Close any possible GitLab Secret Detection gaps compared to kics Passwords and Secrets rules
As a follow-up to Disable secret detection in KICS SAST IAC scanner (#346181 - closed) this issue is meant to contrast and compare the secret detection rules that we are disabling with Disable kics secret detection (gitlab-org/security-products/analyzers/kics!43 - merged) for our kics analyzer.
The current kics secrets patterns can be found at https://github.com/Checkmarx/kics/blob/master/assets/queries/common/passwords_and_secrets/regex_rules.json, and a series of tests can be found at https://github.com/Checkmarx/kics/blob/master/assets/queries/common/passwords_and_secrets/test
The following list was created by comparing the kics regex_rules.json file with https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/master/gitleaks.toml. It contains rules that exist in kics that do not appear to exist in the gitleaks.toml.
- Putty Private Key
- AWS Access Key
- AWS Context-specific credential
- AWS Certificate
- AWS Secret Key
- K8s Environment Variable Password
- Google OAuth
- Square Access Token
- Square OAuth Secret
- Amazon MWS Auth Token
- PayPal Braintree Access Token
- Picatic API Key
- CloudFormation Secret Template
- *Stripe Restricted API Key
- *Facebook Access Token
- *Google API Key
\* Secret Detection currently has rules for these, but there are some differences that should be checked.
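The comparison above (rule names present in kics regex_rules.json but absent from gitleaks.toml) and the starred follow-up (rules present in both whose patterns differ) can be repeated by script. This is an added example, not code from GitLab or kics; it assumes the kics file is a JSON object with a `rules` array of `name`/`regex` entries and that the gitleaks.toml uses `[[rules]]` tables with `description` and `regex` keys, and it uses constructed sample data in both formats.

```python
"""Compare kics regex_rules.json rule names against a gitleaks.toml (added example, constructed data)."""
import json
import re

# Constructed sample of kics regex_rules.json (assumed shape: {"rules": [{"name": ..., "regex": ...}]}).
KICS_JSON = json.dumps({"rules": [
    {"id": "1", "name": "AWS Access Key", "regex": r"AKIA[0-9A-Z]{16}"},
    {"id": "2", "name": "Google API Key", "regex": r"AIza[0-9A-Za-z\-_]{35}"},
    {"id": "3", "name": "Putty Private Key", "regex": r"PuTTY-User-Key-File-2"},
]})

# Constructed sample gitleaks.toml (assumed layout: [[rules]] tables with description/regex/tags).
GITLEAKS_TOML = """
title = "gitleaks config"
[[rules]]
  description = "AWS Access Key"
  regex = '''AKIA[0-9A-Z]{16}'''
  tags = ["key", "AWS"]
[[rules]]
  description = "Google API Key"
  regex = '''AIza[0-9a-zA-Z-_]{35}'''
"""


def parse_gitleaks_rules(text):
    """Minimal reader for [[rules]] tables with single-line string values (not a full TOML parser)."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[rules]]":
            current = {}
            rules.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            for quote in ("'''", '"""', '"', "'"):
                if value.startswith(quote) and value.endswith(quote) and len(value) >= 2 * len(quote):
                    current[key.strip()] = value[len(quote):-len(quote)]
                    break
    return rules


def normalize(name):
    """Lower-case and collapse punctuation so 'Putty Private Key' and 'putty-private-key' match."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def compare_rules(kics_json, gitleaks_toml):
    """Return (missing, differing): kics names absent from gitleaks, and names in both whose regex differs."""
    kics = {normalize(r["name"]): r["regex"] for r in json.loads(kics_json)["rules"]}
    leaks = {normalize(r.get("description", "")): r.get("regex", "") for r in parse_gitleaks_rules(gitleaks_toml)}
    missing = sorted(n for n in kics if n not in leaks)
    differing = sorted(n for n in kics if n in leaks and kics[n] != leaks[n])
    return missing, differing


if __name__ == "__main__":
    missing, differing = compare_rules(KICS_JSON, GITLEAKS_TOML)
    print("kics rules missing from gitleaks.toml:", missing)
    print("present in both but regex differs (check manually):", differing)
```

Name matching is by normalized description only, so a rule renamed between the two files still shows up as missing and needs a manual look.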