Add support for 15 more rules to Secret Push Protection
Problem
Today, push protection supports 36 high-quality patterns, chosen so that we do not create unnecessary friction for developers by blocking pushes on false positives. Now that developers can skip push protection and maintainers can add exclusions for noisy rules, we should extend the default push protection ruleset to work toward parity with the ~150 pipeline secret detection (SD) rules.
Requirements
- Identify 15 high precision rules that can be added to the push protection default ruleset
- Add those 15 rules
Rule candidates
One push protection rule was already added in v0.6.0: GitLab routable tokens.
We have identified 22 existing pipeline rules that are good candidates for push protection. Additionally, there are 16 new rules under development, not yet available in pipelines, that we believe could also meet the high precision requirement. Baseline precision is the measured share of true positives among the rule's matches before any tuning; updated precision is the value after the linked tuning issue.
| Nr. | GitLab Rule ID | Already available in pipelines | Baseline precision | Updated precision |
|---|---|---|---|---|
| 1 | Adobe Client Secret | | 50% | 100% (https://gitlab.com/gitlab-org/gitlab/-/issues/526237) |
| 2 | AsanaPersonalAccessToken | | 0% | TBD |
| 3 | AtlassianUserApiToken | | 0% | TBD |
| 4 | Bitbucket client secret | | 0% | TBD |
| 5 | CircleCIPersonalAccessToken | | 100% | 100% (https://gitlab.com/gitlab-org/gitlab/-/issues/527282) |
| 6 | ContentfulPersonalAccessToken | | 30% | 100% (https://gitlab.com/gitlab-org/gitlab/-/issues/527278) |
| 7 | Databricks API token | | 10% | TBD |
| 8 | digitalocean-access-token | | 0% | TBD |
| 9 | digitalocean-pat | | 0% | TBD |
| 10 | digitalocean-refresh-token | | 0% | TBD |
| 11 | DiscordBotApiToken | | 0% | TBD |
| 12 | Doppler API token | | 20% | 100% (https://gitlab.com/gitlab-org/gitlab/-/issues/527301) |
| 13 | Dropbox short lived API token | | 0% | TBD |
| 14 | Duffel API token | | 10% | TBD |
| 15 | EasyPost API token | | 0% | TBD |
| 16 | FlutterwaveProdSecretKey | | 0% | TBD |
| 17 | GithubFineGrainedPersonalAccessToken | | 0% | TBD |
| 18 | GrafanaCloudAccessPolicyToken | | 0% | TBD |
| 19 | GrafanaServiceAccountToken | | 0% | TBD |
| 20 | Hubspot API token | | 0% | TBD |
| 21 | IntercomAppAccessToken | | 0% | TBD |
| 22 | Ionic API token | | 0% | TBD |
| 23 | ArtifactoryApiKey | | 0% | TBD |
| 24 | Linear API token | | 40% | 100% (https://gitlab.com/gitlab-org/gitlab/-/issues/527314) |
| 25 | OpenAiProjectKey | | 0% | TBD |
| 26 | PlanetscaleOAuthSecret | | 0% | TBD |
| 27 | Planetscale API token | | 20% | 100% (https://gitlab.com/gitlab-org/gitlab/-/issues/527319) |
| 28 | Postman API token | | 0% | TBD |
| 29 | PostmanCollectionAccessKey | | 0% | TBD |
| 30 | Sendinblue API token | | 70% | 100% (https://gitlab.com/gitlab-org/gitlab/-/issues/527326) |
| 31 | Sendinblue SMTP token | | 20% | 100% (https://gitlab.com/gitlab-org/gitlab/-/issues/527339) |
| 32 | Shippo API token | | 60% | 100% (https://gitlab.com/gitlab-org/gitlab/-/issues/527340) |
| 33 | ShopifyPartnerAccessToken | | 0% | TBD |
| 34 | SlackAppLevelToken | | 100% | 100% (https://gitlab.com/gitlab-org/gitlab/-/issues/527342) |
| 35 | StripeLiveSecretKey | | 100% | 100% (https://gitlab.com/gitlab-org/gitlab/-/issues/527343) |
| 36 | Twilio API Key | | 100% | 100% (https://gitlab.com/gitlab-org/gitlab/-/issues/527344) |
| 37 | Typeform API token | | 0% | TBD |
| 38 | Yandex.Cloud AWS API compatible Access Secret | | 0% | TBD |
| 39 | MaxMind | | 0% | 100% (https://gitlab.com/gitlab-org/gitlab/-/issues/533873) |
| 40 | Onfido | | 0% | 100% (https://gitlab.com/gitlab-org/gitlab/-/issues/514215) |
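The precision figures in the table are what decides whether a rule is safe to block pushes with. As an added illustration (not GitLab's own measurement harness, and not the real rule regexes, which are not on this page), the script below scores two hypothetical rules against a small set of constructed, labelled lines: a generic keyword-plus-blob pattern of the kind that produces 0-50% baseline precision, and a prefix-anchored pattern in the style of the 100% rules (StripeLiveSecretKey, SlackAppLevelToken). The sample lines and token values are made up; none are real credentials.

```python
import re

# Constructed, labelled sample lines (True = the line contains a real-shaped
# secret). None of these values are real credentials.
SAMPLES = [
    ('STRIPE_SECRET = "sk_live_AbCdEf0123456789AbCdEf01"', True),
    ('api_key = "Xy9ZpQ3rT7vB2nM8kL4wH6jD"', True),
    ('secret = "CHANGEMEINPRODUCTIONPLEASE"', False),
    ('API_KEY = "000000000000000000000000"', False),
    ('api_key = os.environ["API_KEY"]', False),
    ('# sk_live_ keys must never be committed; use STRIPE_SECRET from the vault', False),
    ('secret: sk_live_placeholder', False),
]

# Hypothetical rules for illustration; the real GitLab rule regexes are not on
# this page.
RULES = {
    # Keyword followed by any long alphanumeric blob: broad, so placeholders
    # and dummy values count as hits.
    "generic-api-key": re.compile(
        r'(?i)(?:api[_-]?key|secret)\s*[:=]\s*[\'"]?[A-Za-z0-9]{20,}'
    ),
    # Vendor prefix plus a minimum length: only strings with the issued
    # token's shape match, so prose mentioning the prefix does not.
    "stripe-live-secret-key": re.compile(r'\bsk_live_[A-Za-z0-9]{24,}\b'),
}


def score(rule, samples):
    """Return TP/FP/FN counts plus precision and recall for one rule."""
    tp = fp = fn = 0
    for line, is_secret in samples:
        hit = rule.search(line) is not None
        if hit and is_secret:
            tp += 1
        elif hit:
            fp += 1
        elif is_secret:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


def score_all(samples=SAMPLES):
    """Score every rule in RULES against the labelled samples."""
    return {name: score(rule, samples) for name, rule in RULES.items()}


def push_protection_eligible(name, samples=SAMPLES, min_precision=1.0):
    """Gate a rule on measured precision before it may block pushes.

    min_precision=1.0 mirrors the 'Updated precision' target in the table;
    the threshold itself is an assumption of this example.
    """
    return score(RULES[name], samples)["precision"] >= min_precision


if __name__ == "__main__":
    for name, result in score_all().items():
        print(f"{name:24s} precision={result['precision']:.2f} "
              f"recall={result['recall']:.2f} "
              f"eligible={push_protection_eligible(name)}")
```

On this sample set the generic rule scores 1 true positive against 2 false positives (precision 0.33), while the prefixed rule scores 1 true positive and no false positives (precision 1.0). Both have recall 0.5: the prefixed rule cannot see the unprefixed key on the second line, which is exactly the trade-off the issue describes, with the broad patterns staying in pipeline SD and only the precise ones blocking pushes.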
Edited by Dinesh Bolkensteyn