custom rule-set secret detection
We are currently facing issues with adding a custom secret-detection-ruleset.toml file for detecting secrets that are not being captured by the existing Secret Detection pipeline. The custom ruleset is intended to enhance the detection of additional sensitive credentials, but it's not functioning as expected.
Issue 1: Unable to create a remote configuration file. Despite adding the correct access tokens to each repository, projects are not recognizing the authentication field. This issue has been tested on both public and private repositories, but the authentication field continues to be ignored.
```
[INFO] [secrets] [2024-09-12T05:43:40Z] ▶ Loading remote ruleset configuration file
[FATA] [secrets] [2024-09-12T05:43:40Z] ▶ cloneGit error: authorization failed
```
Issue 2: Add a custom rule set containing multiple regex rules. The goal is to create a rule that can detect various patterns, such as API usernames, passwords, and tool credentials that aren't currently being captured. However, the current configuration only applies the last regex rule in the set, causing earlier patterns to be ignored.
```toml
[secrets]
  description = "Custom rule for detecting RabbitMQ and Redis credentials"

  [[secrets.passthrough]]
    type = "raw"
    target = "gitleaks.toml"
    # `value` is a multi-line basic string ("""), so TOML escape-processes it
    # before the text is written to gitleaks.toml. A bare `\s` is not a valid
    # TOML escape, so every backslash in the regexes below is doubled; gitleaks
    # then reads a plain `\s` out of the '''...''' literal strings.
    value = """
# Each rule is its own [[rules]] array entry; a plain [rules] table cannot hold several.
[[rules]]
  description = "Detect RabbitMQ password"
  regex = '''(?i)(rabbitmq.password\\s[=:]\\s*["']?([a-zA-Z0-9!@#$%^&*()_+=-]+)["']?)'''
  tags = ["password", "rabbitmq"]

[[rules]]
  description = "Detect Redis password"
  regex = '''(?i)(redis.password\\s[=:]\\s*["']?([a-zA-Z0-9!@#$%^&*()_+=-]+)["']?)'''
  tags = ["password", "redis"]

[[rules]]
  description = "Detect RabbitMQ username"
  regex = '''(?i)(rabbitmq.user(name)?\\s[=:]\\s*["']?([a-zA-Z0-9_-]+)["']?)'''
  tags = ["user", "rabbitmq", "spring"]
"""
```