WIP: Update rules from Gitleaks 3.3.0
What does this MR do?
Updates rules for Gitleaks 3.3.0 with the rules from Gitleaks 3.3.0.
Complements !23 (merged)
Adds
- AWS Secret Key
- Amazon Marketplace Web Service key (upstream mentioning as
AWS MWS key, which might be incorrect) - Facebook Client ID (besides Facebook Secret Key)
- Twitter Client ID (besides Twitter Secret Key)
- LinkedIn Client ID and Secret Key
- Asymmetric Private Key (EC, PGP, DSA, RSA, OpenSSH private keys)
- Google API key
- Heroku API key
- MailChimp API key
- Mailgun API key
- PayPal Braintree access token
- Picatic API key
- SendGrid API key
- Slack Webhook URL (besides Slack bot, workspace, user, secret, and legacy token)
- Square access token
- Square OAuth secret
- Twilio API key
Environment variablesPortsWordPress configurations
Updates
- AWS Manager ID (sometimes known as
Access key ID) - Generic credentials (formerly known as
Generic API Key) - Stripe API key
Removes
- Entropy-based credential detection
What are the relevant issue numbers?
Closes gitlab-org/gitlab#205172 (closed)
Relates to gitlab-org/gitlab#205171 (closed), gitlab-org/gitlab#12948 (closed)
Does this MR meet the acceptance criteria?
-
Changelog entry added -
Documentation created/updated for GitLab EE, if necessary -
Documentation created/updated for this project, if necessary -
Documentation reviewed by technical writer or follow-up review issue created -
Tests added for this feature/bug -
Job definition updated, if necessary -
Conforms to the code review guidelines -
Conforms to the Go guidelines -
Security reports checked/validated by reviewer
Merge request reports
Activity
mentioned in merge request !23 (merged)
changed milestone to %12.9
added devopssecure label and removed backstage [DEPRECATED] label
assigned to @tnir
@zrice this looks like another great MR for you to review. Are you able to take a look?
@tnir how does this differ from !23 (merged) ?
This MR should be part of !23 (merged)I take that back, this MR should be separate. @dsearles this MR differs from !23 (merged) in that it adds additional rules to check. !23 (merged) bumps the version of gitleaks which requires some analyzer code changes.
Edited by Zach Ricementioned in merge request gitlab-org/security-products/tests/secrets!8 (merged)
mentioned in issue gitlab-org/gitlab#11009 (closed)
@zrice - would you please investigate this MR while you're in this part of the codebase?
assigned to @zrice
added backend label
changed milestone to %13.0
9 9 ARG GITLEAKS_VERSION 10 10 ARG TRUFFLEHOG_VERSION 11 11 12 ENV GITLEAKS_VERSION ${GITLEAKS_VERSION:-v1.24.0} 12 ENV GITLEAKS_VERSION ${GITLEAKS_VERSION:-v3.3.0} -
we are on
v4.1.1now !38 (diffs). This should be fixed when you merge master into this branch.
110 111 [[rules]] 112 description = "Square OAuth secret" 113 regex = '''sq0csp-[0-9A-Za-z\\-_]{43}''' 114 tags = ["key", "square"] 115 116 [[rules]] 117 description = "Twilio API key" 118 regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]''' 119 tags = ["key", "twilio"] 120 # end of adaption from Gitleaks's default config (as of v3.3.0) from the following: 121 # https://github.com/zricethezav/gitleaks/blob/e7fbcf53338e283bd4c92ecb1e59de7a6df5fa14/config/default.go#L7-L137 122 123 # Generic Credential including "-", "_", "/" should be detected 124 [[rules]] 125 description = "Generic Credential" 124 [[rules]] 125 description = "Generic Credential" 126 regex = '''(?i)(api_key|apikey|secret)(.{0,20})?['|"][0-9a-zA-Z-_/]{16,45}['|"]''' 127 tags = ["key", "API", "generic"] 128 129 # Stripe API key in test mode ("_test_") should be detected as well as ones in live mode 130 # https://stripe.com/docs/keys#test-live-modes 131 [[rules]] 132 description = "Stripe API key" 133 regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_(test|live)_[0-9a-zA-Z]{24}''' 134 tags = ["key", "Stripe"] 135 136 # This config is adapted from Gitleaks's config example (as of v3.3.0) from the following: 137 # https://github.com/zricethezav/gitleaks/blob/e7fbcf53338e283bd4c92ecb1e59de7a6df5fa14/examples/leaky-repo.toml#L149-L161 138 [[rules]] 139 description = "Pure Entropy" 146 description = "Entropy plus Generic Credential" 147 regex = '''(?i)(api_key|apikey|secret|key|api|password|pw)''' 148 entropies = [ 149 "5.2-5.5" 150 ] 151 # end of adaption from Gitleaks's config example (as of v3.3.0) from the following: 152 153 [Global] 154 file = '''(?i)(id_rsa|passwd|id_rsa.pub|pgpass|pem|key|shadow)''' 155 50 156 [whitelist] 51 files = [ 52 "(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$" 53 ] 157 description = "image whitelists" 158 file = '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''' unassigned @zrice