From faf54c83d023cd687a9d255d65c70af6ef71de07 Mon Sep 17 00:00:00 2001
From: "Security Research (r2c-argo)"
Date: Fri, 6 Sep 2024 00:30:28 +0000
Subject: [PATCH] Merge Gitleaks rules 2024-09-06 # 00:30
---
 .../secrets/gitleaks/clojars-api-token.yaml | 2 +-
 .../secrets/gitleaks/doppler-api-token.yaml | 2 +-
 .../secrets/gitleaks/duffel-api-token.yaml | 2 +-
 .../secrets/gitleaks/github-app-token.yaml | 2 +-
 generic/secrets/gitleaks/harness-api-key.yaml | 2 +-
 .../gitleaks/hashicorp-tf-api-token.yaml | 2 +-
 .../kubernetes-secret-with-data-after.yaml | 26 +++++++++++++++++++
 .../kubernetes-secret-with-data-before.yaml | 26 +++++++++++++++++++
 .../gitleaks/openshift-user-token.yaml | 26 +++++++++++++++++++
 generic/secrets/gitleaks/private-key.yaml | 2 +-
 .../gitleaks/sidekiq-sensitive-url.yaml | 2 +-
 generic/secrets/gitleaks/slack-app-token.yaml | 2 +-
 .../gitleaks/slack-config-access-token.yaml | 2 +-
 .../gitleaks/slack-config-refresh-token.yaml | 2 +-
 .../secrets/gitleaks/slack-legacy-token.yaml | 2 +-
 .../secrets/gitleaks/slack-user-token.yaml | 2 +-
 .../gitleaks/telegram-bot-api-token.yaml | 2 +-
 .../secrets/gitleaks/vault-service-token.yaml | 2 +-
 18 files changed, 93 insertions(+), 15 deletions(-)
 create mode 100644 generic/secrets/gitleaks/kubernetes-secret-with-data-after.yaml
 create mode 100644 generic/secrets/gitleaks/kubernetes-secret-with-data-before.yaml
 create mode 100644 generic/secrets/gitleaks/openshift-user-token.yaml
diff --git a/generic/secrets/gitleaks/clojars-api-token.yaml b/generic/secrets/gitleaks/clojars-api-token.yaml
index 1bd151c065..307b0aacfb 100644
--- a/generic/secrets/gitleaks/clojars-api-token.yaml
+++ b/generic/secrets/gitleaks/clojars-api-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)(CLOJARS_)[a-z0-9]{60}
+ - pattern-regex: (?i)CLOJARS_[a-z0-9]{60}
diff --git a/generic/secrets/gitleaks/doppler-api-token.yaml b/generic/secrets/gitleaks/doppler-api-token.yaml
index 4fa906b50d..e0a1bb2a79 100644
--- a/generic/secrets/gitleaks/doppler-api-token.yaml
+++ b/generic/secrets/gitleaks/doppler-api-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (dp\.pt\.)(?i)[a-z0-9]{43}
+ - pattern-regex: dp\.pt\.(?i)[a-z0-9]{43}
diff --git a/generic/secrets/gitleaks/duffel-api-token.yaml b/generic/secrets/gitleaks/duffel-api-token.yaml
index 93a67e4ea9..0948b07470 100644
--- a/generic/secrets/gitleaks/duffel-api-token.yaml
+++ b/generic/secrets/gitleaks/duffel-api-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: duffel_(test|live)_(?i)[a-z0-9_\-=]{43}
+ - pattern-regex: duffel_(?:test|live)_(?i)[a-z0-9_\-=]{43}
diff --git a/generic/secrets/gitleaks/github-app-token.yaml b/generic/secrets/gitleaks/github-app-token.yaml
index 269ba4b25a..05beb4f806 100644
--- a/generic/secrets/gitleaks/github-app-token.yaml
+++ b/generic/secrets/gitleaks/github-app-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (ghu|ghs)_[0-9a-zA-Z]{36}
+ - pattern-regex: (?:ghu|ghs)_[0-9a-zA-Z]{36}
diff --git a/generic/secrets/gitleaks/harness-api-key.yaml b/generic/secrets/gitleaks/harness-api-key.yaml
index c668ea9573..02b833c231 100644
--- a/generic/secrets/gitleaks/harness-api-key.yaml
+++ b/generic/secrets/gitleaks/harness-api-key.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: ((?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20})
+ - pattern-regex: (?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20}
diff --git a/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml b/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml
index 8e8e8b1e32..730566458d 100644
--- a/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml
+++ b/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}
+ - pattern-regex: (?i)[a-z0-9]{14}\.(?-i:atlasv1)\.[a-z0-9\-_=]{60,70}
diff --git a/generic/secrets/gitleaks/kubernetes-secret-with-data-after.yaml b/generic/secrets/gitleaks/kubernetes-secret-with-data-after.yaml
new file mode 100644
index 0000000000..0cdafcd1d1
--- /dev/null
+++ b/generic/secrets/gitleaks/kubernetes-secret-with-data-after.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: kubernetes-secret-with-data-after
+ message: A gitleaks kubernetes-secret-with-data-after was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: (?i)\b((?i)(?:\bkind:.{0,10}Secret\b)(?:.|\s){0,200}?\b(?:data:)\s*(.+))(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/kubernetes-secret-with-data-before.yaml b/generic/secrets/gitleaks/kubernetes-secret-with-data-before.yaml
new file mode 100644
index 0000000000..2fda270f5c
--- /dev/null
+++ b/generic/secrets/gitleaks/kubernetes-secret-with-data-before.yaml
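Review bot: The `(?:.|\s){0,200}?` bridge in the new kubernetes-secret-with-data-after pattern-regex is ambiguous on whitespace — a space or tab satisfies both `.` and `\s` — so when a `kind: ... Secret` line is found but no `data:` follows inside the window, the engine can retry every split of the intervening whitespace runs, and that retry count can grow exponentially with the number of blanks before the backtrack limit is hit; the rule runs over whole files, so this is a scan-time concern rather than a correctness one. A single class removes the ambiguity without changing what is matched: `(?:.|\s){0,200}?` → `[\s\S]{0,200}?`. Separately, `(?i)` is applied twice (once at the start and again inside group 1), and the `|` characters inside the trailing `['|\"|\n|\r|\s|\x60|;]` class are literal pipes, not alternation, so `|` silently counts as a terminator; the same class is used in kubernetes-secret-with-data-before, telegram-bot-api-token and vault-service-token.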
@@ -0,0 +1,26 @@
+rules:
+- id: kubernetes-secret-with-data-before
+ message: A gitleaks kubernetes-secret-with-data-before was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: (?i)\b((?i)(?:\b(?:data:))(\W+(?:\w+\W+){0,200}?)\bkind:.{0,10}Secret\b)(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/openshift-user-token.yaml b/generic/secrets/gitleaks/openshift-user-token.yaml
new file mode 100644
index 0000000000..00bcab0a58
--- /dev/null
+++ b/generic/secrets/gitleaks/openshift-user-token.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: openshift-user-token
+ message: A gitleaks openshift-user-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: \b(sha256~[\w-]{43})(?:[^\w-]|\z)
diff --git a/generic/secrets/gitleaks/private-key.yaml b/generic/secrets/gitleaks/private-key.yaml
index 13e8f3fef4..63123256b0 100644
--- a/generic/secrets/gitleaks/private-key.yaml
+++ b/generic/secrets/gitleaks/private-key.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S-]*KEY( BLOCK)?----
+ - pattern-regex: (?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----[\s\S-]*KEY(?: BLOCK)?----
diff --git a/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml b/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml
index 72d9b8d4e5..7e77566c8a 100644
--- a/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml
+++ b/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml
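Review bot: The new openshift-user-token pattern-regex ends in `\z`, a PCRE end-of-subject escape that Python's `re` rejects as a bad escape, while every sibling rule touched by this commit terminates with `$` inside the same kind of alternation (vault-service-token, telegram-bot-api-token). Unless the engine behind pattern-regex is guaranteed PCRE-compatible, `(?:[^\w-]|\z)` → `(?:[^\w-]|$)` keeps the rule loadable and consistent with the rest of the set; if `\z` is deliberate, a one-line comment above the pattern saying so would stop the next reviewer from flagging it. The whole rule file is inside the hunk.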
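Review bot: `[\s\S-]*` in the new private-key pattern-regex is greedy, so in a file holding more than one PEM block the match runs from the first `-----BEGIN ... PRIVATE KEY-----` to the last `KEY-----` and everything in between is reported as one finding; the commit drops the capture groups but keeps this span. A lazy span, `[\s\S]*?KEY(?: BLOCK)?----`, ends each match at the nearest END line so each key is reported separately (the `-` inside `[\s\S-]` is already covered by `\S` and can go). Whether one spanning finding or one per key is preferable depends on how the consuming scanner groups results, so treat this as a suggestion to confirm rather than a defect.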
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)\b(http(?:s??):\/\/)([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$)
+ - pattern-regex: (?i)\bhttps?://([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$)
diff --git a/generic/secrets/gitleaks/slack-app-token.yaml b/generic/secrets/gitleaks/slack-app-token.yaml
index 51c5c8c0b8..163fbdd84e 100644
--- a/generic/secrets/gitleaks/slack-app-token.yaml
+++ b/generic/secrets/gitleaks/slack-app-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)(xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+)
+ - pattern-regex: (?i)xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+
diff --git a/generic/secrets/gitleaks/slack-config-access-token.yaml b/generic/secrets/gitleaks/slack-config-access-token.yaml
index 3d51c7269d..97615b0f22 100644
--- a/generic/secrets/gitleaks/slack-config-access-token.yaml
+++ b/generic/secrets/gitleaks/slack-config-access-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)(xoxe.xox[bp]-\d-[A-Z0-9]{163,166})
+ - pattern-regex: (?i)xoxe.xox[bp]-\d-[A-Z0-9]{163,166}
diff --git a/generic/secrets/gitleaks/slack-config-refresh-token.yaml b/generic/secrets/gitleaks/slack-config-refresh-token.yaml
index f76799ee1e..97233d5573 100644
--- a/generic/secrets/gitleaks/slack-config-refresh-token.yaml
+++ b/generic/secrets/gitleaks/slack-config-refresh-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)(xoxe-\d-[A-Z0-9]{146})
+ - pattern-regex: (?i)xoxe-\d-[A-Z0-9]{146}
diff --git a/generic/secrets/gitleaks/slack-legacy-token.yaml b/generic/secrets/gitleaks/slack-legacy-token.yaml
index e5565a553b..e38bc74a8b 100644
--- a/generic/secrets/gitleaks/slack-legacy-token.yaml
+++ b/generic/secrets/gitleaks/slack-legacy-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (xox[os]-\d+-\d+-\d+-[a-fA-F\d]+)
+ - pattern-regex: xox[os]-\d+-\d+-\d+-[a-fA-F\d]+
diff --git a/generic/secrets/gitleaks/slack-user-token.yaml b/generic/secrets/gitleaks/slack-user-token.yaml
index 70c5cb0277..26445b53bd 100644
--- a/generic/secrets/gitleaks/slack-user-token.yaml
+++ b/generic/secrets/gitleaks/slack-user-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34})
+ - pattern-regex: xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34}
diff --git a/generic/secrets/gitleaks/telegram-bot-api-token.yaml b/generic/secrets/gitleaks/telegram-bot-api-token.yaml
index a9edae9d57..b73dfe043a 100644
--- a/generic/secrets/gitleaks/telegram-bot-api-token.yaml
+++ b/generic/secrets/gitleaks/telegram-bot-api-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i:(?:telegr)(?:[0-9a-z\(-_\t .\\]{0,40})(?:[\s|']|[\s|"]){0,3})(?:=|\|\|:|<=|=>|:|\?=|\()(?:'|\"|\s|=|\x60){0,5}([0-9]{5,16}:A[a-z0-9_\-]{34})(?:['|\"|\n|\r|\s|\x60|;|\\]|$)
+ - pattern-regex: (?i:telegr(?:[0-9a-z\(-_\t .\\]{0,40})(?:[\s|']|[\s|"]){0,3})(?:=|\|\|:|<=|=>|:|\?=|\()(?:'|\"|\s|=|\x60){0,5}([0-9]{5,16}:A[a-z0-9_\-]{34})(?:['|\"|\n|\r|\s|\x60|;|\\]|$)
diff --git a/generic/secrets/gitleaks/vault-service-token.yaml b/generic/secrets/gitleaks/vault-service-token.yaml
index 87e757131c..34f1b706af 100644
--- a/generic/secrets/gitleaks/vault-service-token.yaml
+++ b/generic/secrets/gitleaks/vault-service-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)\b(hvs\.[a-z0-9_-]{90,100})(?:['|\"|\n|\r|\s|\x60|;]|$)
+ - pattern-regex: \b((?:hvs\.[\w-]{90,120}|s\.(?i:[a-z0-9]{24})))(?:['|\"|\n|\r|\s|\x60|;]|$)
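Review bot: In the new telegram-bot-api-token pattern-regex the class `[0-9a-z\(-_\t .\\]` contains the range `\(-_`, i.e. every code point from `(` (0x28) through `_` (0x5F) — digits, uppercase letters, `:`, `;`, `<`, `=`, `>`, `?`, `@`, `[`, `\`, `]`, `^` — rather than the three literals `(`, `-`, `_` it presumably intends, so the `{0,40}` window can swallow the `=` or `:` separator the following group is meant to anchor on. Escaping the hyphen, `[0-9a-z(\-_\t .\\]`, narrows the class to what the pattern reads as. The range is inherited from the upstream gitleaks rule rather than introduced here, so it is worth confirming against the source before diverging from it.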
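Review bot: The new `s\.(?i:[a-z0-9]{24})` branch in vault-service-token is guarded only by the shared leading `\b`, and `\b` holds after a `.`, so ordinary member access in code — `obj.s.` followed by a 24-character identifier and then `;`, a space or a quote — satisfies it; unlike the `hvs.` form the legacy token has no distinctive prefix, so this branch is where the rule's false positives will come from. A negative lookbehind, `(?<![\w.])s\.`, rejects the member-access case while leaving stand-alone tokens matched; the `hvs\.` branch, now case-sensitive and widened to `{90,120}`, reads fine. The rule's metadata lines are outside the hunk, so whether `confidence: LOW` already reflects this cannot be checked here.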