Upgrade Secret Detection rules from upstream Gitleaks
Proposal
Secret Detection uses Gitleaks under the hood. Gitleaks has recently been updated and now ships over 130 rules for detecting secrets, with more planned. Gitleaks provides a package to help develop and maintain rules here. The maintainer has also provided a contributing guidelines document that explains the process of developing new rules.
Examine GitLab's default ruleset and update the rules that have been modified upstream. The Adobe rule below shows the kind of change involved: the old pattern only matches a quoted value after an operator, while the upstream pattern accepts unquoted values and quoted keys and bounds the token on the right.
Old:
regex = '''(?i)(adobe[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-f0-9]{32})['\"]'''
adobe_api_token = "2df3838dd87483cf04555795a0d7d754" (detected)
ADOBE_API_TOKEN=2df3838dd87483cf04555795a0d7d754 (not detected)
'adobe_api_token':'2df3838dd87483cf04555795a0d7d754' (not detected)
New:
regex = '''(?i)(?:adobe)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60]|$)'''
adobe_api_token = "2df3838dd87483cf04555795a0d7d754" (detected)
ADOBE_API_TOKEN=2df3838dd87483cf04555795a0d7d754 (detected)
'adobe_api_token':'2df3838dd87483cf04555795a0d7d754' (detected)
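The comparison above can be reproduced locally before a rule is changed in gitleaks.toml. The following script is an added example, not part of this issue or of the Gitleaks project: it compiles both regexes exactly as written above with Python's re module (Gitleaks itself uses Go's RE2 engine, which agrees with Python on these constructs) and runs them over the three sample lines from this issue plus one constructed line with a 40-character hex value, to show that the new pattern's trailing boundary check rejects values that are longer than an Adobe token. The capture-group indexes (3 for the old pattern, 1 for the new) are read off the regexes themselves and are an assumption about the corresponding secretGroup settings.

```python
import re

# Both regexes are copied verbatim from the issue text (old GitLab rule, new upstream Gitleaks rule).
OLD_RULE = {
    "regex": re.compile(r'''(?i)(adobe[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-f0-9]{32})['\"]'''),
    "secret_group": 3,  # the hex token is the third capture group in the old pattern
}
NEW_RULE = {
    "regex": re.compile(r'''(?i)(?:adobe)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60]|$)'''),
    "secret_group": 1,  # every other group is non-capturing, so the token is group 1
}

TOKEN = "2df3838dd87483cf04555795a0d7d754"  # the example token used in the issue

# Sample lines: the three from the issue, plus one constructed 40-hex (SHA-1-like)
# value that should not be reported as a 32-hex Adobe token by either pattern.
SAMPLES = [
    'adobe_api_token = "2df3838dd87483cf04555795a0d7d754"',
    "ADOBE_API_TOKEN=2df3838dd87483cf04555795a0d7d754",
    "'adobe_api_token':'2df3838dd87483cf04555795a0d7d754'",
    "ADOBE_SECRET=0123456789abcdef0123456789abcdef01234567",  # constructed, not an Adobe token
]


def detect(rule, line):
    """Return the captured secret if the rule matches the line, otherwise None."""
    m = rule["regex"].search(line)
    return m.group(rule["secret_group"]) if m else None


def compare(lines=SAMPLES):
    """Run both rules over every line; returns [(line, old_hit, new_hit), ...]."""
    return [(line, detect(OLD_RULE, line), detect(NEW_RULE, line)) for line in lines]


if __name__ == "__main__":
    for line, old, new in compare():
        status = lambda hit: "hit " if hit else "miss"
        print(f"{line!r:58} old={status(old)} new={status(new)}")
```

Running the script prints one row per sample: the old rule hits only the first line, the new rule hits the first three, and neither reports the constructed 40-hex line. Extending SAMPLES with real false positives seen in a project is a cheap way to check a regex change before it is proposed upstream.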
Tasks
- update current rules to enforce stricter, less FP-prone regexes
- add select (or all) rules that are not currently in the secrets' gitleaks.toml
- update metadata, such as finding names, when modified in upstream (e.g. in this PR).
Edited by Connor Gilbert