|'])",
- "multiline": {
- "detectLineGroup": 7
- },
- "specialMask": "\\s*(value):\\s*"
- },
- {
- "id": "d651cca2-2156-4d17-8e76-423e68de5c8b",
- "name": "Google OAuth",
- "regex": "['\"]?[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com['\"]?"
- },
- {
- "id": "ccde326f-ebc7-4772-8ad5-de66e90a8cc3",
- "name": "Slack Webhook",
- "regex": "['\"]?https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}['\"]?"
- },
- {
- "id": "d6214dca-a31b-425f-bcf7-f4faa772a1c0",
- "name": "MSTeams Webhook",
- "regex": "['\"]?https://[a-zA-Z0-9_]{1,24}.webhook.office.com/webhook(b2)?/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/IncomingWebhook/[a-z0-9]+/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"]?"
- },
- {
- "id": "7908a9e3-5cac-41b1-b514-5f6d82ce02d5",
- "name": "Slack Token",
- "regex": "['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
- },
- {
- "id": "6abcae17-b175-4698-a9a5-b07661974749",
- "name": "Stripe API Key",
- "regex": "['\"]?sk_live_[0-9a-zA-Z]{24}[^0-9a-zA-Z]['\"]?"
- },
- {
- "id": "0b1b2482-51e7-49d1-893d-522afa4a6bd0",
- "name": "Square Access Token",
- "regex": "sq0atp-[0-9A-Za-z\\-_]{22}"
- },
- {
- "id": "6c54f9da-1a11-445a-8568-0d327e6af8be",
- "name": "MailChimp API Key",
- "regex": "[0-9a-f]{32}-us[0-9]{1,2}"
- },
- {
- "id": "e9856348-4069-4ac0-bd91-415f6a7b84a4",
- "name": "Google API Key",
- "regex": "['\"]?AIza[0-9A-Za-z\\-_]{35}['\"]?"
- },
- {
- "id": "9a3650af-5b88-48cd-ab89-cd77fd0b633f",
- "name": "Heroku API Key",
- "regex": "['\"]?(?i)heroku((.|\\n)*)\\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\\b['\"]?",
- "multiline": {
- "detectLineGroup": 3
- },
- "specialMask": "['\"]?(?i)api_key[^\\w\"']+"
- },
- {
- "id": "bb51eb1e-0357-44a2-86d7-dd5350cffd43",
- "name": "Square OAuth Secret",
- "regex": "['\"]?sq0csp-[0-9A-Za-z\\-_]{43}['\"]?"
- },
- {
- "id": "ac8c8075-6ec0-4367-9e26-30ec8161d258",
- "name": "Amazon MWS Auth Token",
- "regex": "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
- },
- {
- "id": "41a1ca8d-f466-4084-a8c9-50f8b22200d5",
- "name": "Google OAuth Access Token",
- "regex": "ya29\\.[0-9A-Za-z\\-_]+"
- },
- {
- "id": "4919b847-e3da-402a-acf8-6cea8e529993",
- "name": "PayPal Braintree Access Token",
- "regex": "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}"
- },
- {
- "id": "54274b18-bfac-47ce-afd1-0f05bc3e3b59",
- "name": "Stripe Restricted API Key",
- "regex": "['\"]?rk_live_[0-9a-zA-Z]{24}['\"]?"
- },
- {
- "id": "5176e805-0cda-44fa-ac96-c092c646180a",
- "name": "Facebook Access Token",
- "regex": "['\"]?EAACEdEose0cBA[0-9A-Za-z]+['\"]?"
- },
- {
- "id": "74736dd1-dd11-4139-beb6-41cd43a50317",
- "name": "Generic API Key",
- "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?([0-9a-zA-Z]{32,45})['\"]?",
- "allowRules": [
- {
- "description": "Avoiding Twilio API Key",
- "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?(SK[0-9a-fA-F]{32})['\"]?"
- }
- ],
- "specialMask": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*"
- },
- {
- "id": "62d0025d-9575-4eff-b60b-d3b4fcec0d04",
- "name": "Mailgun API Key",
- "regex": "['\"]?key-[0-9a-zA-Z]{32}['\"]?"
- },
- {
- "id": "50cc5f03-e686-4183-97e9-12f9b55d0f97",
- "name": "Picatic API Key",
- "regex": "sk_live_[0-9a-z]{32}"
- },
- {
- "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
- "name": "Twilio API Key",
- "regex": "SK[0-9a-fA-F]{32}"
- },
- {
- "id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
- "name": "Generic Access Key",
- "regex": "(?i)^\\s*['\"]?(access)[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
- "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*"
- },
- {
- "id": "2f665079-c383-4b33-896e-88268c1fa258",
- "name": "Generic Private Key",
- "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
- "specialMask": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*",
- "allowRules": [
- {
- "description": "Avoiding bash variables",
- "regex": "(?i)['\"]?\\$\\s*\\{[^\\s\\}]+\\}['\"]?"
- },
- {
- "description": "Avoid Docker Compose secrets paths",
- "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?/run/secrets/\\w+['\"]?"
- }
- ]
- },
- {
- "id": "baee238e-1921-4801-9c3f-79ae1d7b2cbc",
- "name": "Generic Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
- "allowRules": [
- {
- "description": "Avoiding Amazon MWS Auth Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]?"
- },
- {
- "description": "Avoiding Slack Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
- },
- {
- "description": "Avoiding Square Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(sq0atp-[0-9A-Za-z\\-_]{22})['\"]?"
- },
- {
- "description": "Avoiding Google OAuth Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(ya29\\.[0-9A-Za-z\\-_]+)['\"]?"
- },
- {
- "description": "Avoiding PayPal Braintree Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32})['\"]?"
- },
- {
- "description": "Avoiding Facebook Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(EAACEdEose0cBA[0-9A-Za-z]+)['\"]?"
- },
- {
- "description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
- },
- {
- "description": "Avoiding TF creation token",
- "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding CLoudformation ServiceToken",
- "regex": "['\"]?ServiceToken['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
- },
- {
- "description": "Avoiding LifecycleActionToken Var",
- "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding Github id-token Default Values",
- "regex": "(?i)['\"]?id-token['\"]?\\s*[:=]\\s*(write|read|none)"
- },
- {
- "description": "Avoiding result_token Var",
- "regex": "(?i)['\"]?result(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding next_token Var",
- "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding next_token Var",
- "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding references to module outputs in Bicep",
- "regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)"
- },
- {
- "description": "Avoiding Run After Triggers (if written in conformity with best practices)",
- "regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- }
- ],
- "specialMask": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*"
-
- },
- {
- "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
- "name": "CloudFormation Secret Template",
- "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+-]{10,})}",
- "specialMask": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*"
- },
- {
- "id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6",
- "name": "Encryption Key",
- "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
- "allowRules": [
- {
- "description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
- },
- {
- "description": "Avoiding CLoudformation KeyName",
- "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
- }
- ],
- "specialMask": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*"
- },
- {
- "id": "8a879bc7-6f82-40fd-bb48-74d25d557fe8",
- "name": "SendGrid API Key",
- "regex": "(?i)SG\\.[a-zA-Z0-9\\-\\_]{22}\\.[a-zA-Z0-9\\-\\_]{43}\\s*"
- },
- {
- "id": "be0ed753-d304-4363-844a-144050d4006d",
- "name": "Generic Password on YAML files when value in tuple",
- "regex": ".*password\\s*:[\\n|\\r]\\s*value:([^\\n|\\r]*)",
- "multiline": {
- "detectLineGroup": 1
- },
- "specialMask": ".*password\\s*:[\\n|\\r]\\s*value:"
- },
- {
- "id": "f05f238a-2ef0-4c39-9a36-951de1ba6dc9",
- "name": "Dockerfile ENV hardcoded password with omitted equals",
- "regex": "(?i)ENV\\s+[A-Za-z0-9/~^_!@&%()=?*+-.]*password[A-Za-z0-9/~^_!@&%()=?*+-.]*\\s+['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?"
- }
- ],
- "allowRules": [
- {
- "description": "Avoiding TF variables",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(var\\.)['\"]?"
- },
- {
- "description": "!Ref is a cloudFormation reference",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+!Ref\\s+\\.*"
- },
- {
- "description": "Avoiding cloudFormation intrinsic functions",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|!Not|Fn::Transform(:)?)\\s+\\.*"
- },
- {
- "description": "Avoiding CF resolve",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?({{resolve:)['\"]?"
- },
- {
- "description": "Avoiding Boolean's",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(true|false)['\"]?"
- },
- {
- "description": "Avoiding arn",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(arn:)['\"]?"
- },
- {
- "description": "Avoiding array access",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,}\\[([0-9]|['\"][a-zA-Z0-9]+['\"])\\])['\"]?"
- },
- {
- "description": "Avoiding TF file function",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(file\\()['\"]?"
- },
- {
- "description": "Avoiding ansible-vault encrypted variables",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(!vault \\|)['\"]?"
- },
- {
- "description": "Avoiding sha-hashed mysql native passwords",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(\\*[0-9A-F]{40})['\"]?"
- }
- ]
-}
+{
+ "rules": [
+ {
+ "id": "487f4be7-3fd9-4506-a07a-eae252180c08",
+ "name": "Generic Password",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?",
+ "allowRules": [
+ {
+ "description": "Avoiding TF resource access",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)"
+ },
+ {
+ "description": "Avoiding description field",
+ "regex": "(?i)['\"]?description['\"]?\\s*=\\s*['\"].*['\"]"
+ },
+ {
+ "description": "Avoiding Terraform 'optional' statement",
+ "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)$"
+ },
+ {
+ "description": "Avoiding Terraform 'try' statement",
+ "regex": "(?i)['\"]?password['\"]?\\s*=\\s*try\\([^\"']+,[^\"']+\\)$"
+ },
+ {
+ "description": "Avoiding CF AllowUsersToChangePassword",
+ "regex": "['\"]?AllowUsersToChangePassword['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+ },
+ {
+ "description": "Avoiding Ansible playbook update_password",
+ "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+ },
+ {
+ "description": "Allow placeholders",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"](\\$\\(|\\$?\\{\\{)\\s*\\w+\\s*(\\)|\\}\\})['\"]"
+ },
+ {
+ "description": "Allow empty values",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(''|\"\")"
+ },
+ {
+ "description": "Allow password retrieved from ARM parameters",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"]([a-zA-Z][a-zA-Z0-9_-]*)['\"]['\"]?\\)"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)password\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ }
+ ],
+ "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"
+ },
+ {
+ "id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99",
+ "name": "Generic Secret",
+ "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]{10,})['\"]?",
+ "entropies": [
+ {
+ "group": 3,
+ "min": 2.8,
+ "max": 8
+ }
+ ],
+ "allowRules": [
+ {
+ "description": "Avoiding Square OAuth Secret",
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?"
+ },
+ {
+ "description": "Avoiding TF resource access",
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\.\\)\\]\\$]|(:\\s*null))|null)"
+ },
+ {
+ "description": "Avoiding Secrets Manager arn",
+ "regex": ":secretsmanager:[a-z0-9-*?]+:[0-9*?]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding CloudFormation Parameters Descriptions",
+ "regex": "['\"]?Description['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*${}+-.'\"]+)['\"]?"
+ },
+ {
+ "description": "Avoiding Secrets from Azure Key Vault",
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+-]+}?"
+ },
+ {
+ "description": "Allow secret retrieved from ARM parameters",
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_-]*['\"]\\s*\\)\\s*\\]"
+ },
+ {
+ "description": "Allow secrets retrieved from Bicep getSecret built in function",
+ "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"
+ }
+ ],
+ "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*"
+ },
+ {
+ "id": "51b5b840-cd0c-4556-98a7-fe5f4def80cf",
+ "name": "Asymmetric private key",
+ "regex": "-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----\\s*(([A-Za-z0-9+,:\\-\\/=\\n\\r]+\\s*)+)-----END ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----",
+ "multiline": {
+ "detectLineGroup": 4
+ },
+ "entropies": [
+ {
+ "group": 5,
+ "min": 3.7,
+ "max": 12
+ }
+ ],
+ "specialMask": "all"
+ },
+ {
+ "id": "a007a85e-a2a7-4a81-803a-7a2ca0c65abb",
+ "name": "Putty User Key File Content",
+ "regex": "['\"]?PuTTY-User-Key-File-\\d: ([\\w\\d-:\\n\\s+/=]+Private-MAC: [\\d\\w\"]+)['\"]?",
+ "multiline": {
+ "detectLineGroup": 1
+ },
+ "specialMask": "all"
+ },
+ {
+ "id": "c4d3b58a-e6d4-450f-9340-04f1e702eaae",
+ "name": "Password in URL",
+ "regex": "['\"]?[a-zA-Z]{3,10}://[^/\\s:@$]*?:[^/\\s:@$]*?@[^/\\s:@$]*['\"]?"
+ },
+ {
+ "id": "76c0bcde-903d-456e-ac13-e58c34987852",
+ "name": "AWS Access Key",
+ "regex": "(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}"
+ },
+ {
+ "id": "76c0bcde-903d-456e-ac13-e58c34987852",
+ "name": "AWS Context-specific credential",
+ "regex": "(A3T[A-Z0-9]|ACCA)[A-Z0-9]{16}"
+ },
+ {
+ "id": "76c0bcde-903d-456e-ac13-e58c34987852",
+ "name": "AWS Certificate",
+ "regex": "(A3T[A-Z0-9]|ASCA)[A-Z0-9]{16}"
+ },
+ {
+ "id": "83ab47ff-381d-48cd-bac5-fb32222f54af",
+ "name": "AWS Secret Key",
+ "regex": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*['\"]?([a-zA-Z0-9/]{40})[\"']?",
+ "entropies": [
+ {
+ "group": 3,
+ "min": 4.8,
+ "max": 7
+ }
+ ],
+ "specialMask": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*"
+ },
+ {
+ "id": "4b2b5fd3-364d-4093-bac2-17391b2a5297",
+ "name": "K8s Environment Variable Password",
+ "regex": "apiVersion((.*)\\s*)*env:((.*)\\s*)*name:\\s*\\w+(?i)pass((?i)word)?\\w*\\s*(value):\\s*([\"|'].*[\"|'])",
+ "multiline": {
+ "detectLineGroup": 7
+ },
+ "specialMask": "\\s*(value):\\s*"
+ },
+ {
+ "id": "d651cca2-2156-4d17-8e76-423e68de5c8b",
+ "name": "Google OAuth",
+ "regex": "['\"]?[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com['\"]?"
+ },
+ {
+ "id": "ccde326f-ebc7-4772-8ad5-de66e90a8cc3",
+ "name": "Slack Webhook",
+ "regex": "['\"]?https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}['\"]?"
+ },
+ {
+ "id": "d6214dca-a31b-425f-bcf7-f4faa772a1c0",
+ "name": "MSTeams Webhook",
+ "regex": "['\"]?https://[a-zA-Z0-9_]{1,24}.webhook.office.com/webhook(b2)?/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/IncomingWebhook/[a-z0-9]+/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"]?"
+ },
+ {
+ "id": "7908a9e3-5cac-41b1-b514-5f6d82ce02d5",
+ "name": "Slack Token",
+ "regex": "['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
+ },
+ {
+ "id": "6abcae17-b175-4698-a9a5-b07661974749",
+ "name": "Stripe API Key",
+ "regex": "['\"]?sk_live_[0-9a-zA-Z]{24}[^0-9a-zA-Z]['\"]?"
+ },
+ {
+ "id": "0b1b2482-51e7-49d1-893d-522afa4a6bd0",
+ "name": "Square Access Token",
+ "regex": "sq0atp-[0-9A-Za-z\\-_]{22}"
+ },
+ {
+ "id": "6c54f9da-1a11-445a-8568-0d327e6af8be",
+ "name": "MailChimp API Key",
+ "regex": "[0-9a-f]{32}-us[0-9]{1,2}"
+ },
+ {
+ "id": "e9856348-4069-4ac0-bd91-415f6a7b84a4",
+ "name": "Google API Key",
+ "regex": "['\"]?AIza[0-9A-Za-z\\-_]{35}['\"]?"
+ },
+ {
+ "id": "9a3650af-5b88-48cd-ab89-cd77fd0b633f",
+ "name": "Heroku API Key",
+ "regex": "['\"]?(?i)heroku((.|\\n)*)\\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\\b['\"]?",
+ "multiline": {
+ "detectLineGroup": 3
+ },
+ "specialMask": "['\"]?(?i)api_key[^\\w\"']+"
+ },
+ {
+ "id": "bb51eb1e-0357-44a2-86d7-dd5350cffd43",
+ "name": "Square OAuth Secret",
+ "regex": "['\"]?sq0csp-[0-9A-Za-z\\-_]{43}['\"]?"
+ },
+ {
+ "id": "ac8c8075-6ec0-4367-9e26-30ec8161d258",
+ "name": "Amazon MWS Auth Token",
+ "regex": "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
+ },
+ {
+ "id": "41a1ca8d-f466-4084-a8c9-50f8b22200d5",
+ "name": "Google OAuth Access Token",
+ "regex": "ya29\\.[0-9A-Za-z\\-_]+"
+ },
+ {
+ "id": "4919b847-e3da-402a-acf8-6cea8e529993",
+ "name": "PayPal Braintree Access Token",
+ "regex": "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}"
+ },
+ {
+ "id": "54274b18-bfac-47ce-afd1-0f05bc3e3b59",
+ "name": "Stripe Restricted API Key",
+ "regex": "['\"]?rk_live_[0-9a-zA-Z]{24}['\"]?"
+ },
+ {
+ "id": "5176e805-0cda-44fa-ac96-c092c646180a",
+ "name": "Facebook Access Token",
+ "regex": "['\"]?EAACEdEose0cBA[0-9A-Za-z]+['\"]?"
+ },
+ {
+ "id": "74736dd1-dd11-4139-beb6-41cd43a50317",
+ "name": "Generic API Key",
+ "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?([0-9a-zA-Z]{32,45})['\"]?",
+ "allowRules": [
+ {
+ "description": "Avoiding Twilio API Key",
+ "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?(SK[0-9a-fA-F]{32})['\"]?"
+ }
+ ],
+ "specialMask": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*"
+ },
+ {
+ "id": "62d0025d-9575-4eff-b60b-d3b4fcec0d04",
+ "name": "Mailgun API Key",
+ "regex": "['\"]?key-[0-9a-zA-Z]{32}['\"]?"
+ },
+ {
+ "id": "50cc5f03-e686-4183-97e9-12f9b55d0f97",
+ "name": "Picatic API Key",
+ "regex": "sk_live_[0-9a-z]{32}"
+ },
+ {
+ "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
+ "name": "Twilio API Key",
+ "regex": "SK[0-9a-fA-F]{32}"
+ },
+ {
+ "id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
+ "name": "Generic Access Key",
+ "regex": "(?i)^\\s*['\"]?(access)[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
+ "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*"
+ },
+ {
+ "id": "2f665079-c383-4b33-896e-88268c1fa258",
+ "name": "Generic Private Key",
+ "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+ "specialMask": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*",
+ "allowRules": [
+ {
+ "description": "Avoiding bash variables",
+ "regex": "(?i)['\"]?\\$\\s*\\{[^\\s\\}]+\\}['\"]?"
+ },
+ {
+ "description": "Avoid Docker Compose secrets paths",
+ "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?/run/secrets/\\w+['\"]?"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)private[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ }
+ ]
+ },
+ {
+ "id": "baee238e-1921-4801-9c3f-79ae1d7b2cbc",
+ "name": "Generic Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+ "allowRules": [
+ {
+ "description": "Avoiding Amazon MWS Auth Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]?"
+ },
+ {
+ "description": "Avoiding Slack Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
+ },
+ {
+ "description": "Avoiding Square Access Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(sq0atp-[0-9A-Za-z\\-_]{22})['\"]?"
+ },
+ {
+ "description": "Avoiding Google OAuth Access Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(ya29\\.[0-9A-Za-z\\-_]+)['\"]?"
+ },
+ {
+ "description": "Avoiding PayPal Braintree Access Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32})['\"]?"
+ },
+ {
+ "description": "Avoiding Facebook Access Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(EAACEdEose0cBA[0-9A-Za-z]+)['\"]?"
+ },
+ {
+ "description": "Avoiding TF resource access",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+ },
+ {
+ "description": "Avoiding TF creation token",
+ "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding CLoudformation ServiceToken",
+ "regex": "['\"]?ServiceToken['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
+ },
+ {
+ "description": "Avoiding LifecycleActionToken Var",
+ "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding Github id-token Default Values",
+ "regex": "(?i)['\"]?id-token['\"]?\\s*[:=]\\s*(write|read|none)"
+ },
+ {
+ "description": "Avoiding result_token Var",
+ "regex": "(?i)['\"]?result(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding next_token Var",
+ "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding next_token Var",
+ "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding references to module outputs in Bicep",
+ "regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)"
+ },
+ {
+ "description": "Avoiding Run After Triggers (if written in conformity with best practices)",
+ "regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)token(_)?(key)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ }
+ ],
+ "specialMask": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*"
+
+ },
+ {
+ "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
+ "name": "CloudFormation Secret Template",
+ "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+-]{10,})}",
+ "specialMask": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*"
+ },
+ {
+ "id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6",
+ "name": "Encryption Key",
+ "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+ "allowRules": [
+ {
+ "description": "Avoiding TF resource access",
+ "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+ },
+ {
+ "description": "Avoiding CLoudformation KeyName",
+ "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)encryption[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ }
+ ],
+ "specialMask": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*"
+ },
+ {
+ "id": "8a879bc7-6f82-40fd-bb48-74d25d557fe8",
+ "name": "SendGrid API Key",
+ "regex": "(?i)SG\\.[a-zA-Z0-9\\-\\_]{22}\\.[a-zA-Z0-9\\-\\_]{43}\\s*"
+ },
+ {
+ "id": "be0ed753-d304-4363-844a-144050d4006d",
+ "name": "Generic Password on YAML files when value in tuple",
+ "regex": ".*password\\s*:[\\n|\\r]\\s*value:([^\\n|\\r]*)",
+ "multiline": {
+ "detectLineGroup": 1
+ },
+ "specialMask": ".*password\\s*:[\\n|\\r]\\s*value:"
+ },
+ {
+ "id": "f05f238a-2ef0-4c39-9a36-951de1ba6dc9",
+ "name": "Dockerfile ENV hardcoded password with omitted equals",
+ "regex": "(?i)ENV\\s+[A-Za-z0-9/~^_!@&%()=?*+-.]*password[A-Za-z0-9/~^_!@&%()=?*+-.]*\\s+['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?"
+ }
+ ],
+ "allowRules": [
+ {
+ "description": "Avoiding TF variables",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(var\\.)['\"]?"
+ },
+ {
+ "description": "!Ref is a cloudFormation reference",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+!Ref\\s+\\.*"
+ },
+ {
+ "description": "Avoiding cloudFormation intrinsic functions",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|!Not|Fn::Transform(:)?)\\s+\\.*"
+ },
+ {
+ "description": "Avoiding CF resolve",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?({{resolve:)['\"]?"
+ },
+ {
+ "description": "Avoiding Boolean's",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(true|false)['\"]?"
+ },
+ {
+ "description": "Avoiding arn",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(arn:)['\"]?"
+ },
+ {
+ "description": "Avoiding array access",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,}\\[([0-9]|['\"][a-zA-Z0-9]+['\"])\\])['\"]?"
+ },
+ {
+ "description": "Avoiding TF file function",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(file\\()['\"]?"
+ },
+ {
+ "description": "Avoiding ansible-vault encrypted variables",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(!vault \\|)['\"]?"
+ },
+ {
+ "description": "Avoiding sha-hashed mysql native passwords",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(\\*[0-9A-F]{40})['\"]?"
+ }
+ ]
+}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative60.proto b/assets/queries/common/passwords_and_secrets/test/negative60.proto
index 44b0784a650..b920060c8ec 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative60.proto
+++ b/assets/queries/common/passwords_and_secrets/test/negative60.proto
@@ -1,334 +1,56 @@
-syntax = "proto3";
-
-package com.example.security_test.v1;
-
-import "google/protobuf/wrappers.proto";
-import "google/protobuf/timestamp.proto";
-
-// =============================================================================
-// This file is a test fixture for secret/token/password scanning tools.
-// It should be treated as a NEGATIVE (no real secrets).
-// Proto files define schemas, not actual secret values.
-// Any secret-like strings here are example annotations, not real credentials.
-// =============================================================================
-
-// ---------------------------------------------------------------------------
-// OAuth / Identity Provider Configurations
-// ---------------------------------------------------------------------------
-
-message OAuthProviderConfig {
- google.protobuf.StringValue client_id = 1;
- google.protobuf.StringValue client_secret = 2;
- google.protobuf.StringValue access_token = 3;
- google.protobuf.StringValue refresh_token = 4;
- google.protobuf.StringValue token_endpoint = 5;
- google.protobuf.StringValue authorization_code = 6;
- google.protobuf.StringValue id_token = 7;
- google.protobuf.StringValue bearer_token = 8;
- google.protobuf.UInt32Value token_expiry_seconds = 9;
- google.protobuf.StringValue pkce_code_verifier = 10;
-}
-
-message SamlConfig {
- google.protobuf.StringValue signing_certificate = 1;
- google.protobuf.StringValue private_key = 2;
- google.protobuf.StringValue idp_certificate = 3;
- google.protobuf.StringValue sp_private_key = 4;
- google.protobuf.StringValue assertion_consumer_service_url = 5;
- google.protobuf.StringValue metadata_signing_key = 6;
-}
-
-message LdapConfig {
- google.protobuf.StringValue bind_dn = 1;
- google.protobuf.StringValue bind_password = 2;
- google.protobuf.StringValue admin_password = 3;
- google.protobuf.StringValue service_account_password = 4;
- google.protobuf.StringValue base_dn = 5;
- google.protobuf.BoolValue use_ssl = 6;
- google.protobuf.StringValue ssl_certificate = 7;
-}
-
-// ---------------------------------------------------------------------------
-// API Key / Token Management
-// ---------------------------------------------------------------------------
-
-enum ApiKeyType {
- API_KEY_TYPE_UNKNOWN = 0;
- API_KEY_TYPE_READ_ONLY = 1;
- API_KEY_TYPE_READ_WRITE = 2;
- API_KEY_TYPE_ADMIN = 3;
-}
-
-message ApiKeyConfig {
- google.protobuf.StringValue api_key = 1;
- google.protobuf.StringValue api_secret = 2;
- google.protobuf.StringValue api_token = 3;
- google.protobuf.StringValue secret_key = 4;
- google.protobuf.StringValue access_key_id = 5;
- google.protobuf.StringValue secret_access_key = 6;
- ApiKeyType key_type = 7;
- google.protobuf.Timestamp expires_at = 8;
- google.protobuf.StringValue signing_secret = 9;
- google.protobuf.StringValue hmac_key = 10;
-}
-
-message PersonalAccessToken {
- google.protobuf.StringValue token = 1;
- google.protobuf.StringValue token_hash = 2;
- google.protobuf.StringValue token_prefix = 3;
- google.protobuf.Timestamp issued_at = 4;
- google.protobuf.Timestamp expires_at = 5;
- repeated string scopes = 6;
-}
-
-// ---------------------------------------------------------------------------
-// Cloud Provider Credentials
-// ---------------------------------------------------------------------------
-
-message AwsCredentials {
- google.protobuf.StringValue aws_access_key_id = 1;
- google.protobuf.StringValue aws_secret_access_key = 2;
- google.protobuf.StringValue aws_session_token = 3;
- google.protobuf.StringValue role_arn = 4;
- google.protobuf.StringValue external_id = 5;
- google.protobuf.StringValue kms_key_id = 6;
-}
-
-message GcpCredentials {
- google.protobuf.StringValue service_account_key_json = 1;
- google.protobuf.StringValue private_key_id = 2;
- google.protobuf.StringValue private_key = 3;
- google.protobuf.StringValue client_email = 4;
- google.protobuf.StringValue project_id = 5;
- google.protobuf.StringValue access_token = 6;
-}
-
-message AzureCredentials {
- google.protobuf.StringValue tenant_id = 1;
- google.protobuf.StringValue client_id = 2;
- google.protobuf.StringValue client_secret = 3;
- google.protobuf.StringValue subscription_id = 4;
- google.protobuf.StringValue connection_string = 5;
- google.protobuf.StringValue sas_token = 6;
- google.protobuf.StringValue storage_account_key = 7;
-}
-
-// ---------------------------------------------------------------------------
-// Database Credentials
-// ---------------------------------------------------------------------------
-
-message DatabaseCredentials {
- google.protobuf.StringValue host = 1;
- google.protobuf.UInt32Value port = 2;
- google.protobuf.StringValue username = 3;
- google.protobuf.StringValue password = 4;
- google.protobuf.StringValue database_name = 5;
- google.protobuf.StringValue connection_string = 6;
- google.protobuf.StringValue ssl_ca_cert = 7;
- google.protobuf.StringValue ssl_client_cert = 8;
- google.protobuf.StringValue ssl_client_key = 9;
- google.protobuf.StringValue master_password = 10;
- google.protobuf.StringValue replication_password = 11;
-}
-
-message RedisCredentials {
- google.protobuf.StringValue host = 1;
- google.protobuf.UInt32Value port = 2;
- google.protobuf.StringValue password = 3;
- google.protobuf.StringValue auth_token = 4;
- google.protobuf.StringValue tls_cert = 5;
-}
-
-// ---------------------------------------------------------------------------
-// Third-Party Integration Credentials
-// ---------------------------------------------------------------------------
-
-message SlackIntegrationConfig {
- google.protobuf.StringValue bot_token = 1;
- google.protobuf.StringValue signing_secret = 2;
- google.protobuf.StringValue verification_token = 3;
- google.protobuf.StringValue oauth_access_token = 4;
- google.protobuf.StringValue webhook_secret = 5;
- google.protobuf.StringValue app_token = 6;
-}
-
-message GitHubIntegrationConfig {
- google.protobuf.StringValue personal_access_token = 1;
- google.protobuf.StringValue webhook_secret = 2;
- google.protobuf.StringValue app_private_key = 3;
- google.protobuf.StringValue app_installation_token = 4;
- google.protobuf.StringValue deploy_key = 5;
- google.protobuf.StringValue oauth_client_secret = 6;
-}
-
-message StripeConfig {
- google.protobuf.StringValue publishable_key = 1;
- google.protobuf.StringValue secret_key = 2;
- google.protobuf.StringValue webhook_signing_secret = 3;
- google.protobuf.StringValue restricted_api_key = 4;
-}
-
-message TwilioConfig {
- google.protobuf.StringValue account_sid = 1;
- google.protobuf.StringValue auth_token = 2;
- google.protobuf.StringValue api_key_sid = 3;
- google.protobuf.StringValue api_key_secret = 4;
-}
-
-message SendGridConfig {
- google.protobuf.StringValue api_key = 1;
- google.protobuf.StringValue smtp_password = 2;
- google.protobuf.StringValue webhook_verification_key = 3;
-}
-
-// ---------------------------------------------------------------------------
-// Encryption and Signing
-// ---------------------------------------------------------------------------
-
-message EncryptionConfig {
- google.protobuf.StringValue encryption_key = 1;
- google.protobuf.StringValue decryption_key = 2;
- google.protobuf.StringValue master_key = 3;
- google.protobuf.StringValue data_encryption_key = 4;
- google.protobuf.StringValue key_encryption_key = 5;
- google.protobuf.StringValue initialization_vector = 6;
- google.protobuf.StringValue passphrase = 7;
- google.protobuf.StringValue salt = 8;
-}
-
-message JwtConfig {
- google.protobuf.StringValue jwt_secret = 1;
- google.protobuf.StringValue jwt_private_key = 2;
- google.protobuf.StringValue jwt_public_key = 3;
- google.protobuf.StringValue jwt_signing_key = 4;
- google.protobuf.UInt32Value jwt_expiry_seconds = 5;
- google.protobuf.StringValue jwt_refresh_secret = 6;
-}
-
-message SshConfig {
- google.protobuf.StringValue ssh_private_key = 1;
- google.protobuf.StringValue ssh_public_key = 2;
- google.protobuf.StringValue ssh_passphrase = 3;
- google.protobuf.StringValue ssh_host_key = 4;
- google.protobuf.StringValue known_hosts_entry = 5;
-}
-
-message TlsConfig {
- google.protobuf.StringValue tls_certificate = 1;
- google.protobuf.StringValue tls_private_key = 2;
- google.protobuf.StringValue ca_certificate = 3;
- google.protobuf.StringValue ca_private_key = 4;
- google.protobuf.StringValue pfx_password = 5;
- google.protobuf.StringValue keystore_password = 6;
- google.protobuf.StringValue truststore_password = 7;
-}
-
-// ---------------------------------------------------------------------------
-// User / Account Credentials
-// ---------------------------------------------------------------------------
-
-message UserCredentials {
- google.protobuf.StringValue username = 1;
- google.protobuf.StringValue password = 2;
- google.protobuf.StringValue password_hash = 3;
- google.protobuf.StringValue password_salt = 4;
- google.protobuf.StringValue totp_secret = 5;
- google.protobuf.StringValue recovery_codes = 6;
- google.protobuf.StringValue security_question_answer = 7;
- google.protobuf.StringValue pin_code = 8;
-}
-
-message ServiceAccountCredentials {
- google.protobuf.StringValue service_account_id = 1;
- google.protobuf.StringValue service_account_secret = 2;
- google.protobuf.StringValue service_account_token = 3;
- google.protobuf.StringValue service_account_private_key = 4;
- google.protobuf.StringValue credentials_json = 5;
-}
-
-// ---------------------------------------------------------------------------
-// Webhook Secrets (similar to the original file's domain)
-// ---------------------------------------------------------------------------
-
-message WebhookSecurityConfig {
- google.protobuf.StringValue webhook_secret = 1;
- google.protobuf.StringValue signing_key = 2;
- google.protobuf.StringValue verification_token = 3;
- google.protobuf.StringValue shared_secret = 4;
- google.protobuf.StringValue callback_token = 5;
- google.protobuf.StringValue hmac_secret = 6;
- google.protobuf.StringValue basic_auth_username = 7;
- google.protobuf.StringValue basic_auth_password = 8;
-}
-
-// ---------------------------------------------------------------------------
-// Container / Orchestration Secrets
-// ---------------------------------------------------------------------------
-
-message KubernetesSecretRef {
- google.protobuf.StringValue secret_name = 1;
- google.protobuf.StringValue secret_namespace = 2;
- google.protobuf.StringValue kubeconfig = 3;
- google.protobuf.StringValue cluster_ca_certificate = 4;
- google.protobuf.StringValue service_account_token = 5;
- google.protobuf.StringValue docker_config_json = 6;
- google.protobuf.StringValue image_pull_secret = 7;
-}
-
-message DockerRegistryCredentials {
- google.protobuf.StringValue registry_url = 1;
- google.protobuf.StringValue registry_username = 2;
- google.protobuf.StringValue registry_password = 3;
- google.protobuf.StringValue registry_token = 4;
- google.protobuf.StringValue docker_auth = 5;
-}
-
-// ---------------------------------------------------------------------------
-// CI/CD Pipeline Secrets
-// ---------------------------------------------------------------------------
-
-message CiCdSecrets {
- google.protobuf.StringValue deploy_token = 1;
- google.protobuf.StringValue ci_token = 2;
- google.protobuf.StringValue npm_token = 3;
- google.protobuf.StringValue pypi_token = 4;
- google.protobuf.StringValue nuget_api_key = 5;
- google.protobuf.StringValue sonar_token = 6;
- google.protobuf.StringValue codecov_token = 7;
- google.protobuf.StringValue artifactory_password = 8;
- google.protobuf.StringValue nexus_password = 9;
- google.protobuf.StringValue gpg_signing_key = 10;
- google.protobuf.StringValue cosign_private_key = 11;
-}
-
-// ---------------------------------------------------------------------------
-// Aggregate Configuration (uses all of the above)
-// ---------------------------------------------------------------------------
-
-message IntegrationCredentials {
- oneof credentials {
- OAuthProviderConfig oauth = 1;
- SamlConfig saml = 2;
- LdapConfig ldap = 3;
- ApiKeyConfig api_key = 4;
- AwsCredentials aws = 5;
- GcpCredentials gcp = 6;
- AzureCredentials azure = 7;
- DatabaseCredentials database = 8;
- RedisCredentials redis = 9;
- SlackIntegrationConfig slack = 10;
- GitHubIntegrationConfig github = 11;
- StripeConfig stripe = 12;
- TwilioConfig twilio = 13;
- SendGridConfig sendgrid = 14;
- EncryptionConfig encryption = 15;
- JwtConfig jwt = 16;
- SshConfig ssh = 17;
- TlsConfig tls = 18;
- UserCredentials user = 19;
- ServiceAccountCredentials service_account = 20;
- KubernetesSecretRef kubernetes = 21;
- DockerRegistryCredentials docker = 22;
- CiCdSecrets ci_cd = 23;
- }
+syntax = "proto3";
+
+// Contains "secret", "key", "password" and "token" keywords - would flag if not for allow rules
+// Note - This is as valid proto file that generates output with "protoc" command as of version "libprotoc 34.0"
+
+package com.example.security_test.v1;
+
+import "google/protobuf/wrappers.proto";
+
+message ResultsThatFlag {
+ google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token
+ google.protobuf.StringValue access_token= 1; // Generic Token
+ google.protobuf.StringValue id_token = 3; // Generic Token
+ google.protobuf.StringValue bearer_toaken = 4;;; // Generic Token
+ google.protobuf.StringValue api_token = 7 ; // Generic Token
+ google.protobuf.StringValue token = 8; // Generic Token
+ google.protobuf.StringValue aws_session_token = 9; // Generic Token
+ google.protobuf.StringValue sas_token = 12; // Generic Token
+ google.protobuf.StringValue auth_token = 13; // Generic Token
+ google.protobuf.StringValue bot_token = 14; // Generic Token
+ google.protobuf.StringValue verification_token=15; // Generic Token
+ google.protobuf.StringValue oauth_access_token = 16; // Generic Token
+ google.protobuf.StringValue app_token = 17; // Generic Token
+ google.protobuf.StringValue personal_access_token = 18; // Generic Token
+ google.protobuf.StringValue service_account_token = 29; // Generic Token
+ google.protobuf.StringValue webhook_verification_token = 31; // Generic Token
+ google.protobuf.StringValue callback_token = 32; // Generic Token
+ google.protobuf.StringValue k8s_service_account_token = 33; // Generic Token
+ google.protobuf.StringValue registry_token = 34; // Generic Token
+ google.protobuf.StringValue deploy_token = 35; // Generic Token
+ google.protobuf.StringValue ci_token = 36; // Generic Token
+ google.protobuf.StringValue npm_token = 37; // Generic Token
+ google.protobuf.StringValue pypi_token = 38; // Generic Token
+ google.protobuf.StringValue app_installation_token = 20; // Generic Token
+ google.protobuf.StringValue twilio_auth_token = 21; // Generic Token
+ google.protobuf.StringValue twilio_auth_token_key = 121; // Generic Token
+ google.protobuf.StringValue test_token_ = 122 ; // Generic Token
+ google.protobuf.StringValue sonar_token = 39;google.protobuf.StringValue codecov_token = 40;// trailing comment test - Generic Token
+ google.protobuf.StringValue jwt_private_key = 25; // Generic Private Key
+ google.protobuf.StringValue ssh_private_key = 26; // Generic Private Key
+ google.protobuf.StringValue tls_private_key = 27; // Generic Private Key
+ google.protobuf.StringValue ca_private_key = 28 ; // Generic Private Key
+ google.protobuf.StringValue cosign_private_key = 41; // Generic Private Key
+ google.protobuf.StringValue service_account_private_key = 30; // Generic Private Key
+ google.protobuf.StringValue app_private_key = 19; // Generic Private Key
+ google.protobuf.StringValue gcp_private_key = 10; // Generic Private Key
+ google.protobuf.StringValue private_key = 5; // Generic Private Key
+ google.protobuf.StringValue sp_private_key = 6; // Generic Private Key
+ google.protobuf.StringValue encryption_key = 22; // Encryption Key
+ google.protobuf.StringValue data_encryption_key= 23 ; // Encryption Key
+ google.protobuf.StringValue key_encryption_key=24; // Encryption Key
+ google.protobuf.StringValue registry_password = 104; // Generic Password
+ google.protobuf.StringValue artifactory_password = 107 ; // Generic Password
+ google.protobuf.StringValue nexus_password = 108; // Generic Password
+ string password = 64; // Generic Password
}
\ No newline at end of file
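Review bot: The new header comment ("would flag if not for allow rules") and the message name `ResultsThatFlag` read as if this negative fixture is expected to produce findings; if Inspect now skips files of Kind proto before any rule runs, as the commit title says, the allow rules are never reached for this file and the comment should name the mechanism actually under test, e.g. `// Negative fixture: every field name matches a password/secret/token/key rule; the file must produce no findings because proto files are excluded from Inspect.`. The irregular spacing, the `;;;` after `bearer_toaken = 4`, the missing space in `verification_token=15;` and the two declarations sharing one line with `sonar_token` look deliberate, but nothing says so; a line such as `// Irregular whitespace, repeated ';' and two fields per line are intentional regex-robustness cases - do not reformat.` would stop a later cleanup from undoing them. `bearer_toaken` does not contain the substring "token", so if the spelling is a typo the line no longer relates to the Generic Token rule it is annotated with, and if it is intentional the trailing comment should say so. "This is as valid proto file" should read "This is a valid proto file".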
diff --git a/assets/queries/common/passwords_and_secrets/test/positive56.proto b/assets/queries/common/passwords_and_secrets/test/positive56.proto
new file mode 100644
index 00000000000..4367e728812
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/positive56.proto
@@ -0,0 +1,18 @@
+syntax = "proto3";
+
+// This sample should not flag the message defined only the exposed secrets in comments :
+// "password" = "test_sample"
+// "secret_key" : minimum_ten_characters
+// "unsafe_token" : "is_this_safe"
+// Note - This is as valid proto file that generates output with "protoc" command as of version "libprotoc 34.0"
+
+package com.example.security_test.v1;
+
+import "google/protobuf/wrappers.proto";
+
+message InocentMessage {
+ google.protobuf.StringValue safe_value = 1;
+ double not_a_password = 2;
+ float not_a_token = 3;
+ string not_an_encryption_key = 4;
+}
\ No newline at end of file
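Review bot: The header comment at line 3 of the fixture is hard to parse ("should not flag the message defined only the exposed secrets in comments"), and since the expected-result file keys off exact line numbers, the comment should state what each line is expected to produce so a later re-wrap of the comment does not silently shift findings. Suggested wording: `// Only the secret-like strings in the three comment lines below should be flagged (one finding each: Generic Password, Generic Secret, Generic Token); none of the fields in the message may match.` The message name `InocentMessage` also looks like a misspelling of `InnocentMessage`; protoc does not care, but it is worth fixing while the file is new.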
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index e29ad869f20..3d5ba084ca2 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -1,464 +1,482 @@
-[
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 8,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 6,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive3.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 9,
- "fileName": "positive4.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Secret",
- "severity": "HIGH",
- "line": 2,
- "fileName": "positive5.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 3,
- "fileName": "positive6.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive6.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 8,
- "fileName": "positive7.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive8.json"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line":7,
- "fileName": "positive8.json"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 8,
- "fileName": "positive9.tf"
- },
- {
- "queryName": "Passwords And Secrets - Password in URL",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive10.json"
- },
- {
- "queryName": "Passwords And Secrets - Slack Webhook",
- "severity": "HIGH",
- "line": 17,
- "fileName": "positive10.json"
- },
- {
- "queryName": "Passwords And Secrets - MSTeams Webhook",
- "severity": "HIGH",
- "line": 27,
- "fileName": "positive10.json"
- },
- {
- "queryName": "Passwords And Secrets - Password in URL",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive11.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Slack Webhook",
- "severity": "HIGH",
- "line": 9,
- "fileName": "positive11.yaml"
- },
- {
- "queryName": "Passwords And Secrets - MSTeams Webhook",
- "severity": "HIGH",
- "line": 11,
- "fileName": "positive11.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 8,
- "fileName": "positive12.json"
- },
- {
- "queryName": "Passwords And Secrets - Password in URL",
- "severity": "HIGH",
- "line": 11,
- "fileName": "positive12.json"
- },
- {
- "queryName": "Passwords And Secrets - Slack Webhook",
- "severity": "HIGH",
- "line": 15,
- "fileName": "positive12.json"
- },
- {
- "queryName": "Passwords And Secrets - MSTeams Webhook",
- "severity": "HIGH",
- "line": 19,
- "fileName": "positive12.json"
- },
- {
- "queryName": "Passwords And Secrets - Asymmetric private key",
- "severity": "HIGH",
- "line": 6,
- "fileName": "positive13.tf"
- },
- {
- "queryName": "Passwords And Secrets - AWS Access Key",
- "severity": "HIGH",
- "line": 17,
- "fileName": "positive14.tf"
- },
- {
- "queryName": "Passwords And Secrets - AWS Secret Key",
- "severity": "HIGH",
- "line": 18,
- "fileName": "positive14.tf"
- },
- {
- "queryName": "Passwords And Secrets - AWS Access Key",
- "severity": "HIGH",
- "line": 14,
- "fileName": "positive15.tf"
- },
- {
- "queryName": "Passwords And Secrets - AWS Secret Key",
- "severity": "HIGH",
- "line": 15,
- "fileName": "positive15.tf"
- },
- {
- "queryName": "Passwords And Secrets - K8s Environment Variable Password",
- "severity": "HIGH",
- "line": 34,
- "fileName": "positive16.yaml"
- },
- {
- "queryName": "Passwords And Secrets - K8s Environment Variable Password",
- "severity": "HIGH",
- "line": 36,
- "fileName": "positive16.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive17.tf"
- },
- {
- "queryName": "Passwords And Secrets - Google OAuth",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive18.tf"
- },
- {
- "queryName": "Passwords And Secrets - Slack Token",
- "severity": "HIGH",
- "line": 2,
- "fileName": "positive19.tf"
- },
- {
- "queryName": "Passwords And Secrets - Stripe API Key",
- "severity": "HIGH",
- "line": 2,
- "fileName": "positive20.tf"
- },
- {
- "queryName": "Passwords And Secrets - Google API Key",
- "severity": "HIGH",
- "line": 50,
- "fileName": "positive21.tf"
- },
- {
- "queryName": "Passwords And Secrets - Heroku API Key",
- "severity": "HIGH",
- "line": 3,
- "fileName": "positive22.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Token",
- "severity": "HIGH",
- "line": 3,
- "fileName": "positive23.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic API Key",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive24.tf"
- },
- {
- "queryName": "Passwords And Secrets - Square Access Token",
- "severity": "HIGH",
- "line": 3,
- "fileName": "positive25.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - Picatic API Key",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive25.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - Amazon MWS Auth Token",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive25.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - MailChimp API Key",
- "severity": "HIGH",
- "line": 9,
- "fileName": "positive25.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - SendGrid API Key",
- "severity": "HIGH",
- "line": 11,
- "fileName": "positive25.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - Generic Private Key",
- "severity": "HIGH",
- "line": 9,
- "fileName": "positive26.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Token",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive27.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Token",
- "severity": "HIGH",
- "line": 22,
- "fileName": "positive27.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Token",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive28.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Mailgun API Key",
- "severity": "HIGH",
- "line": 2,
- "fileName": "positive29.tf"
- },
- {
- "queryName": "Passwords And Secrets - Stripe Restricted API Key",
- "severity": "HIGH",
- "line": 2,
- "fileName": "positive30.tf"
- },
- {
- "queryName": "Passwords And Secrets - Twilio API Key",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive31.yaml"
- },
- {
- "queryName": "Passwords And Secrets - PayPal Braintree Access Token",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive32.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Facebook Access Token",
- "severity": "HIGH",
- "line": 13,
- "fileName": "positive33.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Square OAuth Secret",
- "severity": "HIGH",
- "line": 13,
- "fileName": "positive34.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Google OAuth Access Token",
- "severity": "HIGH",
- "line": 13,
- "fileName": "positive35.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Putty User Key File Content",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive36.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Secret",
- "severity": "HIGH",
- "line": 14,
- "fileName": "positive37.tf"
- },
- {
- "queryName": "Passwords And Secrets - CloudFormation Secret Template",
- "severity": "HIGH",
- "line": 16,
- "fileName": "positive38.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Secret",
- "severity": "HIGH",
- "line": 3,
- "fileName": "positive39.tf"
- },
- {
- "queryName": "Passwords And Secrets - AWS Context-specific credential",
- "severity": "HIGH",
- "line": 14,
- "fileName": "positive40.tf"
- },
- {
- "queryName": "Passwords And Secrets - AWS Certificate",
- "severity": "HIGH",
- "line": 15,
- "fileName": "positive40.tf"
- },
- {
- "queryName": "Passwords And Secrets - Asymmetric private key",
- "severity": "HIGH",
- "line": 6,
- "fileName": "positive41.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Access Key",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive42.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Token",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive43.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Secret",
- "severity": "HIGH",
- "line": 17,
- "fileName": "positive44.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 9,
- "fileName": "positive45.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 20,
- "fileName": "positive46.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 21,
- "fileName": "positive46.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Google OAuth",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive47.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Secret",
- "severity": "HIGH",
- "line": 6,
- "fileName": "positive47.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 8,
- "fileName": "positive48.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Private Key",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive49.yml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple",
- "severity": "HIGH",
- "line": 56,
- "fileName": "positive50.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple",
- "severity": "HIGH",
- "line": 68,
- "fileName": "positive50.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Dockerfile ENV hardcoded password with omitted equals",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive51.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive52.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 54,
- "fileName": "positive53.json"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 8,
- "fileName": "positive54.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 14,
- "fileName": "positive54.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Secret",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive55.json"
- }
+[
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive1.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive2.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive3.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 9,
+ "fileName": "positive4.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 2,
+ "fileName": "positive5.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 3,
+ "fileName": "positive6.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive6.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive7.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive8.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line":7,
+ "fileName": "positive8.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive9.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Password in URL",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive10.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Slack Webhook",
+ "severity": "HIGH",
+ "line": 17,
+ "fileName": "positive10.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - MSTeams Webhook",
+ "severity": "HIGH",
+ "line": 27,
+ "fileName": "positive10.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Password in URL",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive11.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Slack Webhook",
+ "severity": "HIGH",
+ "line": 9,
+ "fileName": "positive11.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - MSTeams Webhook",
+ "severity": "HIGH",
+ "line": 11,
+ "fileName": "positive11.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive12.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Password in URL",
+ "severity": "HIGH",
+ "line": 11,
+ "fileName": "positive12.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Slack Webhook",
+ "severity": "HIGH",
+ "line": 15,
+ "fileName": "positive12.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - MSTeams Webhook",
+ "severity": "HIGH",
+ "line": 19,
+ "fileName": "positive12.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Asymmetric private key",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive13.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - AWS Access Key",
+ "severity": "HIGH",
+ "line": 17,
+ "fileName": "positive14.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - AWS Secret Key",
+ "severity": "HIGH",
+ "line": 18,
+ "fileName": "positive14.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - AWS Access Key",
+ "severity": "HIGH",
+ "line": 14,
+ "fileName": "positive15.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - AWS Secret Key",
+ "severity": "HIGH",
+ "line": 15,
+ "fileName": "positive15.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - K8s Environment Variable Password",
+ "severity": "HIGH",
+ "line": 34,
+ "fileName": "positive16.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - K8s Environment Variable Password",
+ "severity": "HIGH",
+ "line": 36,
+ "fileName": "positive16.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive17.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Google OAuth",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive18.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Slack Token",
+ "severity": "HIGH",
+ "line": 2,
+ "fileName": "positive19.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Stripe API Key",
+ "severity": "HIGH",
+ "line": 2,
+ "fileName": "positive20.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Google API Key",
+ "severity": "HIGH",
+ "line": 50,
+ "fileName": "positive21.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Heroku API Key",
+ "severity": "HIGH",
+ "line": 3,
+ "fileName": "positive22.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 3,
+ "fileName": "positive23.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic API Key",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive24.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Square Access Token",
+ "severity": "HIGH",
+ "line": 3,
+ "fileName": "positive25.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - Picatic API Key",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive25.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - Amazon MWS Auth Token",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive25.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - MailChimp API Key",
+ "severity": "HIGH",
+ "line": 9,
+ "fileName": "positive25.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - SendGrid API Key",
+ "severity": "HIGH",
+ "line": 11,
+ "fileName": "positive25.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Private Key",
+ "severity": "HIGH",
+ "line": 9,
+ "fileName": "positive26.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive27.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 22,
+ "fileName": "positive27.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive28.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Mailgun API Key",
+ "severity": "HIGH",
+ "line": 2,
+ "fileName": "positive29.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Stripe Restricted API Key",
+ "severity": "HIGH",
+ "line": 2,
+ "fileName": "positive30.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Twilio API Key",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive31.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - PayPal Braintree Access Token",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive32.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Facebook Access Token",
+ "severity": "HIGH",
+ "line": 13,
+ "fileName": "positive33.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Square OAuth Secret",
+ "severity": "HIGH",
+ "line": 13,
+ "fileName": "positive34.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Google OAuth Access Token",
+ "severity": "HIGH",
+ "line": 13,
+ "fileName": "positive35.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Putty User Key File Content",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive36.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 14,
+ "fileName": "positive37.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - CloudFormation Secret Template",
+ "severity": "HIGH",
+ "line": 16,
+ "fileName": "positive38.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 3,
+ "fileName": "positive39.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - AWS Context-specific credential",
+ "severity": "HIGH",
+ "line": 14,
+ "fileName": "positive40.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - AWS Certificate",
+ "severity": "HIGH",
+ "line": 15,
+ "fileName": "positive40.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Asymmetric private key",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive41.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Access Key",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive42.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive43.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 17,
+ "fileName": "positive44.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 9,
+ "fileName": "positive45.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 20,
+ "fileName": "positive46.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 21,
+ "fileName": "positive46.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Google OAuth",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive47.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive47.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive48.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Private Key",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive49.yml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple",
+ "severity": "HIGH",
+ "line": 56,
+ "fileName": "positive50.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple",
+ "severity": "HIGH",
+ "line": 68,
+ "fileName": "positive50.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Dockerfile ENV hardcoded password with omitted equals",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive51.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive52.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 54,
+ "fileName": "positive53.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive54.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 14,
+ "fileName": "positive54.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive55.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive56.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive56.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive56.json"
+ }
]
\ No newline at end of file
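Review bot: The three new entries at the end of the array record `"fileName": "positive56.json"`, but the fixture added in this series is `positive56.proto`, and its lines 4–6 are exactly the commented secrets those entries point at; unless the harness matches on basename without extension, these expectations cannot be met by the proto fixture. The two hunks in the follow-up "Fix expected results" patch keep the same `positive56.json` name, so the correction belongs in all three entries: `"fileName": "positive56.proto"`. If the harness really does ignore the extension, a short note in the fixture's header comment saying so would save the next reader the same question.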
diff --git a/pkg/engine/secrets/inspector.go b/pkg/engine/secrets/inspector.go
index 20602131733..36dfa4aab00 100644
--- a/pkg/engine/secrets/inspector.go
+++ b/pkg/engine/secrets/inspector.go
@@ -660,16 +660,13 @@ func ignoreLine(lineNumber int, linesIgnore []int) bool {
return false
}
-// cleanFiles keeps one file per filePath and filters .proto files
+// cleanFiles keeps one file per filePath
func cleanFiles(files model.FileMetadatas) model.FileMetadatas {
keys := make(map[string]bool)
cleanFiles := model.FileMetadatas{}
for i := range files {
- if files[i].Kind == model.KindPROTO {
- continue
- }
filePath := files[i].FilePath
if _, value := keys[filePath]; !value {
keys[filePath] = true
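Review bot: With the `KindPROTO` skip removed, nothing in `cleanFiles` records why proto schemas are now admitted, and the next reader chasing a proto false positive may simply reinstate the skip; the updated comment should say where that responsibility moved. Suggested: `// cleanFiles keeps one file per filePath. Proto schema files are not skipped here; field declarations such as "password = 64;" are expected to be suppressed by the per-rule "Avoiding Proto File fields" allowRules in regex_rules.json.` The only such allow rule visible in this series sits under the Generic Password rule, so whether every rule that can match a proto field name has an equivalent is outside the hunk and worth confirming against the negative fixture. The function body continues past the hunk.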
diff --git a/pkg/engine/secrets/inspector_test.go b/pkg/engine/secrets/inspector_test.go
index 5839c5b9e0d..f642d0e1772 100644
--- a/pkg/engine/secrets/inspector_test.go
+++ b/pkg/engine/secrets/inspector_test.go
@@ -266,20 +266,26 @@ var OriginalData8 = `
package com.example.security_test.v1;
import "google/protobuf/wrappers.proto";
- import "google/protobuf/timestamp.proto";
-
- message OAuthProviderConfig {
- google.protobuf.StringValue client_id = 1;
- google.protobuf.StringValue client_secret = 2;
- google.protobuf.StringValue access_token = 3;
- google.protobuf.StringValue refresh_token = 4;
- google.protobuf.StringValue token_endpoint = 5;
- google.protobuf.StringValue authorization_code = 6;
- google.protobuf.StringValue id_token = 7;
- google.protobuf.StringValue bearer_token = 8;
- google.protobuf.UInt32Value token_expiry_seconds = 9;
- google.protobuf.StringValue pkce_code_verifier = 10;
- }
+
+ message ResultsThatFlag {
+ google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token
+ google.protobuf.StringValue access_token= 1; // Generic Token
+ google.protobuf.StringValue id_token = 3; // Generic Token
+ google.protobuf.StringValue bearer_toaken = 4;;; // Generic Token
+ google.protobuf.StringValue api_token = 7 ; // Generic Token
+ google.protobuf.StringValue token = 8; // Generic Token
+ google.protobuf.StringValue sonar_token = 39;google.protobuf.StringValue codecov_token = 40;// trailing comment test - Generic Token
+ google.protobuf.StringValue jwt_private_key = 25; // Generic Private Key
+ google.protobuf.StringValue ssh_private_key = 26; // Generic Private Key
+ google.protobuf.StringValue tls_private_key = 27; // Generic Private Key
+ google.protobuf.StringValue sp_private_key = 6; // Generic Private Key
+ google.protobuf.StringValue encryption_key = 22; // Encryption Key
+ google.protobuf.StringValue data_encryption_key= 23 ; // Encryption Key
+ google.protobuf.StringValue key_encryption_key=24; // Encryption Key
+ google.protobuf.StringValue registry_password = 104; // Generic Password
+ google.protobuf.StringValue artifactory_password = 107 ; // Generic Password
+ google.protobuf.StringValue nexus_password = 108; // Generic Password
+ string password = 64; // Generic Password
`
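Review bot: `bearer_toaken` in `ResultsThatFlag` is annotated `// Generic Token` but the identifier does not contain the word "token", so it is unclear whether the line exercises the `;;;` terminator on a name that should match or is an accidental typo that turns the line into a miss; either spell it `bearer_token = 4;;;` or extend the comment to say the misspelling is deliberate. The new message also ends at `string password = 64;` with no closing `}` before the backtick in the visible hunk; if that is not a rendering artifact, the fixture is no longer a parseable proto, which matters only if the test is meant to mirror a file protoc accepts. `OriginalData8` is declared above the hunk, so the rest of its content is outside this view.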
var testInspectInput = []struct {
@@ -441,7 +447,7 @@ var testInspectInput = []struct {
wantErr: false,
},
{
- name: "invalid_file_kind",
+ name: "valid_no_results",
files: model.FileMetadatas{
{
ID: "a6fbadc6-da29-4340-8d56-aa26a8852526",
From bf117895263b100f7412af1bf12ad4d27e7c42ff Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 15:18:12 +0000
Subject: [PATCH 03/30] Fix expected results
---
.../passwords_and_secrets/test/positive_expected_result.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index 3d5ba084ca2..2d6320703a9 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -462,7 +462,7 @@
"fileName": "positive55.json"
},
{
- "queryName": "Passwords And Secrets - Generic Secret",
+ "queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
"line": 4,
"fileName": "positive56.json"
@@ -474,7 +474,7 @@
"fileName": "positive56.json"
},
{
- "queryName": "Passwords And Secrets - Generic Secret",
+ "queryName": "Passwords And Secrets - Generic Token",
"severity": "HIGH",
"line": 6,
"fileName": "positive56.json"
From 6f74701c35d1628e7114e9d2c97b22c6a1641ae0 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 15:41:36 +0000
Subject: [PATCH 04/30] Part 1 fix git diff
---
.../passwords_and_secrets/regex_rules.json | 900 ++++++++---------
.../test/positive_expected_result.json | 944 +++++++++---------
2 files changed, 905 insertions(+), 939 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 40608122628..4620f0285cd 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -1,458 +1,442 @@
-{
- "rules": [
- {
- "id": "487f4be7-3fd9-4506-a07a-eae252180c08",
- "name": "Generic Password",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?",
- "allowRules": [
- {
- "description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)"
- },
- {
- "description": "Avoiding description field",
- "regex": "(?i)['\"]?description['\"]?\\s*=\\s*['\"].*['\"]"
- },
- {
- "description": "Avoiding Terraform 'optional' statement",
- "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)$"
- },
- {
- "description": "Avoiding Terraform 'try' statement",
- "regex": "(?i)['\"]?password['\"]?\\s*=\\s*try\\([^\"']+,[^\"']+\\)$"
- },
- {
- "description": "Avoiding CF AllowUsersToChangePassword",
- "regex": "['\"]?AllowUsersToChangePassword['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
- },
- {
- "description": "Avoiding Ansible playbook update_password",
- "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
- },
- {
- "description": "Allow placeholders",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"](\\$\\(|\\$?\\{\\{)\\s*\\w+\\s*(\\)|\\}\\})['\"]"
- },
- {
- "description": "Allow empty values",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(''|\"\")"
- },
- {
- "description": "Allow password retrieved from ARM parameters",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"]([a-zA-Z][a-zA-Z0-9_-]*)['\"]['\"]?\\)"
- },
- {
- "description": "Avoiding Proto File fields",
- "regex": "(?i)password\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
- }
- ],
- "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"
- },
- {
- "id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99",
- "name": "Generic Secret",
- "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]{10,})['\"]?",
- "entropies": [
- {
- "group": 3,
- "min": 2.8,
- "max": 8
- }
- ],
- "allowRules": [
- {
- "description": "Avoiding Square OAuth Secret",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?"
- },
- {
- "description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\.\\)\\]\\$]|(:\\s*null))|null)"
- },
- {
- "description": "Avoiding Secrets Manager arn",
- "regex": ":secretsmanager:[a-z0-9-*?]+:[0-9*?]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding CloudFormation Parameters Descriptions",
- "regex": "['\"]?Description['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*${}+-.'\"]+)['\"]?"
- },
- {
- "description": "Avoiding Secrets from Azure Key Vault",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+-]+}?"
- },
- {
- "description": "Allow secret retrieved from ARM parameters",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_-]*['\"]\\s*\\)\\s*\\]"
- },
- {
- "description": "Allow secrets retrieved from Bicep getSecret built in function",
- "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"
- }
- ],
- "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*"
- },
- {
- "id": "51b5b840-cd0c-4556-98a7-fe5f4def80cf",
- "name": "Asymmetric private key",
- "regex": "-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----\\s*(([A-Za-z0-9+,:\\-\\/=\\n\\r]+\\s*)+)-----END ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----",
- "multiline": {
- "detectLineGroup": 4
- },
- "entropies": [
- {
- "group": 5,
- "min": 3.7,
- "max": 12
- }
- ],
- "specialMask": "all"
- },
- {
- "id": "a007a85e-a2a7-4a81-803a-7a2ca0c65abb",
- "name": "Putty User Key File Content",
- "regex": "['\"]?PuTTY-User-Key-File-\\d: ([\\w\\d-:\\n\\s+/=]+Private-MAC: [\\d\\w\"]+)['\"]?",
- "multiline": {
- "detectLineGroup": 1
- },
- "specialMask": "all"
- },
- {
- "id": "c4d3b58a-e6d4-450f-9340-04f1e702eaae",
- "name": "Password in URL",
- "regex": "['\"]?[a-zA-Z]{3,10}://[^/\\s:@$]*?:[^/\\s:@$]*?@[^/\\s:@$]*['\"]?"
- },
- {
- "id": "76c0bcde-903d-456e-ac13-e58c34987852",
- "name": "AWS Access Key",
- "regex": "(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}"
- },
- {
- "id": "76c0bcde-903d-456e-ac13-e58c34987852",
- "name": "AWS Context-specific credential",
- "regex": "(A3T[A-Z0-9]|ACCA)[A-Z0-9]{16}"
- },
- {
- "id": "76c0bcde-903d-456e-ac13-e58c34987852",
- "name": "AWS Certificate",
- "regex": "(A3T[A-Z0-9]|ASCA)[A-Z0-9]{16}"
- },
- {
- "id": "83ab47ff-381d-48cd-bac5-fb32222f54af",
- "name": "AWS Secret Key",
- "regex": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*['\"]?([a-zA-Z0-9/]{40})[\"']?",
- "entropies": [
- {
- "group": 3,
- "min": 4.8,
- "max": 7
- }
- ],
- "specialMask": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*"
- },
- {
- "id": "4b2b5fd3-364d-4093-bac2-17391b2a5297",
- "name": "K8s Environment Variable Password",
- "regex": "apiVersion((.*)\\s*)*env:((.*)\\s*)*name:\\s*\\w+(?i)pass((?i)word)?\\w*\\s*(value):\\s*([\"|'].*[\"|'])",
- "multiline": {
- "detectLineGroup": 7
- },
- "specialMask": "\\s*(value):\\s*"
- },
- {
- "id": "d651cca2-2156-4d17-8e76-423e68de5c8b",
- "name": "Google OAuth",
- "regex": "['\"]?[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com['\"]?"
- },
- {
- "id": "ccde326f-ebc7-4772-8ad5-de66e90a8cc3",
- "name": "Slack Webhook",
- "regex": "['\"]?https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}['\"]?"
- },
- {
- "id": "d6214dca-a31b-425f-bcf7-f4faa772a1c0",
- "name": "MSTeams Webhook",
- "regex": "['\"]?https://[a-zA-Z0-9_]{1,24}.webhook.office.com/webhook(b2)?/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/IncomingWebhook/[a-z0-9]+/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"]?"
- },
- {
- "id": "7908a9e3-5cac-41b1-b514-5f6d82ce02d5",
- "name": "Slack Token",
- "regex": "['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
- },
- {
- "id": "6abcae17-b175-4698-a9a5-b07661974749",
- "name": "Stripe API Key",
- "regex": "['\"]?sk_live_[0-9a-zA-Z]{24}[^0-9a-zA-Z]['\"]?"
- },
- {
- "id": "0b1b2482-51e7-49d1-893d-522afa4a6bd0",
- "name": "Square Access Token",
- "regex": "sq0atp-[0-9A-Za-z\\-_]{22}"
- },
- {
- "id": "6c54f9da-1a11-445a-8568-0d327e6af8be",
- "name": "MailChimp API Key",
- "regex": "[0-9a-f]{32}-us[0-9]{1,2}"
- },
- {
- "id": "e9856348-4069-4ac0-bd91-415f6a7b84a4",
- "name": "Google API Key",
- "regex": "['\"]?AIza[0-9A-Za-z\\-_]{35}['\"]?"
- },
- {
- "id": "9a3650af-5b88-48cd-ab89-cd77fd0b633f",
- "name": "Heroku API Key",
- "regex": "['\"]?(?i)heroku((.|\\n)*)\\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\\b['\"]?",
- "multiline": {
- "detectLineGroup": 3
- },
- "specialMask": "['\"]?(?i)api_key[^\\w\"']+"
- },
- {
- "id": "bb51eb1e-0357-44a2-86d7-dd5350cffd43",
- "name": "Square OAuth Secret",
- "regex": "['\"]?sq0csp-[0-9A-Za-z\\-_]{43}['\"]?"
- },
- {
- "id": "ac8c8075-6ec0-4367-9e26-30ec8161d258",
- "name": "Amazon MWS Auth Token",
- "regex": "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
- },
- {
- "id": "41a1ca8d-f466-4084-a8c9-50f8b22200d5",
- "name": "Google OAuth Access Token",
- "regex": "ya29\\.[0-9A-Za-z\\-_]+"
- },
- {
- "id": "4919b847-e3da-402a-acf8-6cea8e529993",
- "name": "PayPal Braintree Access Token",
- "regex": "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}"
- },
- {
- "id": "54274b18-bfac-47ce-afd1-0f05bc3e3b59",
- "name": "Stripe Restricted API Key",
- "regex": "['\"]?rk_live_[0-9a-zA-Z]{24}['\"]?"
- },
- {
- "id": "5176e805-0cda-44fa-ac96-c092c646180a",
- "name": "Facebook Access Token",
- "regex": "['\"]?EAACEdEose0cBA[0-9A-Za-z]+['\"]?"
- },
- {
- "id": "74736dd1-dd11-4139-beb6-41cd43a50317",
- "name": "Generic API Key",
- "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?([0-9a-zA-Z]{32,45})['\"]?",
- "allowRules": [
- {
- "description": "Avoiding Twilio API Key",
- "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?(SK[0-9a-fA-F]{32})['\"]?"
- }
- ],
- "specialMask": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*"
- },
- {
- "id": "62d0025d-9575-4eff-b60b-d3b4fcec0d04",
- "name": "Mailgun API Key",
- "regex": "['\"]?key-[0-9a-zA-Z]{32}['\"]?"
- },
- {
- "id": "50cc5f03-e686-4183-97e9-12f9b55d0f97",
- "name": "Picatic API Key",
- "regex": "sk_live_[0-9a-z]{32}"
- },
- {
- "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
- "name": "Twilio API Key",
- "regex": "SK[0-9a-fA-F]{32}"
- },
- {
- "id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
- "name": "Generic Access Key",
- "regex": "(?i)^\\s*['\"]?(access)[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
- "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*"
- },
- {
- "id": "2f665079-c383-4b33-896e-88268c1fa258",
- "name": "Generic Private Key",
- "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
- "specialMask": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*",
- "allowRules": [
- {
- "description": "Avoiding bash variables",
- "regex": "(?i)['\"]?\\$\\s*\\{[^\\s\\}]+\\}['\"]?"
- },
- {
- "description": "Avoid Docker Compose secrets paths",
- "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?/run/secrets/\\w+['\"]?"
- },
- {
- "description": "Avoiding Proto File fields",
- "regex": "(?i)private[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
- }
- ]
- },
- {
- "id": "baee238e-1921-4801-9c3f-79ae1d7b2cbc",
- "name": "Generic Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
- "allowRules": [
- {
- "description": "Avoiding Amazon MWS Auth Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]?"
- },
- {
- "description": "Avoiding Slack Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
- },
- {
- "description": "Avoiding Square Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(sq0atp-[0-9A-Za-z\\-_]{22})['\"]?"
- },
- {
- "description": "Avoiding Google OAuth Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(ya29\\.[0-9A-Za-z\\-_]+)['\"]?"
- },
- {
- "description": "Avoiding PayPal Braintree Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32})['\"]?"
- },
- {
- "description": "Avoiding Facebook Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(EAACEdEose0cBA[0-9A-Za-z]+)['\"]?"
- },
- {
- "description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
- },
- {
- "description": "Avoiding TF creation token",
- "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding CLoudformation ServiceToken",
- "regex": "['\"]?ServiceToken['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
- },
- {
- "description": "Avoiding LifecycleActionToken Var",
- "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding Github id-token Default Values",
- "regex": "(?i)['\"]?id-token['\"]?\\s*[:=]\\s*(write|read|none)"
- },
- {
- "description": "Avoiding result_token Var",
- "regex": "(?i)['\"]?result(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding next_token Var",
- "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding next_token Var",
- "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding references to module outputs in Bicep",
- "regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)"
- },
- {
- "description": "Avoiding Run After Triggers (if written in conformity with best practices)",
- "regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding Proto File fields",
- "regex": "(?i)token(_)?(key)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
- }
- ],
- "specialMask": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*"
-
- },
- {
- "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
- "name": "CloudFormation Secret Template",
- "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+-]{10,})}",
- "specialMask": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*"
- },
- {
- "id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6",
- "name": "Encryption Key",
- "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
- "allowRules": [
- {
- "description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
- },
- {
- "description": "Avoiding CLoudformation KeyName",
- "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
- },
- {
- "description": "Avoiding Proto File fields",
- "regex": "(?i)encryption[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
- }
- ],
- "specialMask": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*"
- },
- {
- "id": "8a879bc7-6f82-40fd-bb48-74d25d557fe8",
- "name": "SendGrid API Key",
- "regex": "(?i)SG\\.[a-zA-Z0-9\\-\\_]{22}\\.[a-zA-Z0-9\\-\\_]{43}\\s*"
- },
- {
- "id": "be0ed753-d304-4363-844a-144050d4006d",
- "name": "Generic Password on YAML files when value in tuple",
- "regex": ".*password\\s*:[\\n|\\r]\\s*value:([^\\n|\\r]*)",
- "multiline": {
- "detectLineGroup": 1
- },
- "specialMask": ".*password\\s*:[\\n|\\r]\\s*value:"
- },
- {
- "id": "f05f238a-2ef0-4c39-9a36-951de1ba6dc9",
- "name": "Dockerfile ENV hardcoded password with omitted equals",
- "regex": "(?i)ENV\\s+[A-Za-z0-9/~^_!@&%()=?*+-.]*password[A-Za-z0-9/~^_!@&%()=?*+-.]*\\s+['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?"
- }
- ],
- "allowRules": [
- {
- "description": "Avoiding TF variables",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(var\\.)['\"]?"
- },
- {
- "description": "!Ref is a cloudFormation reference",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+!Ref\\s+\\.*"
- },
- {
- "description": "Avoiding cloudFormation intrinsic functions",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|!Not|Fn::Transform(:)?)\\s+\\.*"
- },
- {
- "description": "Avoiding CF resolve",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?({{resolve:)['\"]?"
- },
- {
- "description": "Avoiding Boolean's",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(true|false)['\"]?"
- },
- {
- "description": "Avoiding arn",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(arn:)['\"]?"
- },
- {
- "description": "Avoiding array access",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,}\\[([0-9]|['\"][a-zA-Z0-9]+['\"])\\])['\"]?"
- },
- {
- "description": "Avoiding TF file function",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(file\\()['\"]?"
- },
- {
- "description": "Avoiding ansible-vault encrypted variables",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(!vault \\|)['\"]?"
- },
- {
- "description": "Avoiding sha-hashed mysql native passwords",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(\\*[0-9A-F]{40})['\"]?"
- }
- ]
-}
+{
+ "rules": [
+ {
+ "id": "487f4be7-3fd9-4506-a07a-eae252180c08",
+ "name": "Generic Password",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?",
+ "allowRules": [
+ {
+ "description": "Avoiding TF resource access",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)"
+ },
+ {
+ "description": "Avoiding description field",
+ "regex": "(?i)['\"]?description['\"]?\\s*=\\s*['\"].*['\"]"
+ },
+ {
+ "description": "Avoiding Terraform 'optional' statement",
+ "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)$"
+ },
+ {
+ "description": "Avoiding Terraform 'try' statement",
+ "regex": "(?i)['\"]?password['\"]?\\s*=\\s*try\\([^\"']+,[^\"']+\\)$"
+ },
+ {
+ "description": "Avoiding CF AllowUsersToChangePassword",
+ "regex": "['\"]?AllowUsersToChangePassword['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+ },
+ {
+ "description": "Avoiding Ansible playbook update_password",
+ "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+ },
+ {
+ "description": "Allow placeholders",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"](\\$\\(|\\$?\\{\\{)\\s*\\w+\\s*(\\)|\\}\\})['\"]"
+ },
+ {
+ "description": "Allow empty values",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(''|\"\")"
+ },
+ {
+ "description": "Allow password retrieved from ARM parameters",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"]([a-zA-Z][a-zA-Z0-9_-]*)['\"]['\"]?\\)"
+ }
+ ],
+ "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"
+ },
+ {
+ "id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99",
+ "name": "Generic Secret",
+ "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]{10,})['\"]?",
+ "entropies": [
+ {
+ "group": 3,
+ "min": 2.8,
+ "max": 8
+ }
+ ],
+ "allowRules": [
+ {
+ "description": "Avoiding Square OAuth Secret",
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?"
+ },
+ {
+ "description": "Avoiding TF resource access",
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\.\\)\\]\\$]|(:\\s*null))|null)"
+ },
+ {
+ "description": "Avoiding Secrets Manager arn",
+ "regex": ":secretsmanager:[a-z0-9-*?]+:[0-9*?]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding CloudFormation Parameters Descriptions",
+ "regex": "['\"]?Description['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*${}+-.'\"]+)['\"]?"
+ },
+ {
+ "description": "Avoiding Secrets from Azure Key Vault",
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+-]+}?"
+ },
+ {
+ "description": "Allow secret retrieved from ARM parameters",
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_-]*['\"]\\s*\\)\\s*\\]"
+ },
+ {
+ "description": "Allow secrets retrieved from Bicep getSecret built in function",
+ "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"
+ }
+ ],
+ "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*"
+ },
+ {
+ "id": "51b5b840-cd0c-4556-98a7-fe5f4def80cf",
+ "name": "Asymmetric private key",
+ "regex": "-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----\\s*(([A-Za-z0-9+,:\\-\\/=\\n\\r]+\\s*)+)-----END ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----",
+ "multiline": {
+ "detectLineGroup": 4
+ },
+ "entropies": [
+ {
+ "group": 5,
+ "min": 3.7,
+ "max": 12
+ }
+ ],
+ "specialMask": "all"
+ },
+ {
+ "id": "a007a85e-a2a7-4a81-803a-7a2ca0c65abb",
+ "name": "Putty User Key File Content",
+ "regex": "['\"]?PuTTY-User-Key-File-\\d: ([\\w\\d-:\\n\\s+/=]+Private-MAC: [\\d\\w\"]+)['\"]?",
+ "multiline": {
+ "detectLineGroup": 1
+ },
+ "specialMask": "all"
+ },
+ {
+ "id": "c4d3b58a-e6d4-450f-9340-04f1e702eaae",
+ "name": "Password in URL",
+ "regex": "['\"]?[a-zA-Z]{3,10}://[^/\\s:@$]*?:[^/\\s:@$]*?@[^/\\s:@$]*['\"]?"
+ },
+ {
+ "id": "76c0bcde-903d-456e-ac13-e58c34987852",
+ "name": "AWS Access Key",
+ "regex": "(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}"
+ },
+ {
+ "id": "76c0bcde-903d-456e-ac13-e58c34987852",
+ "name": "AWS Context-specific credential",
+ "regex": "(A3T[A-Z0-9]|ACCA)[A-Z0-9]{16}"
+ },
+ {
+ "id": "76c0bcde-903d-456e-ac13-e58c34987852",
+ "name": "AWS Certificate",
+ "regex": "(A3T[A-Z0-9]|ASCA)[A-Z0-9]{16}"
+ },
+ {
+ "id": "83ab47ff-381d-48cd-bac5-fb32222f54af",
+ "name": "AWS Secret Key",
+ "regex": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*['\"]?([a-zA-Z0-9/]{40})[\"']?",
+ "entropies": [
+ {
+ "group": 3,
+ "min": 4.8,
+ "max": 7
+ }
+ ],
+ "specialMask": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*"
+ },
+ {
+ "id": "4b2b5fd3-364d-4093-bac2-17391b2a5297",
+ "name": "K8s Environment Variable Password",
+ "regex": "apiVersion((.*)\\s*)*env:((.*)\\s*)*name:\\s*\\w+(?i)pass((?i)word)?\\w*\\s*(value):\\s*([\"|'].*[\"|'])",
+ "multiline": {
+ "detectLineGroup": 7
+ },
+ "specialMask": "\\s*(value):\\s*"
+ },
+ {
+ "id": "d651cca2-2156-4d17-8e76-423e68de5c8b",
+ "name": "Google OAuth",
+ "regex": "['\"]?[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com['\"]?"
+ },
+ {
+ "id": "ccde326f-ebc7-4772-8ad5-de66e90a8cc3",
+ "name": "Slack Webhook",
+ "regex": "['\"]?https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}['\"]?"
+ },
+ {
+ "id": "d6214dca-a31b-425f-bcf7-f4faa772a1c0",
+ "name": "MSTeams Webhook",
+ "regex": "['\"]?https://[a-zA-Z0-9_]{1,24}.webhook.office.com/webhook(b2)?/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/IncomingWebhook/[a-z0-9]+/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"]?"
+ },
+ {
+ "id": "7908a9e3-5cac-41b1-b514-5f6d82ce02d5",
+ "name": "Slack Token",
+ "regex": "['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
+ },
+ {
+ "id": "6abcae17-b175-4698-a9a5-b07661974749",
+ "name": "Stripe API Key",
+ "regex": "['\"]?sk_live_[0-9a-zA-Z]{24}[^0-9a-zA-Z]['\"]?"
+ },
+ {
+ "id": "0b1b2482-51e7-49d1-893d-522afa4a6bd0",
+ "name": "Square Access Token",
+ "regex": "sq0atp-[0-9A-Za-z\\-_]{22}"
+ },
+ {
+ "id": "6c54f9da-1a11-445a-8568-0d327e6af8be",
+ "name": "MailChimp API Key",
+ "regex": "[0-9a-f]{32}-us[0-9]{1,2}"
+ },
+ {
+ "id": "e9856348-4069-4ac0-bd91-415f6a7b84a4",
+ "name": "Google API Key",
+ "regex": "['\"]?AIza[0-9A-Za-z\\-_]{35}['\"]?"
+ },
+ {
+ "id": "9a3650af-5b88-48cd-ab89-cd77fd0b633f",
+ "name": "Heroku API Key",
+ "regex": "['\"]?(?i)heroku((.|\\n)*)\\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\\b['\"]?",
+ "multiline": {
+ "detectLineGroup": 3
+ },
+ "specialMask": "['\"]?(?i)api_key[^\\w\"']+"
+ },
+ {
+ "id": "bb51eb1e-0357-44a2-86d7-dd5350cffd43",
+ "name": "Square OAuth Secret",
+ "regex": "['\"]?sq0csp-[0-9A-Za-z\\-_]{43}['\"]?"
+ },
+ {
+ "id": "ac8c8075-6ec0-4367-9e26-30ec8161d258",
+ "name": "Amazon MWS Auth Token",
+ "regex": "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
+ },
+ {
+ "id": "41a1ca8d-f466-4084-a8c9-50f8b22200d5",
+ "name": "Google OAuth Access Token",
+ "regex": "ya29\\.[0-9A-Za-z\\-_]+"
+ },
+ {
+ "id": "4919b847-e3da-402a-acf8-6cea8e529993",
+ "name": "PayPal Braintree Access Token",
+ "regex": "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}"
+ },
+ {
+ "id": "54274b18-bfac-47ce-afd1-0f05bc3e3b59",
+ "name": "Stripe Restricted API Key",
+ "regex": "['\"]?rk_live_[0-9a-zA-Z]{24}['\"]?"
+ },
+ {
+ "id": "5176e805-0cda-44fa-ac96-c092c646180a",
+ "name": "Facebook Access Token",
+ "regex": "['\"]?EAACEdEose0cBA[0-9A-Za-z]+['\"]?"
+ },
+ {
+ "id": "74736dd1-dd11-4139-beb6-41cd43a50317",
+ "name": "Generic API Key",
+ "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?([0-9a-zA-Z]{32,45})['\"]?",
+ "allowRules": [
+ {
+ "description": "Avoiding Twilio API Key",
+ "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?(SK[0-9a-fA-F]{32})['\"]?"
+ }
+ ],
+ "specialMask": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*"
+ },
+ {
+ "id": "62d0025d-9575-4eff-b60b-d3b4fcec0d04",
+ "name": "Mailgun API Key",
+ "regex": "['\"]?key-[0-9a-zA-Z]{32}['\"]?"
+ },
+ {
+ "id": "50cc5f03-e686-4183-97e9-12f9b55d0f97",
+ "name": "Picatic API Key",
+ "regex": "sk_live_[0-9a-z]{32}"
+ },
+ {
+ "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
+ "name": "Twilio API Key",
+ "regex": "SK[0-9a-fA-F]{32}"
+ },
+ {
+ "id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
+ "name": "Generic Access Key",
+ "regex": "(?i)^\\s*['\"]?(access)[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
+ "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*"
+ },
+ {
+ "id": "2f665079-c383-4b33-896e-88268c1fa258",
+ "name": "Generic Private Key",
+ "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+ "specialMask": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*",
+ "allowRules": [
+ {
+ "description": "Avoiding bash variables",
+ "regex": "(?i)['\"]?\\$\\s*\\{[^\\s\\}]+\\}['\"]?"
+ },
+ {
+ "description": "Avoid Docker Compose secrets paths",
+ "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?/run/secrets/\\w+['\"]?"
+ }
+ ]
+ },
+ {
+ "id": "baee238e-1921-4801-9c3f-79ae1d7b2cbc",
+ "name": "Generic Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+ "allowRules": [
+ {
+ "description": "Avoiding Amazon MWS Auth Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]?"
+ },
+ {
+ "description": "Avoiding Slack Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
+ },
+ {
+ "description": "Avoiding Square Access Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(sq0atp-[0-9A-Za-z\\-_]{22})['\"]?"
+ },
+ {
+ "description": "Avoiding Google OAuth Access Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(ya29\\.[0-9A-Za-z\\-_]+)['\"]?"
+ },
+ {
+ "description": "Avoiding PayPal Braintree Access Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32})['\"]?"
+ },
+ {
+ "description": "Avoiding Facebook Access Token",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(EAACEdEose0cBA[0-9A-Za-z]+)['\"]?"
+ },
+ {
+ "description": "Avoiding TF resource access",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+ },
+ {
+ "description": "Avoiding TF creation token",
+ "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding CLoudformation ServiceToken",
+ "regex": "['\"]?ServiceToken['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
+ },
+ {
+ "description": "Avoiding LifecycleActionToken Var",
+ "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding Github id-token Default Values",
+ "regex": "(?i)['\"]?id-token['\"]?\\s*[:=]\\s*(write|read|none)"
+ },
+ {
+ "description": "Avoiding result_token Var",
+ "regex": "(?i)['\"]?result(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding next_token Var",
+ "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding next_token Var",
+ "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding references to module outputs in Bicep",
+ "regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)"
+ },
+ {
+ "description": "Avoiding Run After Triggers (if written in conformity with best practices)",
+ "regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ }
+ ],
+ "specialMask": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*"
+
+ },
+ {
+ "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
+ "name": "CloudFormation Secret Template",
+ "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+-]{10,})}",
+ "specialMask": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*"
+ },
+ {
+ "id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6",
+ "name": "Encryption Key",
+ "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+ "allowRules": [
+ {
+ "description": "Avoiding TF resource access",
+ "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+ },
+ {
+ "description": "Avoiding CLoudformation KeyName",
+ "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
+ }
+ ],
+ "specialMask": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*"
+ },
+ {
+ "id": "8a879bc7-6f82-40fd-bb48-74d25d557fe8",
+ "name": "SendGrid API Key",
+ "regex": "(?i)SG\\.[a-zA-Z0-9\\-\\_]{22}\\.[a-zA-Z0-9\\-\\_]{43}\\s*"
+ },
+ {
+ "id": "be0ed753-d304-4363-844a-144050d4006d",
+ "name": "Generic Password on YAML files when value in tuple",
+ "regex": ".*password\\s*:[\\n|\\r]\\s*value:([^\\n|\\r]*)",
+ "multiline": {
+ "detectLineGroup": 1
+ },
+ "specialMask": ".*password\\s*:[\\n|\\r]\\s*value:"
+ },
+ {
+ "id": "f05f238a-2ef0-4c39-9a36-951de1ba6dc9",
+ "name": "Dockerfile ENV hardcoded password with omitted equals",
+ "regex": "(?i)ENV\\s+[A-Za-z0-9/~^_!@&%()=?*+-.]*password[A-Za-z0-9/~^_!@&%()=?*+-.]*\\s+['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?"
+ }
+ ],
+ "allowRules": [
+ {
+ "description": "Avoiding TF variables",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(var\\.)['\"]?"
+ },
+ {
+ "description": "!Ref is a cloudFormation reference",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+!Ref\\s+\\.*"
+ },
+ {
+ "description": "Avoiding cloudFormation intrinsic functions",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|!Not|Fn::Transform(:)?)\\s+\\.*"
+ },
+ {
+ "description": "Avoiding CF resolve",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?({{resolve:)['\"]?"
+ },
+ {
+ "description": "Avoiding Boolean's",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(true|false)['\"]?"
+ },
+ {
+ "description": "Avoiding arn",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(arn:)['\"]?"
+ },
+ {
+ "description": "Avoiding array access",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,}\\[([0-9]|['\"][a-zA-Z0-9]+['\"])\\])['\"]?"
+ },
+ {
+ "description": "Avoiding TF file function",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(file\\()['\"]?"
+ },
+ {
+ "description": "Avoiding ansible-vault encrypted variables",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(!vault \\|)['\"]?"
+ },
+ {
+ "description": "Avoiding sha-hashed mysql native passwords",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(\\*[0-9A-F]{40})['\"]?"
+ }
+ ]
+}
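Review bot: The "Avoiding TF resource access" allow rule carried over on the new side for Generic Token and for Encryption Key uses the character class `[a-zA-z_]` with unescaped `(.)` groups, so the `A-z` range also admits `[ \ ] ^ \`` and each dot matches any character; an unquoted value such as `token = s3cr3tTok3nValue` satisfies the rule and is suppressed, which is a false negative for a secret scanner. Escaping the dots and restricting to ASCII letters, e.g. `"regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*=\\s*([a-zA-Z_][a-zA-Z0-9_]*\\.){2,}[a-zA-Z0-9_]+"`, keeps three-or-more-segment references such as `data.x.y.z` allowed while rejecting plain values; indexed references like `web[0].id` would then need the explicit `(\\[...\\])?` segment that the Generic Password rule's equivalent allow rule already spells out, and reusing that form in both places would also make the three rules consistent. If downstream deduplication or suppression keys on `id`, the three AWS rules sharing `76c0bcde-903d-456e-ac13-e58c34987852` and the Twilio API Key / CloudFormation Secret Template pair sharing `e0f01838-b1c2-4669-b84b-981949ebe5ed` become indistinguishable, and the Generic Token allow list also carries the "Avoiding next_token Var" entry twice. Separately, because this hunk rewrites all 458 lines (presumably a line-ending or indentation normalization, as the title suggests), the only semantic change — dropping the four "Avoiding Proto File fields" allow rules now that the inspector skips proto files — is hard to review; landing the whitespace change on its own would leave a 16-line diff for the rule removal.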
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index 2d6320703a9..e29ad869f20 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -1,482 +1,464 @@
-[
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 8,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 6,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive3.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 9,
- "fileName": "positive4.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Secret",
- "severity": "HIGH",
- "line": 2,
- "fileName": "positive5.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 3,
- "fileName": "positive6.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive6.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 8,
- "fileName": "positive7.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive8.json"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line":7,
- "fileName": "positive8.json"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 8,
- "fileName": "positive9.tf"
- },
- {
- "queryName": "Passwords And Secrets - Password in URL",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive10.json"
- },
- {
- "queryName": "Passwords And Secrets - Slack Webhook",
- "severity": "HIGH",
- "line": 17,
- "fileName": "positive10.json"
- },
- {
- "queryName": "Passwords And Secrets - MSTeams Webhook",
- "severity": "HIGH",
- "line": 27,
- "fileName": "positive10.json"
- },
- {
- "queryName": "Passwords And Secrets - Password in URL",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive11.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Slack Webhook",
- "severity": "HIGH",
- "line": 9,
- "fileName": "positive11.yaml"
- },
- {
- "queryName": "Passwords And Secrets - MSTeams Webhook",
- "severity": "HIGH",
- "line": 11,
- "fileName": "positive11.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 8,
- "fileName": "positive12.json"
- },
- {
- "queryName": "Passwords And Secrets - Password in URL",
- "severity": "HIGH",
- "line": 11,
- "fileName": "positive12.json"
- },
- {
- "queryName": "Passwords And Secrets - Slack Webhook",
- "severity": "HIGH",
- "line": 15,
- "fileName": "positive12.json"
- },
- {
- "queryName": "Passwords And Secrets - MSTeams Webhook",
- "severity": "HIGH",
- "line": 19,
- "fileName": "positive12.json"
- },
- {
- "queryName": "Passwords And Secrets - Asymmetric private key",
- "severity": "HIGH",
- "line": 6,
- "fileName": "positive13.tf"
- },
- {
- "queryName": "Passwords And Secrets - AWS Access Key",
- "severity": "HIGH",
- "line": 17,
- "fileName": "positive14.tf"
- },
- {
- "queryName": "Passwords And Secrets - AWS Secret Key",
- "severity": "HIGH",
- "line": 18,
- "fileName": "positive14.tf"
- },
- {
- "queryName": "Passwords And Secrets - AWS Access Key",
- "severity": "HIGH",
- "line": 14,
- "fileName": "positive15.tf"
- },
- {
- "queryName": "Passwords And Secrets - AWS Secret Key",
- "severity": "HIGH",
- "line": 15,
- "fileName": "positive15.tf"
- },
- {
- "queryName": "Passwords And Secrets - K8s Environment Variable Password",
- "severity": "HIGH",
- "line": 34,
- "fileName": "positive16.yaml"
- },
- {
- "queryName": "Passwords And Secrets - K8s Environment Variable Password",
- "severity": "HIGH",
- "line": 36,
- "fileName": "positive16.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive17.tf"
- },
- {
- "queryName": "Passwords And Secrets - Google OAuth",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive18.tf"
- },
- {
- "queryName": "Passwords And Secrets - Slack Token",
- "severity": "HIGH",
- "line": 2,
- "fileName": "positive19.tf"
- },
- {
- "queryName": "Passwords And Secrets - Stripe API Key",
- "severity": "HIGH",
- "line": 2,
- "fileName": "positive20.tf"
- },
- {
- "queryName": "Passwords And Secrets - Google API Key",
- "severity": "HIGH",
- "line": 50,
- "fileName": "positive21.tf"
- },
- {
- "queryName": "Passwords And Secrets - Heroku API Key",
- "severity": "HIGH",
- "line": 3,
- "fileName": "positive22.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Token",
- "severity": "HIGH",
- "line": 3,
- "fileName": "positive23.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic API Key",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive24.tf"
- },
- {
- "queryName": "Passwords And Secrets - Square Access Token",
- "severity": "HIGH",
- "line": 3,
- "fileName": "positive25.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - Picatic API Key",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive25.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - Amazon MWS Auth Token",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive25.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - MailChimp API Key",
- "severity": "HIGH",
- "line": 9,
- "fileName": "positive25.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - SendGrid API Key",
- "severity": "HIGH",
- "line": 11,
- "fileName": "positive25.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - Generic Private Key",
- "severity": "HIGH",
- "line": 9,
- "fileName": "positive26.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Token",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive27.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Token",
- "severity": "HIGH",
- "line": 22,
- "fileName": "positive27.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Token",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive28.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Mailgun API Key",
- "severity": "HIGH",
- "line": 2,
- "fileName": "positive29.tf"
- },
- {
- "queryName": "Passwords And Secrets - Stripe Restricted API Key",
- "severity": "HIGH",
- "line": 2,
- "fileName": "positive30.tf"
- },
- {
- "queryName": "Passwords And Secrets - Twilio API Key",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive31.yaml"
- },
- {
- "queryName": "Passwords And Secrets - PayPal Braintree Access Token",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive32.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Facebook Access Token",
- "severity": "HIGH",
- "line": 13,
- "fileName": "positive33.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Square OAuth Secret",
- "severity": "HIGH",
- "line": 13,
- "fileName": "positive34.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Google OAuth Access Token",
- "severity": "HIGH",
- "line": 13,
- "fileName": "positive35.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Putty User Key File Content",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive36.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Secret",
- "severity": "HIGH",
- "line": 14,
- "fileName": "positive37.tf"
- },
- {
- "queryName": "Passwords And Secrets - CloudFormation Secret Template",
- "severity": "HIGH",
- "line": 16,
- "fileName": "positive38.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Secret",
- "severity": "HIGH",
- "line": 3,
- "fileName": "positive39.tf"
- },
- {
- "queryName": "Passwords And Secrets - AWS Context-specific credential",
- "severity": "HIGH",
- "line": 14,
- "fileName": "positive40.tf"
- },
- {
- "queryName": "Passwords And Secrets - AWS Certificate",
- "severity": "HIGH",
- "line": 15,
- "fileName": "positive40.tf"
- },
- {
- "queryName": "Passwords And Secrets - Asymmetric private key",
- "severity": "HIGH",
- "line": 6,
- "fileName": "positive41.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Access Key",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive42.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Token",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive43.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Secret",
- "severity": "HIGH",
- "line": 17,
- "fileName": "positive44.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 9,
- "fileName": "positive45.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 20,
- "fileName": "positive46.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 21,
- "fileName": "positive46.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Google OAuth",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive47.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Secret",
- "severity": "HIGH",
- "line": 6,
- "fileName": "positive47.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 8,
- "fileName": "positive48.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Private Key",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive49.yml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple",
- "severity": "HIGH",
- "line": 56,
- "fileName": "positive50.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple",
- "severity": "HIGH",
- "line": 68,
- "fileName": "positive50.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Dockerfile ENV hardcoded password with omitted equals",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive51.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive52.dockerfile"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 54,
- "fileName": "positive53.json"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 8,
- "fileName": "positive54.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 14,
- "fileName": "positive54.tf"
- },
- {
- "queryName": "Passwords And Secrets - Generic Secret",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive55.json"
- },
- {
- "queryName": "Passwords And Secrets - Generic Password",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive56.json"
- },
- {
- "queryName": "Passwords And Secrets - Generic Secret",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive56.json"
- },
- {
- "queryName": "Passwords And Secrets - Generic Token",
- "severity": "HIGH",
- "line": 6,
- "fileName": "positive56.json"
- }
+[
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive1.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive2.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive3.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 9,
+ "fileName": "positive4.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 2,
+ "fileName": "positive5.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 3,
+ "fileName": "positive6.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive6.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive7.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive8.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line":7,
+ "fileName": "positive8.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive9.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Password in URL",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive10.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Slack Webhook",
+ "severity": "HIGH",
+ "line": 17,
+ "fileName": "positive10.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - MSTeams Webhook",
+ "severity": "HIGH",
+ "line": 27,
+ "fileName": "positive10.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Password in URL",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive11.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Slack Webhook",
+ "severity": "HIGH",
+ "line": 9,
+ "fileName": "positive11.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - MSTeams Webhook",
+ "severity": "HIGH",
+ "line": 11,
+ "fileName": "positive11.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive12.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Password in URL",
+ "severity": "HIGH",
+ "line": 11,
+ "fileName": "positive12.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Slack Webhook",
+ "severity": "HIGH",
+ "line": 15,
+ "fileName": "positive12.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - MSTeams Webhook",
+ "severity": "HIGH",
+ "line": 19,
+ "fileName": "positive12.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Asymmetric private key",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive13.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - AWS Access Key",
+ "severity": "HIGH",
+ "line": 17,
+ "fileName": "positive14.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - AWS Secret Key",
+ "severity": "HIGH",
+ "line": 18,
+ "fileName": "positive14.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - AWS Access Key",
+ "severity": "HIGH",
+ "line": 14,
+ "fileName": "positive15.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - AWS Secret Key",
+ "severity": "HIGH",
+ "line": 15,
+ "fileName": "positive15.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - K8s Environment Variable Password",
+ "severity": "HIGH",
+ "line": 34,
+ "fileName": "positive16.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - K8s Environment Variable Password",
+ "severity": "HIGH",
+ "line": 36,
+ "fileName": "positive16.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive17.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Google OAuth",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive18.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Slack Token",
+ "severity": "HIGH",
+ "line": 2,
+ "fileName": "positive19.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Stripe API Key",
+ "severity": "HIGH",
+ "line": 2,
+ "fileName": "positive20.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Google API Key",
+ "severity": "HIGH",
+ "line": 50,
+ "fileName": "positive21.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Heroku API Key",
+ "severity": "HIGH",
+ "line": 3,
+ "fileName": "positive22.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 3,
+ "fileName": "positive23.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic API Key",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive24.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Square Access Token",
+ "severity": "HIGH",
+ "line": 3,
+ "fileName": "positive25.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - Picatic API Key",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive25.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - Amazon MWS Auth Token",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive25.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - MailChimp API Key",
+ "severity": "HIGH",
+ "line": 9,
+ "fileName": "positive25.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - SendGrid API Key",
+ "severity": "HIGH",
+ "line": 11,
+ "fileName": "positive25.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Private Key",
+ "severity": "HIGH",
+ "line": 9,
+ "fileName": "positive26.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive27.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 22,
+ "fileName": "positive27.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive28.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Mailgun API Key",
+ "severity": "HIGH",
+ "line": 2,
+ "fileName": "positive29.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Stripe Restricted API Key",
+ "severity": "HIGH",
+ "line": 2,
+ "fileName": "positive30.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Twilio API Key",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive31.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - PayPal Braintree Access Token",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive32.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Facebook Access Token",
+ "severity": "HIGH",
+ "line": 13,
+ "fileName": "positive33.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Square OAuth Secret",
+ "severity": "HIGH",
+ "line": 13,
+ "fileName": "positive34.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Google OAuth Access Token",
+ "severity": "HIGH",
+ "line": 13,
+ "fileName": "positive35.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Putty User Key File Content",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive36.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 14,
+ "fileName": "positive37.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - CloudFormation Secret Template",
+ "severity": "HIGH",
+ "line": 16,
+ "fileName": "positive38.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 3,
+ "fileName": "positive39.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - AWS Context-specific credential",
+ "severity": "HIGH",
+ "line": 14,
+ "fileName": "positive40.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - AWS Certificate",
+ "severity": "HIGH",
+ "line": 15,
+ "fileName": "positive40.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Asymmetric private key",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive41.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Access Key",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive42.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive43.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 17,
+ "fileName": "positive44.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 9,
+ "fileName": "positive45.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 20,
+ "fileName": "positive46.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 21,
+ "fileName": "positive46.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Google OAuth",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive47.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive47.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive48.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Private Key",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive49.yml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple",
+ "severity": "HIGH",
+ "line": 56,
+ "fileName": "positive50.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple",
+ "severity": "HIGH",
+ "line": 68,
+ "fileName": "positive50.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Dockerfile ENV hardcoded password with omitted equals",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive51.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive52.dockerfile"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 54,
+ "fileName": "positive53.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive54.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 14,
+ "fileName": "positive54.tf"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive55.json"
+ }
]
\ No newline at end of file
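Review bot: On the new side the three positive56.json expectations (Generic Password at line 4, Generic Secret at line 5, Generic Token at line 6) are gone while every other entry is reproduced unchanged, so this hunk quietly relaxes the positive test without any visible change to the positive56.json fixture. Because the whole 482-line file is rewritten rather than only those entries, the deletion is easy to miss; the rewrite looks like a line-ending or whitespace normalization that should be kept out of this commit. If the entries are still expected, restore them here (a later patch in this series re-adds exactly these three objects) and normalize the file's line endings in a separate change.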
From ac1555083e4f9708a1e9ea79074b66cffd2fde49 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 15:42:22 +0000
Subject: [PATCH 05/30] Part 2 fix git diff
---
.../passwords_and_secrets/regex_rules.json | 22 ++++++++++++++-----
.../test/positive_expected_result.json | 18 +++++++++++++++
2 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 4620f0285cd..7e61733518e 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -40,6 +40,10 @@
{
"description": "Allow password retrieved from ARM parameters",
"regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"]([a-zA-Z][a-zA-Z0-9_-]*)['\"]['\"]?\\)"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)password\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
}
],
"specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"
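Review bot: The new allow rule `"regex": "(?i)password\\s*=\\s*[1-9][0-9]{0,8}\\s*;"` is not tied to proto syntax: if allow rules are evaluated against the whole line, it suppresses any `password = <1–9 digits>;` assignment in every file kind the query scans, so a semicolon-terminated numeric password in a script or config file is now silently skipped by Generic Password. The same shape is added for private_key, token and encryption_key in the hunks below (and for secret and access_key in the "Two more allow rules" patch), so the gap applies to all of them. If proto files are meant to be excluded at the file-kind level instead, these rules are redundant; if they are needed, anchor them to a field declaration by requiring a leading type token, e.g. `(?i)^\\s*(optional\\s+|repeated\\s+)?[a-z0-9_.]+\\s+\\w*password\\w*\\s*=\\s*[1-9][0-9]{0,8}\\s*;` (widen the type class if `map<…>` fields are expected).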
@@ -279,6 +283,10 @@
{
"description": "Avoid Docker Compose secrets paths",
"regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?/run/secrets/\\w+['\"]?"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)private[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
}
]
},
@@ -338,11 +346,7 @@
{
"description": "Avoiding next_token Var",
"regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding next_token Var",
- "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
+ }
{
"description": "Avoiding references to module outputs in Bicep",
"regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)"
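Review bot: The replacement `}` that closes the "Avoiding next_token Var" object drops the comma that separated it from the next object, leaving regex_rules.json unparseable at this commit. The following patch in the series ("Fix regex rules …") restores it, but an intermediate commit with invalid JSON breaks bisecting and any CI run at that point, so consider squashing that fix into this commit. The line should read `},`.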
@@ -350,6 +354,10 @@
{
"description": "Avoiding Run After Triggers (if written in conformity with best practices)",
"regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)token(_)?(key)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
}
],
"specialMask": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*"
@@ -373,6 +381,10 @@
{
"description": "Avoiding CLoudformation KeyName",
"regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)encryption[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
}
],
"specialMask": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*"
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index e29ad869f20..8cfd8102b6a 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -460,5 +460,23 @@
"severity": "HIGH",
"line": 4,
"fileName": "positive55.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive56.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive56.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive56.json"
}
]
\ No newline at end of file
From bb1c871b0e17c5cf5a96d14dd386e309bad2f86a Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 15:43:26 +0000
Subject: [PATCH 06/30] Fix regex rules (duplicated rule was removed but comma
was missed)
---
assets/queries/common/passwords_and_secrets/regex_rules.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 7e61733518e..a47eb8b523d 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -346,7 +346,7 @@
{
"description": "Avoiding next_token Var",
"regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- }
+ },
{
"description": "Avoiding references to module outputs in Bicep",
"regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)"
From 97cf527178b5cb0151d99afaa7c035dc1e13df26 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 16:00:03 +0000
Subject: [PATCH 07/30] Two more allow rules plus updated negative sample
---
.../passwords_and_secrets/regex_rules.json | 12 +++++++++++-
.../passwords_and_secrets/test/negative60.proto | 16 +++++++++-------
2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index a47eb8b523d..c3213f8db3e 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -87,6 +87,10 @@
{
"description": "Allow secrets retrieved from Bicep getSecret built in function",
"regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)secret[_]?(key|value)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
}
],
"specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*"
@@ -267,7 +271,13 @@
{
"id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
"name": "Generic Access Key",
- "regex": "(?i)^\\s*['\"]?(access)[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
+ "regex": "(?i)^\\s*['\"]?access[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
+ "allowRules": [
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)access[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ }
+ ],
"specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*"
},
{
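Review bot: Dropping the `(access)` group from the Generic Access Key regex renumbers its capture groups (the value moves from group 2 to group 1); if the masking or result-extraction code selects the secret by group index, that index has to change with it — confirm before merging. The new "Avoiding Proto File fields" allow rule also cannot fire on a proto field declaration: the detection regex is anchored with `^\\s*['\"]?access[_]?key`, and a field line starts with its type (e.g. `string access_key = 1313;` in the fixture below), so such a line is never reported in the first place and the allow rule is dead. Either drop the allow rule or, if the intent is to catch bare `access_key = …` lines, document that the anchor is deliberate.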
diff --git a/assets/queries/common/passwords_and_secrets/test/negative60.proto b/assets/queries/common/passwords_and_secrets/test/negative60.proto
index b920060c8ec..4b22ba8d902 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative60.proto
+++ b/assets/queries/common/passwords_and_secrets/test/negative60.proto
@@ -7,7 +7,15 @@ package com.example.security_test.v1;
import "google/protobuf/wrappers.proto";
-message ResultsThatFlag {
+message SampleMessageNegative {
+ string the_secret = 15; //Generic Secret
+ string another_secret_ = 16; //Generic Secret
+ string the_secret_key = 17; //Generic Secret
+ string a_secret_value = 18; //Generic Secret
+ string another_secretvalue = 19; //Generic Secret
+ string another_secretkey = 31; //Generic Secret
+ double accesskey = 1212; //Generic Access Key
+ string access_key = 1313; //Generic Access Key
google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token
google.protobuf.StringValue access_token= 1; // Generic Token
google.protobuf.StringValue id_token = 3; // Generic Token
@@ -18,12 +26,6 @@ message ResultsThatFlag {
google.protobuf.StringValue sas_token = 12; // Generic Token
google.protobuf.StringValue auth_token = 13; // Generic Token
google.protobuf.StringValue bot_token = 14; // Generic Token
- google.protobuf.StringValue verification_token=15; // Generic Token
- google.protobuf.StringValue oauth_access_token = 16; // Generic Token
- google.protobuf.StringValue app_token = 17; // Generic Token
- google.protobuf.StringValue personal_access_token = 18; // Generic Token
- google.protobuf.StringValue service_account_token = 29; // Generic Token
- google.protobuf.StringValue webhook_verification_token = 31; // Generic Token
google.protobuf.StringValue callback_token = 32; // Generic Token
google.protobuf.StringValue k8s_service_account_token = 33; // Generic Token
google.protobuf.StringValue registry_token = 34; // Generic Token
From c13808d150ea03a189858888a1fc8a09f3974012 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 16:07:44 +0000
Subject: [PATCH 08/30] Fallback, generic secret reqires 10 digits (impossible
in proto) and generic api key enforces trimmed line starting with 'access'
---
.../queries/common/passwords_and_secrets/regex_rules.json | 4 ----
.../common/passwords_and_secrets/test/negative60.proto | 8 --------
2 files changed, 12 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index c3213f8db3e..a9411de719a 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -87,10 +87,6 @@
{
"description": "Allow secrets retrieved from Bicep getSecret built in function",
"regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"
- },
- {
- "description": "Avoiding Proto File fields",
- "regex": "(?i)secret[_]?(key|value)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
}
],
"specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*"
diff --git a/assets/queries/common/passwords_and_secrets/test/negative60.proto b/assets/queries/common/passwords_and_secrets/test/negative60.proto
index 4b22ba8d902..469ed11ea50 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative60.proto
+++ b/assets/queries/common/passwords_and_secrets/test/negative60.proto
@@ -8,14 +8,6 @@ package com.example.security_test.v1;
import "google/protobuf/wrappers.proto";
message SampleMessageNegative {
- string the_secret = 15; //Generic Secret
- string another_secret_ = 16; //Generic Secret
- string the_secret_key = 17; //Generic Secret
- string a_secret_value = 18; //Generic Secret
- string another_secretvalue = 19; //Generic Secret
- string another_secretkey = 31; //Generic Secret
- double accesskey = 1212; //Generic Access Key
- string access_key = 1313; //Generic Access Key
google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token
google.protobuf.StringValue access_token= 1; // Generic Token
google.protobuf.StringValue id_token = 3; // Generic Token
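Review bot: With every secret-named and access_key field deleted from SampleMessageNegative, this fixture no longer exercises the Generic Secret or Generic Access Key rules against proto syntax at all, even though the commit depends on specific regex properties (the 10-character minimum and the `^\\s*access` anchor) to keep such fields quiet. The refresh_token line kept directly below already probes the maximum field number for Generic Token; the same boundary matters more for Generic Secret because its value class admits `;`, making `536870911;` exactly ten characters. I would keep one sample per rule, `string secret_key = 536870911; // Generic Secret` and `string access_key = 536870911; // Generic Access Key`, so a future regex change that re-triggers on proto fields fails the negative test instead of regressing silently. The message body continues past the hunk.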
From 3b4a2c29154893c90f50180ab14be98b663716ed Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 16:09:01 +0000
Subject: [PATCH 09/30] Removed unnecessary allow rule
---
.../queries/common/passwords_and_secrets/regex_rules.json | 6 ------
1 file changed, 6 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index a9411de719a..288de1bc6ba 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -268,12 +268,6 @@
"id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
"name": "Generic Access Key",
"regex": "(?i)^\\s*['\"]?access[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
- "allowRules": [
- {
- "description": "Avoiding Proto File fields",
- "regex": "(?i)access[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
- }
- ],
"specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*"
},
{
From 50fd363f7a25d5a3f44a7022eefb93bdf65e0734 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 26 Mar 2026 17:40:33 +0000
Subject: [PATCH 10/30] Improved negative28 tests used for TF resource access
allow rule in 'Generic Token', improved 2 TF resource access rules, added
missing positive test for 'Encryption Key' query, added samples (similar to
neg28) in negative61 for TF resource access allow rule in 'Encryption Key'
query (was also missing a test)
---
.../passwords_and_secrets/regex_rules.json | 6 +-
.../passwords_and_secrets/test/negative28.tf | 114 ++++++++++++++-
.../passwords_and_secrets/test/negative61.tf | 134 ++++++++++++++++++
.../test/positive57.yaml | 8 ++
.../test/positive_expected_result.json | 18 +++
5 files changed, 274 insertions(+), 6 deletions(-)
create mode 100644 assets/queries/common/passwords_and_secrets/test/negative61.tf
create mode 100644 assets/queries/common/passwords_and_secrets/test/positive57.yaml
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 288de1bc6ba..a5e83c5b3f2 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -321,7 +321,7 @@
},
{
"description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)"
},
{
"description": "Avoiding TF creation token",
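Review bot: The trailing `|null` alternative in the rewritten allow rule has no boundary, so any token value that merely begins with those four letters (case-insensitively, given `(?i)`) is suppressed — `token = nullsecretvalue42` or `"token": "nullA1b2..."` would pass as if they were a Terraform null. The dotted-reference branch is bounded by the terminator set `[\\[\\.\\)\\]\\}\\$]`, so only this branch is open-ended. Go's RE2 supports word boundaries, so `|null\\b)` closes the gap without affecting `token = null`, `token: null,` or `"token": null}`. The same construction is copied into the Encryption Key allow rule in the next hunk and deserves the same fix there.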
@@ -372,11 +372,11 @@
{
"id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6",
"name": "Encryption Key",
- "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+ "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+-]+['\"]?",
"allowRules": [
{
"description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+ "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)"
},
{
"description": "Avoiding CLoudformation KeyName",
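Review bot: The rewritten Encryption Key detector drops the literal `[` from its value class (the old class began `[[A-Za-z...`, the new one `[A-Za-z...`), while the Generic Token, Generic Private Key and Generic Access Key classes in this file keep it. The visible consequence is in the new negative61.tf: `encryption_key = [for k in aws_kms_key.client_encryption_key : k.arn]` now passes because the detector never fires, not because the new "Avoiding TF resource access" rule accepts it — that rule requires the value to start with `[a-zA-Z_]`, so it would reject a leading bracket. If the bracket is restored later to realign the classes, that sample becomes a finding; either add a `\\[for\\b` alternative to the allow rule now, or note in the rule description that list comprehensions are excluded by the detector class rather than by an allow rule. The CloudFormation KeyName allow rule continues below the hunk.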
diff --git a/assets/queries/common/passwords_and_secrets/test/negative28.tf b/assets/queries/common/passwords_and_secrets/test/negative28.tf
index 7239fcb2612..7843cd6f5e9 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative28.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative28.tf
@@ -1,4 +1,112 @@
-provider rancher2 {
- api_url = data.terraform_remote_state.rancher.outputs.api_url
- token_key = data.terraform_remote_state.rancher.outputs.token_key
+# Sample to test 'Generic Token' - allow TF resource access rule
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
}
+
+provider "aws" {
+ region = "us-east-1"
+}
+
+variable "auth_token" {
+ description = "Authentication token"
+ type = string
+ sensitive = true
+}
+
+variable "environment" {
+ description = "Deployment environment"
+ type = string
+ default = "production"
+}
+
+variable "enabled" {
+ description = "Whether to enable resources"
+ type = bool
+ default = true
+}
+
+variable "clients" {
+ description = "Client configurations"
+ type = object({
+ oauth = map(object({
+ enabled = bool
+ }))
+ })
+}
+
+resource "aws_secretsmanager_secret_version" "token_version" {
+ for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
+
+ secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id
+ secret_string = jsonencode({ "client" : each.key, "token" : random_password.client_token[each.key].result })
+}
+
+resource "aws_secretsmanager_secret_version" "token_version_2" {
+ for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
+
+ secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id
+ secret_string = jsonencode({ "client" : each.key, "token" : random_password[each.key].client_token.result })
+}
+
+resource "aws_secretsmanager_secret_version" "token_version_3" {
+ for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
+
+ secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id
+ secret_string = jsonencode({ "client" : each.key, "token" : random_password["index"].client_token.result })
+}
+
+resource "aws_lb_listener" "https" {
+ count = var.enabled ? 1 : 0
+ load_balancer_arn = aws_lb.main[0].arn
+ port = 443
+ protocol = "HTTPS"
+
+ default_action {
+ type = "forward"
+ target_group_arn = [for t in aws_lb_target_group.app : t.token_key]
+ }
+}
+
+resource "aws_lb_listener" "https_null" {
+ count = var.enabled ? 1 : 0
+ load_balancer_arn = aws_lb.main[0].arn
+ port = 443
+ protocol = "HTTPS"
+
+ default_action {
+ type = "fixed-response"
+ token_key = null
+ }
+}
+module "auth_service" {
+ source = "./modules/auth"
+
+ token = var.auth_token
+}
+module "api_gateway" {
+ source = "./modules/gateway"
+
+ token = module.auth_service.token_output.value
+}
+module "legacy_service" {
+ source = "./modules/legacy"
+
+ token = data.aws_secretsmanager_secret_version.existing_token.secret_string
+}
+
+locals {
+ token_config = {
+ value = aws_secretsmanager_secret.client_token_secret["primary"].arn
+ }
+}
+
+module "monitoring" {
+ source = "./modules/monitoring"
+
+ token = local.token_config.value
+}
\ No newline at end of file
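Review bot: The aws_lb_listener "https" block is meant to cover the list-comprehension case for the Generic Token allow rule, but `target_group_arn = [for t in aws_lb_target_group.app : t.token_key]` never reaches that rule: the key left of `=` is `target_group_arn`, and `t.token_key` is followed by `]` rather than `:` or `=`, so the Generic Token detector cannot match the line and the allow rule is never consulted. The parallel sample in negative61.tf puts the key on the left (`encryption_key = [for ...]`). Rewriting it as `token_key = [for t in aws_lb_target_group.app : t.arn]` would actually exercise the path, but note that the Generic Token value class admits a literal `[` and the new allow rule requires the value to begin with `[a-zA-Z_]`, so that line would be reported unless the allow rule gains a `\\[for\\b` alternative — which is presumably the gap this sample was meant to expose.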
diff --git a/assets/queries/common/passwords_and_secrets/test/negative61.tf b/assets/queries/common/passwords_and_secrets/test/negative61.tf
new file mode 100644
index 00000000000..9b986baab96
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative61.tf
@@ -0,0 +1,134 @@
+# Sample for 'Encryption Key' - avoiding TF resource access rule
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = "us-east-1"
+}
+
+variable "encryption_key" {
+ description = "Encryption key from external config"
+ type = string
+ sensitive = true
+}
+
+variable "environment" {
+ description = "Deployment environment"
+ type = string
+ default = "production"
+}
+
+variable "enabled" {
+ description = "Whether to enable resources"
+ type = bool
+ default = true
+}
+
+variable "clients" {
+ description = "Client configurations"
+ type = object({
+ storage = map(object({
+ enabled = bool
+ }))
+ })
+}
+
+resource "aws_kms_key" "client_encryption_key" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+
+ description = "KMS key for ${each.key}"
+ deletion_window_in_days = 30
+ enable_key_rotation = true
+}
+
+resource "aws_kms_alias" "client_encryption_alias" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+
+ name = "alias/${each.key}-encryption"
+ target_key_id = aws_kms_key.client_encryption_key[each.key].key_id
+}
+
+module "storage" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+ source = "./modules/storage"
+
+ encryption_key = aws_kms_key.client_encryption_key[each.key].arn
+}
+
+module "storage_2" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+ source = "./modules/storage"
+
+ encryption_key = aws_kms_key[each.key].client_encryption_key.arn
+}
+
+module "storage_3" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+ source = "./modules/storage"
+
+ encryption_key = aws_kms_key["index"].client_encryption_key.arn
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "bucket_enc" {
+ count = var.enabled ? 1 : 0
+ bucket = aws_s3_bucket.main[0].id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ encryption_key = [for k in aws_kms_key.client_encryption_key : k.arn]
+ }
+ }
+}
+
+module "optional_encryption" {
+ source = "./modules/storage"
+
+ encryption_key = null
+}
+
+module "database" {
+ source = "./modules/database"
+
+ encryption_key = var.encryption_key
+}
+
+module "encryption" {
+ source = "./modules/encryption"
+
+ environment = var.environment
+}
+
+module "app" {
+ source = "./modules/app"
+
+ encryption_key = module.encryption.key_output.value
+}
+
+data "aws_kms_key" "existing" {
+ key_id = "alias/existing-encryption-key"
+}
+
+module "legacy" {
+ source = "./modules/legacy"
+
+ encryption_key = data.aws_kms_key.existing.arn
+}
+
+locals {
+ encryption_config = {
+ key_arn = aws_kms_key.client_encryption_key["primary"].arn
+ }
+}
+
+module "monitoring" {
+ source = "./modules/monitoring"
+
+ encryption_key = local.encryption_config.key_arn
+}
\ No newline at end of file
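Review bot: The `storage_2` and `storage_3` modules reference `aws_kms_key[each.key].client_encryption_key.arn` and `aws_kms_key["index"].client_encryption_key.arn`, which I believe Terraform rejects — a resource type must be followed by the resource name before any index — so these lines exist only to drive the first optional `[...]` group of the new allow regex, not to model real configuration. That is a legitimate fixture goal, but a reader comparing them with the `storage` module will take them for the same access pattern; a comment such as `# synthetic: exercises the index-before-attribute branch of the allow rule` on each would make the intent explicit. The same shapes appear in negative28.tf's `token_version_2`/`token_version_3` blocks.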
diff --git a/assets/queries/common/passwords_and_secrets/test/positive57.yaml b/assets/queries/common/passwords_and_secrets/test/positive57.yaml
new file mode 100644
index 00000000000..c0f56b93551
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/positive57.yaml
@@ -0,0 +1,8 @@
+# Samples for "Encryption Key" query
+- hosts: all
+ remote_user: root
+ vars:
+ encryption_key: aes256_my_super_secret_key_value
+ encryption_key: Ab3f8G2kL9mN4pQ7
+ encryptionkey: 0123456789abcdef
+
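Review bot: `encryption_key` appears twice as a key of the same `vars` mapping (the `aes256_...` and `Ab3f...` lines), which the YAML spec forbids; strict parsers reject the document or silently keep only the last value, so whether the inspector works on raw lines or a parsed tree the fixture is fragile. Renaming the second to `backup_encryption_key: Ab3f8G2kL9mN4pQ7` keeps the same detector hit (the Encryption Key regex is unanchored on the left) while making the file well-formed. Since the expected-results file lists all three lines as findings, a short header comment stating that each value is a deliberate positive would also help the next person auditing these fixtures.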
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index 8cfd8102b6a..e5117987c99 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -478,5 +478,23 @@
"severity": "HIGH",
"line": 6,
"fileName": "positive56.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Encryption Key",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive57.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Encryption Key",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive57.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Encryption Key",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive57.yaml"
}
]
\ No newline at end of file
From da78bfa261f40c90bc1f62523d74c8738cd85c20 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Fri, 27 Mar 2026 10:22:50 +0000
Subject: [PATCH 11/30] Minor test change
---
.../queries/common/passwords_and_secrets/test/negative60.proto | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/common/passwords_and_secrets/test/negative60.proto b/assets/queries/common/passwords_and_secrets/test/negative60.proto
index 469ed11ea50..63d53613600 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative60.proto
+++ b/assets/queries/common/passwords_and_secrets/test/negative60.proto
@@ -9,7 +9,7 @@ import "google/protobuf/wrappers.proto";
message SampleMessageNegative {
google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token
- google.protobuf.StringValue access_token= 1; // Generic Token
+ google.protobuf.StringValue access_token= 111111111; // Generic Token
google.protobuf.StringValue id_token = 3; // Generic Token
google.protobuf.StringValue bearer_toaken = 4;;; // Generic Token
google.protobuf.StringValue api_token = 7 ; // Generic Token
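Review bot: The context line `google.protobuf.StringValue bearer_toaken = 4;;; // Generic Token` is labelled as a Generic Token sample, but the field name is misspelled `toaken`, so the substring `token` that the detector regex needs is absent and the line can never reach the rule — it is a dead negative regardless of the triple semicolon it also tries to test. If the misspelling is deliberate (to show the rule does not fuzzy-match) the comment should say so; otherwise `bearer_token = 4;;;` restores the intended case. The new `access_token= 111111111;` line is fine, but a comment explaining why a low-entropy nine-digit value was chosen would help, since Generic Token has no entropy filter in this file and presumably relies on a proto-specific allow rule alone. The message continues past the hunk.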
From d0de24897b4c795a1cf887d926f2abaedc88f5c1 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Fri, 27 Mar 2026 10:32:16 +0000
Subject: [PATCH 12/30] Expected results fix
---
.../test/positive_expected_result.json | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index e5117987c99..88cc664b56b 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -465,19 +465,19 @@
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
"line": 4,
- "fileName": "positive56.json"
+ "fileName": "positive56.proto"
},
{
"queryName": "Passwords And Secrets - Generic Secret",
"severity": "HIGH",
"line": 5,
- "fileName": "positive56.json"
+ "fileName": "positive56.proto"
},
{
"queryName": "Passwords And Secrets - Generic Token",
"severity": "HIGH",
"line": 6,
- "fileName": "positive56.json"
+ "fileName": "positive56.proto"
},
{
"queryName": "Passwords And Secrets - Encryption Key",
@@ -488,13 +488,13 @@
{
"queryName": "Passwords And Secrets - Encryption Key",
"severity": "HIGH",
- "line": 7,
+ "line": 6,
"fileName": "positive57.yaml"
},
{
"queryName": "Passwords And Secrets - Encryption Key",
"severity": "HIGH",
- "line": 6,
+ "line": 7,
"fileName": "positive57.yaml"
}
]
\ No newline at end of file
From 24afdabc1b28b3c40341917a6ead544f04a9a835 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Fri, 27 Mar 2026 11:41:21 +0000
Subject: [PATCH 13/30] Changed uuid for 'CloudFormation Secret Template' (it
was duplicated)
---
assets/queries/common/passwords_and_secrets/regex_rules.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index a5e83c5b3f2..a0046c4df1e 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -364,7 +364,7 @@
},
{
- "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
+ "id": "0ec60fb3-5b78-4da0-bea0-b854fd9bf8b9",
"name": "CloudFormation Secret Template",
"regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+-]{10,})}",
"specialMask": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*"
From 5d246c4d7944867be4e48a1b2aa79161a34d4f03 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 30 Mar 2026 15:15:00 +0100
Subject: [PATCH 14/30] Cataloged every single test file, tested all queries
and all allow rules individually, added tests for cases missing them, minor
improvements to a lot of regex
---
.../passwords_and_secrets/regex_rules.json | 64 +++--
.../passwords_and_secrets/test/negative1.yaml | 2 +-
.../passwords_and_secrets/test/negative10.tf | 3 +-
.../passwords_and_secrets/test/negative11.tf | 3 +-
.../passwords_and_secrets/test/negative12.tf | 3 +-
.../passwords_and_secrets/test/negative13.tf | 1 +
.../passwords_and_secrets/test/negative14.tf | 1 +
.../passwords_and_secrets/test/negative15.tf | 1 +
.../passwords_and_secrets/test/negative16.tf | 3 +-
.../passwords_and_secrets/test/negative17.tf | 1 +
.../test/negative18.yaml | 3 +-
.../test/negative19.yaml | 5 +-
.../passwords_and_secrets/test/negative2.yaml | 4 +-
.../test/negative20.yaml | 1 +
.../passwords_and_secrets/test/negative21.tf | 1 +
.../passwords_and_secrets/test/negative22.tf | 1 +
.../test/negative23.yaml | 1 +
.../test/negative24.yaml | 1 +
.../test/negative25.yaml | 1 +
.../test/negative26.yaml | 1 +
.../passwords_and_secrets/test/negative27.tf | 1 +
.../passwords_and_secrets/test/negative28.tf | 47 +---
.../test/negative29.yaml | 7 +-
.../passwords_and_secrets/test/negative3.yaml | 2 +-
.../test/negative30.yaml | 3 +-
.../test/negative31.yaml | 3 +-
.../test/negative32.yaml | 3 +-
.../test/negative33.yaml | 42 +---
.../passwords_and_secrets/test/negative34.tf | 1 +
.../test/negative35.dockerfile | 1 +
.../passwords_and_secrets/test/negative36.tf | 3 +-
.../test/negative37.yaml | 3 +-
.../test/negative38.yaml | 7 +-
.../test/negative39.yaml | 3 +-
.../passwords_and_secrets/test/negative4.tf | 4 +-
.../test/negative40.yaml | 5 +-
.../test/negative41.yaml | 3 +-
.../passwords_and_secrets/test/negative42.tf | 3 +-
.../passwords_and_secrets/test/negative43.tf | 4 +-
.../passwords_and_secrets/test/negative44.yml | 3 +-
.../passwords_and_secrets/test/negative45.yml | 3 +-
.../test/negative46.yaml | 1 +
.../passwords_and_secrets/test/negative47.tf | 3 +-
.../passwords_and_secrets/test/negative48.tf | 23 +-
.../test/negative49.dockerfile | 1 +
.../test/negative5.dockerfile | 1 +
.../test/negative50.dockerfile | 1 +
.../passwords_and_secrets/test/negative51.yml | 38 +--
.../passwords_and_secrets/test/negative52.yml | 4 +-
.../test/negative53.json | 53 +---
.../test/negative54.json | 1 +
.../passwords_and_secrets/test/negative55.yml | 9 +-
.../passwords_and_secrets/test/negative56.tf | 9 +-
.../test/negative57.bicep | 3 +-
.../test/{negative57.json => negative58.json} | 1 +
.../{negative58.bicep => negative59.bicep} | 4 +-
.../passwords_and_secrets/test/negative6.json | 1 +
.../test/{negative59.tf => negative60.tf} | 14 +-
.../{negative60.proto => negative61.proto} | 102 ++++----
.../test/{negative61.tf => negative62.tf} | 48 +---
.../test/negative63.yaml | 21 ++
.../passwords_and_secrets/test/negative64.tf | 12 +
.../passwords_and_secrets/test/negative65.tf | 6 +
.../test/negative66.json | 21 ++
.../test/negative67.yaml | 12 +
.../test/negative68.yaml | 22 ++
.../passwords_and_secrets/test/negative69.tf | 23 ++
.../passwords_and_secrets/test/negative7.tf | 3 +-
.../test/negative70.yaml | 29 +++
.../test/negative71.yaml | 17 ++
.../passwords_and_secrets/test/negative72.tf | 28 +++
.../test/negative73.yaml | 24 ++
.../passwords_and_secrets/test/negative8.tf | 3 +-
.../passwords_and_secrets/test/negative9.tf | 1 +
.../passwords_and_secrets/test/positive1.yaml | 4 +-
.../test/positive10.json | 3 +
.../test/positive11.yaml | 9 +-
.../test/positive12.json | 4 +
.../passwords_and_secrets/test/positive13.tf | 1 +
.../passwords_and_secrets/test/positive14.tf | 3 +-
.../passwords_and_secrets/test/positive15.tf | 234 +-----------------
.../test/positive16.yaml | 5 +-
.../passwords_and_secrets/test/positive17.tf | 3 +-
.../passwords_and_secrets/test/positive18.tf | 3 +-
.../passwords_and_secrets/test/positive19.tf | 2 +
.../passwords_and_secrets/test/positive2.yaml | 4 +-
.../passwords_and_secrets/test/positive20.tf | 1 +
.../passwords_and_secrets/test/positive21.tf | 1 +
.../passwords_and_secrets/test/positive22.tf | 3 +-
.../passwords_and_secrets/test/positive23.tf | 2 +-
.../passwords_and_secrets/test/positive24.tf | 3 +-
.../test/positive25.dockerfile | 12 +
.../test/positive26.yaml | 3 +-
.../test/positive27.yaml | 5 +-
.../test/positive28.yaml | 3 +-
.../passwords_and_secrets/test/positive29.tf | 1 +
.../passwords_and_secrets/test/positive3.yaml | 4 +-
.../passwords_and_secrets/test/positive30.tf | 1 +
.../test/positive31.yaml | 4 +-
.../test/positive32.yaml | 4 +-
.../test/positive33.yaml | 6 +-
.../test/positive34.yaml | 5 +-
.../test/positive35.yaml | 4 +-
.../passwords_and_secrets/test/positive36.tf | 1 +
.../passwords_and_secrets/test/positive37.tf | 3 +-
.../test/positive38.yaml | 22 +-
.../passwords_and_secrets/test/positive39.tf | 1 +
.../passwords_and_secrets/test/positive4.tf | 4 +-
.../passwords_and_secrets/test/positive40.tf | 1 +
.../passwords_and_secrets/test/positive41.tf | 1 +
.../passwords_and_secrets/test/positive42.tf | 3 +-
.../test/positive43.yaml | 3 +-
.../test/positive44.yaml | 27 +-
.../passwords_and_secrets/test/positive45.tf | 4 +-
.../test/positive46.yaml | 5 +-
.../passwords_and_secrets/test/positive47.tf | 6 +-
.../passwords_and_secrets/test/positive48.tf | 6 +-
.../passwords_and_secrets/test/positive49.yml | 6 +-
.../passwords_and_secrets/test/positive5.tf | 3 +-
.../test/positive50.yaml | 218 +---------------
.../test/positive51.dockerfile | 1 +
.../test/positive52.dockerfile | 1 +
.../test/positive53.json | 1 +
.../passwords_and_secrets/test/positive54.tf | 6 +-
.../test/positive55.json | 1 +
.../test/positive56.proto | 19 +-
.../test/positive57.yaml | 8 -
.../test/positive6.dockerfile | 5 +-
.../passwords_and_secrets/test/positive7.tf | 3 +-
.../passwords_and_secrets/test/positive8.json | 1 +
.../passwords_and_secrets/test/positive9.tf | 3 +-
.../test/positive_expected_result.json | 188 +++++++-------
132 files changed, 717 insertions(+), 962 deletions(-)
rename assets/queries/common/passwords_and_secrets/test/{negative57.json => negative58.json} (89%)
rename assets/queries/common/passwords_and_secrets/test/{negative58.bicep => negative59.bicep} (73%)
rename assets/queries/common/passwords_and_secrets/test/{negative59.tf => negative60.tf} (78%)
rename assets/queries/common/passwords_and_secrets/test/{negative60.proto => negative61.proto} (54%)
rename assets/queries/common/passwords_and_secrets/test/{negative61.tf => negative62.tf} (71%)
create mode 100644 assets/queries/common/passwords_and_secrets/test/negative63.yaml
create mode 100644 assets/queries/common/passwords_and_secrets/test/negative64.tf
create mode 100644 assets/queries/common/passwords_and_secrets/test/negative65.tf
create mode 100644 assets/queries/common/passwords_and_secrets/test/negative66.json
create mode 100644 assets/queries/common/passwords_and_secrets/test/negative67.yaml
create mode 100644 assets/queries/common/passwords_and_secrets/test/negative68.yaml
create mode 100644 assets/queries/common/passwords_and_secrets/test/negative69.tf
create mode 100644 assets/queries/common/passwords_and_secrets/test/negative70.yaml
create mode 100644 assets/queries/common/passwords_and_secrets/test/negative71.yaml
create mode 100644 assets/queries/common/passwords_and_secrets/test/negative72.tf
create mode 100644 assets/queries/common/passwords_and_secrets/test/negative73.yaml
delete mode 100644 assets/queries/common/passwords_and_secrets/test/positive57.yaml
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index a0046c4df1e..e8b60a70c95 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -3,7 +3,7 @@
{
"id": "487f4be7-3fd9-4506-a07a-eae252180c08",
"name": "Generic Password",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+\\-,. ]{4,})['\"]?",
"allowRules": [
{
"description": "Avoiding TF resource access",
@@ -15,19 +15,15 @@
},
{
"description": "Avoiding Terraform 'optional' statement",
- "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)$"
+ "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)"
},
{
"description": "Avoiding Terraform 'try' statement",
- "regex": "(?i)['\"]?password['\"]?\\s*=\\s*try\\([^\"']+,[^\"']+\\)$"
- },
- {
- "description": "Avoiding CF AllowUsersToChangePassword",
- "regex": "['\"]?AllowUsersToChangePassword['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+ "regex": "(?i)['\"]?password['\"]?\\s*=\\s*try\\([^\"']+,[^\"']+\\)"
},
{
"description": "Avoiding Ansible playbook update_password",
- "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+ "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+\\-,.]{4,})['\"]?"
},
{
"description": "Allow placeholders",
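Review bot: Dropping the `AllowUsersToChangePassword` allow rule leaves that CloudFormation property to the global rules, and the visible ones cover only `true`/`false` and an intrinsic-function list that does not include `!Ref`; a template writing `AllowUsersToChangePassword: !Ref AllowPasswordChange` would therefore match the Generic Password detector (its class admits `!` and space) and be reported, unless a `!Ref` allow rule exists outside this view. Either keep the rule or add `!Ref` to the intrinsic-function alternation in the global allowRules. It would also help to record in the commit description that the `$` anchors were removed from the `optional(...)` and `try(...)` rules so trailing comments are tolerated — otherwise a later cleanup may re-anchor them.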
@@ -39,7 +35,7 @@
},
{
"description": "Allow password retrieved from ARM parameters",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"]([a-zA-Z][a-zA-Z0-9_-]*)['\"]['\"]?\\)"
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"]([a-zA-Z][a-zA-Z0-9_\\-]*)['\"]['\"]?\\)"
},
{
"description": "Avoiding Proto File fields",
@@ -51,10 +47,10 @@
{
"id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99",
"name": "Generic Secret",
- "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]{10,})['\"]?",
+ "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@#&%(){};=?*+\\-.<>,:;[\\]%$]{10,})['\"]?",
"entropies": [
{
- "group": 3,
+ "group": 2,
"min": 2.8,
"max": 8
}
@@ -62,7 +58,7 @@
"allowRules": [
{
"description": "Avoiding Square OAuth Secret",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?"
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?"
},
{
"description": "Avoiding TF resource access",
@@ -70,26 +66,26 @@
},
{
"description": "Avoiding Secrets Manager arn",
- "regex": ":secretsmanager:[a-z0-9-*?]+:[0-9*?]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ "regex": ":secretsmanager:[a-z0-9-*?]+:[0-9*?]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+\\-]+)['\"]?"
},
{
"description": "Avoiding CloudFormation Parameters Descriptions",
- "regex": "['\"]?Description['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*${}+-.'\"]+)['\"]?"
+ "regex": "(?i)['\"]?Description['\"]?\\s*[:=]\\s*['\"]?.*['\"]?"
},
{
- "description": "Avoiding Secrets from Azure Key Vault",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+-]+}?"
+ "description": "Avoiding Secrets from Variable Interpolation",
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+\\-]+}?"
},
{
"description": "Allow secret retrieved from ARM parameters",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_-]*['\"]\\s*\\)\\s*\\]"
+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_\\-]*['\"]\\s*\\)\\s*\\]"
},
{
"description": "Allow secrets retrieved from Bicep getSecret built in function",
- "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"
+ "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*[:=]\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+\\-<>,:;[\\]%$]+)[\"']\\)"
}
],
- "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*"
+ "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*"
},
{
"id": "51b5b840-cd0c-4556-98a7-fe5f4def80cf",
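Review bot: The rewritten Description allow rule, `(?i)['\"]?Description['\"]?\\s*[:=]\\s*['\"]?.*['\"]?`, remains unanchored and is now case-insensitive, so any line containing `description:` or `description=` anywhere is excluded from Generic Secret, and the greedy `.*` makes the trailing `['\"]?` redundant. Allow rules appear to be evaluated against the whole line (the Generic Access Key detector elsewhere in this file relies on `^\\s*`), so a compact one-line JSON object or inline map carrying both a description and a secret — `{ "Description": "db", "secret_key": "..." }` — is suppressed wholesale. Anchoring it as `(?i)^\\s*['\"]?Description['\"]?\\s*[:=]` keeps the YAML and CloudFormation cases it is meant for while leaving mixed lines inspectable. The Generic Secret rule this belongs to starts above the hunk.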
@@ -267,13 +263,13 @@
{
"id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
"name": "Generic Access Key",
- "regex": "(?i)^\\s*['\"]?access[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
+ "regex": "(?i)^\\s*['\"]?access[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+\\-]+)['\"]?",
"specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*"
},
{
"id": "2f665079-c383-4b33-896e-88268c1fa258",
"name": "Generic Private Key",
- "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+ "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+\\-]+)['\"]?",
"specialMask": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*",
"allowRules": [
{
@@ -293,7 +289,7 @@
{
"id": "baee238e-1921-4801-9c3f-79ae1d7b2cbc",
"name": "Generic Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+ "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+\\-]+)['\"]?",
"allowRules": [
{
"description": "Avoiding Amazon MWS Auth Token",
@@ -325,15 +321,15 @@
},
{
"description": "Avoiding TF creation token",
- "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+\\-]+)['\"]?"
},
{
"description": "Avoiding CLoudformation ServiceToken",
- "regex": "['\"]?ServiceToken['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
+ "regex": "['\"]?ServiceToken['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+\\-,.]+)['\"]?"
},
{
"description": "Avoiding LifecycleActionToken Var",
- "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+\\-]+)['\"]?"
},
{
"description": "Avoiding Github id-token Default Values",
@@ -341,11 +337,11 @@
},
{
"description": "Avoiding result_token Var",
- "regex": "(?i)['\"]?result(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ "regex": "(?i)['\"]?result(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+\\-]+)['\"]?"
},
{
"description": "Avoiding next_token Var",
- "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+\\-]+)['\"]?"
},
{
"description": "Avoiding references to module outputs in Bicep",
@@ -366,13 +362,13 @@
{
"id": "0ec60fb3-5b78-4da0-bea0-b854fd9bf8b9",
"name": "CloudFormation Secret Template",
- "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+-]{10,})}",
+ "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+\\-]{10,})}",
"specialMask": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*"
},
{
"id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6",
"name": "Encryption Key",
- "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+-]+['\"]?",
+ "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?[[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?",
"allowRules": [
{
"description": "Avoiding TF resource access",
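Review bot: Restoring the literal `[` to the Encryption Key value class (`[[A-Za-z0-9...`) realigns it with the Generic Token and Private Key rules, but it also turns `encryption_key = [for k in aws_kms_key.client_encryption_key : k.arn]` from the fixture renamed to negative62.tf into a detector hit, and the "Avoiding TF resource access" allow rule directly below requires the value to begin with `[a-zA-Z_]`, so it will not rescue a leading bracket. The renamed fixture's diff is not in view, so this may already be handled by a changed sample; if not, the allow rule needs a `\\[for\\b` alternative, or the sample should be dropped with a comment stating that list comprehensions are out of scope. The allowRules array continues below the hunk.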
@@ -380,7 +376,7 @@
},
{
"description": "Avoiding CLoudformation KeyName",
- "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
+ "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+\\-,.]+)['\"]?"
},
{
"description": "Avoiding Proto File fields",
@@ -406,7 +402,7 @@
{
"id": "f05f238a-2ef0-4c39-9a36-951de1ba6dc9",
"name": "Dockerfile ENV hardcoded password with omitted equals",
- "regex": "(?i)ENV\\s+[A-Za-z0-9/~^_!@&%()=?*+-.]*password[A-Za-z0-9/~^_!@&%()=?*+-.]*\\s+['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?"
+ "regex": "(?i)ENV\\s+[A-Za-z0-9/~^_!@&%()=?*+\\-,.]*password[A-Za-z0-9/~^_!@&%()=?*+\\-,.]*\\s+['\"]?([A-Za-z0-9/~^_!@&%()=?*+\\-,. ]{4,})['\"]?"
}
],
"allowRules": [
@@ -422,10 +418,6 @@
"description": "Avoiding cloudFormation intrinsic functions",
"regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|!Not|Fn::Transform(:)?)\\s+\\.*"
},
- {
- "description": "Avoiding CF resolve",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?({{resolve:)['\"]?"
- },
{
"description": "Avoiding Boolean's",
"regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(true|false)['\"]?"
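Review bot: Dropping the global "Avoiding CF resolve" allow rule (L5728-L5731) means `{{resolve:…}}` dynamic references are no longer suppressed for every rule, only for rules that carry their own allow rule; the negative38/negative40 fixtures later in this patch only exercise a Generic Secret "Avoiding Secrets Manager arn" rule. A `{{resolve:…}}` value under a password or token key is a reference, not a hardcoded credential, so if Generic Password or Generic Token have no equivalent rule-level allow rule this likely reintroduces false positives there. If the removal is intentional, a fixture covering those rules would document the expected behavior.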
@@ -436,7 +428,7 @@
},
{
"description": "Avoiding array access",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,}\\[([0-9]|['\"][a-zA-Z0-9]+['\"])\\])['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+\\-,.]{4,}\\[([0-9]|['\"][a-zA-Z0-9]+['\"])\\])['\"]?"
},
{
"description": "Avoiding TF file function",
diff --git a/assets/queries/common/passwords_and_secrets/test/negative1.yaml b/assets/queries/common/passwords_and_secrets/test/negative1.yaml
index a61780e50aa..9b356498020 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative1.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative1.yaml
@@ -1,4 +1,4 @@
-#k8s test
+# Generic Negative Test - no secrets (k8s)
apiVersion: v1
kind: Pod
metadata:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative10.tf b/assets/queries/common/passwords_and_secrets/test/negative10.tf
index 4e829394c64..8ebc14538d1 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative10.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative10.tf
@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test
resource "aws_db_instance" "default" {
name = var.dbname
engine = "mysql"
@@ -10,7 +11,7 @@ resource "aws_db_instance" "default" {
instance_class = "db.t3.micro"
allocated_storage = "20"
username = "admin"
- password = var.password
+ password = var.password # negative1
apply_immediately = true
multi_az = false
backup_retention_period = 0
diff --git a/assets/queries/common/passwords_and_secrets/test/negative11.tf b/assets/queries/common/passwords_and_secrets/test/negative11.tf
index 91111c3c83d..191c744108b 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative11.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative11.tf
@@ -1,9 +1,10 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test
resource "auth0_connection" "google_oauth2" {
name = "Google-OAuth2-Connection"
strategy = "google-oauth2"
options {
client_id = var.google_client_id
- client_secret = var.google_client_secret
+ client_secret = var.google_client_secret # negative1
allowed_audiences = [ "example.com", "api.example.com" ]
scopes = [ "email", "profile", "gmail", "youtube" ]
set_user_root_attributes = "on_each_login"
diff --git a/assets/queries/common/passwords_and_secrets/test/negative12.tf b/assets/queries/common/passwords_and_secrets/test/negative12.tf
index 234d9f04a5e..e7754d742a6 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative12.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative12.tf
@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test
provider "slack" {
- token = var.slack_token
+ token = var.slack_token # negative1
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative13.tf b/assets/queries/common/passwords_and_secrets/test/negative13.tf
index 087185f62e0..0e5d10d861d 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative13.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative13.tf
@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317 negative-test ('.' char is illegal in key definition, incorrect key length (17 is not in {32,45}))
provider "stripe" {
api_key = var.strip_api_key
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative14.tf b/assets/queries/common/passwords_and_secrets/test/negative14.tf
index 4f13644463a..4303622ddc9 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative14.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative14.tf
@@ -1,3 +1,4 @@
+# Generic Negative Test - several keywords used in safe contexts ("password","api_key","secret_key")
resource "aws_ecs_task_definition" "webapp" {
family = "tomato-webapp"
task_role_arn = data.aws_iam_role.ecs_task_role.arn
diff --git a/assets/queries/common/passwords_and_secrets/test/negative15.tf b/assets/queries/common/passwords_and_secrets/test/negative15.tf
index bc0d6ecbf12..569e43cdc68 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative15.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative15.tf
@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317 negative-test ('.' char is illegal in key definition, incorrect key length (18 is not in {32,45}))
provider "heroku" {
email = "ops@company.com"
api_key = var.heroku_api_key
diff --git a/assets/queries/common/passwords_and_secrets/test/negative16.tf b/assets/queries/common/passwords_and_secrets/test/negative16.tf
index dc59720fe42..e66d5e32d84 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative16.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative16.tf
@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test
provider "github" {
- token = var.github_key
+ token = var.github_key # negative1
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative17.tf b/assets/queries/common/passwords_and_secrets/test/negative17.tf
index 8d76b026cd0..468fb4dc74f 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative17.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative17.tf
@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317 negative-test ('.' char is illegal in key definition, incorrect key length (11 is not in {32,45}))
provider "cloudflare" {
version = "~> 2.0"
email = "var.cloudflare_email"
diff --git a/assets/queries/common/passwords_and_secrets/test/negative18.yaml b/assets/queries/common/passwords_and_secrets/test/negative18.yaml
index 6e0600259ea..72b93cd1a70 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative18.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative18.yaml
@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "!Ref is a cloudFormation reference" allow-rule-test - #2
Parameters:
PrivateKey1:
Type: String
@@ -9,4 +10,4 @@ Resources:
PinpointAPNSChannel:
Type: AWS::Pinpoint::APNSChannel
Properties:
- PrivateKey: !GetAtt PrivateKey1
+ PrivateKey: !GetAtt PrivateKey1 # negative1
diff --git a/assets/queries/common/passwords_and_secrets/test/negative19.yaml b/assets/queries/common/passwords_and_secrets/test/negative19.yaml
index bf0684e33bc..6ce2d03bc45 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative19.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative19.yaml
@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "!Ref is a cloudFormation reference" allow-rule-test
Parameters:
PinpointAPNSVoipChannelTokenKey:
Type: String
@@ -5,7 +6,7 @@ Resources:
ElastiCacheReplicationGroup:
Type: AWS::ElastiCache::ReplicationGroup
Properties:
- AuthToken: !Ref PinpointAPNSVoipChannelTokenKey
+ AuthToken: !Ref PinpointAPNSVoipChannelTokenKey # negative1
CacheNodeType: cache.m5.large
CacheSubnetGroupName: subnet-foobar
Engine: redis
@@ -22,5 +23,5 @@ Resources:
PinpointAPNSChannel:
Type: AWS::Pinpoint::APNSChannel
Properties:
- TokenKey: !Ref PinpointAPNSVoipChannelTokenKey
+ TokenKey: !Ref PinpointAPNSVoipChannelTokenKey # negative2
ApplicationId: !Ref PinpointApp
diff --git a/assets/queries/common/passwords_and_secrets/test/negative2.yaml b/assets/queries/common/passwords_and_secrets/test/negative2.yaml
index f7d63e9ec52..3ce5a39b7a4 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative2.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative2.yaml
@@ -1,9 +1,9 @@
-#cloud formation test
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "!Ref is a cloudFormation reference" allow-rule-test
Resources:
RDSCluster:
Type: "AWS::RDS::DBCluster"
Properties:
- MasterUserPassword: !Ref PasswordMaster
+ MasterUserPassword: !Ref PasswordMaster # negative1
DBClusterIdentifier: my-serverless-cluster
Engine: aurora
EngineVersion: 5.6.10a
diff --git a/assets/queries/common/passwords_and_secrets/test/negative20.yaml b/assets/queries/common/passwords_and_secrets/test/negative20.yaml
index 38a22a90353..f7a987b0fc4 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative20.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative20.yaml
@@ -1,3 +1,4 @@
+# Generic Negative Test - no secrets
- name: Start a workflow in the Itential Automation Platform
community.network.iap_start_workflow:
iap_port: 3000
diff --git a/assets/queries/common/passwords_and_secrets/test/negative21.tf b/assets/queries/common/passwords_and_secrets/test/negative21.tf
index ca6ffa5c299..4b588082f97 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative21.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative21.tf
@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317 negative-test ('.' char is illegal in key definition, incorrect key length (19 is not in {32,45}))
provider "mailgun" {
api_key = "var.mailgun_api_key"
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative22.tf b/assets/queries/common/passwords_and_secrets/test/negative22.tf
index 25083d09fd4..130843b7c90 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative22.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative22.tf
@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317 negative-test ('.' char is illegal in key definition, incorrect key length (28 is not in {32,45}))
provider "stripe" {
api_key = var.strip_restricted_api_key
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative23.yaml b/assets/queries/common/passwords_and_secrets/test/negative23.yaml
index e31348aa535..c1b557cff10 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative23.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative23.yaml
@@ -1,3 +1,4 @@
+# "Twilio API Key" - e0f01838-b1c2-4669-b84b-981949ebe5ed negative-test (is not a hardcoded key)
- hosts: all
remote_user: root
vars:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative24.yaml b/assets/queries/common/passwords_and_secrets/test/negative24.yaml
index d9ddd4e3a1c..c048ca3cf62 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative24.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative24.yaml
@@ -1,3 +1,4 @@
+# "PayPal Braintree Access Token" - 4919b847-e3da-402a-acf8-6cea8e529993 negative-test (is not a hardcoded token)
- hosts: all
remote_user: root
vars:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative25.yaml b/assets/queries/common/passwords_and_secrets/test/negative25.yaml
index 00fd2e53a80..052fd677f84 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative25.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative25.yaml
@@ -1,3 +1,4 @@
+# Generic Negative Test - no secrets
apiVersion: v1
kind: Pod
metadata:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative26.yaml b/assets/queries/common/passwords_and_secrets/test/negative26.yaml
index 3cec573147d..8c9ab401d81 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative26.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative26.yaml
@@ -1,3 +1,4 @@
+# "Google OAuth Access Token" - 41a1ca8d-f466-4084-a8c9-50f8b22200d5 negative-test (is not a hardcoded token)
apiVersion: v1
kind: Config
users:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative27.tf b/assets/queries/common/passwords_and_secrets/test/negative27.tf
index 5f9a7d3c42f..e7fae8eaaa5 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative27.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative27.tf
@@ -1,3 +1,4 @@
+# Generic Negative Test - no secrets
resource "aws_lambda_function" "analysis_lambda4" {
# lambda have plain text secrets in environment variables
filename = "resources/lambda_function_payload.zip"
diff --git a/assets/queries/common/passwords_and_secrets/test/negative28.tf b/assets/queries/common/passwords_and_secrets/test/negative28.tf
index 7843cd6f5e9..dd578f8459a 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative28.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative28.tf
@@ -1,4 +1,6 @@
-# Sample to test 'Generic Token' - allow TF resource access rule
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding TF resource access" allow-rule-test - #1
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test - #2
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding array access" allow-rule-test - #3
terraform {
required_providers {
aws = {
@@ -18,60 +20,33 @@ variable "auth_token" {
sensitive = true
}
-variable "environment" {
- description = "Deployment environment"
- type = string
- default = "production"
-}
-
variable "enabled" {
description = "Whether to enable resources"
type = bool
default = true
}
-variable "clients" {
- description = "Client configurations"
- type = object({
- oauth = map(object({
- enabled = bool
- }))
- })
-}
-
resource "aws_secretsmanager_secret_version" "token_version" {
for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id
- secret_string = jsonencode({ "client" : each.key, "token" : random_password.client_token[each.key].result })
+ secret_string = jsonencode({ "client" : each.key, "token" : random_password.client_token[each.key].result }) #1
}
resource "aws_secretsmanager_secret_version" "token_version_2" {
for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id
- secret_string = jsonencode({ "client" : each.key, "token" : random_password[each.key].client_token.result })
+ secret_string = jsonencode({ "client" : each.key, "token" : random_password[each.key].client_token.result }) #1
}
resource "aws_secretsmanager_secret_version" "token_version_3" {
for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
- secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id
+ secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id #3
secret_string = jsonencode({ "client" : each.key, "token" : random_password["index"].client_token.result })
}
-resource "aws_lb_listener" "https" {
- count = var.enabled ? 1 : 0
- load_balancer_arn = aws_lb.main[0].arn
- port = 443
- protocol = "HTTPS"
-
- default_action {
- type = "forward"
- target_group_arn = [for t in aws_lb_target_group.app : t.token_key]
- }
-}
-
resource "aws_lb_listener" "https_null" {
count = var.enabled ? 1 : 0
load_balancer_arn = aws_lb.main[0].arn
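Review bot: The `variable "clients"` block is deleted (L5998-L6005) but `var.clients.oauth` is still read by the three `for_each` expressions kept at L6008, L6014 and L6020, so the fixture now references an undeclared variable. If the sample is only ever regex-scanned this does not affect the test, but it stops being valid HCL, which matters if anyone runs `terraform validate` over the samples. Either keep the `clients` declaration or drop the `for_each` lines it feeds.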
@@ -80,23 +55,23 @@ resource "aws_lb_listener" "https_null" {
default_action {
type = "fixed-response"
- token_key = null
+ token_key = null #1
}
}
module "auth_service" {
source = "./modules/auth"
- token = var.auth_token
+ token = var.auth_token #2
}
module "api_gateway" {
source = "./modules/gateway"
- token = module.auth_service.token_output.value
+ token = module.auth_service.token_output.value #1
}
module "legacy_service" {
source = "./modules/legacy"
- token = data.aws_secretsmanager_secret_version.existing_token.secret_string
+ token = data.aws_secretsmanager_secret_version.existing_token.secret_string #1
}
locals {
@@ -108,5 +83,5 @@ locals {
module "monitoring" {
source = "./modules/monitoring"
- token = local.token_config.value
+ token = local.token_config.value #1
}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative29.yaml b/assets/queries/common/passwords_and_secrets/test/negative29.yaml
index c51ed1df46d..a5236003152 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative29.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative29.yaml
@@ -1,3 +1,4 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Github id-token Default Values" allow-rule-test
name: Example Workflow
on: workflow_call
@@ -7,7 +8,7 @@ jobs:
permissions:
contents: read
pages: write
- id-token: write
+ id-token: write # negative1
runs-on: ubuntu
@@ -25,7 +26,7 @@ jobs:
permissions:
contents: read
pages: write
- id-token: read
+ id-token: read # negative2
runs-on: ubuntu
@@ -43,7 +44,7 @@ jobs:
permissions:
contents: read
pages: write
- id-token: none
+ id-token: none # negative3
runs-on: ubuntu
diff --git a/assets/queries/common/passwords_and_secrets/test/negative3.yaml b/assets/queries/common/passwords_and_secrets/test/negative3.yaml
index c30d868b0bf..6ad0a843c18 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative3.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative3.yaml
@@ -1,4 +1,4 @@
-#ansible test
+# Generic Negative Test - no secrets (ansible)
- name: create a cluster
google.cloud.gcp_container_cluster:
name: my-cluster
diff --git a/assets/queries/common/passwords_and_secrets/test/negative30.yaml b/assets/queries/common/passwords_and_secrets/test/negative30.yaml
index ed211b11eeb..d039c7d1bee 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative30.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative30.yaml
@@ -1,9 +1,10 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding Boolean's" allow-rule-test
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
- automountServiceAccountToken: false
+ automountServiceAccountToken: false # negative1
securityContext:
runAsUser: 1000
runAsGroup: 3000
diff --git a/assets/queries/common/passwords_and_secrets/test/negative31.yaml b/assets/queries/common/passwords_and_secrets/test/negative31.yaml
index 9f4a78d1e74..11426285f38 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative31.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative31.yaml
@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding arn" allow-rule-test
- name: 'aws_codebuild integration tests'
collections:
- amazon.aws
@@ -22,7 +23,7 @@
packaging: NONE
type: CODEPIPELINE
name: test
- encryption_key: 'arn:aws:kms:{{ aws_region }}:{{ aws_account_id }}:alias/aws/s3'
+ encryption_key: 'arn:aws:kms:{{ aws_region }}:{{ aws_account_id }}:alias/aws/s3' # negative1
environment:
compute_type: BUILD_GENERAL1_SMALL
privileged_mode: true
diff --git a/assets/queries/common/passwords_and_secrets/test/negative32.yaml b/assets/queries/common/passwords_and_secrets/test/negative32.yaml
index 355c7ea91a8..12c4c5f871f 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative32.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative32.yaml
@@ -1,5 +1,6 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "!Ref is a cloudFormation reference" allow-rule-test - #2
Conditions:
HasKmsKey: !Not [!Equals [!Ref ParentKmsKeyStack, '']]
HasSecretName: !Not [!Equals [!Ref ParentKmsKeyStack, '']]
- HasPassword: !Not [!Equals [!Ref DBPassword, '']]
+ HasPassword: !Not [!Equals [!Ref DBPassword, '']] # negative1
Resources:
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative33.yaml b/assets/queries/common/passwords_and_secrets/test/negative33.yaml
index 3b62384bc30..3d55552fe66 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative33.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative33.yaml
@@ -1,46 +1,14 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding TF resource access" allow-rule-test - #1 (line 10)
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding Boolean's" allow-rule-test - #2 (line 11)
+# Done through "Avoiding TF resource access" and "Avoiding Boolean's" allow rules
Resources:
LambdaFunctionV2:
Type: 'AWS::Lambda::Function'
Properties:
- Code:
+ Code: #1 & #2:
ZipFile: |
- 'use strict';
- const AWS = require('aws-sdk');
- const response = require('cfn-response');
- const iam = new AWS.IAM({apiVersion: '2010-05-08'});
- exports.handler = (event, context, cb) => {
- console.log(`Invoke: ${JSON.stringify(event)}`);
- function done(err) {
- if (err) {
- console.log(`Error: ${JSON.stringify(err)}`);
- response.send(event, context, response.FAILED, {});
- } else {
- response.send(event, context, response.SUCCESS, {});
- }
- }
- if (event.RequestType === 'Delete') {
- iam.deleteAccountPasswordPolicy({}, done);
- } else if (event.RequestType === 'Create' || event.RequestType === 'Update') {
- const params = {
- MinimumPasswordLength: parseInt(event.ResourceProperties.MinimumPasswordLength, 10),
- RequireSymbols: event.ResourceProperties.RequireSymbols === 'true',
- RequireNumbers: event.ResourceProperties.RequireNumbers === 'true',
- RequireUppercaseCharacters: event.ResourceProperties.RequireUppercaseCharacters === 'true',
- RequireLowercaseCharacters: event.ResourceProperties.RequireLowercaseCharacters === 'true',
AllowUsersToChangePassword: event.ResourceProperties.AllowUsersToChangePassword === 'true',
- HardExpiry: event.ResourceProperties.HardExpiry === 'true'
- };
- if (parseInt(event.ResourceProperties.MaxPasswordAge, 10) > 0) {
- params.MaxPasswordAge = parseInt(event.ResourceProperties.MaxPasswordAge, 10);
- }
- if (parseInt(event.ResourceProperties.PasswordReusePrevention, 10) > 0) {
- params.PasswordReusePrevention = parseInt(event.ResourceProperties.PasswordReusePrevention, 10);
- }
- iam.updateAccountPasswordPolicy(params, done);
- } else {
- cb(new Error(`unsupported RequestType: ${event.RequestType}`));
- }
- };
+ AllowUsersToChangePassword: false,
Handler: 'index.handler'
MemorySize: 128
Role: !GetAtt 'LambdaRole.Arn'
diff --git a/assets/queries/common/passwords_and_secrets/test/negative34.tf b/assets/queries/common/passwords_and_secrets/test/negative34.tf
index 06348a85bde..deb5e088234 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative34.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative34.tf
@@ -1,3 +1,4 @@
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding TF resource access" allow-rule-test
locals {
secrets = {
my_secret = random_password.my_password.result
diff --git a/assets/queries/common/passwords_and_secrets/test/negative35.dockerfile b/assets/queries/common/passwords_and_secrets/test/negative35.dockerfile
index 1c127d1c060..2a30a0f817d 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative35.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/negative35.dockerfile
@@ -1,3 +1,4 @@
+# Generic Negative Test - arbitrary git "token" references (dockerfile)
FROM baseImage
RUN apk add --no-cache git \
diff --git a/assets/queries/common/passwords_and_secrets/test/negative36.tf b/assets/queries/common/passwords_and_secrets/test/negative36.tf
index 9711f6f6c29..e08a4255e49 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative36.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative36.tf
@@ -1,9 +1,10 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF file function" allow-rule-test
resource "aws_instance" "instance" {
ami = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
connection {
user = "ubuntu"
- private_key = file(var.private_key_path)
+ private_key = file(var.private_key_path) # negative1
}
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative37.yaml b/assets/queries/common/passwords_and_secrets/test/negative37.yaml
index 2ea6fa3094e..876687a757e 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative37.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative37.yaml
@@ -1,10 +1,11 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding array access" allow-rule-test (line 10)
Resources:
MytFunction:
Type: AWS::Lambda::Function
Properties:
FunctionName: !Sub '${AWS::StackName}-CdnViewerRequest'
Code:
- ZipFile: !Sub |
+ ZipFile: !Sub | # negative1:
function msg(userPass) {
return {"username": userPass[1], "password": userPass[2]}
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative38.yaml b/assets/queries/common/passwords_and_secrets/test/negative38.yaml
index fde8a4bb5f2..d4c334302bd 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative38.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative38.yaml
@@ -1,3 +1,4 @@
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding Secrets Manager arn" allow-rule-test
Type: AWS::Glue::Connection
Resources:
Properties:
@@ -9,18 +10,18 @@ Resources:
- ""
- - "mongodb://{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test
+ - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test # positive1
USERNAME:
Fn::Join:
- ""
- - "{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:username::}}
+ - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:username::}} # positive2
PASSWORD:
Fn::Join:
- ""
- - "{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:password::}}
+ - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:password::}} # positive3
JDBC_ENFORCE_SSL: true
ConnectionType: MONGODB
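Review bot: The marker comments added at L6275, L6282 and L6289 read `# positive1`..`# positive3`, but this file is a negative fixture whose new header (L6266) describes it as an allow-rule test, and every other negative fixture in this patch uses `# negative1`-style markers. The same mismatch appears in negative40.yaml at L6341 and L6348. Unless these lines are actually expected to be reported, rename them to `# negative1` etc. so the markers agree with the file's purpose; if they are expected to be reported, the file name and header are misleading.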
diff --git a/assets/queries/common/passwords_and_secrets/test/negative39.yaml b/assets/queries/common/passwords_and_secrets/test/negative39.yaml
index e3d55dff65a..e2a11754245 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative39.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative39.yaml
@@ -1,3 +1,4 @@
+# "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding CLoudformation KeyName" allow-rule-test
AWSTemplateFormatVersion: "2010-09-09"
Resources:
somecode:
@@ -8,7 +9,7 @@ Resources:
TimeoutInMinutes: 10
QueuedTimeoutInMinutes: 10
ServiceRole: someservicerole
- EncryptionKey: somekey
+ EncryptionKey: somekey # negative1
Artifacts:
Type: someartifact
Cache:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative4.tf b/assets/queries/common/passwords_and_secrets/test/negative4.tf
index 93cd948d850..cac5afdb401 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative4.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative4.tf
@@ -1,4 +1,4 @@
-#this code is a correct code for which the query should not find any result
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test
resource "google_container_cluster" "primary" {
name = "marcellus-wallace"
location = "us-central1-a"
@@ -17,7 +17,7 @@ resource "google_container_cluster" "primary" {
}
resource "google_secret_manager_secret_version" "secret-version-basic" {
- secret = var.my_google_secret
+ secret = var.my_google_secret # negative1
secret_data = "secret-data"
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative40.yaml b/assets/queries/common/passwords_and_secrets/test/negative40.yaml
index 2ac3c5a5e9a..a004d424b8f 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative40.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative40.yaml
@@ -1,3 +1,4 @@
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding Secrets Manager arn" allow-rule-test
Type: AWS::Glue::Connection
Resources:
Properties:
@@ -9,13 +10,13 @@ Resources:
- ""
- - "mongodb://{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:*:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test
+ - :secretsmanager:*:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test # positive1
USERNAME:
Fn::Join:
- ""
- - "{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:eu-west-1:*:secret:/test/resources/docdb-test:SecretString:username::}}
+ - :secretsmanager:eu-west-1:*:secret:/test/resources/docdb-test:SecretString:username::}} # positive2
PASSWORD:
Fn::Join:
- ""
diff --git a/assets/queries/common/passwords_and_secrets/test/negative41.yaml b/assets/queries/common/passwords_and_secrets/test/negative41.yaml
index a4a81ed903b..c8206ad0e25 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative41.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative41.yaml
@@ -1,3 +1,4 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding CLoudformation ServiceToken" allow-rule-test
---
AWSTemplateFormatVersion: "2010-09-09"
Description: >
@@ -76,7 +77,7 @@ Resources:
GetSubnets:
Type: AWS::CloudFormation::CustomResource
Properties:
- ServiceToken: anArn
+ ServiceToken: anArn # negative1
LoadBalancer3:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative42.tf b/assets/queries/common/passwords_and_secrets/test/negative42.tf
index d0cea665b08..2a0f2a82707 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative42.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative42.tf
@@ -1,10 +1,11 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF file function" allow-rule-test
data "terraform_remote_state" "intnet" {
backend = "azurerm"
config = {
storage_account_name = "asdsadas"
container_name = "dp-prasdasdase-001"
key = "infrastructure.tfstate"
- access_key = file(var.access_key_path)
+ access_key = file(var.access_key_path) # negative1
}
workspace = terraform.workspace
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative43.tf b/assets/queries/common/passwords_and_secrets/test/negative43.tf
index 0188abcc114..879e2ea31c4 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative43.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative43.tf
@@ -1,4 +1,4 @@
-#this is a problematic code where the query should report a result(s)
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding TF resource access" allow-rule-test
resource "google_container_cluster" "primary1" {
name = "marcellus-wallace"
location = "us-central1-a"
@@ -6,7 +6,7 @@ resource "google_container_cluster" "primary1" {
master_auth {
username = ""
- password = local.rds_postgres_is_primary ? var.rds_postgres_password : null
+ password = local.rds_postgres_is_primary ? var.rds_postgres_password : null # negative1
client_certificate_config {
issue_client_certificate = true
diff --git a/assets/queries/common/passwords_and_secrets/test/negative44.yml b/assets/queries/common/passwords_and_secrets/test/negative44.yml
index e441afac9df..6296c2f65d4 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative44.yml
+++ b/assets/queries/common/passwords_and_secrets/test/negative44.yml
@@ -1,3 +1,4 @@
+# "Generic Private Key" - 2f665079-c383-4b33-896e-88268c1fa258 - "Avoiding bash variables" allow-rule-test
on: workflow_call
stages:
@@ -9,7 +10,7 @@ variables:
jobs:
job_build:
stage: build
- script:
+ script: # negative1:
- if [[ -z "${GIT_PRIVATE_KEY:-}" ]]; then
echo "Missing GIT_PRIVATE_KEY variable!"
exit 1
diff --git a/assets/queries/common/passwords_and_secrets/test/negative45.yml b/assets/queries/common/passwords_and_secrets/test/negative45.yml
index 7bd9c906de5..aa2305611fc 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative45.yml
+++ b/assets/queries/common/passwords_and_secrets/test/negative45.yml
@@ -1,3 +1,4 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Ansible playbook update_password" allow-rule-test
- name: "Configure the MySQL user "
community.mysql.mysql_user:
login_user: "root"
@@ -5,4 +6,4 @@
name: "{{ mysql_user }}"
password: "{{ mysql_user_password }}"
password_expire: "never"
- update_password: "on_create"
+ update_password: "on_create" # negative1
diff --git a/assets/queries/common/passwords_and_secrets/test/negative46.yaml b/assets/queries/common/passwords_and_secrets/test/negative46.yaml
index 23dcecea39d..771dd11a5d8 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative46.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative46.yaml
@@ -1,3 +1,4 @@
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding Secrets from Variable Interpolation" allow-rule-test - (lines 51/73)
name: Deploy
on:
workflow_call:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative47.tf b/assets/queries/common/passwords_and_secrets/test/negative47.tf
index 8647a01ff60..6809ca7a8be 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative47.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative47.tf
@@ -1,3 +1,4 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding TF resource access" allow-rule-test
provider "azurerm" {
features {}
}
@@ -19,7 +20,7 @@ resource "azurerm_linux_virtual_machine" "example_vm" {
location = "your-location"
size = "Standard_DS1_v2"
admin_username = "adminuser"
- admin_password = data.azurerm_key_vault_secret.LinuxVmPassword.value
+ admin_password = data.azurerm_key_vault_secret.LinuxVmPassword.value # negative1
network_interface_ids = [
# Your network interface ID
diff --git a/assets/queries/common/passwords_and_secrets/test/negative48.tf b/assets/queries/common/passwords_and_secrets/test/negative48.tf
index 85e9a2c0f38..b132cda2df9 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative48.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative48.tf
@@ -1,17 +1,18 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding TF resource access" allow-rule-test
data "template_file" "sci_integration_app_properties_secret_template" {
template = file(join("", ["/secrets/sci-integration-app", var.resource_identifier_shorthand], ".json"))
- vars = {
- ayreshirerarran_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["ayreshirerarran_password"]
- lanark_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["lanark_password"]
- tayside_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["tayside_password"]
- glasgow_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["glasgow_password"]
- grampian_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["grampian_password"]
- highland_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["highland_password"]
- westernisles_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["westernisles_password"]
+ vars = { # negative1-11
+ ayreshirerarran_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["ayreshirerarran_password"]
+ lanark_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["lanark_password"]
+ tayside_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["tayside_password"]
+ glasgow_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["glasgow_password"]
+ grampian_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["grampian_password"]
+ highland_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["highland_password"]
+ westernisles_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["westernisles_password"]
dumfriesandgalloway_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["dumfriesandgalloway_password"]
- forthvalley_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["forthvalley_password"]
- borders_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["borders_password"]
- lothian_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["lothian_password"]
+ forthvalley_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["forthvalley_password"]
+ borders_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["borders_password"]
+ lothian_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["lothian_password"]
}
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative49.dockerfile b/assets/queries/common/passwords_and_secrets/test/negative49.dockerfile
index c7dacace4bb..90ca5fb8054 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative49.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/negative49.dockerfile
@@ -1,3 +1,4 @@
+# Generic Negative Test - arbitrary git "token" references, ARTEMIS_PASSWORD missing (dockerfile)
FROM baseImage
ENV ARTEMIS_USER artemis
diff --git a/assets/queries/common/passwords_and_secrets/test/negative5.dockerfile b/assets/queries/common/passwords_and_secrets/test/negative5.dockerfile
index 5c147649f3d..ad7b491f481 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative5.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/negative5.dockerfile
@@ -1,3 +1,4 @@
+# Generic Negative Test - no secrets (dockerfile)
FROM baseImage
RUN command
diff --git a/assets/queries/common/passwords_and_secrets/test/negative50.dockerfile b/assets/queries/common/passwords_and_secrets/test/negative50.dockerfile
index 0ccae6885d9..a31ae5e8777 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative50.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/negative50.dockerfile
@@ -1,3 +1,4 @@
+# Generic Negative Test - arbitrary git "token" references, ARTEMIS_PASSWORD missing (dockerfile)
FROM baseImage
ENV ARTEMIS_USER=artemis
diff --git a/assets/queries/common/passwords_and_secrets/test/negative51.yml b/assets/queries/common/passwords_and_secrets/test/negative51.yml
index d0fe10329d2..77bc61d54a7 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative51.yml
+++ b/assets/queries/common/passwords_and_secrets/test/negative51.yml
@@ -1,43 +1,27 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Allow placeholders" allow-rule-test - #1
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Allow empty values" allow-rule-test - #2
stages:
- template: templates/main-stage.yml
parameters:
environment: 'foo'
isSm9ChangeRequired: true
-
+
isDedicatedSubscription: 'true'
setResourceLock: 'true'
nameResourceLock: 'PrdPreventAccidentalDeletion'
isDevelopment: 'false'
- # example 1 (placeholders)
- vmAdminPassword: '$(VM_ADMIN_PASSWORD)' # SET IN PIPELINE
- sqlAdminPassword: '$(SQL_ADMIN_PASSWORD)' # SET IN PIPELINE
- yetanotherAdminPassword: '${{SQL_ADMIN_PASSWORD}}' # SET IN PIPELINE
- andyetanotherAdminPassword: '${{ SQL_ADMIN_PASSWORD }}' # SET IN PIPELINE
+
+ vmAdminPassword: '$(VM_ADMIN_PASSWORD)' #1
+ sqlAdminPassword: '$(SQL_ADMIN_PASSWORD)' #1
+ yetanotherAdminPassword: '${{SQL_ADMIN_PASSWORD}}' #1
+ andyetanotherAdminPassword: '${{ SQL_ADMIN_PASSWORD }}' #1
# example 2 (empty string value)
- anotherAdminPassword: '' # SET IN PIPELINE
+ anotherAdminPassword: '' #2
- serviceConnectionName: 'foo'
+ serviceConnectionName: 'foo'
subscriptionId: 'foo'
- organisationalGroup: 'foo' # Replace this with your own Organisational Group name.
- devOrganisationalGroup: 'foo' # should be empty for none DEV env
- sm9ApplicationCi: 'foo' # Replace this with your own SM9 Application CI name.
- resourceGroupBaseName: 'foo' # This is used to construct a Resource Group name. Replace this with your desired resource group name.
- resourceGroupNameSuffix: 'foo' # This is suffixed to the Resource Group name in a Shared subscription (must be an integer). Can be left as-is.
- location: 'foo' # Replace this with your desired Azure region.
- linuxAgentPoolName: 'foo' # Agent pool name of Linux agents. Can be left as-is.
- windowsAgentPoolName: 'foo' # Agent pool name of Windows agents. Can be left as-is.
- System.Debug: 'foo' # Set to 'foo' to enable debug logging. Can be left as-is.
-
- skipAdditionalResources: 'foo' # if true skip creating additional resources
- skipSQL: 'foo'
+ organisationalGroup: 'foo'
- #####################################################################################
- # ADF #
- #####################################################################################
- adfName: 'foo'
- adfDeveloperGroup: 'foo' # Group has access to ADF
- irName: 'foo'
- irDescription: 'foo'
diff --git a/assets/queries/common/passwords_and_secrets/test/negative52.yml b/assets/queries/common/passwords_and_secrets/test/negative52.yml
index 2bff2375d79..a74962814d7 100755
--- a/assets/queries/common/passwords_and_secrets/test/negative52.yml
+++ b/assets/queries/common/passwords_and_secrets/test/negative52.yml
@@ -1,3 +1,4 @@
+# "Generic Private Key" - 2f665079-c383-4b33-896e-88268c1fa258 - "Avoid Docker Compose secrets paths" allow-rule-test
version: '3.7'
services:
@@ -8,8 +9,7 @@ services:
environment:
env: "dev"
- # this value is a Docker Compose secrets path, its contents are not exposed
- PrivateKey: /run/secrets/SOME_AUTHORIZATION_PRIVATE_KEY
+ PrivateKey: /run/secrets/SOME_AUTHORIZATION_PRIVATE_KEY # negative1
secrets:
SOME_AUTHORIZATION_PRIVATE_KEY:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative53.json b/assets/queries/common/passwords_and_secrets/test/negative53.json
index 67f4c99199f..424b5a1de8e 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative53.json
+++ b/assets/queries/common/passwords_and_secrets/test/negative53.json
@@ -1,54 +1,7 @@
{
+ "metadata" : "# 'Generic Password' - 487f4be7-3fd9-4506-a07a-eae252180c08 - 'Allow password retrieved from ARM parameters' allow rule test",
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
- "parameters": {
- "siteName": {
- "type": "string"
- },
- "administratorLogin": {
- "type": "string"
- },
- "administratorLoginPassword": {
- "type": "securestring"
- },
- "secretSuffix": {
- "type": "string",
- "defaultValue": "word"
- },
- "location": {
- "type": "string",
- "defaultValue": "[resourceGroup().location]"
- }
- },
- "variables": {
- "databaseName": "[concat(parameters('siteName'), 'db')]",
- "serverName": "[concat(parameters('siteName'), 'srv')]",
- "hostingPlanName": "[concat(parameters('siteName'), 'plan')]",
- "passKey": "[concat('Pass', parameters('secretSuffix'))]"
- },
- "resources": [
- {
- "apiVersion": "2020-06-01",
- "type": "Microsoft.Web/serverfarms",
- "name": "[variables('hostingPlanName')]",
- "location": "[parameters('location')]",
- "sku": {
- "Tier": "Standard",
- "Name": "S1"
- },
- "properties": {}
- },
- {
- "apiVersion": "2020-06-01",
- "type": "Microsoft.Web/sites",
- "name": "[parameters('siteName')]",
- "location": "[parameters('location')]",
- "dependsOn": [
- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]"
- ],
- "properties": {
- "serverFarmId": "[variables('hostingPlanName')]"
- },
"resources": [
{
"apiVersion": "2020-06-01",
@@ -62,6 +15,4 @@
}
}
]
- }
- ]
-}
\ No newline at end of file
+ }
\ No newline at end of file
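Review bot: The new `metadata` line says this fixture covers "Allow password retrieved from ARM parameters", yet the same hunk removes the entire `parameters` block, including `administratorLoginPassword` of type `securestring`. If the surviving resource (outside the hunk) still uses `[parameters('administratorLoginPassword')]`, the template now references an undeclared parameter; if it does not, nothing in the file retrieves a password from parameters any more, and the case no longer matches its label. Keeping at least that one parameter declaration would tie the fixture to the rule it names. The `metadata` value here also starts with `# ` while negative54.json's does not; one form should be used.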
diff --git a/assets/queries/common/passwords_and_secrets/test/negative54.json b/assets/queries/common/passwords_and_secrets/test/negative54.json
index fc05799de54..c20dfc90e20 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative54.json
+++ b/assets/queries/common/passwords_and_secrets/test/negative54.json
@@ -1,4 +1,5 @@
{
+ "metadata": "'Generic Secret' - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - 'Allow secret retrieved from ARM parameters' allow-rule-test",
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
diff --git a/assets/queries/common/passwords_and_secrets/test/negative55.yml b/assets/queries/common/passwords_and_secrets/test/negative55.yml
index cfa94d9def7..3e81e0d9609 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative55.yml
+++ b/assets/queries/common/passwords_and_secrets/test/negative55.yml
@@ -1,3 +1,4 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Github id-token Default Values" allow-rule-test
jobs:
release:
if: github.event.pull_request.merged == true || github.event_name == 'push' || github.event_name == 'workflow_dispatch'
@@ -9,10 +10,10 @@ jobs:
actions: write # for createWorkflowDispatch
issues: write # for comments on issues
pull-requests: write # for comments on pull requests
- #id-token: write # for oidc npm provenance
- #"id-token": read
- #'id-token': none
- #permissions: {id-token: write, contents: read, pull-requests: write}
+ #id-token: write # for oidc npm provenance # negative1
+ #"id-token": read # negative2
+ #'id-token': none # negative3
+ #permissions: {id-token: write, contents: read, pull-requests: write} # negative4
steps:
- name: debug
shell: bash
diff --git a/assets/queries/common/passwords_and_secrets/test/negative56.tf b/assets/queries/common/passwords_and_secrets/test/negative56.tf
index 36459daba4b..fc2b3199da6 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative56.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative56.tf
@@ -1,15 +1,18 @@
-
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding description field" allow-rule-test - #1
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Terraform 'optional' statement" allow-rule-test - #2
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Terraform 'try' statement" allow-rule-test - #3
variable "linux_vms" {
+ # 1:
description = "A list of the Linux VMs to create. \n [region:](#region:) The Azure location where the Windows Virtual Machine should exist. Changing this forces a new resource to be created. \n [size:](#size:) The SKU which should be used for this Virtual Machine, such as Standard_F2. \n [admin_username:](#admin_username:) The username of the local administrator used for the Virtual Machine. Changing this forces a new resource to be created. \n [admin_password:](#admin_password:) he Password which should be used for the local-administrator on this Virtual Machine. Changing this forces a new resource to be created."
type = map(object({
region = string
size = optional(string)
admin_username = optional(string)
- admin_password = optional(string)
+ admin_password = optional(string) #2
}))
default = {}
}
resource "azurerm_linux_virtual_machine" "vms" {
- admin_password = try(each.value.admin_password, null)
+ admin_password = try(each.value.admin_password, null) #3
}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative57.bicep b/assets/queries/common/passwords_and_secrets/test/negative57.bicep
index 7857f63eda0..391f80920ec 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative57.bicep
+++ b/assets/queries/common/passwords_and_secrets/test/negative57.bicep
@@ -1,3 +1,4 @@
+// "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - 'Allow secrets retrieved from Bicep getSecret built in function' allow-rule-test
import { common, tagsObject, deployName, removeSpace } from '../../../CommonValues.bicep'
@description('Nome do sistema')
@@ -20,6 +21,6 @@ module consumerModule '../SecretConsumer/Resource.bicep' = {
systemName: systemName
resourceName: resourceName
tags: tags
- apiClientSecret: kvTest.getSecret('secret-sample')
+ apiClientSecret: kvTest.getSecret('secret-sample') // positive1
}
}
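Review bot: The marker appended to the `apiClientSecret` line reads `// positive1`, but this file is a negative fixture (`negative57.bicep`) whose new header says it exercises the Bicep `getSecret` allow rule, so the line should carry the negative marker used throughout the rest of the change: `apiClientSecret: kvTest.getSecret('secret-sample') // negative1`. If the test harness derives expected findings from these markers, a `positive` tag inside a negative file could make the case fail, or pass for the wrong reason. The enclosing `module consumerModule` block starts outside the hunk.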
diff --git a/assets/queries/common/passwords_and_secrets/test/negative57.json b/assets/queries/common/passwords_and_secrets/test/negative58.json
similarity index 89%
rename from assets/queries/common/passwords_and_secrets/test/negative57.json
rename to assets/queries/common/passwords_and_secrets/test/negative58.json
index fc9b4a8bc07..cb39e3334c0 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative57.json
+++ b/assets/queries/common/passwords_and_secrets/test/negative58.json
@@ -1,4 +1,5 @@
{
+ "metadata": "'Generic Token' - baee238e-1921-4801-9c3f-79ae1d7b2cbc - 'Avoiding Run After Triggers (if written in conformity with best practices)' allow-rule-test",
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
diff --git a/assets/queries/common/passwords_and_secrets/test/negative58.bicep b/assets/queries/common/passwords_and_secrets/test/negative59.bicep
similarity index 73%
rename from assets/queries/common/passwords_and_secrets/test/negative58.bicep
rename to assets/queries/common/passwords_and_secrets/test/negative59.bicep
index 1c5b9541a6e..81980d26005 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative58.bicep
+++ b/assets/queries/common/passwords_and_secrets/test/negative59.bicep
@@ -1,3 +1,4 @@
+// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding references to module outputs in Bicep" allow-rule-test (also detected as TF resource access)
param systemName string
param resourceName string
param tags object
@@ -19,7 +20,8 @@ module clientModule '../ClientModule/Resource.bicep' = {
systemName: systemName
resourceName: resourceName
tags: tags
- validationToken: myModule.outputs.apiToken
+ // negative1:
+ validationToken: myModule.outputs.apiToken
}
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative6.json b/assets/queries/common/passwords_and_secrets/test/negative6.json
index ecd7db09e2e..fa275d2cf25 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative6.json
+++ b/assets/queries/common/passwords_and_secrets/test/negative6.json
@@ -1,4 +1,5 @@
{
+ "metadata": "Generic Negative Test - no secrets",
"openapi": "3.0.0",
"info": {
"title": "Simple API Overview",
diff --git a/assets/queries/common/passwords_and_secrets/test/negative59.tf b/assets/queries/common/passwords_and_secrets/test/negative60.tf
similarity index 78%
rename from assets/queries/common/passwords_and_secrets/test/negative59.tf
rename to assets/queries/common/passwords_and_secrets/test/negative60.tf
index b9419d704a2..d5052c3ba1e 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative59.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative60.tf
@@ -1,7 +1,13 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding TF resource access" allow-rule-test - #1
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding array access" allow-rule-test - #2
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding TF resource access" allow-rule-test - #3
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding Secrets from Variable Interpolation" allow-rule-test - #4
+
resource "aws_secretsmanager_secret_version" "secret_version" {
for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled }
secret_id = aws_secretsmanager_secret.client_secret[each.key].id # use of indexes
+ #1:
secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password.client_password[each.key].result })
}
@@ -9,6 +15,7 @@ resource "aws_secretsmanager_secret_version" "secret_version_2" {
for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled }
secret_id = aws_secretsmanager_secret.client_secret[each.key].id # use of indexes
+ #1:
secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password[each.key].client_password.result })
}
@@ -16,17 +23,18 @@ resource "aws_secretsmanager_secret_version" "secret_version_3" {
for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled }
secret_id = aws_secretsmanager_secret.client_secret[each.key].id # use of indexes
+ #2:
secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password["index"].client_password.result })
}
resource "aws_msk_scram_secret_association" "msk_secret_association" {
count = var.enabled && var.client_sasl_scram_enabled ? 1 : 0
cluster_arn = aws_msk_cluster.kafka[0].arn
- secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : secret.arn] # short reference
+ secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : secret.arn] #3
}
resource "aws_msk_scram_secret_association" "msk_secret_association_2" {
count = var.enabled && var.client_sasl_scram_enabled ? 1 : 0
cluster_arn = aws_msk_cluster.kafka[0].arn
- secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : null] # short reference
-}
+ secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : "${secret.arn}"] #4
+}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative60.proto b/assets/queries/common/passwords_and_secrets/test/negative61.proto
similarity index 54%
rename from assets/queries/common/passwords_and_secrets/test/negative60.proto
rename to assets/queries/common/passwords_and_secrets/test/negative61.proto
index 63d53613600..346dc9bdb1d 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative60.proto
+++ b/assets/queries/common/passwords_and_secrets/test/negative61.proto
@@ -1,50 +1,54 @@
-syntax = "proto3";
-
-// Contains "secret", "key", "password" and "token" keywords - would flag if not for allow rules
-// Note - This is as valid proto file that generates output with "protoc" command as of version "libprotoc 34.0"
-
-package com.example.security_test.v1;
-
-import "google/protobuf/wrappers.proto";
-
-message SampleMessageNegative {
- google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token
- google.protobuf.StringValue access_token= 111111111; // Generic Token
- google.protobuf.StringValue id_token = 3; // Generic Token
- google.protobuf.StringValue bearer_toaken = 4;;; // Generic Token
- google.protobuf.StringValue api_token = 7 ; // Generic Token
- google.protobuf.StringValue token = 8; // Generic Token
- google.protobuf.StringValue aws_session_token = 9; // Generic Token
- google.protobuf.StringValue sas_token = 12; // Generic Token
- google.protobuf.StringValue auth_token = 13; // Generic Token
- google.protobuf.StringValue bot_token = 14; // Generic Token
- google.protobuf.StringValue callback_token = 32; // Generic Token
- google.protobuf.StringValue k8s_service_account_token = 33; // Generic Token
- google.protobuf.StringValue registry_token = 34; // Generic Token
- google.protobuf.StringValue deploy_token = 35; // Generic Token
- google.protobuf.StringValue ci_token = 36; // Generic Token
- google.protobuf.StringValue npm_token = 37; // Generic Token
- google.protobuf.StringValue pypi_token = 38; // Generic Token
- google.protobuf.StringValue app_installation_token = 20; // Generic Token
- google.protobuf.StringValue twilio_auth_token = 21; // Generic Token
- google.protobuf.StringValue twilio_auth_token_key = 121; // Generic Token
- google.protobuf.StringValue test_token_ = 122 ; // Generic Token
- google.protobuf.StringValue sonar_token = 39;google.protobuf.StringValue codecov_token = 40;// trailing comment test - Generic Token
- google.protobuf.StringValue jwt_private_key = 25; // Generic Private Key
- google.protobuf.StringValue ssh_private_key = 26; // Generic Private Key
- google.protobuf.StringValue tls_private_key = 27; // Generic Private Key
- google.protobuf.StringValue ca_private_key = 28 ; // Generic Private Key
- google.protobuf.StringValue cosign_private_key = 41; // Generic Private Key
- google.protobuf.StringValue service_account_private_key = 30; // Generic Private Key
- google.protobuf.StringValue app_private_key = 19; // Generic Private Key
- google.protobuf.StringValue gcp_private_key = 10; // Generic Private Key
- google.protobuf.StringValue private_key = 5; // Generic Private Key
- google.protobuf.StringValue sp_private_key = 6; // Generic Private Key
- google.protobuf.StringValue encryption_key = 22; // Encryption Key
- google.protobuf.StringValue data_encryption_key= 23 ; // Encryption Key
- google.protobuf.StringValue key_encryption_key=24; // Encryption Key
- google.protobuf.StringValue registry_password = 104; // Generic Password
- google.protobuf.StringValue artifactory_password = 107 ; // Generic Password
- google.protobuf.StringValue nexus_password = 108; // Generic Password
- string password = 64; // Generic Password
+// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Proto File fields" allow-rule-test - #1
+// "Generic Private Key" - 2f665079-c383-4b33-896e-88268c1fa258 - "Avoiding Proto File fields" allow rule test - #2
+// "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding Proto File fields" allow-rule-test - #3
+// "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Proto File fields" allow rule test - #4
+syntax = "proto3";
+
+// Contains "secret", "key", "password" and "token" keywords - would flag if not for allow rules
+// Note - This is as valid proto file that generates output with "protoc" command as of version "libprotoc 34.0"
+
+package com.example.security_test.v1;
+
+import "google/protobuf/wrappers.proto";
+
+message SampleMessageNegative {
+ google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token #1
+ google.protobuf.StringValue sonar_token = 39;google.protobuf.StringValue codecov_token = 40;// trailing comment test - Generic Token #1
+ google.protobuf.StringValue access_token= 111111111; // Generic Token #1
+ google.protobuf.StringValue id_token = 3; // Generic Token #1
+ google.protobuf.StringValue bearer_toaken = 4;;; // Generic Token #1
+ google.protobuf.StringValue api_token = 7 ; // Generic Token #1
+ google.protobuf.StringValue token = 8; // Generic Token #1
+ google.protobuf.StringValue aws_session_token = 9; // Generic Token #1
+ google.protobuf.StringValue sas_token = 12; // Generic Token #1
+ google.protobuf.StringValue auth_token = 13; // Generic Token #1
+ google.protobuf.StringValue bot_token = 14; // Generic Token #1
+ google.protobuf.StringValue callback_token = 32; // Generic Token #1
+ google.protobuf.StringValue k8s_service_account_token = 33; // Generic Token #1
+ google.protobuf.StringValue registry_token = 34; // Generic Token #1
+ google.protobuf.StringValue deploy_token = 35; // Generic Token #1
+ google.protobuf.StringValue ci_token = 36; // Generic Token #1
+ google.protobuf.StringValue npm_token = 37; // Generic Token #1
+ google.protobuf.StringValue pypi_token = 38; // Generic Token #1
+ google.protobuf.StringValue app_installation_token = 20; // Generic Token #1
+ google.protobuf.StringValue twilio_auth_token = 21; // Generic Token #1
+ google.protobuf.StringValue twilio_auth_token_key = 121; // Generic Token #1
+ google.protobuf.StringValue test_token_ = 122 ; // Generic Token #1
+ google.protobuf.StringValue jwt_private_key = 25; // Generic Private Key #2
+ google.protobuf.StringValue ssh_private_key = 26; // Generic Private Key #2
+ google.protobuf.StringValue tls_private_key = 27; // Generic Private Key #2
+ google.protobuf.StringValue ca_private_key = 28 ; // Generic Private Key #2
+ google.protobuf.StringValue cosign_private_key = 41; // Generic Private Key #2
+ google.protobuf.StringValue service_account_private_key = 30; // Generic Private Key #2
+ google.protobuf.StringValue app_private_key = 19; // Generic Private Key #2
+ google.protobuf.StringValue gcp_private_key = 10; // Generic Private Key #2
+ google.protobuf.StringValue private_key = 5; // Generic Private Key #2
+ google.protobuf.StringValue sp_private_key = 6; // Generic Private Key #2
+ google.protobuf.StringValue encryption_key = 22; // Encryption Key #3
+ google.protobuf.StringValue data_encryption_key= 23 ; // Encryption Key #3
+ google.protobuf.StringValue key_encryption_key=24; // Encryption Key #3
+ google.protobuf.StringValue registry_password = 10421; // Generic Password #4
+ google.protobuf.StringValue artifactory_password = 10731 ; // Generic Password #4
+ google.protobuf.StringValue nexus_password = 10853; // Generic Password #4
+ string password = 64114; // Generic Password #4
}
\ No newline at end of file
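Review bot: The four password fields are renumbered (`104`→`10421`, `107`→`10731`, `108`→`10853`, `64`→`64114`) with no rationale in the fixture while every other field keeps its number; if the bump is needed so the numeric value is not taken for a short secret-like value, a comment on the first of them such as `// large field numbers on purpose - do not "tidy" back to small values` would stop the next editor from reverting it. The header lines also mix `allow-rule-test` (#1, #3) with `allow rule test` (#2, #4), a form that negative53.json and negative63.yaml use as well, so one spelling should be chosen if anything ever greps these labels. The rewritten note on the second comment line still reads `This is as valid proto file`; it should be `This is a valid proto file`.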
diff --git a/assets/queries/common/passwords_and_secrets/test/negative61.tf b/assets/queries/common/passwords_and_secrets/test/negative62.tf
similarity index 71%
rename from assets/queries/common/passwords_and_secrets/test/negative61.tf
rename to assets/queries/common/passwords_and_secrets/test/negative62.tf
index 9b986baab96..e4cfd62629e 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative61.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative62.tf
@@ -1,4 +1,6 @@
-# Sample for 'Encryption Key' - avoiding TF resource access rule
+# "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding TF resource access" allow-rule-test - #1
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test - #2
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding array access" allow-rule-test - #3
terraform {
required_providers {
aws = {
@@ -18,26 +20,6 @@ variable "encryption_key" {
sensitive = true
}
-variable "environment" {
- description = "Deployment environment"
- type = string
- default = "production"
-}
-
-variable "enabled" {
- description = "Whether to enable resources"
- type = bool
- default = true
-}
-
-variable "clients" {
- description = "Client configurations"
- type = object({
- storage = map(object({
- enabled = bool
- }))
- })
-}
resource "aws_kms_key" "client_encryption_key" {
for_each = { for k, v in var.clients.storage : k => v if var.enabled }
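Review bot: The `variable "enabled"` and `variable "clients"` declarations are deleted here while the retained `for_each` on the last line of the hunk, and the module blocks in the later hunks of this file, still reference `var.enabled` and `var.clients.storage`; the same pattern recurs in the hunk at `module "database"`, where `module "encryption"` is removed but `module.encryption.key_output.value` is kept with a `#1` marker. For a regex-driven fixture this may be deliberate trimming, but the file no longer validates as Terraform, which matters if fixtures are ever run through `terraform validate`. Either keep the two variable blocks and the encryption module, or state in the header that the file is intentionally not a valid configuration, e.g. `# NOTE: not valid Terraform - trimmed to the lines the allow rules need`.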
@@ -58,21 +40,21 @@ module "storage" {
for_each = { for k, v in var.clients.storage : k => v if var.enabled }
source = "./modules/storage"
- encryption_key = aws_kms_key.client_encryption_key[each.key].arn
+ encryption_key = aws_kms_key.client_encryption_key[each.key].arn #1
}
module "storage_2" {
for_each = { for k, v in var.clients.storage : k => v if var.enabled }
source = "./modules/storage"
- encryption_key = aws_kms_key[each.key].client_encryption_key.arn
+ encryption_key = aws_kms_key[each.key].client_encryption_key.arn #1
}
module "storage_3" {
for_each = { for k, v in var.clients.storage : k => v if var.enabled }
source = "./modules/storage"
- encryption_key = aws_kms_key["index"].client_encryption_key.arn
+ encryption_key = aws_kms_key["index"].client_encryption_key.arn #3
}
resource "aws_s3_bucket_server_side_encryption_configuration" "bucket_enc" {
@@ -82,7 +64,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "bucket_enc" {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
- encryption_key = [for k in aws_kms_key.client_encryption_key : k.arn]
+ kms_master_key_id = [for k in aws_kms_key.client_encryption_key : k.arn] #1
}
}
}
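Review bot: Renaming `encryption_key` to `kms_master_key_id` inside `apply_server_side_encryption_by_default` is the correct provider attribute, but the `#1` marker still claims this line exercises the "Encryption Key" rule's TF-resource-access allow rule; unless that rule's key pattern also matches `kms_master_key_id`, the line is no longer a candidate finding and the marker misdescribes the case. Either confirm the match and record it, e.g. `kms_master_key_id = [for k in aws_kms_key.client_encryption_key : k.arn] #1 - key pattern also covers kms_master_key_id`, or drop the marker. The enclosing `resource "aws_s3_bucket_server_side_encryption_configuration"` block starts outside the hunk.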
@@ -90,25 +72,19 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "bucket_enc" {
module "optional_encryption" {
source = "./modules/storage"
- encryption_key = null
+ encryption_key = null #1
}
module "database" {
source = "./modules/database"
- encryption_key = var.encryption_key
-}
-
-module "encryption" {
- source = "./modules/encryption"
-
- environment = var.environment
+ encryption_key = var.encryption_key #2
}
module "app" {
source = "./modules/app"
- encryption_key = module.encryption.key_output.value
+ encryption_key = module.encryption.key_output.value #1
}
data "aws_kms_key" "existing" {
@@ -118,7 +94,7 @@ data "aws_kms_key" "existing" {
module "legacy" {
source = "./modules/legacy"
- encryption_key = data.aws_kms_key.existing.arn
+ encryption_key = data.aws_kms_key.existing.arn #1
}
locals {
@@ -130,5 +106,5 @@ locals {
module "monitoring" {
source = "./modules/monitoring"
- encryption_key = local.encryption_config.key_arn
+ encryption_key = local.encryption_config.key_arn #1
}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative63.yaml b/assets/queries/common/passwords_and_secrets/test/negative63.yaml
new file mode 100644
index 00000000000..22417cd1bef
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative63.yaml
@@ -0,0 +1,21 @@
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding CloudFormation Parameters Descriptions" allow rule test
+Transform: 'AWS::Serverless-2016-10-31'
+Metadata:
+ 'AWS::ServerlessRepo::Application':
+ Name: AthenaJdbcConnector
+ Description: 'This connector enables Amazon Athena to communicate with your Database instance(s) using JDBC driver.'
+ Author: 'default author'
+ SpdxLicenseId: Apache-2.0
+ LicenseUrl: LICENSE.txt
+ ReadmeUrl: README.md
+ Labels:
+ - athena-federation
+ HomePageUrl: 'https://github.com/awslabs/aws-athena-query-federation'
+ SemanticVersion: 2021.41.1
+ SourceCodeUrl: 'https://github.com/awslabs/aws-athena-query-federation'
+Parameters:
+ SecretNamePrefix:
+ # negative1 :
+ Description: 'Used to create resource-based authorization policy for "secretsmanager:GetSecretValue" action. E.g. All Athena JDBC Federation secret names can be prefixed with "AthenaJdbcFederation" and authorization policy will allow "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:AthenaJdbcFederatione*". Parameter value in this case should be "AthenaJdbcFederation". If you do not have a prefix, you can manually update the IAM policy to add allow any secret names.'
+ Type: String
+Resources:
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative64.tf b/assets/queries/common/passwords_and_secrets/test/negative64.tf
new file mode 100644
index 00000000000..64a973d6622
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative64.tf
@@ -0,0 +1,12 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding TF creation token" allow-rule-test
+resource "aws_efs_file_system" "example" {
+ creation_token = "my-efs-filesystem" # positive1
+
+ tags = {
+ Name = "MyEFS"
+ }
+}
+
+resource "aws_efs_file_system" "quoted_key" {
+ creation_token = "my-efs-token-123" # positive2
+}
\ No newline at end of file
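Review bot: The inline markers `# positive1` and `# positive2` label lines in a file whose header declares it an allow-rule (negative) test, which contradicts the convention the other new negative fixtures in this patch use (`#1`, `#2`, or `# negative1`). Someone grepping fixtures for expected hits will be misled into thinking these two `creation_token` lines should appear in the expected results. Suggest `creation_token = "my-efs-filesystem" # negative1` and `creation_token = "my-efs-token-123" # negative2`.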
diff --git a/assets/queries/common/passwords_and_secrets/test/negative65.tf b/assets/queries/common/passwords_and_secrets/test/negative65.tf
new file mode 100644
index 00000000000..bd7f4d82505
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative65.tf
@@ -0,0 +1,6 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding LifecycleActionToken Var" allow-rule-test
+variable "lifecycle_config" {
+ default = {
+ LifecycleActionToken = "placeholder-token-value"
+ }
+}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative66.json b/assets/queries/common/passwords_and_secrets/test/negative66.json
new file mode 100644
index 00000000000..90679701540
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative66.json
@@ -0,0 +1,21 @@
+{
+ "metadata": "'Generic Token' - baee238e-1921-4801-9c3f-79ae1d7b2cbc - 'Avoiding LifecycleActionToken Var' allow-rule-test",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachineScaleSets",
+ "apiVersion": "2021-03-01",
+ "name": "[parameters('vmssName')]",
+ "location": "eastus",
+ "properties": {
+ "orchestrationMode": "Flexible",
+ "lifecycleHook": {
+ "LifecycleActionToken": "d290f1ee-6c54-4b01-90e6-d701748f0851",
+ "LifecycleHookName": "my-lifecycle-hook",
+ "AutoScalingGroupName": "my-asg-group",
+ "LifecycleTransition": "autoscaling:EC2_INSTANCE_LAUNCHING"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative67.yaml b/assets/queries/common/passwords_and_secrets/test/negative67.yaml
new file mode 100644
index 00000000000..3cc66ec6b20
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative67.yaml
@@ -0,0 +1,12 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding LifecycleActionToken Var" allow-rule-test
+Resources:
+ LifecycleHookAction:
+ Type: AWS::AutoScaling::LifecycleHook
+ Properties:
+ AutoScalingGroupName: my-asg-group
+ LifecycleTransition: "autoscaling:EC2_INSTANCE_LAUNCHING"
+ NotificationMetadata: |
+ {
+ "LifecycleActionToken": "d290f1ee-6c54-4b01-90e6-d701748f0851",
+ "LifecycleHookName": "my-lifecycle-hook"
+ }
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative68.yaml b/assets/queries/common/passwords_and_secrets/test/negative68.yaml
new file mode 100644
index 00000000000..92fc008849f
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative68.yaml
@@ -0,0 +1,22 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding result_token Var" allow-rule-test
+Resources:
+ ConfigEvaluatorFunction:
+ Type: AWS::Lambda::Function
+ Properties:
+ Runtime: python3.12
+ Handler: index.handler
+ Code:
+ ZipFile: |
+ import boto3
+ config = boto3.client('config')
+ def handler(event, context):
+ result_token = event['resultToken']
+ config.put_evaluations(
+ Evaluations=[{
+ 'ComplianceResourceType': event['configRuleArn'],
+ 'ComplianceResourceId': event['resourceId'],
+ 'ComplianceType': 'COMPLIANT',
+ 'OrderingTimestamp': event['notificationCreationTime']
+ }],
+ ResultToken=result_token
+ )
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative69.tf b/assets/queries/common/passwords_and_secrets/test/negative69.tf
new file mode 100644
index 00000000000..5cc8cde4783
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative69.tf
@@ -0,0 +1,23 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding next_token Var" allow-rule-test
+resource "aws_lambda_function" "list_resources" {
+ function_name = "list-all-resources"
+ runtime = "python3.12"
+ handler = "index.handler"
+ role = aws_iam_role.lambda_role.arn
+ filename = "lambda.zip"
+}
+
+resource "local_file" "lambda_code" {
+ filename = "index.py"
+ content = <code
- officiel géographique (COG))
- codeCedexEtablissement:
- type: string
- description: Numéro de Cedex
- libelleCedexEtablissement:
- type: string
- description: Libellé correspondant au numéro de Cedex (variable codeCedexEtablissement)
- codePaysEtrangerEtablissement:
- type: string
- description: Code pays pour les établissements situés à l’étranger
- libellePaysEtrangerEtablissement:
- type: string
- description: Libellé du pays pour les adresses à l’étranger
- description: Ensemble des variables d'adresse d'un établissement
- etatService:
- type: string
- description: État actuel du service
- enum:
- - UP
- - DOWN
tags: []
diff --git a/assets/queries/common/passwords_and_secrets/test/positive51.dockerfile b/assets/queries/common/passwords_and_secrets/test/positive51.dockerfile
index a923ba6c694..e67a52b60c4 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive51.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/positive51.dockerfile
@@ -1,3 +1,4 @@
+# "Dockerfile ENV hardcoded password with omitted equals" - f05f238a-2ef0-4c39-9a36-951de1ba6dc9 positive-test
FROM baseImage
ENV ARTEMIS_USER artemis
diff --git a/assets/queries/common/passwords_and_secrets/test/positive52.dockerfile b/assets/queries/common/passwords_and_secrets/test/positive52.dockerfile
index c536dbe279e..1d4bb917502 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive52.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/positive52.dockerfile
@@ -1,3 +1,4 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test
FROM baseImage
ENV ARTEMIS_USER=artemis
diff --git a/assets/queries/common/passwords_and_secrets/test/positive53.json b/assets/queries/common/passwords_and_secrets/test/positive53.json
index 2ed1353d025..f4dde0380aa 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive53.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive53.json
@@ -1,4 +1,5 @@
{
+ "metadata": "'Generic Password' - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test (line 55)",
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
diff --git a/assets/queries/common/passwords_and_secrets/test/positive54.tf b/assets/queries/common/passwords_and_secrets/test/positive54.tf
index e541addefc5..4761e4aeaf2 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive54.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive54.tf
@@ -1,15 +1,15 @@
-
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test
variable "linux_vms" {
description = "positive54.tf"
type = map(object({
region = string
size = optional(string)
admin_username = optional(string)
- admin_password = "optional(sensitive(string))"
+ admin_password = "optional(sensitive(string))" # positive1
}))
default = {}
}
resource "azurerm_linux_virtual_machine" "vms" {
- admin_password = try(each.value.admin_password, "exposed_password", null)
+ admin_password = try(each.value.admin_password, "exposed_password", null) # positive2
}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/positive55.json b/assets/queries/common/passwords_and_secrets/test/positive55.json
index 10f73052150..17c97f066c3 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive55.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive55.json
@@ -1,4 +1,5 @@
{
+ "metadata": "'Generic Secret' - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c positive-test (line 5)",
"Resources": {
"service-3": {
"secretValue": "secretVaule1"
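Review bot: The query id in the new `metadata` string is truncated: `3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c` lacks the trailing `99` that the same rule carries in the `positive56.proto` header and in `regex_rules.json` (`3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99`). The annotation is documentation only, but these headers are meant to be greppable by rule id, so this fixture would be missed. Suggest `"metadata": "'Generic Secret' - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 positive-test (line 5)",`.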
diff --git a/assets/queries/common/passwords_and_secrets/test/positive56.proto b/assets/queries/common/passwords_and_secrets/test/positive56.proto
index 4367e728812..1f45d1eba27 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive56.proto
+++ b/assets/queries/common/passwords_and_secrets/test/positive56.proto
@@ -1,9 +1,16 @@
+// "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test - #1
+// "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 positive-test - #2
+// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc positive-test - #3
+// "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Proto File fields" allow rule test - #4
+// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Proto File fields" allow-rule-test - #5
+// "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding Proto File fields" allow-rule-test - #6
+
syntax = "proto3";
// This sample should not flag the message defined only the exposed secrets in comments :
-// "password" = "test_sample"
-// "secret_key" : minimum_ten_characters
-// "unsafe_token" : "is_this_safe"
+// "password" = "test_sample" #1
+// "secret_key" : minimum_ten_characters #2
+// "unsafe_token" : "is_this_safe" #3
// Note - This is as valid proto file that generates output with "protoc" command as of version "libprotoc 34.0"
package com.example.security_test.v1;
@@ -12,7 +19,7 @@ import "google/protobuf/wrappers.proto";
message InocentMessage {
google.protobuf.StringValue safe_value = 1;
- double not_a_password = 2;
- float not_a_token = 3;
- string not_an_encryption_key = 4;
+ double not_a_password = 22222; // #4
+ float not_a_token = 3; // #5
+ string not_an_encryption_key = 4; // #6
}
\ No newline at end of file
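Review bot: `double not_a_password = 22222; // #4` changes the field number from 2 to 22222 with no explanation; the `#4` tag only points at the "Avoiding Proto File fields" header line, so a reader cannot tell whether the large number is deliberate (presumably to exercise the allow rule with a large field index) or a typo, and in a real schema a renumbered field is a wire break. Suggest `double not_a_password = 22222; // #4 - large field number on purpose, exercises the allow rule`. The enclosing `message InocentMessage` starts on this hunk's first context line and the file ends with its closing brace.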
diff --git a/assets/queries/common/passwords_and_secrets/test/positive57.yaml b/assets/queries/common/passwords_and_secrets/test/positive57.yaml
deleted file mode 100644
index c0f56b93551..00000000000
--- a/assets/queries/common/passwords_and_secrets/test/positive57.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# Samples for "Encryption Key" query
-- hosts: all
- remote_user: root
- vars:
- encryption_key: aes256_my_super_secret_key_value
- encryption_key: Ab3f8G2kL9mN4pQ7
- encryptionkey: 0123456789abcdef
-
diff --git a/assets/queries/common/passwords_and_secrets/test/positive6.dockerfile b/assets/queries/common/passwords_and_secrets/test/positive6.dockerfile
index b7215a3a104..523c26689fa 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive6.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/positive6.dockerfile
@@ -1,7 +1,10 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test
FROM baseImage
+# positive1
ARG password=pass!1213Fs
-
FROM test2
+
+# positive2
ARG password=pass!1213Fs
diff --git a/assets/queries/common/passwords_and_secrets/test/positive7.tf b/assets/queries/common/passwords_and_secrets/test/positive7.tf
index 0cf0ff92627..570ea8d10f9 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive7.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive7.tf
@@ -1,3 +1,4 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test
resource "google_container_cluster" "primary2" {
name = "marcellus-wallace"
location = "us-central1-a"
@@ -5,7 +6,7 @@ resource "google_container_cluster" "primary2" {
master_auth {
username = ""
- password = "pwd_jsuwauJk212"
+ password = "pwd_jsuwauJk212" # positive1
client_certificate_config {
issue_client_certificate = true
diff --git a/assets/queries/common/passwords_and_secrets/test/positive8.json b/assets/queries/common/passwords_and_secrets/test/positive8.json
index 2fd45f3ca51..d1d351b7f93 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive8.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive8.json
@@ -1,4 +1,5 @@
{
+ "metadata": "'Generic Password' - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test (line 5/8)",
"Resources": {
"service-1": {
"password": "abcdefg"
diff --git a/assets/queries/common/passwords_and_secrets/test/positive9.tf b/assets/queries/common/passwords_and_secrets/test/positive9.tf
index ae7cdce4e49..749fe5ec111 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive9.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive9.tf
@@ -1,3 +1,4 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test
resource "google_container_cluster" "primary4" {
name = "marcellus-wallace"
location = "us-central1-a"
@@ -5,7 +6,7 @@ resource "google_container_cluster" "primary4" {
master_auth {
username = ""
- password = "abcd s"
+ password = "abcd s" # positive1
client_certificate_config {
issue_client_certificate = true
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index 88cc664b56b..b97ffd3a0ed 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -26,181 +26,181 @@
{
"queryName": "Passwords And Secrets - Generic Secret",
"severity": "HIGH",
- "line": 2,
+ "line": 3,
"fileName": "positive5.tf"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 3,
+ "line": 5,
"fileName": "positive6.dockerfile"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 7,
+ "line": 10,
"fileName": "positive6.dockerfile"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 8,
+ "line": 9,
"fileName": "positive7.tf"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 4,
+ "line": 5,
"fileName": "positive8.json"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line":7,
+ "line": 8,
"fileName": "positive8.json"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 8,
+ "line": 9,
"fileName": "positive9.tf"
},
{
"queryName": "Passwords And Secrets - Password in URL",
"severity": "HIGH",
- "line": 7,
+ "line": 10,
"fileName": "positive10.json"
},
{
"queryName": "Passwords And Secrets - Slack Webhook",
"severity": "HIGH",
- "line": 17,
+ "line": 20,
"fileName": "positive10.json"
},
{
"queryName": "Passwords And Secrets - MSTeams Webhook",
"severity": "HIGH",
- "line": 27,
+ "line": 30,
"fileName": "positive10.json"
},
{
"queryName": "Passwords And Secrets - Password in URL",
"severity": "HIGH",
- "line": 7,
+ "line": 10,
"fileName": "positive11.yaml"
},
{
"queryName": "Passwords And Secrets - Slack Webhook",
"severity": "HIGH",
- "line": 9,
+ "line": 12,
"fileName": "positive11.yaml"
},
{
"queryName": "Passwords And Secrets - MSTeams Webhook",
"severity": "HIGH",
- "line": 11,
+ "line": 14,
"fileName": "positive11.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 8,
+ "line": 12,
"fileName": "positive12.json"
},
{
"queryName": "Passwords And Secrets - Password in URL",
"severity": "HIGH",
- "line": 11,
+ "line": 15,
"fileName": "positive12.json"
},
{
"queryName": "Passwords And Secrets - Slack Webhook",
"severity": "HIGH",
- "line": 15,
+ "line": 19,
"fileName": "positive12.json"
},
{
"queryName": "Passwords And Secrets - MSTeams Webhook",
"severity": "HIGH",
- "line": 19,
+ "line": 23,
"fileName": "positive12.json"
},
{
"queryName": "Passwords And Secrets - Asymmetric private key",
"severity": "HIGH",
- "line": 6,
+ "line": 7,
"fileName": "positive13.tf"
},
{
"queryName": "Passwords And Secrets - AWS Access Key",
"severity": "HIGH",
- "line": 17,
+ "line": 18,
"fileName": "positive14.tf"
},
{
"queryName": "Passwords And Secrets - AWS Secret Key",
"severity": "HIGH",
- "line": 18,
+ "line": 19,
"fileName": "positive14.tf"
},
{
"queryName": "Passwords And Secrets - AWS Access Key",
"severity": "HIGH",
- "line": 14,
+ "line": 16,
"fileName": "positive15.tf"
},
{
"queryName": "Passwords And Secrets - AWS Secret Key",
"severity": "HIGH",
- "line": 15,
+ "line": 17,
"fileName": "positive15.tf"
},
{
"queryName": "Passwords And Secrets - K8s Environment Variable Password",
"severity": "HIGH",
- "line": 34,
+ "line": 35,
"fileName": "positive16.yaml"
},
{
"queryName": "Passwords And Secrets - K8s Environment Variable Password",
"severity": "HIGH",
- "line": 36,
+ "line": 37,
"fileName": "positive16.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 7,
+ "line": 8,
"fileName": "positive17.tf"
},
{
"queryName": "Passwords And Secrets - Google OAuth",
"severity": "HIGH",
- "line": 5,
+ "line": 6,
"fileName": "positive18.tf"
},
{
"queryName": "Passwords And Secrets - Slack Token",
"severity": "HIGH",
- "line": 2,
+ "line": 4,
"fileName": "positive19.tf"
},
{
"queryName": "Passwords And Secrets - Stripe API Key",
"severity": "HIGH",
- "line": 2,
+ "line": 3,
"fileName": "positive20.tf"
},
{
"queryName": "Passwords And Secrets - Google API Key",
"severity": "HIGH",
- "line": 50,
+ "line": 51,
"fileName": "positive21.tf"
},
{
"queryName": "Passwords And Secrets - Heroku API Key",
"severity": "HIGH",
- "line": 3,
+ "line": 4,
"fileName": "positive22.tf"
},
{
@@ -212,163 +212,187 @@
{
"queryName": "Passwords And Secrets - Generic API Key",
"severity": "HIGH",
- "line": 4,
+ "line": 5,
"fileName": "positive24.tf"
},
{
"queryName": "Passwords And Secrets - Square Access Token",
"severity": "HIGH",
- "line": 3,
+ "line": 11,
"fileName": "positive25.dockerfile"
},
{
"queryName": "Passwords And Secrets - Picatic API Key",
"severity": "HIGH",
- "line": 5,
+ "line": 14,
"fileName": "positive25.dockerfile"
},
{
"queryName": "Passwords And Secrets - Amazon MWS Auth Token",
"severity": "HIGH",
- "line": 7,
+ "line": 17,
"fileName": "positive25.dockerfile"
},
{
"queryName": "Passwords And Secrets - MailChimp API Key",
"severity": "HIGH",
- "line": 9,
+ "line": 20,
"fileName": "positive25.dockerfile"
},
{
"queryName": "Passwords And Secrets - SendGrid API Key",
"severity": "HIGH",
- "line": 11,
+ "line": 23,
"fileName": "positive25.dockerfile"
},
{
"queryName": "Passwords And Secrets - Generic Private Key",
"severity": "HIGH",
- "line": 9,
+ "line": 10,
"fileName": "positive26.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Token",
"severity": "HIGH",
- "line": 5,
+ "line": 6,
"fileName": "positive27.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Token",
"severity": "HIGH",
- "line": 22,
+ "line": 23,
"fileName": "positive27.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Token",
"severity": "HIGH",
- "line": 5,
+ "line": 6,
"fileName": "positive28.yaml"
},
{
"queryName": "Passwords And Secrets - Mailgun API Key",
"severity": "HIGH",
- "line": 2,
+ "line": 3,
"fileName": "positive29.tf"
},
{
"queryName": "Passwords And Secrets - Stripe Restricted API Key",
"severity": "HIGH",
- "line": 2,
+ "line": 3,
"fileName": "positive30.tf"
},
{
"queryName": "Passwords And Secrets - Twilio API Key",
"severity": "HIGH",
- "line": 4,
+ "line": 6,
"fileName": "positive31.yaml"
},
{
"queryName": "Passwords And Secrets - PayPal Braintree Access Token",
"severity": "HIGH",
- "line": 4,
+ "line": 6,
"fileName": "positive32.yaml"
},
{
"queryName": "Passwords And Secrets - Facebook Access Token",
"severity": "HIGH",
- "line": 13,
+ "line": 15,
+ "fileName": "positive33.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Facebook Access Token",
+ "severity": "HIGH",
+ "line": 17,
"fileName": "positive33.yaml"
},
{
"queryName": "Passwords And Secrets - Square OAuth Secret",
"severity": "HIGH",
- "line": 13,
+ "line": 15,
+ "fileName": "positive34.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Square OAuth Secret",
+ "severity": "HIGH",
+ "line": 16,
"fileName": "positive34.yaml"
},
{
"queryName": "Passwords And Secrets - Google OAuth Access Token",
"severity": "HIGH",
- "line": 13,
+ "line": 15,
"fileName": "positive35.yaml"
},
{
"queryName": "Passwords And Secrets - Putty User Key File Content",
"severity": "HIGH",
- "line": 5,
+ "line": 6,
"fileName": "positive36.tf"
},
{
"queryName": "Passwords And Secrets - Generic Secret",
"severity": "HIGH",
- "line": 14,
+ "line": 15,
"fileName": "positive37.tf"
},
{
"queryName": "Passwords And Secrets - CloudFormation Secret Template",
"severity": "HIGH",
- "line": 16,
+ "line": 9,
"fileName": "positive38.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Secret",
"severity": "HIGH",
- "line": 3,
+ "line": 4,
"fileName": "positive39.tf"
},
{
"queryName": "Passwords And Secrets - AWS Context-specific credential",
"severity": "HIGH",
- "line": 14,
+ "line": 15,
"fileName": "positive40.tf"
},
{
"queryName": "Passwords And Secrets - AWS Certificate",
"severity": "HIGH",
- "line": 15,
+ "line": 16,
"fileName": "positive40.tf"
},
{
"queryName": "Passwords And Secrets - Asymmetric private key",
"severity": "HIGH",
- "line": 6,
+ "line": 7,
"fileName": "positive41.tf"
},
{
"queryName": "Passwords And Secrets - Generic Access Key",
"severity": "HIGH",
- "line": 7,
+ "line": 8,
"fileName": "positive42.tf"
},
{
"queryName": "Passwords And Secrets - Generic Token",
"severity": "HIGH",
- "line": 5,
+ "line": 6,
"fileName": "positive43.yaml"
},
{
- "queryName": "Passwords And Secrets - Generic Secret",
+ "queryName": "Passwords And Secrets - Encryption Key",
"severity": "HIGH",
- "line": 17,
+ "line": 5,
+ "fileName": "positive44.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Encryption Key",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive44.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Encryption Key",
+ "severity": "HIGH",
+ "line": 7,
"fileName": "positive44.yaml"
},
{
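Review bot: The `Generic Secret` expectation at line 17 of `positive44.yaml` is replaced by three `Encryption Key` hits at lines 5–7, which look like the entries removed for the deleted `positive57.yaml` in the last hunk of this file; the change to `positive44.yaml` itself is not in this chunk, so I cannot confirm the original line-17 secret was removed from the fixture rather than only dropped from the expectations. If the value is still there, the Generic Secret rule silently loses a test case. Please confirm against the `positive44.yaml` diff, or add the line-17 entry back alongside the new ones.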
@@ -380,67 +404,67 @@
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 20,
+ "line": 21,
"fileName": "positive46.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 21,
+ "line": 22,
"fileName": "positive46.yaml"
},
{
"queryName": "Passwords And Secrets - Google OAuth",
"severity": "HIGH",
- "line": 5,
+ "line": 7,
"fileName": "positive47.tf"
},
{
"queryName": "Passwords And Secrets - Generic Secret",
"severity": "HIGH",
- "line": 6,
+ "line": 8,
"fileName": "positive47.tf"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 8,
+ "line": 10,
"fileName": "positive48.tf"
},
{
"queryName": "Passwords And Secrets - Generic Private Key",
"severity": "HIGH",
- "line": 7,
+ "line": 9,
"fileName": "positive49.yml"
},
{
"queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple",
"severity": "HIGH",
- "line": 56,
+ "line": 22,
"fileName": "positive50.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple",
"severity": "HIGH",
- "line": 68,
+ "line": 26,
"fileName": "positive50.yaml"
},
{
"queryName": "Passwords And Secrets - Dockerfile ENV hardcoded password with omitted equals",
"severity": "HIGH",
- "line": 4,
+ "line": 5,
"fileName": "positive51.dockerfile"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 4,
+ "line": 5,
"fileName": "positive52.dockerfile"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 54,
+ "line": 55,
"fileName": "positive53.json"
},
{
@@ -458,43 +482,25 @@
{
"queryName": "Passwords And Secrets - Generic Secret",
"severity": "HIGH",
- "line": 4,
+ "line": 5,
"fileName": "positive55.json"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 4,
+ "line": 11,
"fileName": "positive56.proto"
},
{
"queryName": "Passwords And Secrets - Generic Secret",
"severity": "HIGH",
- "line": 5,
+ "line": 12,
"fileName": "positive56.proto"
},
{
"queryName": "Passwords And Secrets - Generic Token",
"severity": "HIGH",
- "line": 6,
+ "line": 13,
"fileName": "positive56.proto"
- },
- {
- "queryName": "Passwords And Secrets - Encryption Key",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive57.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Encryption Key",
- "severity": "HIGH",
- "line": 6,
- "fileName": "positive57.yaml"
- },
- {
- "queryName": "Passwords And Secrets - Encryption Key",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive57.yaml"
}
]
\ No newline at end of file
From 2727a7fd38304c08771f38e1d34c526246c656b8 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 30 Mar 2026 16:48:30 +0100
Subject: [PATCH 15/30] Updated E2E 32 simId on CloudFormation Secret Template
since uuid was changed
---
e2e/fixtures/E2E_CLI_032_RESULT.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/e2e/fixtures/E2E_CLI_032_RESULT.json b/e2e/fixtures/E2E_CLI_032_RESULT.json
index 7ac89974e07..99f443ac9a5 100644
--- a/e2e/fixtures/E2E_CLI_032_RESULT.json
+++ b/e2e/fixtures/E2E_CLI_032_RESULT.json
@@ -126,7 +126,7 @@
"files": [
{
"file_name": "/path/e2e/fixtures/samples/positive.yaml",
- "similarity_id": "5f948e5c0c97f3e7c43cd531de50c6c54a2cec221a45f113a34a571165d30553",
+ "similarity_id": "aa3fd914f960f2ee04950affedb46169e1feb602f3501370da9acdafe288c407",
"line": 273,
"issue_type": "RedundantAttribute",
"search_key": "",
From 562027091c015c82162bb44e4efb4411cbfb1031 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 30 Mar 2026 17:51:07 +0100
Subject: [PATCH 16/30] Fix expected results query name
---
.../passwords_and_secrets/test/positive_expected_result.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index b97ffd3a0ed..041056e2a6b 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -348,13 +348,13 @@
"fileName": "positive39.tf"
},
{
- "queryName": "Passwords And Secrets - AWS Context-specific credential",
+ "queryName": "Passwords And Secrets - AWS Access Key",
"severity": "HIGH",
"line": 15,
"fileName": "positive40.tf"
},
{
- "queryName": "Passwords And Secrets - AWS Certificate",
+ "queryName": "Passwords And Secrets - AWS Access Key",
"severity": "HIGH",
"line": 16,
"fileName": "positive40.tf"
From bc0c27f2e211325a3bbd223ac8c8fbbe8148a1bd Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 31 Mar 2026 09:56:29 +0100
Subject: [PATCH 17/30] Revert change to results query name in expected results
and fix positive22 false positive
---
.../queries/common/passwords_and_secrets/test/positive22.tf | 2 +-
.../passwords_and_secrets/test/positive_expected_result.json | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/test/positive22.tf b/assets/queries/common/passwords_and_secrets/test/positive22.tf
index 78e8c4c205a..2b37d8e6e92 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive22.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive22.tf
@@ -1,4 +1,4 @@
-# "Heroku API Key" - 9a3650af-5b88-48cd-ab89-cd77fd0b633f positive-test
+# "Her oku API Key"(extra space to prevent false positive) - 9a3650af-5b88-48cd-ab89-cd77fd0b633f positive-test
provider "heroku" {
email = "ops@company.com"
api_key = "C71AAAAE-1D1D-1D1D-1D1D-1D1D1D1D1D1D" # positive1
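Review bot: Writing the query name as `Her oku API Key` to stop the header comment from matching the Heroku rule breaks the greppable `"<Query Name>" - <uuid>` convention every other fixture header in this patch follows. If the rule only fires when the provider name precedes the key-shaped value, placing the id first, e.g. `# 9a3650af-5b88-48cd-ab89-cd77fd0b633f - "Heroku API Key" positive-test`, would keep the name intact; the rule's regex is not in this chunk, so that needs checking. Failing that, the parenthetical should name the rule the inserted space is defeating so the next editor does not "fix" the typo.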
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index 041056e2a6b..b97ffd3a0ed 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -348,13 +348,13 @@
"fileName": "positive39.tf"
},
{
- "queryName": "Passwords And Secrets - AWS Access Key",
+ "queryName": "Passwords And Secrets - AWS Context-specific credential",
"severity": "HIGH",
"line": 15,
"fileName": "positive40.tf"
},
{
- "queryName": "Passwords And Secrets - AWS Access Key",
+ "queryName": "Passwords And Secrets - AWS Certificate",
"severity": "HIGH",
"line": 16,
"fileName": "positive40.tf"
From bce7e45a7aedf1a0790b6e83ab4dba2b6e6912d4 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 31 Mar 2026 16:07:32 +0100
Subject: [PATCH 18/30] Small tweaks to many regexes to remove unnecessary
groups and improve ease of interpretation; fixed some sample comments that
referenced incorrect allow rules; added a new test for the 'Avoiding array
access' allow rules (large index)
---
.../passwords_and_secrets/regex_rules.json | 136 +++++++++---------
.../test/negative18.yaml | 2 +-
.../test/negative19.yaml | 2 +-
.../passwords_and_secrets/test/negative2.yaml | 2 +-
.../test/negative32.yaml | 2 +-
.../test/negative37.yaml | 3 +-
.../test/positive11.yaml | 1 +
.../test/positive35.yaml | 4 +-
.../test/positive38.yaml | 4 +-
9 files changed, 77 insertions(+), 79 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index e8b60a70c95..eaeff19cf26 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -3,11 +3,11 @@
{
"id": "487f4be7-3fd9-4506-a07a-eae252180c08",
"name": "Generic Password",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+\\-,. ]{4,})['\"]?",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-,. ]{4,}['\"]?",
"allowRules": [
{
"description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)"
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\s*([\\[\\.\\)\\]\\}\\$]|:\\s*null)|null)"
},
{
"description": "Avoiding description field",
@@ -23,7 +23,7 @@
},
{
"description": "Avoiding Ansible playbook update_password",
- "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+\\-,.]{4,})['\"]?"
+ "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-,.]{4,}['\"]?"
},
{
"description": "Allow placeholders",
@@ -35,7 +35,7 @@
},
{
"description": "Allow password retrieved from ARM parameters",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"]([a-zA-Z][a-zA-Z0-9_\\-]*)['\"]['\"]?\\)"
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_\\-]*['\"]['\"]?\\)"
},
{
"description": "Avoiding Proto File fields",
@@ -47,7 +47,7 @@
{
"id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99",
"name": "Generic Secret",
- "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@#&%(){};=?*+\\-.<>,:;[\\]%$]{10,})['\"]?",
+ "regex": "(?i)['\"]?secret_?(key|value)?['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@#&%(){};=?*+\\-.<>,:;\\[\\]%$]{10,})['\"]?",
"entropies": [
{
"group": 2,
@@ -58,15 +58,15 @@
"allowRules": [
{
"description": "Avoiding Square OAuth Secret",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?"
+ "regex": "(?i)['\"]?secret_?(key)?['\"]?\\s*[:=]\\s*['\"]?sq0csp-[0-9A-Za-z\\-_]{43}['\"]?"
},
{
"description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\.\\)\\]\\$]|(:\\s*null))|null)"
+ "regex": "(?i)['\"]?secret_?(key)?['\"]?\\s*[:=]\\s*([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\s*([\\[\\.\\)\\]\\}\\$]|:\\s*null)|null)"
},
{
"description": "Avoiding Secrets Manager arn",
- "regex": ":secretsmanager:[a-z0-9-*?]+:[0-9*?]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+\\-]+)['\"]?"
+ "regex": ":secretsmanager:[a-z0-9-*?]+:[0-9*?]+:(?i)['\"]?secret_?(key)?['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?"
},
{
"description": "Avoiding CloudFormation Parameters Descriptions",
@@ -74,23 +74,23 @@
},
{
"description": "Avoiding Secrets from Variable Interpolation",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+\\-]+}?"
+ "regex": "(?i)['\"]?secret_?(key)?['\"]?\\s*[:=]\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+\\-]+}?"
},
{
"description": "Allow secret retrieved from ARM parameters",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_\\-]*['\"]\\s*\\)\\s*\\]"
+ "regex": "(?i)['\"]?secret_?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_\\-]*['\"]\\s*\\)\\s*\\]"
},
{
"description": "Allow secrets retrieved from Bicep getSecret built in function",
- "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*[:=]\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+\\-<>,:;[\\]%$]+)[\"']\\)"
+ "regex": "(?i)['\"]?secret_?(key|value)?['\"]?\\s*[:=]\\s*[a-zA-Z]*\\.getSecret\\(\\s*['\"][A-Za-z0-9/~^_!@#&%(){};=?*+\\-<>,:;\\[\\]%$]+['\"]\\)"
}
],
- "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*"
+ "specialMask": "(?i)['\"]?secret_?(key)?['\"]?\\s*[:=]\\s*"
},
{
"id": "51b5b840-cd0c-4556-98a7-fe5f4def80cf",
"name": "Asymmetric private key",
- "regex": "-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----\\s*(([A-Za-z0-9+,:\\-\\/=\\n\\r]+\\s*)+)-----END ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----",
+ "regex": "-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----\\s*(([A-Za-z0-9+,:\\-\/=\\n\\r]+\\s*)+)-----END ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----",
"multiline": {
"detectLineGroup": 4
},
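Review bot: The rewritten Asymmetric private key pattern spells the slash as the JSON escape `\/`, while the rest of the file, and this same commit in the Generic Access Key rule, write it bare; after JSON decoding the regex holds a plain `/` either way, but in the source it reads like a regex escape that lost a backslash. Write it as `[A-Za-z0-9+,:\\-/=\\n\\r]` for consistency. The pattern is otherwise unchanged from the old line, and `detectLineGroup` 4 still points at the key-body group.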
@@ -135,7 +135,7 @@
{
"id": "83ab47ff-381d-48cd-bac5-fb32222f54af",
"name": "AWS Secret Key",
- "regex": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*['\"]?([a-zA-Z0-9/]{40})[\"']?",
+ "regex": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*['\"]?([a-zA-Z0-9/]{40})['\"]?",
"entropies": [
{
"group": 3,
@@ -148,11 +148,11 @@
{
"id": "4b2b5fd3-364d-4093-bac2-17391b2a5297",
"name": "K8s Environment Variable Password",
- "regex": "apiVersion((.*)\\s*)*env:((.*)\\s*)*name:\\s*\\w+(?i)pass((?i)word)?\\w*\\s*(value):\\s*([\"|'].*[\"|'])",
+ "regex": "apiVersion(.*\\s*)*env:(.*\\s*)*name:\\s*\\w+(?i)pass((?i)word)?\\w*\\s*value:\\s*(['\"].*['\"])",
"multiline": {
- "detectLineGroup": 7
+ "detectLineGroup": 4
},
- "specialMask": "\\s*(value):\\s*"
+ "specialMask": "\\s*value:\\s*"
},
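Review bot: `name:\\s*\\w+(?i)pass` in the new K8s Environment Variable Password regex still requires at least one word character before `pass`, so an env entry named exactly `PASSWORD` followed by `value:` is not matched by this rule while `DB_PASSWORD` is; if no sibling rule covers that case, `\\w*` closes the gap without touching the group numbering. The `(?i)` inside `((?i)word)?` is also redundant, since the earlier `(?i)` already applies to the rest of the pattern, and dropping it keeps `detectLineGroup` at 4: `\\w*(?i)pass(word)?\\w*\\s*value:`. The recomputed group index 4 is correct for the new pattern.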
{
"id": "d651cca2-2156-4d17-8e76-423e68de5c8b",
@@ -172,7 +172,7 @@
{
"id": "7908a9e3-5cac-41b1-b514-5f6d82ce02d5",
"name": "Slack Token",
- "regex": "['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
+ "regex": "['\"]?xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32}['\"]?"
},
{
"id": "6abcae17-b175-4698-a9a5-b07661974749",
@@ -197,9 +197,9 @@
{
"id": "9a3650af-5b88-48cd-ab89-cd77fd0b633f",
"name": "Heroku API Key",
- "regex": "['\"]?(?i)heroku((.|\\n)*)\\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\\b['\"]?",
+ "regex": "['\"]?(?i)heroku(.|\\n)*\\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\\b['\"]?",
"multiline": {
- "detectLineGroup": 3
+ "detectLineGroup": 2
},
"specialMask": "['\"]?(?i)api_key[^\\w\"']+"
},
@@ -236,14 +236,14 @@
{
"id": "74736dd1-dd11-4139-beb6-41cd43a50317",
"name": "Generic API Key",
- "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?([0-9a-zA-Z]{32,45})['\"]?",
+ "regex": "(?i)['\"]?api_?key['\"]?\\s*[:=]\\s*['\"]?[0-9a-zA-Z]{32,45}['\"]?",
"allowRules": [
{
"description": "Avoiding Twilio API Key",
- "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?(SK[0-9a-fA-F]{32})['\"]?"
+ "regex": "(?i)['\"]?api_?key['\"]?\\s*[:=]\\s*['\"]?SK[0-9a-fA-F]{32}['\"]?"
}
],
- "specialMask": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*"
+ "specialMask": "(?i)['\"]?api_?key['\"]?\\s*[:=]\\s*"
},
{
"id": "62d0025d-9575-4eff-b60b-d3b4fcec0d04",
@@ -263,14 +263,13 @@
{
"id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
"name": "Generic Access Key",
- "regex": "(?i)^\\s*['\"]?access[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+\\-]+)['\"]?",
- "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*"
+ "regex": "(?i)^\\s*['\"]?access_?key['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?",
+ "specialMask": "(?i)['\"]?access_?key['\"]?\\s*[:=]\\s*"
},
{
"id": "2f665079-c383-4b33-896e-88268c1fa258",
"name": "Generic Private Key",
- "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+\\-]+)['\"]?",
- "specialMask": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*",
+ "regex": "(?i)['\"]?private_?key['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?",
"allowRules": [
{
"description": "Avoiding bash variables",
@@ -278,58 +277,59 @@
},
{
"description": "Avoid Docker Compose secrets paths",
- "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?/run/secrets/\\w+['\"]?"
+ "regex": "(?i)['\"]?private_?key['\"]?\\s*[:=]\\s*['\"]?/run/secrets/\\w+['\"]?"
},
{
"description": "Avoiding Proto File fields",
- "regex": "(?i)private[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ "regex": "(?i)private_?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
}
- ]
+ ],
+ "specialMask": "(?i)['\"]?private_?key['\"]?\\s*[:=]\\s*"
},
{
"id": "baee238e-1921-4801-9c3f-79ae1d7b2cbc",
"name": "Generic Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+\\-]+)['\"]?",
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?",
"allowRules": [
{
"description": "Avoiding Amazon MWS Auth Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[=:]\\s*['\"]?amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"]?"
},
{
"description": "Avoiding Slack Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[=:]\\s*['\"]?xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32}['\"]?"
},
{
"description": "Avoiding Square Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(sq0atp-[0-9A-Za-z\\-_]{22})['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[=:]\\s*['\"]?sq0atp-[0-9A-Za-z\\-_]{22}['\"]?"
},
{
"description": "Avoiding Google OAuth Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(ya29\\.[0-9A-Za-z\\-_]+)['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[=:]\\s*['\"]?ya29\\.[0-9A-Za-z\\-_]+['\"]?"
},
{
"description": "Avoiding PayPal Braintree Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32})['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[=:]\\s*['\"]?access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}['\"]?"
},
{
"description": "Avoiding Facebook Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(EAACEdEose0cBA[0-9A-Za-z]+)['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[=:]\\s*['\"]?EAACEdEose0cBA[0-9A-Za-z]+['\"]?"
},
{
"description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\s*([\\[\\.\\)\\]\\}\\$]|:\\s*null)|null)"
},
{
"description": "Avoiding TF creation token",
- "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+\\-]+)['\"]?"
+ "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?"
},
{
- "description": "Avoiding CLoudformation ServiceToken",
- "regex": "['\"]?ServiceToken['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+\\-,.]+)['\"]?"
+ "description": "Avoiding CloudFormation ServiceToken",
+ "regex": "['\"]?ServiceToken['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-,.]+['\"]?"
},
{
"description": "Avoiding LifecycleActionToken Var",
- "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+\\-]+)['\"]?"
+ "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?"
},
{
"description": "Avoiding Github id-token Default Values",
@@ -337,53 +337,53 @@
},
{
"description": "Avoiding result_token Var",
- "regex": "(?i)['\"]?result(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+\\-]+)['\"]?"
+ "regex": "(?i)['\"]?result_?token['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?"
},
{
"description": "Avoiding next_token Var",
- "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+\\-]+)['\"]?"
+ "regex": "(?i)['\"]?next_?token['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?"
},
{
"description": "Avoiding references to module outputs in Bicep",
- "regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)"
+ "regex": "(?i)token_?(key)?\\s*[:=]\\s*[a-zA-Z][a-zA-Z0-9_]*\\.outputs\\.[a-zA-Z][a-zA-Z0-9_]*"
},
{
"description": "Avoiding Run After Triggers (if written in conformity with best practices)",
- "regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ "regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?"
},
{
"description": "Avoiding Proto File fields",
- "regex": "(?i)token(_)?(key)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ "regex": "(?i)token_?(key)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
}
],
- "specialMask": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*"
+ "specialMask": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*"
},
{
"id": "0ec60fb3-5b78-4da0-bea0-b854fd9bf8b9",
"name": "CloudFormation Secret Template",
- "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+\\-]{10,})}",
+ "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{[\\\":A-Za-z0-9/~^_!@&%()=?*+\\-]{10,}}",
"specialMask": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*"
},
{
"id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6",
"name": "Encryption Key",
- "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?[[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?",
+ "regex": "(?i)['\"]?encryption_?key['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?",
"allowRules": [
{
"description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)"
+ "regex": "(?i)['\"]?encryption_?key['\"]?\\s*[:=]\\s*([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\s*([\\[\\.\\)\\]\\}\\$]|:\\s*null)|null)"
},
{
- "description": "Avoiding CLoudformation KeyName",
- "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+\\-,.]+)['\"]?"
+ "description": "Avoiding CloudFormation KeyName",
+ "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-,.]+['\"]?"
},
{
"description": "Avoiding Proto File fields",
- "regex": "(?i)encryption[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ "regex": "(?i)encryption_?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
}
],
- "specialMask": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*"
+ "specialMask": "(?i)['\"]?encryption_?key['\"]?\\s*[:=]\\s*"
},
{
"id": "8a879bc7-6f82-40fd-bb48-74d25d557fe8",
@@ -393,30 +393,26 @@
{
"id": "be0ed753-d304-4363-844a-144050d4006d",
"name": "Generic Password on YAML files when value in tuple",
- "regex": ".*password\\s*:[\\n|\\r]\\s*value:([^\\n|\\r]*)",
+ "regex": ".*password\\s*:[\\n\\r]\\s*value:([^\\n\\r]*)",
"multiline": {
"detectLineGroup": 1
},
- "specialMask": ".*password\\s*:[\\n|\\r]\\s*value:"
+ "specialMask": ".*password\\s*:[\\n\\r]\\s*value:"
},
{
"id": "f05f238a-2ef0-4c39-9a36-951de1ba6dc9",
"name": "Dockerfile ENV hardcoded password with omitted equals",
- "regex": "(?i)ENV\\s+[A-Za-z0-9/~^_!@&%()=?*+\\-,.]*password[A-Za-z0-9/~^_!@&%()=?*+\\-,.]*\\s+['\"]?([A-Za-z0-9/~^_!@&%()=?*+\\-,. ]{4,})['\"]?"
+ "regex": "(?i)ENV\\s+[A-Za-z0-9/~^_!@&%()=?*+\\-,.]*password[A-Za-z0-9/~^_!@&%()=?*+\\-,.]*\\s+['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-,. ]{4,}['\"]?"
}
],
"allowRules": [
{
"description": "Avoiding TF variables",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(var\\.)['\"]?"
- },
- {
- "description": "!Ref is a cloudFormation reference",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+!Ref\\s+\\.*"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?var\\.['\"]?"
},
{
- "description": "Avoiding cloudFormation intrinsic functions",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|!Not|Fn::Transform(:)?)\\s+\\.*"
+ "description": "Avoiding CloudFormation intrinsic functions",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!Ref|!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|!Not|Fn::Transform:?)\\s+.*"
},
{
"description": "Avoiding Boolean's",
@@ -424,23 +420,23 @@
},
{
"description": "Avoiding arn",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(arn:)['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?arn:['\"]?"
},
{
"description": "Avoiding array access",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+\\-,.]{4,}\\[([0-9]|['\"][a-zA-Z0-9]+['\"])\\])['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-,.]{4,}\\[([0-9]+|['\"][a-zA-Z0-9]+['\"])]['\"]?"
},
{
"description": "Avoiding TF file function",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(file\\()['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?file\\(['\"]?"
},
{
"description": "Avoiding ansible-vault encrypted variables",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(!vault \\|)['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?!vault \\|['\"]?"
},
{
"description": "Avoiding sha-hashed mysql native passwords",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(\\*[0-9A-F]{40})['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?\\*[0-9A-F]{40}['\"]?"
}
]
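Review bot: The new "Avoiding array access" regex closes the index with a bare `]` in `\\[([0-9]+|['\"][a-zA-Z0-9]+['\"])]`, which Go's RE2 accepts as a literal but reads as unbalanced next to the escaped `\\[`, and the other rules in this file escape both brackets (for example the TF resource access rules). Write it as `\\[([0-9]+|['\"][a-zA-Z0-9]+['\"])\\]` for consistency and so the pattern stays portable to engines that reject a stray `]`. The change from `[0-9]` to `[0-9]+` is the intended fix and is exercised by the large-index line added to negative37.yaml in this commit.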
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative18.yaml b/assets/queries/common/passwords_and_secrets/test/negative18.yaml
index 72b93cd1a70..0d42068cccf 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative18.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative18.yaml
@@ -1,4 +1,4 @@
-# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "!Ref is a cloudFormation reference" allow-rule-test - #2
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions" allow-rule-test
Parameters:
PrivateKey1:
Type: String
diff --git a/assets/queries/common/passwords_and_secrets/test/negative19.yaml b/assets/queries/common/passwords_and_secrets/test/negative19.yaml
index 6ce2d03bc45..2b3b2b20099 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative19.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative19.yaml
@@ -1,4 +1,4 @@
-# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "!Ref is a cloudFormation reference" allow-rule-test
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions" allow-rule-test
Parameters:
PinpointAPNSVoipChannelTokenKey:
Type: String
diff --git a/assets/queries/common/passwords_and_secrets/test/negative2.yaml b/assets/queries/common/passwords_and_secrets/test/negative2.yaml
index 3ce5a39b7a4..f3271d4a6fb 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative2.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative2.yaml
@@ -1,4 +1,4 @@
-# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "!Ref is a cloudFormation reference" allow-rule-test
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions" allow-rule-test
Resources:
RDSCluster:
Type: "AWS::RDS::DBCluster"
diff --git a/assets/queries/common/passwords_and_secrets/test/negative32.yaml b/assets/queries/common/passwords_and_secrets/test/negative32.yaml
index 12c4c5f871f..0a89c460fa4 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative32.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative32.yaml
@@ -1,4 +1,4 @@
-# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "!Ref is a cloudFormation reference" allow-rule-test - #2
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions" allow-rule-test
Conditions:
HasKmsKey: !Not [!Equals [!Ref ParentKmsKeyStack, '']]
HasSecretName: !Not [!Equals [!Ref ParentKmsKeyStack, '']]
diff --git a/assets/queries/common/passwords_and_secrets/test/negative37.yaml b/assets/queries/common/passwords_and_secrets/test/negative37.yaml
index 876687a757e..8f9081a631b 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative37.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative37.yaml
@@ -1,4 +1,4 @@
-# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding array access" allow-rule-test (line 10)
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding array access" allow-rule-test (line 10/11)
Resources:
MytFunction:
Type: AWS::Lambda::Function
@@ -8,4 +8,5 @@ Resources:
ZipFile: !Sub | # negative1:
function msg(userPass) {
return {"username": userPass[1], "password": userPass[2]}
+ return {"Busername": userPass[1312], "Bpassword": userPass[2412]}
}
diff --git a/assets/queries/common/passwords_and_secrets/test/positive11.yaml b/assets/queries/common/passwords_and_secrets/test/positive11.yaml
index ee595f50188..08cef3e44dd 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive11.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/positive11.yaml
@@ -13,3 +13,4 @@ servers:
description: My API Server 2
- url: https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18 #3
description: My API Server 3
+
diff --git a/assets/queries/common/passwords_and_secrets/test/positive35.yaml b/assets/queries/common/passwords_and_secrets/test/positive35.yaml
index fc933812bb7..0fb7b837f23 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive35.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/positive35.yaml
@@ -1,5 +1,5 @@
-# "Google OAuth Access Token" - 41a1ca8d-f466-4084-a8c9-50f8b22200d5 positive-test
-# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Square Access Token" allow-rule-test
+# "Google OAuth Access Token" - 41a1ca8d-f466-4084-a8c9-50f8b22200d5 positive-test
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Google OAuth Access Token" allow-rule-test
apiVersion: v1
kind: Config
users:
diff --git a/assets/queries/common/passwords_and_secrets/test/positive38.yaml b/assets/queries/common/passwords_and_secrets/test/positive38.yaml
index ec55e6b1bd6..eb223d9dbdc 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive38.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/positive38.yaml
@@ -1,5 +1,5 @@
-# "CloudFormation Secret Template" - 0ec60fb3-5b78-4da0-bea0-b854fd9bf8b9 positive-test - #1
-# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "!Ref is a cloudFormation reference" allow-rule-test - #2
+# "CloudFormation Secret Template" - 0ec60fb3-5b78-4da0-bea0-b854fd9bf8b9 positive-test - #1
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions" allow-rule-test - #2
Resources:
MyAmpAppSecretManagerRotater:
Type: AWS::SecretsManager::Secret
From 745e83289ad2639f7a907bdd377f7d98d9460f47 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 31 Mar 2026 18:17:39 +0100
Subject: [PATCH 19/30] Improvements to comments on many tests
---
.../common/passwords_and_secrets/test/negative26.yaml | 2 +-
.../common/passwords_and_secrets/test/negative33.yaml | 1 -
.../common/passwords_and_secrets/test/negative38.yaml | 6 +++---
.../common/passwords_and_secrets/test/negative40.yaml | 4 ++--
.../common/passwords_and_secrets/test/negative53.json | 2 +-
.../common/passwords_and_secrets/test/negative54.json | 2 +-
.../common/passwords_and_secrets/test/negative57.bicep | 2 +-
.../common/passwords_and_secrets/test/negative59.bicep | 2 +-
.../common/passwords_and_secrets/test/negative64.tf | 4 ++--
.../common/passwords_and_secrets/test/negative66.json | 2 +-
.../common/passwords_and_secrets/test/negative67.yaml | 2 +-
.../common/passwords_and_secrets/test/negative68.yaml | 2 +-
.../common/passwords_and_secrets/test/negative69.tf | 2 +-
.../common/passwords_and_secrets/test/positive13.tf | 2 +-
.../common/passwords_and_secrets/test/positive14.tf | 4 ++--
.../common/passwords_and_secrets/test/positive15.tf | 4 ++--
.../common/passwords_and_secrets/test/positive21.tf | 2 +-
.../common/passwords_and_secrets/test/positive31.yaml | 6 +++---
.../common/passwords_and_secrets/test/positive32.yaml | 6 +++---
.../common/passwords_and_secrets/test/positive34.yaml | 8 ++++----
.../common/passwords_and_secrets/test/positive35.yaml | 6 +++---
.../common/passwords_and_secrets/test/positive36.tf | 2 +-
.../common/passwords_and_secrets/test/positive40.tf | 2 +-
.../common/passwords_and_secrets/test/positive41.tf | 2 +-
.../common/passwords_and_secrets/test/positive49.yml | 2 +-
.../passwords_and_secrets/test/positive52.dockerfile | 1 +
26 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/test/negative26.yaml b/assets/queries/common/passwords_and_secrets/test/negative26.yaml
index 8c9ab401d81..353adbccd2e 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative26.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative26.yaml
@@ -11,7 +11,7 @@ users:
user:
auth-provider:
config:
- access-token: '{.credential.oauth_access_token_}'
+ access-token: '{.credential.oauth_access_token_}' # negative1
cmd-args: config config-helper --format=json
cmd-path: /Users/dave/google-cloud-sdk/bin/gcloud
expiry: 2021-10-28T15:12:03.000Z
diff --git a/assets/queries/common/passwords_and_secrets/test/negative33.yaml b/assets/queries/common/passwords_and_secrets/test/negative33.yaml
index 3d55552fe66..05d13abcbba 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative33.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative33.yaml
@@ -1,6 +1,5 @@
# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding TF resource access" allow-rule-test - #1 (line 10)
# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding Boolean's" allow-rule-test - #2 (line 11)
-# Done through "Avoiding TF resource access" and "Avoiding Boolean's" allow rules
Resources:
LambdaFunctionV2:
Type: 'AWS::Lambda::Function'
diff --git a/assets/queries/common/passwords_and_secrets/test/negative38.yaml b/assets/queries/common/passwords_and_secrets/test/negative38.yaml
index d4c334302bd..a33a464cf0d 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative38.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative38.yaml
@@ -10,18 +10,18 @@ Resources:
- ""
- - "mongodb://{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test # positive1
+ - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test # negative1
USERNAME:
Fn::Join:
- ""
- - "{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:username::}} # positive2
+ - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:username::}} # negative2
PASSWORD:
Fn::Join:
- ""
- - "{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:password::}} # positive3
+ - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:password::}} # negative3
JDBC_ENFORCE_SSL: true
ConnectionType: MONGODB
diff --git a/assets/queries/common/passwords_and_secrets/test/negative40.yaml b/assets/queries/common/passwords_and_secrets/test/negative40.yaml
index a004d424b8f..715678a895e 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative40.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative40.yaml
@@ -10,13 +10,13 @@ Resources:
- ""
- - "mongodb://{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:*:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test # positive1
+ - :secretsmanager:*:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test # negative1
USERNAME:
Fn::Join:
- ""
- - "{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:eu-west-1:*:secret:/test/resources/docdb-test:SecretString:username::}} # positive2
+ - :secretsmanager:eu-west-1:*:secret:/test/resources/docdb-test:SecretString:username::}} # negative2
PASSWORD:
Fn::Join:
- ""
diff --git a/assets/queries/common/passwords_and_secrets/test/negative53.json b/assets/queries/common/passwords_and_secrets/test/negative53.json
index 424b5a1de8e..512f353dcdd 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative53.json
+++ b/assets/queries/common/passwords_and_secrets/test/negative53.json
@@ -1,5 +1,5 @@
{
- "metadata" : "# 'Generic Password' - 487f4be7-3fd9-4506-a07a-eae252180c08 - 'Allow password retrieved from ARM parameters' allow rule test",
+ "metadata" : "# 'Generic Password' - 487f4be7-3fd9-4506-a07a-eae252180c08 - 'Allow password retrieved from ARM parameters' allow rule test (line 12)",
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
diff --git a/assets/queries/common/passwords_and_secrets/test/negative54.json b/assets/queries/common/passwords_and_secrets/test/negative54.json
index c20dfc90e20..67aa0f3aaef 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative54.json
+++ b/assets/queries/common/passwords_and_secrets/test/negative54.json
@@ -1,5 +1,5 @@
{
- "metadata": "'Generic Secret' - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - 'Allow secret retrieved from ARM parameters' allow-rule-test",
+ "metadata": "'Generic Secret' - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - 'Allow secret retrieved from ARM parameters' allow-rule-test (line 11)",
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
diff --git a/assets/queries/common/passwords_and_secrets/test/negative57.bicep b/assets/queries/common/passwords_and_secrets/test/negative57.bicep
index 391f80920ec..e014e95c632 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative57.bicep
+++ b/assets/queries/common/passwords_and_secrets/test/negative57.bicep
@@ -21,6 +21,6 @@ module consumerModule '../SecretConsumer/Resource.bicep' = {
systemName: systemName
resourceName: resourceName
tags: tags
- apiClientSecret: kvTest.getSecret('secret-sample') // positive1
+ apiClientSecret: kvTest.getSecret('secret-sample') // negative1
}
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative59.bicep b/assets/queries/common/passwords_and_secrets/test/negative59.bicep
index 81980d26005..e0f7ac7b1f3 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative59.bicep
+++ b/assets/queries/common/passwords_and_secrets/test/negative59.bicep
@@ -1,4 +1,4 @@
-// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding references to module outputs in Bicep" allow-rule-test (also detected as TF resource access)
+// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding references to module outputs in Bicep" allow-rule-test (also avoided by TF resource access allow rule)
param systemName string
param resourceName string
param tags object
diff --git a/assets/queries/common/passwords_and_secrets/test/negative64.tf b/assets/queries/common/passwords_and_secrets/test/negative64.tf
index 64a973d6622..557963d0b35 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative64.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative64.tf
@@ -1,6 +1,6 @@
# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding TF creation token" allow-rule-test
resource "aws_efs_file_system" "example" {
- creation_token = "my-efs-filesystem" # positive1
+ creation_token = "my-efs-filesystem" # negative1
tags = {
Name = "MyEFS"
@@ -8,5 +8,5 @@ resource "aws_efs_file_system" "example" {
}
resource "aws_efs_file_system" "quoted_key" {
- creation_token = "my-efs-token-123" # positive2
+ creation_token = "my-efs-token-123" # negative2
}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative66.json b/assets/queries/common/passwords_and_secrets/test/negative66.json
index 90679701540..dbc0a3f5375 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative66.json
+++ b/assets/queries/common/passwords_and_secrets/test/negative66.json
@@ -1,5 +1,5 @@
{
- "metadata": "'Generic Token' - baee238e-1921-4801-9c3f-79ae1d7b2cbc - 'Avoiding LifecycleActionToken Var' allow-rule-test",
+ "metadata": "'Generic Token' - baee238e-1921-4801-9c3f-79ae1d7b2cbc - 'Avoiding LifecycleActionToken Var' allow-rule-test (line 13)",
"contentVersion": "1.0.0.0",
"resources": [
{
diff --git a/assets/queries/common/passwords_and_secrets/test/negative67.yaml b/assets/queries/common/passwords_and_secrets/test/negative67.yaml
index 3cc66ec6b20..75c9fc9d974 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative67.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative67.yaml
@@ -1,4 +1,4 @@
-# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding LifecycleActionToken Var" allow-rule-test
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding LifecycleActionToken Var" allow-rule-test (line 10)
Resources:
LifecycleHookAction:
Type: AWS::AutoScaling::LifecycleHook
diff --git a/assets/queries/common/passwords_and_secrets/test/negative68.yaml b/assets/queries/common/passwords_and_secrets/test/negative68.yaml
index 92fc008849f..a1f9e129049 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative68.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative68.yaml
@@ -1,4 +1,4 @@
-# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding result_token Var" allow-rule-test
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding result_token Var" allow-rule-test (line 13)
Resources:
ConfigEvaluatorFunction:
Type: AWS::Lambda::Function
diff --git a/assets/queries/common/passwords_and_secrets/test/negative69.tf b/assets/queries/common/passwords_and_secrets/test/negative69.tf
index 5cc8cde4783..9a47f903e50 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative69.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative69.tf
@@ -1,4 +1,4 @@
-# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding next_token Var" allow-rule-test
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding next_token Var" allow-rule-test (line 21)
resource "aws_lambda_function" "list_resources" {
function_name = "list-all-resources"
runtime = "python3.12"
diff --git a/assets/queries/common/passwords_and_secrets/test/positive13.tf b/assets/queries/common/passwords_and_secrets/test/positive13.tf
index 4e12a16ea14..d6b0639d443 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive13.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive13.tf
@@ -1,4 +1,4 @@
-# "Asymmetric private key" - 51b5b840-cd0c-4556-98a7-fe5f4def80cf positive-test
+# "Asymmetric private key" - 51b5b840-cd0c-4556-98a7-fe5f4def80cf positive-test (line 5)
resource "aws_transfer_ssh_key" "example" {
server_id = aws_transfer_server.example.id
user_name = aws_transfer_user.example.user_name
diff --git a/assets/queries/common/passwords_and_secrets/test/positive14.tf b/assets/queries/common/passwords_and_secrets/test/positive14.tf
index 3ccb7f8341b..a978fd50257 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive14.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive14.tf
@@ -1,5 +1,5 @@
-# "AWS Access Key" - 76c0bcde-903d-456e-ac13-e58c34987852 positive-test
-# "AWS Secret Key" - 83ab47ff-381d-48cd-bac5-fb32222f54af positive-test
+# "AWS Access Key" - 76c0bcde-903d-456e-ac13-e58c34987852 positive-test (line 18)
+# "AWS Secret Key" - 83ab47ff-381d-48cd-bac5-fb32222f54af positive-test (line 19)
provider "aws" {
region = "us-east-1"
}
diff --git a/assets/queries/common/passwords_and_secrets/test/positive15.tf b/assets/queries/common/passwords_and_secrets/test/positive15.tf
index 585d817b68b..285e7192a0b 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive15.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive15.tf
@@ -1,5 +1,5 @@
-# "AWS Access Key" - 76c0bcde-903d-456e-ac13-e58c34987852 positive-test
-# "AWS Secret Key" - 83ab47ff-381d-48cd-bac5-fb32222f54af positive-test
+# "AWS Access Key" - 76c0bcde-903d-456e-ac13-e58c34987852 positive-test (line 16)
+# "AWS Secret Key" - 83ab47ff-381d-48cd-bac5-fb32222f54af positive-test (line 17)
resource "aws_instance" "web_host" {
# ec2 have plain text secrets in user data
ami = var.ami
diff --git a/assets/queries/common/passwords_and_secrets/test/positive21.tf b/assets/queries/common/passwords_and_secrets/test/positive21.tf
index 12e78d0ab5d..1617afcdc4f 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive21.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive21.tf
@@ -1,4 +1,4 @@
-# "Google API Key" - e9856348-4069-4ac0-bd91-415f6a7b84a4 positive-test
+# "Google API Key" - e9856348-4069-4ac0-bd91-415f6a7b84a4 positive-test (line 51)
resource "aws_ecs_task_definition" "webapp" {
family = "tomato-webapp"
task_role_arn = data.aws_iam_role.ecs_task_role.arn
diff --git a/assets/queries/common/passwords_and_secrets/test/positive31.yaml b/assets/queries/common/passwords_and_secrets/test/positive31.yaml
index 9c76de998b4..5574246ac66 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive31.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/positive31.yaml
@@ -1,7 +1,7 @@
-# "Twilio API Key" - e0f01838-b1c2-4669-b84b-981949ebe5ed positive-test
-# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317 - "Avoiding Twilio API Key" allow-rule-test
+# "Twilio API Key" - e0f01838-b1c2-4669-b84b-981949ebe5ed positive-test - #1
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317 - "Avoiding Twilio API Key" allow-rule-test - #2
- hosts: all
remote_user: root
vars:
- twilio_api_key: SKa7CF7acdcaf92Be4CCC52F4a2923BBB3 # positive1
+ twilio_api_key: SKa7CF7acdcaf92Be4CCC52F4a2923BBB3 #1 & #2
diff --git a/assets/queries/common/passwords_and_secrets/test/positive32.yaml b/assets/queries/common/passwords_and_secrets/test/positive32.yaml
index b08c28aba98..92d7376c0e1 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive32.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/positive32.yaml
@@ -1,7 +1,7 @@
-# "PayPal Braintree Access Token" - 4919b847-e3da-402a-acf8-6cea8e529993 positive-test
-# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding PayPal Braintree Access Token" allow-rule-test
+# "PayPal Braintree Access Token" - 4919b847-e3da-402a-acf8-6cea8e529993 positive-test - #1
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding PayPal Braintree Access Token" allow-rule-test - #2
- hosts: all
remote_user: root
vars:
- paypal_access_token: access_token$production$1s2d3f4g5h6j7k8k$1b2b3c4a3a1b2b3c4a3a1b2b3c4a3a1b # positive1
+ paypal_access_token: access_token$production$1s2d3f4g5h6j7k8k$1b2b3c4a3a1b2b3c4a3a1b2b3c4a3a1b #1 & #2
diff --git a/assets/queries/common/passwords_and_secrets/test/positive34.yaml b/assets/queries/common/passwords_and_secrets/test/positive34.yaml
index b76e295d1ff..c5540af9bc2 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive34.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/positive34.yaml
@@ -1,5 +1,5 @@
-# "Square OAuth Secret" - bb51eb1e-0357-44a2-86d7-dd5350cffd43 positive-test
-# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding Square OAuth Secret" allow-rule-test (positive2)
+# "Square OAuth Secret" - bb51eb1e-0357-44a2-86d7-dd5350cffd43 positive-test - #1
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding Square OAuth Secret" allow-rule-test - #2
apiVersion: v1
kind: Pod
metadata:
@@ -12,6 +12,6 @@ spec:
image: gcr.io/google-samples/node-hello:1.0
env:
- name: Square_OAuth_Secret
- value: "sq0csp-0p9h7g6f4s3s3s3-4a3ardgwa6ADRDJDDKUFYDYDYDY" # positive1
- secret: "sq0csp-0p9h7g6f4s3s3s3-4a3ardgwa6ADRDJDDKUFYDYDYDY" # positive2
+ value: "sq0csp-0p9h7g6f4s3s3s3-4a3ardgwa6ADRDJDDKUFYDYDYDY" #1
+ secret: "sq0csp-0p9h7g6f4s3s3s3-4a3ardgwa6ADRDJDDKUFYDYDYDY" #2
diff --git a/assets/queries/common/passwords_and_secrets/test/positive35.yaml b/assets/queries/common/passwords_and_secrets/test/positive35.yaml
index 0fb7b837f23..dd065b50aa6 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive35.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/positive35.yaml
@@ -1,5 +1,5 @@
-# "Google OAuth Access Token" - 41a1ca8d-f466-4084-a8c9-50f8b22200d5 positive-test
-# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Google OAuth Access Token" allow-rule-test
+# "Google OAuth Access Token" - 41a1ca8d-f466-4084-a8c9-50f8b22200d5 positive-test - #1
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Google OAuth Access Token" allow-rule-test - #2
apiVersion: v1
kind: Config
users:
@@ -12,7 +12,7 @@ users:
user:
auth-provider:
config:
- access-token: ya29.Radftwefewuifdebkw2_23232427t42wdbjsvdjavdajvdadkd # positive1
+ access-token: ya29.Radftwefewuifdebkw2_23232427t42wdbjsvdjavdajvdadkd #1 & #2
cmd-args: config config-helper --format=json
cmd-path: /Users/dave/google-cloud-sdk/bin/gcloud
expiry: 2021-10-28T15:12:03.000Z
diff --git a/assets/queries/common/passwords_and_secrets/test/positive36.tf b/assets/queries/common/passwords_and_secrets/test/positive36.tf
index d6585259b61..91ce27a7ab3 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive36.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive36.tf
@@ -1,4 +1,4 @@
-# "Putty User Key File Content" - a007a85e-a2a7-4a81-803a-7a2ca0c65abb positive-test
+# "Putty User Key File Content" - a007a85e-a2a7-4a81-803a-7a2ca0c65abb positive-test (line 6)
resource "aws_transfer_ssh_key" "example2" {
server_id = aws_transfer_server.example.id
user_name = aws_transfer_user.example.user_name
diff --git a/assets/queries/common/passwords_and_secrets/test/positive40.tf b/assets/queries/common/passwords_and_secrets/test/positive40.tf
index 2596a0ffb3d..456c4d9146f 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive40.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive40.tf
@@ -1,4 +1,4 @@
-# "AWS Context-specific credential" - 76c0bcde-903d-456e-ac13-e58c34987852 positive-test
+# "AWS Context-specific credential" - 76c0bcde-903d-456e-ac13-e58c34987852 positive-test (line 15/16)
resource "aws_instance" "web_host" {
# ec2 have plain text secrets in user data
ami = var.ami
diff --git a/assets/queries/common/passwords_and_secrets/test/positive41.tf b/assets/queries/common/passwords_and_secrets/test/positive41.tf
index 0fc8ad5be65..1a65ae9e270 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive41.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive41.tf
@@ -1,4 +1,4 @@
-# "Asymmetric private key" - 51b5b840-cd0c-4556-98a7-fe5f4def80cf positive-test
+# "Asymmetric private key" - 51b5b840-cd0c-4556-98a7-fe5f4def80cf positive-test (line 7)
resource "aws_transfer_ssh_key" "positive44" {
server_id = aws_transfer_server.example.id
user_name = aws_transfer_user.example.user_name
diff --git a/assets/queries/common/passwords_and_secrets/test/positive49.yml b/assets/queries/common/passwords_and_secrets/test/positive49.yml
index 8a0cc9fbec2..89496e85ba6 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive49.yml
+++ b/assets/queries/common/passwords_and_secrets/test/positive49.yml
@@ -11,7 +11,7 @@ variables:
jobs:
job_build:
stage: build
- script: #2:
+ script: #2:
- if [[ -z "${GIT_PRIVATE_KEY:-}" ]]; then
echo "Missing GIT_PRIVATE_KEY variable!"
exit 1
diff --git a/assets/queries/common/passwords_and_secrets/test/positive52.dockerfile b/assets/queries/common/passwords_and_secrets/test/positive52.dockerfile
index 1d4bb917502..5aee16fdf39 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive52.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/positive52.dockerfile
@@ -2,6 +2,7 @@
FROM baseImage
ENV ARTEMIS_USER=artemis
+# positive1:
ENV ARTEMIS_PASSWORD=artemis
RUN apk add --no-cache git \
From 60c711930f5fa88b0529a7fc4afadb28ee37fc18 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 1 Apr 2026 10:06:03 +0100
Subject: [PATCH 20/30] Mini fix expected values
---
.../passwords_and_secrets/test/positive_expected_result.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index b97ffd3a0ed..2f2f1ee99dc 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -458,7 +458,7 @@
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 5,
+ "line": 6,
"fileName": "positive52.dockerfile"
},
{
From 851a982a764cc6e0b38eb7adbc5b1fea2fdf2a7e Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 1 Apr 2026 12:21:12 +0100
Subject: [PATCH 21/30] Small regex change
---
assets/queries/common/passwords_and_secrets/regex_rules.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index eaeff19cf26..37289f6f3f1 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -70,7 +70,7 @@
},
{
"description": "Avoiding CloudFormation Parameters Descriptions",
- "regex": "(?i)['\"]?Description['\"]?\\s*[:=]\\s*['\"]?.*['\"]?"
+ "regex": "['\"]?Description['\"]?\\s*[:=]\\s*['\"]?.*['\"]?"
},
{
"description": "Avoiding Secrets from Variable Interpolation",
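Review bot: Dropping `(?i)` makes the `Avoiding CloudFormation Parameters Descriptions` allow rule case-sensitive, so a lowercase `description` key (Terraform `variable` blocks, Ansible, lowercase JSON) is no longer suppressed while CloudFormation's `Description` still is. That narrowing looks deliberate given the rule's name, but the commit message says only "Small regex change" and nothing in the series pins the new scope. Since the rules file cannot carry a comment, a fixture pair — one CloudFormation `Description:` line expected to stay quiet and one lowercase `description =` line expected to flag — would record the intent and catch a later re-widening.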
From 5b844cfad4ef3f874308acb3183bedd7b76f95b3 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 1 Apr 2026 14:54:07 +0100
Subject: [PATCH 22/30] Some CloudFormation casing fixes
---
.../queries/common/passwords_and_secrets/test/negative39.yaml | 2 +-
.../queries/common/passwords_and_secrets/test/negative41.yaml | 2 +-
assets/queries/common/passwords_and_secrets/test/positive2.yaml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/test/negative39.yaml b/assets/queries/common/passwords_and_secrets/test/negative39.yaml
index e2a11754245..b206ac87ebe 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative39.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative39.yaml
@@ -1,4 +1,4 @@
-# "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding CLoudformation KeyName" allow-rule-test
+# "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding CloudFormation KeyName" allow-rule-test
AWSTemplateFormatVersion: "2010-09-09"
Resources:
somecode:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative41.yaml b/assets/queries/common/passwords_and_secrets/test/negative41.yaml
index c8206ad0e25..5a71b8ae22b 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative41.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative41.yaml
@@ -1,4 +1,4 @@
-# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding CLoudformation ServiceToken" allow-rule-test
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding CloudFormation ServiceToken" allow-rule-test
---
AWSTemplateFormatVersion: "2010-09-09"
Description: >
diff --git a/assets/queries/common/passwords_and_secrets/test/positive2.yaml b/assets/queries/common/passwords_and_secrets/test/positive2.yaml
index 1c7fa8e3902..0faeaf1c240 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive2.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/positive2.yaml
@@ -1,4 +1,4 @@
-# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test (cloudformation)
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test (CloudFormation)
Resources:
RDSCluster1:
Type: "AWS::RDS::DBCluster"
From 88eee324e0cf6d1cb1257e56e339c6d395734f98 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 1 Apr 2026 15:42:23 +0100
Subject: [PATCH 23/30] Made positive38 closer to original, re instated
Avoiding CF resolve with some tweaks so it is actually useful for scenarios
not covered by other allow rules
---
.../passwords_and_secrets/regex_rules.json | 26 +++++++++++--------
.../test/negative74.yaml | 13 ++++++++++
.../test/positive38.yaml | 24 ++++++++---------
.../test/positive_expected_result.json | 2 +-
4 files changed, 41 insertions(+), 24 deletions(-)
create mode 100644 assets/queries/common/passwords_and_secrets/test/negative74.yaml
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 37289f6f3f1..2470a328f41 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -293,27 +293,27 @@
"allowRules": [
{
"description": "Avoiding Amazon MWS Auth Token",
- "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[=:]\\s*['\"]?amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*['\"]?amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"]?"
},
{
"description": "Avoiding Slack Token",
- "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[=:]\\s*['\"]?xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32}['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*['\"]?xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32}['\"]?"
},
{
"description": "Avoiding Square Access Token",
- "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[=:]\\s*['\"]?sq0atp-[0-9A-Za-z\\-_]{22}['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*['\"]?sq0atp-[0-9A-Za-z\\-_]{22}['\"]?"
},
{
"description": "Avoiding Google OAuth Access Token",
- "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[=:]\\s*['\"]?ya29\\.[0-9A-Za-z\\-_]+['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*['\"]?ya29\\.[0-9A-Za-z\\-_]+['\"]?"
},
{
"description": "Avoiding PayPal Braintree Access Token",
- "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[=:]\\s*['\"]?access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*['\"]?access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}['\"]?"
},
{
"description": "Avoiding Facebook Access Token",
- "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[=:]\\s*['\"]?EAACEdEose0cBA[0-9A-Za-z]+['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*['\"]?EAACEdEose0cBA[0-9A-Za-z]+['\"]?"
},
{
"description": "Avoiding TF resource access",
@@ -414,17 +414,21 @@
"description": "Avoiding CloudFormation intrinsic functions",
"regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!Ref|!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|!Not|Fn::Transform:?)\\s+.*"
},
+ {
+ "description": "Avoiding CF resolve",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[:=]\\s*['\"]?{{resolve:[^'\"]*['\"]?"
+ },
{
"description": "Avoiding Boolean's",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(true|false)['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[:=]\\s*['\"]?(true|false)['\"]?"
},
{
"description": "Avoiding arn",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?arn:['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[:=]\\s*['\"]?arn:['\"]?"
},
{
"description": "Avoiding array access",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-,.]{4,}\\[([0-9]+|['\"][a-zA-Z0-9]+['\"])]['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-,.]{4,}\\[([0-9]+|['\"][a-zA-Z0-9]+['\"])]['\"]?"
},
{
"description": "Avoiding TF file function",
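Review bot: The new `Avoiding CF resolve` regex relies on `{{` being read as two literal braces; Go's RE2 does that when a `{` does not begin a valid repetition, but it reads as a quantifier at first glance and not every engine is as lenient, so escape it explicitly: `"regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[:=]\\s*['\"]?\\{\\{resolve:[^'\"]*['\"]?"`. This is a global allow rule, so a value beginning with `{{resolve:` is suppressed for every query; that is appropriate for a CloudFormation dynamic reference, which carries a pointer rather than the secret itself, and `negative74.yaml` in this commit pins the behaviour.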
@@ -432,11 +436,11 @@
},
{
"description": "Avoiding ansible-vault encrypted variables",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?!vault \\|['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[:=]\\s*['\"]?!vault \\|['\"]?"
},
{
"description": "Avoiding sha-hashed mysql native passwords",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?\\*[0-9A-F]{40}['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[:=]\\s*['\"]?\\*[0-9A-F]{40}['\"]?"
}
]
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative74.yaml b/assets/queries/common/passwords_and_secrets/test/negative74.yaml
new file mode 100644
index 00000000000..8d160b4203f
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative74.yaml
@@ -0,0 +1,13 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CF resolve" allow-rule-test
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Example showing ambiguous secretsmanager resolve syntax
+
+Resources:
+ MyDatabase:
+ Type: AWS::RDS::DBInstance
+ Properties:
+ DBInstanceIdentifier: !Sub '${Environment}-myapp-db'
+ DBInstanceClass: !Ref DBInstanceClass
+ Engine: postgres
+ EngineVersion: '15.4'
+ MasterUserPassword: '{{resolve:secretsmanager:prod/db/creds:SecretString:password:number1:value}}' # negative1
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/positive38.yaml b/assets/queries/common/passwords_and_secrets/test/positive38.yaml
index eb223d9dbdc..c4ef2d444ff 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive38.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/positive38.yaml
@@ -1,21 +1,21 @@
-# "CloudFormation Secret Template" - 0ec60fb3-5b78-4da0-bea0-b854fd9bf8b9 positive-test - #1
-# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions" allow-rule-test - #2
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions" allow-rule-test - #1
+# "CloudFormation Secret Template" - 0ec60fb3-5b78-4da0-bea0-b854fd9bf8b9 positive-test - #2
Resources:
- MyAmpAppSecretManagerRotater:
- Type: AWS::SecretsManager::Secret
- Properties:
- Description: 'This is my amp app instance secret'
- GenerateSecretString:
- SecretStringTemplate: '{"username":"admin"}' #1
- GenerateStringKey: 'password'
- PasswordLength: 16
- ExcludeCharacters: '"@/\'
NewAmpApp2:
Type: AWS::DocDB::DBCluster
Properties:
- MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}' #2
+ MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}' #1
Port: 27017
PreferredBackupWindow: "07:34-08:04"
PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
SnapshotIdentifier: "sample-cluster-snapshot-id"
StorageEncrypted: true
+ MyAmpAppSecretManagerRotater:
+ Type: AWS::SecretsManager::Secret
+ Properties:
+ Description: 'This is my amp app instance secret'
+ GenerateSecretString:
+ SecretStringTemplate: '{"username":"admin"}' #2
+ GenerateStringKey: 'password'
+ PasswordLength: 16
+ ExcludeCharacters: '"@/\'
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index 2f2f1ee99dc..2c76eee12ef 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -338,7 +338,7 @@
{
"queryName": "Passwords And Secrets - CloudFormation Secret Template",
"severity": "HIGH",
- "line": 9,
+ "line": 7,
"fileName": "positive38.yaml"
},
{
From 0b497cd11f4b60012411b02db6cb3266af7a8dc4 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 1 Apr 2026 16:38:09 +0100
Subject: [PATCH 24/30] Fallback on needless regex change
---
assets/queries/common/passwords_and_secrets/regex_rules.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 2470a328f41..48702ac920d 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -90,7 +90,7 @@
{
"id": "51b5b840-cd0c-4556-98a7-fe5f4def80cf",
"name": "Asymmetric private key",
- "regex": "-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----\\s*(([A-Za-z0-9+,:\\-\/=\\n\\r]+\\s*)+)-----END ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----",
+ "regex": "-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----\\s*(([A-Za-z0-9+,:\\-\\/=\\n\\r]+\\s*)+)-----END ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----",
"multiline": {
"detectLineGroup": 4
},
From 494c0fe04dcf044c6b013876f52127c285cd7916 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 1 Apr 2026 17:03:43 +0100
Subject: [PATCH 25/30] updated positive43 test
---
.../common/passwords_and_secrets/test/positive43.yaml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/test/positive43.yaml b/assets/queries/common/passwords_and_secrets/test/positive43.yaml
index 868f92d41d4..cd081f33f68 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive43.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/positive43.yaml
@@ -1,9 +1,11 @@
-# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc positive-test
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc positive-test - #1
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CF resolve" allow-rule-test - #2
Resources:
ElastiCacheReplicationGroup:
Type: AWS::ElastiCache::ReplicationGroup
Properties:
- AuthToken: '{{resolve:secretsmanager:/elasticache/replicationgroup/authtoken:SecretString:password}}' # positive1
+ First_AuthToken: 'exposed_token' #1
+ Second_AuthToken: '{{resolve:secretsmanager:/elasticache/replicationgroup/authtoken:SecretString:password}}' #2
CacheNodeType: cache.m5.large
CacheSubnetGroupName: subnet-foobar
Engine: redis
From f459ff555978068685bb928bef88ac3e22604f03 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 1 Apr 2026 17:30:18 +0100
Subject: [PATCH 26/30] Fix expected results again
---
.../passwords_and_secrets/test/positive_expected_result.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index 2c76eee12ef..12231e24e88 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -338,7 +338,7 @@
{
"queryName": "Passwords And Secrets - CloudFormation Secret Template",
"severity": "HIGH",
- "line": 7,
+ "line": 18,
"fileName": "positive38.yaml"
},
{
@@ -374,7 +374,7 @@
{
"queryName": "Passwords And Secrets - Generic Token",
"severity": "HIGH",
- "line": 6,
+ "line": 7,
"fileName": "positive43.yaml"
},
{
From be886e9ef5c37688d081ecc95912040f1d44e42e Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 2 Apr 2026 10:42:42 +0100
Subject: [PATCH 27/30] Removed tiny needless regex excerpt
---
assets/queries/common/passwords_and_secrets/regex_rules.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 48702ac920d..17989ff168d 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -263,7 +263,7 @@
{
"id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
"name": "Generic Access Key",
- "regex": "(?i)^\\s*['\"]?access_?key['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?",
+ "regex": "(?i)['\"]?access_?key['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?",
"specialMask": "(?i)['\"]?access_?key['\"]?\\s*[:=]\\s*"
},
{
From 83511d9922124bee58eff63389973af240f4131b Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 2 Apr 2026 10:59:58 +0100
Subject: [PATCH 28/30] Fallback regex excerpt is there as a sort of allow rule
different from other queries
---
.../common/passwords_and_secrets/regex_rules.json | 2 +-
.../common/passwords_and_secrets/temp_sample.yaml | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
create mode 100644 assets/queries/common/passwords_and_secrets/temp_sample.yaml
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 17989ff168d..48702ac920d 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -263,7 +263,7 @@
{
"id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
"name": "Generic Access Key",
- "regex": "(?i)['\"]?access_?key['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?",
+ "regex": "(?i)^\\s*['\"]?access_?key['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?",
"specialMask": "(?i)['\"]?access_?key['\"]?\\s*[:=]\\s*"
},
{
diff --git a/assets/queries/common/passwords_and_secrets/temp_sample.yaml b/assets/queries/common/passwords_and_secrets/temp_sample.yaml
new file mode 100644
index 00000000000..9b356498020
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/temp_sample.yaml
@@ -0,0 +1,12 @@
+# Generic Negative Test - no secrets (k8s)
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+ labels:
+ env: test
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ # trigger validation
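Review bot: `temp_sample.yaml` is added under `assets/queries/common/passwords_and_secrets/` next to `regex_rules.json` rather than under `test/`, and its name together with the trailing `# trigger validation` comment read as a scratch file used to exercise the pipeline. Nothing else in the series references it, so it would ship with the query assets without being part of the fixture set. I would drop it from the series; if a Kubernetes no-secret negative is wanted, move it under `test/` with the `negativeNN.yaml` naming and the header convention the other fixtures use (`# ... allow-rule-test`).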
From a342cec0d2c7305d0b153848760c9d91444b0990 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 14 Apr 2026 13:53:13 +0100
Subject: [PATCH 29/30] Changes to allign with #8013
---
.../passwords_and_secrets/regex_rules.json | 12 +-
.../test/negative61.proto | 128 ++++++++++++++----
.../test/positive56.proto | 35 +++--
.../test/positive_expected_result.json | 30 +++-
4 files changed, 162 insertions(+), 43 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 48702ac920d..909d6cf9cc6 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -39,7 +39,7 @@
},
{
"description": "Avoiding Proto File fields",
- "regex": "(?i)password\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ "regex": "(?i)password\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[)"
}
],
"specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"
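Review bot: In the new `Avoiding Proto File fields` regex the final alternative, a bare `\\[`, already matches wherever `\\[.+=.+\\]\\s*;` or `\\[.+=.+,` would, so those two alternatives add nothing here, whereas the Generic Token variant in the hunk headed `@@ -353,7 +357,7 @@` ends with `\\[\\s*$`, where they do matter. The five entries should agree: either use `(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[\\s*$)` everywhere, or reduce the others to `\\s*(;|\\[)`; the same applies to the hunks headed `@@ -83,6 +83,10 @@`, `@@ -281,7 +285,7 @@` and `@@ -380,7 +384,7 @@`. Note also that `(0|[1-9][0-9]{0,8})` now accepts field number 0, which protoc rejects; that is harmless for an allow rule, but if these rules are applied to every file kind rather than only `.proto` (not visible here), a literal `password = 0;` in any C-like source is now suppressed as well.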
@@ -83,6 +83,10 @@
{
"description": "Allow secrets retrieved from Bicep getSecret built in function",
"regex": "(?i)['\"]?secret_?(key|value)?['\"]?\\s*[:=]\\s*[a-zA-Z]*\\.getSecret\\(\\s*['\"][A-Za-z0-9/~^_!@#&%(){};=?*+\\-<>,:;\\[\\]%$]+['\"]\\)"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)secret_?(key|value)?\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[)"
}
],
"specialMask": "(?i)['\"]?secret_?(key)?['\"]?\\s*[:=]\\s*"
@@ -281,7 +285,7 @@
},
{
"description": "Avoiding Proto File fields",
- "regex": "(?i)private_?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ "regex": "(?i)private_?key\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[)"
}
],
"specialMask": "(?i)['\"]?private_?key['\"]?\\s*[:=]\\s*"
@@ -353,7 +357,7 @@
},
{
"description": "Avoiding Proto File fields",
- "regex": "(?i)token_?(key)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ "regex": "(?i)token_?(key)?\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[\\s*$)"
}
],
"specialMask": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*"
@@ -380,7 +384,7 @@
},
{
"description": "Avoiding Proto File fields",
- "regex": "(?i)encryption_?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+ "regex": "(?i)encryption_?key\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[)"
}
],
"specialMask": "(?i)['\"]?encryption_?key['\"]?\\s*[:=]\\s*"
diff --git a/assets/queries/common/passwords_and_secrets/test/negative61.proto b/assets/queries/common/passwords_and_secrets/test/negative61.proto
index 346dc9bdb1d..07d80ad3f45 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative61.proto
+++ b/assets/queries/common/passwords_and_secrets/test/negative61.proto
@@ -2,53 +2,131 @@
// "Generic Private Key" - 2f665079-c383-4b33-896e-88268c1fa258 - "Avoiding Proto File fields" allow rule test - #2
// "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding Proto File fields" allow-rule-test - #3
// "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Proto File fields" allow rule test - #4
+// "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding Proto File fields" allow rule test - #5
+// Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding Boolean's" allow-rule-test - #6
syntax = "proto3";
-
-// Contains "secret", "key", "password" and "token" keywords - would flag if not for allow rules
-// Note - This is as valid proto file that generates output with "protoc" command as of version "libprotoc 34.0"
-
package com.example.security_test.v1;
-
import "google/protobuf/wrappers.proto";
+option go_package = "github.com/CheckmarxDev/router-audit/gen/presets/v1;presets";
+// Scenario 1 - Simple attribution
message SampleMessageNegative {
google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token #1
google.protobuf.StringValue sonar_token = 39;google.protobuf.StringValue codecov_token = 40;// trailing comment test - Generic Token #1
+
google.protobuf.StringValue access_token= 111111111; // Generic Token #1
- google.protobuf.StringValue id_token = 3; // Generic Token #1
- google.protobuf.StringValue bearer_toaken = 4;;; // Generic Token #1
- google.protobuf.StringValue api_token = 7 ; // Generic Token #1
+ google.protobuf.StringValue api_token = 7 ; // Generic Token #1
google.protobuf.StringValue token = 8; // Generic Token #1
google.protobuf.StringValue aws_session_token = 9; // Generic Token #1
- google.protobuf.StringValue sas_token = 12; // Generic Token #1
- google.protobuf.StringValue auth_token = 13; // Generic Token #1
- google.protobuf.StringValue bot_token = 14; // Generic Token #1
- google.protobuf.StringValue callback_token = 32; // Generic Token #1
- google.protobuf.StringValue k8s_service_account_token = 33; // Generic Token #1
- google.protobuf.StringValue registry_token = 34; // Generic Token #1
- google.protobuf.StringValue deploy_token = 35; // Generic Token #1
- google.protobuf.StringValue ci_token = 36; // Generic Token #1
- google.protobuf.StringValue npm_token = 37; // Generic Token #1
- google.protobuf.StringValue pypi_token = 38; // Generic Token #1
- google.protobuf.StringValue app_installation_token = 20; // Generic Token #1
google.protobuf.StringValue twilio_auth_token = 21; // Generic Token #1
- google.protobuf.StringValue twilio_auth_token_key = 121; // Generic Token #1
google.protobuf.StringValue test_token_ = 122 ; // Generic Token #1
+
google.protobuf.StringValue jwt_private_key = 25; // Generic Private Key #2
google.protobuf.StringValue ssh_private_key = 26; // Generic Private Key #2
google.protobuf.StringValue tls_private_key = 27; // Generic Private Key #2
google.protobuf.StringValue ca_private_key = 28 ; // Generic Private Key #2
- google.protobuf.StringValue cosign_private_key = 41; // Generic Private Key #2
- google.protobuf.StringValue service_account_private_key = 30; // Generic Private Key #2
- google.protobuf.StringValue app_private_key = 19; // Generic Private Key #2
- google.protobuf.StringValue gcp_private_key = 10; // Generic Private Key #2
google.protobuf.StringValue private_key = 5; // Generic Private Key #2
- google.protobuf.StringValue sp_private_key = 6; // Generic Private Key #2
+
google.protobuf.StringValue encryption_key = 22; // Encryption Key #3
google.protobuf.StringValue data_encryption_key= 23 ; // Encryption Key #3
google.protobuf.StringValue key_encryption_key=24; // Encryption Key #3
+
google.protobuf.StringValue registry_password = 10421; // Generic Password #4
google.protobuf.StringValue artifactory_password = 10731 ; // Generic Password #4
google.protobuf.StringValue nexus_password = 10853; // Generic Password #4
string password = 64114; // Generic Password #4
+
+ string secret_key = 123456789; // Generic Secret #5
+ string secret_value = 123456790; // Generic Secret #5
+ string secret = 123456791; // Generic Secret #5
+}
+
+// Scenario 2 - Attribution with options
+message SampleMessageNegative2 {
+ google.protobuf.StringValue next_page_token = 5 [(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""}]; // Generic Token #1
+ google.protobuf.StringValue next_next_page_token = 6[(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""} ] ; // Generic Token #1
+ google.protobuf.StringValue api_token = 7 [(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"jira_api_token\""}]; // Generic Token #1
+
+ google.protobuf.StringValue next_page_private_key = 8 [(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""}]; // Generic Private Key #2
+ google.protobuf.StringValue next_next_page_private_key = 8[(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""} ] ; // Generic Private Key #2
+ google.protobuf.StringValue api_private_key = 10 [(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"jira_api_private_key\""}]; // Generic Private Key #2
+
+ google.protobuf.StringValue next_page_encryption_key = 11 [(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""}]; // Encryption Key #3
+ google.protobuf.StringValue next_next_page_encryption_key = 12[(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""} ] ; // Encryption Key #3
+ google.protobuf.StringValue api_encryption_key = 13 [(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"jira_api_encryption_key\""}]; // Encryption Key #3
+
+ google.protobuf.StringValue next_page_password = 14 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"test\""}]; // Generic Password #4
+ google.protobuf.StringValue next_next_page_password = 15[(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"test\""} ] ; // Generic Password #4
+ google.protobuf.StringValue api_password = 16 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"jira_api_password\""}]; // Generic Password #4
+
+ google.protobuf.StringValue next_page_secret = 17[(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"test\""}]; // Generic Secret #5
+ google.protobuf.StringValue next_next_page_secret = 18[(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"test\""} ] ; // Generic Secret #5
+ google.protobuf.StringValue api_secret = 19[(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"jira_api_secret\""}]; // Generic Secret #5
+}
+
+message MyOptions {
+ string file_only_option_token = 1 [targets = TARGET_TYPE_FILE]; // Generic Token #1
+ int message_and_enum_option_token = 2 [targets = TARGET_TYPE_MESSAGE,
+ targets = TARGET_TYPE_ENUM]; // Generic Token #1 (line above)
+
+ string file_only_option_private_key = 11 [targets = TARGET_TYPE_FILE]; // Generic Private Key #2
+ int message_and_enum_option_private_key = 21 [targets = TARGET_TYPE_MESSAGE,
+ targets = TARGET_TYPE_ENUM]; // Generic Private Key #2 (line above)
+
+ string file_only_option_encryption_key = 13 [targets = TARGET_TYPE_FILE]; // Encryption Key #3
+ int message_and_enum_option_encryption_key = 23 [targets = TARGET_TYPE_MESSAGE,
+ targets = TARGET_TYPE_ENUM]; // Encryption Key #3 (line above)
+
+ string file_only_option_password = 14 [targets = TARGET_TYPE_FILE]; // Generic Password #4
+ int message_and_enum_option_password = 24 [targets = TARGET_TYPE_MESSAGE,
+ targets = TARGET_TYPE_ENUM]; // Generic Password #4 (line above)
+
+ string file_only_option_secret = 15[targets = TARGET_TYPE_FILE]; // Generic Secret #5
+ int message_and_enum_option_secret = 25[targets = TARGET_TYPE_MESSAGE,
+ targets = TARGET_TYPE_ENUM]; // Generic Secret #5 (line above)
+}
+
+message Not_a_Token {
+ string token = 1 [json_name = "tk"]; // Generic Token #1
+ string private_key = 4 [json_name = "pk"]; // Generic Private Key #2
+ string encryption_key = 3 [json_name = "ek"]; // Encryption Key #3
+ string password = 2 [json_name = "ps"]; // Generic Password #4
+ string secret = 5[json_name = "se"]; // Generic Secret #5
+}
+
+// Scenario 3 - Enum attributions
+enum Corpus {
+ DATA_A_UNSPECIFIED_TOKEN = 0 [ deprecated = true ] ; // Generic Token #1
+ DATA_A_TOKEN = 11[deprecated=true] ; // Generic Token #1 & #6
+ DATA_A_PRIVATE_KEY = 2[deprecated = false]; // Generic Private Key #2 & #6
+ DATA_A_ENCRYPTION_KEY = 3[deprecated = true]; // Encryption Key #3 & #6
+ DATA_A_PASSWORD = 1234 [deprecated = false]; // Generic Password #4 & #6
+ DATA_A_SECRET = 5[deprecated=true]; // Generic Secret #5 & #6
+
+ // Generic Token #1 (line below)
+ DATA_B_TOKEN = 2[
+ (string_name) = "display_value"
+ ];
+ // Generic Private Key #2 (line below)
+ DATA_B_PRIVATE_KEY = 2 [
+ (string_name) = "display_value"
+ ];
+ // Encryption Key #3 (line below)
+ DATA_B_ENCRYPTION_KEY = 2 [
+ (string_name) = "display_value"
+ ];
+ // Generic Password #4 (line below)
+ DATA_B_PASSWORD = 28970[
+ (string_name) = "display_value"
+ ];
+ // Generic Secret #5 (line below)
+ DATA_B_SECRET = 123456789[
+ (string_name) = "display_value"
+ ];
+}
+
+// Scenario 4 - Generic keywords in "reserved"
+enum EnumAllowingAlias {
+ reserved "password", "api_token", "private_key", "encryption_key", "exposed_secret";
+ option end_of_sample = true;
}
\ No newline at end of file
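Review bot: The fixture now declares fields with type `int` (e.g. `int message_and_enum_option_token = 2 [...]`), which is not a protobuf scalar, and reuses field numbers (`= 8` twice in `SampleMessageNegative2`, `= 2` three times in `enum Corpus` without `allow_alias`), while the removed header note had stated the file compiled with protoc. The allow rules key on `name = number` and the option bracket, not on the type, so `int32` plus unique numbers would give identical regex coverage and let `protoc`/`buf lint` keep validating the fixture. If the breakage is deliberate, say so where the old note was, e.g. `// Note - intentionally not protoc-valid; this file only exercises the regex allow rules.`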
diff --git a/assets/queries/common/passwords_and_secrets/test/positive56.proto b/assets/queries/common/passwords_and_secrets/test/positive56.proto
index 1f45d1eba27..8904d103b5a 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive56.proto
+++ b/assets/queries/common/passwords_and_secrets/test/positive56.proto
@@ -1,9 +1,11 @@
-// "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test - #1
-// "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 positive-test - #2
-// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc positive-test - #3
-// "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Proto File fields" allow rule test - #4
-// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Proto File fields" allow-rule-test - #5
-// "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding Proto File fields" allow-rule-test - #6
+// "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - positive-test - #1
+// "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - positive-test - #2
+// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - positive-test - #3
+// "Generic Private Key" - 2f665079-c383-4b33-896e-88268c1fa258 - positive-test - #4
+// "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - positive-test - #5
+// "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Proto File fields" allow rule test - #6
+// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Proto File fields" allow-rule-test - #7
+// "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding Proto File fields" allow-rule-test - #8
syntax = "proto3";
@@ -11,7 +13,6 @@ syntax = "proto3";
// "password" = "test_sample" #1
// "secret_key" : minimum_ten_characters #2
// "unsafe_token" : "is_this_safe" #3
-// Note - This is as valid proto file that generates output with "protoc" command as of version "libprotoc 34.0"
package com.example.security_test.v1;
@@ -19,7 +20,19 @@ import "google/protobuf/wrappers.proto";
message InocentMessage {
google.protobuf.StringValue safe_value = 1;
- double not_a_password = 22222; // #4
- float not_a_token = 3; // #5
- string not_an_encryption_key = 4; // #6
-}
\ No newline at end of file
+ double not_a_password = 22222; // #6
+ float not_a_token = 3; // #7
+ string not_an_encryption_key = 4; // #8
+}
+
+
+extend google.protobuf.FileOptions { // too generic for an allow rule
+ int32 source_retention_password = 12342134 //#1
+ [retention = RETENTION_SOURCE];
+ string source_retention_token = 12342135 //#3
+ [retention = RETENTION_SOURCE];
+ float source_retention_private_key = 12342137 //#4
+ [retention = RETENTION_SOURCE];
+ double source_retention_encryption_key = 12342136 //#5
+ [retention = RETENTION_SOURCE];
+}
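Review bot: The four `extend google.protobuf.FileOptions` fields are plain field declarations with no secret value, yet the companion expected-result update records them as HIGH findings, so the suite now pins a known false positive as required behavior and any later improvement to the allow rules (e.g. accepting `number // comment` before a bracket on the next line) will fail it. The `// too generic for an allow rule` comment explains the trade-off but not that these are expected false positives, which a reader of positive56.proto will otherwise take for real secrets. If the lines stay positives, expand the comment to `// #1 - known false positive: a field number followed by a trailing comment is not covered by the allow rule`, and consider tracking the gap in a follow-up rather than in the expected results.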
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index 12231e24e88..2271644b04c 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -488,19 +488,43 @@
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 11,
+ "line": 13,
"fileName": "positive56.proto"
},
{
"queryName": "Passwords And Secrets - Generic Secret",
"severity": "HIGH",
- "line": 12,
+ "line": 14,
"fileName": "positive56.proto"
},
{
"queryName": "Passwords And Secrets - Generic Token",
"severity": "HIGH",
- "line": 13,
+ "line": 15,
+ "fileName": "positive56.proto"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 30,
+ "fileName": "positive56.proto"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 32,
+ "fileName": "positive56.proto"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Private Key",
+ "severity": "HIGH",
+ "line": 34,
+ "fileName": "positive56.proto"
+ },
+ {
+ "queryName": "Passwords And Secrets - Encryption Key",
+ "severity": "HIGH",
+ "line": 36,
"fileName": "positive56.proto"
}
]
\ No newline at end of file
From 5abc72e245c59de6a893987a24008dfdbd05221b Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 14 Apr 2026 15:00:13 +0100
Subject: [PATCH 30/30] More changes to align with #8013
---
.../common/passwords_and_secrets/regex_rules.json | 10 +++++-----
.../passwords_and_secrets/test/negative61.proto | 13 +++++++++++--
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 909d6cf9cc6..c6b32e5f000 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -39,7 +39,7 @@
},
{
"description": "Avoiding Proto File fields",
- "regex": "(?i)password\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[)"
+ "regex": "(?i)password\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,\\s*$|\\[\\s*$|;)"
}
],
"specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"
@@ -86,7 +86,7 @@
},
{
"description": "Avoiding Proto File fields",
- "regex": "(?i)secret_?(key|value)?\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[)"
+ "regex": "(?i)secret_?(key|value)?\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,\\s*$|\\[\\s*$|;)"
}
],
"specialMask": "(?i)['\"]?secret_?(key)?['\"]?\\s*[:=]\\s*"
@@ -285,7 +285,7 @@
},
{
"description": "Avoiding Proto File fields",
- "regex": "(?i)private_?key\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[)"
+ "regex": "(?i)private_?key\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,\\s*$|\\[\\s*$|;)"
}
],
"specialMask": "(?i)['\"]?private_?key['\"]?\\s*[:=]\\s*"
@@ -357,7 +357,7 @@
},
{
"description": "Avoiding Proto File fields",
- "regex": "(?i)token_?(key)?\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[\\s*$)"
+ "regex": "(?i)token_?(key)?\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,\\s*$|\\[\\s*$|;)"
}
],
"specialMask": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*"
@@ -384,7 +384,7 @@
},
{
"description": "Avoiding Proto File fields",
- "regex": "(?i)encryption_?key\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[)"
+ "regex": "(?i)encryption_?key\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,\\s*$|\\[\\s*$|;)"
}
],
"specialMask": "(?i)['\"]?encryption_?key['\"]?\\s*[:=]\\s*"
diff --git a/assets/queries/common/passwords_and_secrets/test/negative61.proto b/assets/queries/common/passwords_and_secrets/test/negative61.proto
index 07d80ad3f45..eec951cfa45 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative61.proto
+++ b/assets/queries/common/passwords_and_secrets/test/negative61.proto
@@ -84,6 +84,16 @@ message MyOptions {
string file_only_option_secret = 15[targets = TARGET_TYPE_FILE]; // Generic Secret #5
int message_and_enum_option_secret = 25[targets = TARGET_TYPE_MESSAGE,
targets = TARGET_TYPE_ENUM]; // Generic Secret #5 (line above)
+
+ int B_message_and_enum_option_token = 2 [targets = TARGET_TYPE_MESSAGE, targets = TARGET_TYPE_ENUM]; // Generic Token #1
+
+ int B_message_and_enum_option_private_key = 211 [targets = TARGET_TYPE_MESSAGE, targets = TARGET_TYPE_ENUM]; // Generic Private Key #2
+
+ int B_message_and_enum_option_encryption_key = 232 [targets = TARGET_TYPE_MESSAGE, targets = TARGET_TYPE_ENUM]; // Encryption Key #3
+
+ int B_message_and_enum_option_password = 243 [targets = TARGET_TYPE_MESSAGE, targets = TARGET_TYPE_ENUM]; // Generic Password #4
+
+ int B_message_and_enum_option_secret = 254[targets = TARGET_TYPE_MESSAGE, targets = TARGET_TYPE_ENUM]; // Generic Secret #5
}
message Not_a_Token {
@@ -128,5 +138,4 @@ enum Corpus {
// Scenario 4 - Generic keywords in "reserved"
enum EnumAllowingAlias {
reserved "password", "api_token", "private_key", "encryption_key", "exposed_secret";
- option end_of_sample = true;
-}
\ No newline at end of file
+ option end_of_sample = false;}enum InlineMessageFormat{option end_of_sample = true;}
\ No newline at end of file