Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gitleaks for openSUSE:Factory checked in at 2024-06-03 17:42:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gitleaks (Old) and /work/SRC/openSUSE:Factory/.gitleaks.new.24587 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gitleaks" Mon Jun 3 17:42:43 2024 rev:4 rq:1178068 version:8.18.3 Changes: -------- --- /work/SRC/openSUSE:Factory/gitleaks/gitleaks.changes 2024-05-06 17:56:09.317427129 +0200 +++ /work/SRC/openSUSE:Factory/.gitleaks.new.24587/gitleaks.changes 2024-06-03 17:42:51.913711428 +0200 @@ -1,0 +2,19 @@ +Sat Jun 01 15:28:13 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 8.18.3: + * extend FB access token discovery (#1407) + * tests: scalingo validation consistent test (#1359) + * add real (test) standard and restricted keys (#1375) + * Add Cloudflare API and Origin CA keys (#1374) + * Update "contributing guidelines" link (#1390) + * add update token from square (#1370) + * feat: facebook secret, access token, and page access token + rules (#1372) + * update mailchimp with new tokens (#1376) + * Append ordered rules when extending (#1304) + * fix: age rule id with dashes (#1349) + * patching golang.org/x/text for CVE-2021-38561 and + CVE-2022-32149 (#1342) + * Use latest base images. (#1334) + +------------------------------------------------------------------- @@ -5 +24,2 @@ - * Remove IAM identifiers for non-credential resources in the aws-access-token rule + * Remove IAM identifiers for non-credential resources in the + aws-access-token rule @@ -7 +27,2 @@ - * --max-target-megabytes flag now supported for --no-git flag as well + * --max-target-megabytes flag now supported for --no-git flag as + well 
@@ -13,2 +34,4 @@ - * chore(config): refactor to go generate; simplify configRules init - * pretty apparent 'protect' and 'detect' should be merged into one command + * chore(config): refactor to go generate; simplify configRules + init + * pretty apparent 'protect' and 'detect' should be merged into + one command Old: ---- gitleaks-8.18.2.tar.gz New: ---- gitleaks-8.18.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gitleaks.spec ++++++ --- /var/tmp/diff_new_pack.fZB3aH/_old 2024-06-03 17:42:53.105755359 +0200 +++ /var/tmp/diff_new_pack.fZB3aH/_new 2024-06-03 17:42:53.109755506 +0200 @@ -1,7 +1,7 @@ # # spec file for package gitleaks # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de> # # All modifications and additions to the file contributed by third parties @@ -20,7 +20,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: gitleaks -Version: 8.18.2 +Version: 8.18.3 Release: 0 Summary: Protect and discover secrets using Gitleaks License: MIT ++++++ _service ++++++ --- /var/tmp/diff_new_pack.fZB3aH/_old 2024-06-03 17:42:53.157757275 +0200 +++ /var/tmp/diff_new_pack.fZB3aH/_new 2024-06-03 17:42:53.161757423 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/zricethezav/gitleaks</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v8.18.2</param> + <param name="revision">v8.18.3</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.fZB3aH/_old 2024-06-03 17:42:53.185758307 +0200 +++ /var/tmp/diff_new_pack.fZB3aH/_new 2024-06-03 17:42:53.189758455 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/zricethezav/gitleaks</param> - <param name="changesrevision">ac4b5146b0f112df989b4374abb2b12799e37cba</param></service></servicedata> + <param name="changesrevision">39947b0b0d3f1829438000819c1ba9dbeb023a89</param></service></servicedata> (No newline at EOF) ++++++ gitleaks-8.18.2.tar.gz -> gitleaks-8.18.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/Dockerfile new/gitleaks-8.18.3/Dockerfile --- old/gitleaks-8.18.2/Dockerfile 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/Dockerfile 2024-05-31 22:51:43.000000000 +0200 @@ -1,10 +1,10 @@ -FROM golang:1.19 AS build +FROM golang:1.21 AS build WORKDIR /go/src/github.com/zricethezav/gitleaks COPY . . RUN VERSION=$(git describe --tags --abbrev=0) && \ CGO_ENABLED=0 go build -o bin/gitleaks -ldflags "-X="github.com/zricethezav/gitleaks/v8/cmd.Version=${VERSION} -FROM alpine:3.16 +FROM alpine:3.19 RUN apk add --no-cache bash git openssh-client COPY --from=build /go/src/github.com/zricethezav/gitleaks/bin/* /usr/bin/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/README.md new/gitleaks-8.18.3/README.md --- old/gitleaks-8.18.2/README.md 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/README.md 2024-05-31 22:51:43.000000000 +0200 
@@ -382,7 +382,7 @@ ] ``` -Refer to the default [gitleaks config](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) for examples or follow the [contributing guidelines](https://github.com/zricethezav/gitleaks/blob/master/README.md) if you would like to contribute to the default configuration. Additionally, you can check out [this gitleaks blog post](https://blog.gitleaks.io/stop-leaking-secrets-configuration-2-3-aeed293b1fbf) which covers advanced configuration setups. +Refer to the default [gitleaks config](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) for examples or follow the [contributing guidelines](https://github.com/gitleaks/gitleaks/blob/master/CONTRIBUTING.md) if you would like to contribute to the default configuration. Additionally, you can check out [this gitleaks blog post](https://blog.gitleaks.io/stop-leaking-secrets-configuration-2-3-aeed293b1fbf) which covers advanced configuration setups. ### Additional Configuration diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/main.go new/gitleaks-8.18.3/cmd/generate/config/main.go --- old/gitleaks-8.18.2/cmd/generate/config/main.go 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/cmd/generate/config/main.go 2024-05-31 22:51:43.000000000 +0200 @@ -45,6 +45,9 @@ rules.CodecovAccessToken(), rules.CoinbaseAccessToken(), rules.Clojars(), + rules.CloudflareAPIKey(), + rules.CloudflareGlobalAPIKey(), + rules.CloudflareOriginCAKey(), rules.ConfluentAccessToken(), rules.ConfluentSecretKey(), rules.Contentful(), 
@@ -67,7 +70,9 @@ rules.EasyPost(), rules.EasyPostTestAPI(), rules.EtsyAccessToken(), - rules.Facebook(), + rules.FacebookSecret(), + rules.FacebookAccessToken(), + rules.FacebookPageAccessToken(), rules.FastlyAPIToken(), rules.FinicityClientSecret(), rules.FinicityAPIToken(), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/age.go new/gitleaks-8.18.3/cmd/generate/config/rules/age.go --- old/gitleaks-8.18.2/cmd/generate/config/rules/age.go 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/cmd/generate/config/rules/age.go 2024-05-31 22:51:43.000000000 +0200 @@ -10,7 +10,7 @@ // define rule r := config.Rule{ Description: "Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information.", - RuleID: "age secret key", + RuleID: "age-secret-key", Regex: regexp.MustCompile(`AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}`), Keywords: []string{"AGE-SECRET-KEY-1"}, } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/cloudflare.go new/gitleaks-8.18.3/cmd/generate/config/rules/cloudflare.go --- old/gitleaks-8.18.2/cmd/generate/config/rules/cloudflare.go 1970-01-01 01:00:00.000000000 +0100 +++ new/gitleaks-8.18.3/cmd/generate/config/rules/cloudflare.go 2024-05-31 22:51:43.000000000 +0200 
@@ -0,0 +1,76 @@ +package rules + +import ( + "github.com/zricethezav/gitleaks/v8/config" +) + +var global_keys = []string{ + `cloudflare_global_api_key = "d3d1443e0adc9c24564c6c5676d679d47e2ca"`, // gitleaks:allow + `CLOUDFLARE_GLOBAL_API_KEY: 674538c7ecac77d064958a04a83d9e9db068c`, // gitleaks:allow + `cloudflare: "0574b9f43978174cc2cb9a1068681225433c4"`, // gitleaks:allow +} + +var api_keys = []string{ + `cloudflare_api_key = "Bu0rrK-lerk6y0Suqo1qSqlDDajOk61wZchCkje4"`, // gitleaks:allow + `CLOUDFLARE_API_KEY: 5oK0U90ME14yU6CVxV90crvfqVlNH2wRKBwcLWDc`, // gitleaks:allow + `cloudflare: "oj9Yoyq0zmOyWmPPob1aoY5YSNNuJ0fbZSOURBlX"`, // gitleaks:allow +} + +var origin_ca_keys = []string{ + `CLOUDFLARE_ORIGIN_CA: v1.0-aaa334dc886f30631ba0a610-0d98ef66290d7e50aac7c27b5986c99e6f3f1084c881d8ac0eae5de1d1aa0644076ff57022069b3237d19afe60ad045f207ef2b16387ee37b749441b2ae2e9ebe5b4606e846475d4a5`, + `CLOUDFLARE_ORIGIN_CA: v1.0-15d20c7fccb4234ac5cdd756-d5c2630d1b606535cf9320ae7456b090e0896cec64169a92fae4e931ab0f72f111b2e4ffed5b2bb40f6fba6b2214df23b188a23693d59ce3fb0d28f7e89a2206d98271b002dac695ed`, +} + +var identifiers = []string{"cloudflare"} + +func CloudflareGlobalAPIKey() *config.Rule { + // define rule + r := config.Rule{ + Description: "Detected a Cloudflare Global API Key, potentially compromising cloud application deployments and operational security.", + RuleID: "cloudflare-global-api-key", + Regex: generateSemiGenericRegex(identifiers, hex("37"), true), + + Keywords: identifiers, + } + + // validate + tps := global_keys + fps := append(api_keys, origin_ca_keys...) 
+ + return validate(r, tps, fps) +} + +func CloudflareAPIKey() *config.Rule { + // define rule + r := config.Rule{ + Description: "Detected a Cloudflare API Key, potentially compromising cloud application deployments and operational security.", + RuleID: "cloudflare-api-key", + Regex: generateSemiGenericRegex(identifiers, alphaNumericExtendedShort("40"), true), + + Keywords: identifiers, + } + + // validate + tps := api_keys + fps := append(global_keys, origin_ca_keys...) + + return validate(r, tps, fps) +} + +func CloudflareOriginCAKey() *config.Rule { + ca_identifiers := append(identifiers, "v1.0-") + // define rule + r := config.Rule{ + Description: "Detected a Cloudflare Origin CA Key, potentially compromising cloud application deployments and operational security.", + RuleID: "cloudflare-origin-ca-key", + Regex: generateUniqueTokenRegex(`v1\.0-`+hex("24")+"-"+hex("146"), false), + + Keywords: ca_identifiers, + } + + // validate + tps := origin_ca_keys + fps := append(global_keys, api_keys...) + + return validate(r, tps, fps) +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/facebook.go new/gitleaks-8.18.3/cmd/generate/config/rules/facebook.go --- old/gitleaks-8.18.2/cmd/generate/config/rules/facebook.go 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/cmd/generate/config/rules/facebook.go 2024-05-31 22:51:43.000000000 +0200 
@@ -5,11 +5,13 @@ "github.com/zricethezav/gitleaks/v8/config" ) -func Facebook() *config.Rule { +// This rule includes both App Secret and Client Access Token +// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/ +func FacebookSecret() *config.Rule { // define rule r := config.Rule{ - Description: "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.", - RuleID: "facebook", + Description: "Discovered a Facebook Application secret, posing a risk of unauthorized access to Facebook accounts and personal data exposure.", + RuleID: "facebook-secret", Regex: generateSemiGenericRegex([]string{"facebook"}, hex("32"), true), Keywords: []string{"facebook"}, 
@@ -18,6 +20,46 @@ // validate tps := []string{ generateSampleSecret("facebook", secrets.NewSecret(hex("32"))), + `facebook_app_secret = "6dca6432e45d933e13650d1882bd5e69"`, // gitleaks:allow + `facebook_client_access_token: 26f5fd13099f2c1331aafb86f6489692`, // gitleaks:allow + } + return validate(r, tps, nil) +} + +// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/#ap... +func FacebookAccessToken() *config.Rule { + // define rule + r := config.Rule{ + Description: "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.", + RuleID: "facebook-access-token", + Regex: generateUniqueTokenRegex(`\d{15,16}(\||%)[0-9a-z\-_]{27,40}`, true), + } + + // validate + tps := []string{ + `{"access_token":"911602140448729|AY-lRJZq9BoDLobvAiP25L7RcMg","token_type":"bearer"}`, // gitleaks:allow + `1308742762612587|rhoK1cbv0DOU_RTX_87O4MkX7AI`, // gitleaks:allow + `1477036645700765|wRPf2v3mt2JfMqCLK8n7oltrEmc`, // gitleaks:allow + } + return validate(r, tps, nil) +} + +// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/#pa... 
+func FacebookPageAccessToken() *config.Rule { + // define rule + r := config.Rule{ + Description: "Discovered a Facebook Page Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.", + RuleID: "facebook-page-access-token", + Regex: generateUniqueTokenRegex("EAA[MC]"+alphaNumeric("20,"), true), + Keywords: []string{"EAAM", "EAAC"}, + } + + // validate + tps := []string{ + `EAAM9GOnCB9kBO2frzOAWGN2zMnZClQshlWydZCrBNdodesbwimx1mfVJgqZBP5RSpMfUzWhtjTTXHG5I1UlvlwRZCgjm3ZBVGeTYiqAAoxyED6HaUdhpGVNoPUwAuAWWFsi9OvyYBQt22DGLqMIgD7VktuCTTZCWKasz81Q822FPhMTB9VFFyClNzQ0NLZClt9zxpsMMrUZCo1VU1rL3CKavir5QTfBjfCEzHNlWAUDUV2YZD`, // gitleaks:allow + `EAAM9GOnCB9kBO2zXpAtRBmCrsPPjdA3KeBl4tqsEpcYd09cpjm9MZCBIklZBjIQBKGIJgFwm8IE17G5pipsfRBRBEHMWxvJsL7iHLUouiprxKRQfAagw8BEEDucceqxTiDhVW2IZAQNNbf0d1JhcapAGntx5S1Csm4j0GgZB3DuUfI2HJ9aViTtdfH2vjBy0wtpXm2iamevohGfoF4NgyRHusDLjqy91uYMkfrkc`, // gitleaks:allow + `- name: FACEBOOK_TOKEN + value: "EAACEdEose0cBA1bad3afsf2aew"`, // gitleaks:allow } return validate(r, tps, nil) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/heroku.go new/gitleaks-8.18.3/cmd/generate/config/rules/heroku.go --- old/gitleaks-8.18.2/cmd/generate/config/rules/heroku.go 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/cmd/generate/config/rules/heroku.go 2024-05-31 22:51:43.000000000 +0200 
@@ -17,6 +17,7 @@ // validate tps := []string{ `const HEROKU_KEY = "12345678-ABCD-ABCD-ABCD-1234567890AB"`, // gitleaks:allow + `heroku_api_key = "832d2129-a846-4e27-99f4-7004b6ad53ef"`, // gitleaks:allow } return validate(r, tps, nil) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/mailchimp.go new/gitleaks-8.18.3/cmd/generate/config/rules/mailchimp.go --- old/gitleaks-8.18.2/cmd/generate/config/rules/mailchimp.go 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/cmd/generate/config/rules/mailchimp.go 2024-05-31 22:51:43.000000000 +0200 @@ -10,7 +10,7 @@ r := config.Rule{ RuleID: "mailchimp-api-key", Description: "Identified a Mailchimp API key, potentially compromising email marketing campaigns and subscriber data.", - Regex: generateSemiGenericRegex([]string{"mailchimp"}, `[a-f0-9]{32}-us20`, true), + Regex: generateSemiGenericRegex([]string{"MailchimpSDK.initialize", "mailchimp"}, hex("32")+`-us\d\d`, true), Keywords: []string{ "mailchimp", @@ -20,6 +20,12 @@ // validate tps := []string{ generateSampleSecret("mailchimp", secrets.NewSecret(hex("32"))+"-us20"), + `mailchimp_api_key: cefa780880ba5f5696192a34f6292c35-us18`, // gitleaks:allow + `MAILCHIMPE_KEY = "b5b9f8e50c640da28993e8b6a48e3e53-us18"`, // gitleaks:allow } - return validate(r, tps, nil) + fps := []string{ + // False Negative + `MailchimpSDK.initialize(token: 3012a5754bbd716926f99c028f7ea428-us18)`, // gitleaks:allow + } + return validate(r, tps, fps) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/scalingo.go new/gitleaks-8.18.3/cmd/generate/config/rules/scalingo.go --- old/gitleaks-8.18.2/cmd/generate/config/rules/scalingo.go 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/cmd/generate/config/rules/scalingo.go 2024-05-31 22:51:43.000000000 +0200 
@@ -1,8 +1,6 @@ package rules import ( - "regexp" - "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets" "github.com/zricethezav/gitleaks/v8/config" ) @@ -12,13 +10,14 @@ r := config.Rule{ Description: "Found a Scalingo API token, posing a risk to cloud platform services and application deployment security.", RuleID: "scalingo-api-token", - Regex: regexp.MustCompile(`\btk-us-[a-zA-Z0-9-_]{48}\b`), + Regex: generateUniqueTokenRegex(`tk-us-[a-zA-Z0-9-_]{48}`, false), Keywords: []string{"tk-us-"}, } // validate tps := []string{ generateSampleSecret("scalingo", "tk-us-"+secrets.NewSecret(alphaNumericExtendedShort("48"))), + `scalingo_api_token = "tk-us-loys7ib9yrxcys_ta2sq85mjar6lgcsspkd9x61s7h5epf_-"`, // gitleaks:allow } return validate(r, tps, nil) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/square.go new/gitleaks-8.18.3/cmd/generate/config/rules/square.go --- old/gitleaks-8.18.2/cmd/generate/config/rules/square.go 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/cmd/generate/config/rules/square.go 2024-05-31 22:51:43.000000000 +0200 @@ -10,13 +10,15 @@ r := config.Rule{ RuleID: "square-access-token", Description: "Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure.", - Regex: generateUniqueTokenRegex(`sq0atp-[0-9A-Za-z\-_]{22}`, true), - Keywords: []string{"sq0atp-"}, + Regex: generateUniqueTokenRegex(`(EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60}`, true), + Keywords: []string{"sq0atp-", "EAAA"}, } // validate tps := []string{ generateSampleSecret("square", secrets.NewSecret(`sq0atp-[0-9A-Za-z\-_]{22}`)), + "ARG token=sq0atp-812erere3wewew45678901", // gitleaks:allow + "ARG token=EAAAlsBxkkVgvmr7FasTFbM6VUGZ31EJ4jZKTJZySgElBDJ_wyafHuBFquFexY7E", // gitleaks:allow", } return validate(r, tps, nil) } 
@@ -33,6 +35,7 @@ // validate tps := []string{ generateSampleSecret("square", secrets.NewSecret(`sq0csp-[0-9A-Za-z\\-_]{43}`)), + `value: "sq0csp-0p9h7g6f4s3s3s3-4a3ardgwa6ADRDJDDKUFYDYDYDY"`, // gitleaks:allow } return validate(r, tps, nil) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/stripe.go new/gitleaks-8.18.3/cmd/generate/config/rules/stripe.go --- old/gitleaks-8.18.2/cmd/generate/config/rules/stripe.go 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/cmd/generate/config/rules/stripe.go 2024-05-31 22:51:43.000000000 +0200 
@@ -10,15 +10,23 @@ r := config.Rule{ Description: "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.", RuleID: "stripe-access-token", - Regex: generateUniqueTokenRegex(`(sk)_(test|live)_[0-9a-z]{10,32}`, true), + Regex: generateUniqueTokenRegex(`(sk|rk)_(test|live|prod)_[0-9a-z]{10,99}`, true), Keywords: []string{ "sk_test", "sk_live", + "sk_prod", + "rk_test", + "rk_live", + "rk_prod", }, } // validate - tps := []string{"stripeToken := \"sk_test_" + secrets.NewSecret(alphaNumeric("30")) + "\""} + tps := []string{ + "stripeToken := \"sk_test_" + secrets.NewSecret(alphaNumeric("30")) + "\"", + "sk_test_51OuEMLAlTWGaDypq4P5cuDHbuKeG4tAGPYHJpEXQ7zE8mKK3jkhTFPvCxnSSK5zB5EQZrJsYdsatNmAHGgb0vSKD00GTMSWRHs", // gitleaks:allow + "rk_prod_51OuEMLAlTWGaDypquDn9aZigaJOsa9NR1w1BxZXs9JlYsVVkv5XDu6aLmAxwt5Tgun5WcSwQMKzQyqV16c9iD4sx00BRijuoon", // gitleaks:allow + } fps := []string{"nonMatchingToken := \"task_test_" + secrets.NewSecret(alphaNumeric("30")) + "\""} return validate(r, tps, fps) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/config/allowlist.go new/gitleaks-8.18.3/config/allowlist.go --- old/gitleaks-8.18.2/config/allowlist.go 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/config/allowlist.go 2024-05-31 22:51:43.000000000 +0200 
@@ -14,7 +14,13 @@ // Regexes is slice of content regular expressions that are allowed to be ignored. Regexes []*regexp.Regexp - // RegexTarget + // Can be `match` or `line`. + // + // If `match` the _Regexes_ will be tested against the match of the _Rule.Regex_. + // + // If `line` the _Regexes_ will be tested against the entire line. + // + // If RegexTarget is empty, it will be tested against the found secret. RegexTarget string // Paths is a slice of path regular expressions that are allowed to be ignored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/config/config.go new/gitleaks-8.18.3/config/config.go --- old/gitleaks-8.18.2/config/config.go 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/config/config.go 2024-05-31 22:51:43.000000000 +0200 @@ -4,6 +4,7 @@ _ "embed" "fmt" "regexp" + "sort" "strings" "github.com/rs/zerolog/log" @@ -62,7 +63,7 @@ Keywords []string // used to keep sarif results consistent - orderedRules []string + OrderedRules []string } // Extend is a struct that allows users to define how they want their @@ -158,7 +159,7 @@ StopWords: vc.Allowlist.StopWords, }, Keywords: keywords, - orderedRules: orderedRules, + OrderedRules: orderedRules, } if maxExtendDepth != extendDepth { @@ -177,9 +178,9 @@ return c, nil } -func (c *Config) OrderedRules() []Rule { +func (c *Config) GetOrderedRules() []Rule { var orderedRules []Rule - for _, id := range c.orderedRules { + for _, id := range c.OrderedRules { if _, ok := c.Rules[id]; ok { orderedRules = append(orderedRules, c.Rules[id]) } @@ -240,6 +241,7 @@ log.Trace().Msgf("adding %s to base config", ruleID) c.Rules[ruleID] = rule c.Keywords = append(c.Keywords, rule.Keywords...) + c.OrderedRules = append(c.OrderedRules, ruleID) } } 
@@ -250,4 +252,7 @@ extensionConfig.Allowlist.Paths...) c.Allowlist.Regexes = append(c.Allowlist.Regexes, extensionConfig.Allowlist.Regexes...) + + // sort to keep extended rules in order + sort.Strings(c.OrderedRules) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/config/gitleaks.toml new/gitleaks-8.18.3/config/gitleaks.toml --- old/gitleaks-8.18.2/config/gitleaks.toml 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/config/gitleaks.toml 2024-05-31 22:51:43.000000000 +0200 @@ -50,7 +50,7 @@ ] [[rules]] -id = "age secret key" +id = "age-secret-key" description = "Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information." regex = '''AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}''' keywords = [ 
@@ -178,6 +178,30 @@ ] [[rules]] +id = "cloudflare-api-key" +description = "Detected a Cloudflare API Key, potentially compromising cloud application deployments and operational security." +regex = '''(?i)(?:cloudflare)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "cloudflare", +] + +[[rules]] +id = "cloudflare-global-api-key" +description = "Detected a Cloudflare Global API Key, potentially compromising cloud application deployments and operational security." +regex = '''(?i)(?:cloudflare)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{37})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "cloudflare", +] + +[[rules]] +id = "cloudflare-origin-ca-key" +description = "Detected a Cloudflare Origin CA Key, potentially compromising cloud application deployments and operational security." +regex = '''\b(v1\.0-[a-f0-9]{24}-[a-f0-9]{146})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "cloudflare","v1.0-", +] + +[[rules]] id = "codecov-access-token" description = "Found a pattern resembling a Codecov Access Token, posing a risk of unauthorized access to code coverage reports and sensitive data." regex = '''(?i)(?:codecov)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' 
@@ -370,8 +394,21 @@ ] [[rules]] -id = "facebook" +id = "facebook-access-token" description = "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure." +regex = '''(?i)\b(\d{15,16}(\||%)[0-9a-z\-_]{27,40})(?:['|\"|\n|\r|\s|\x60|;]|$)''' + +[[rules]] +id = "facebook-page-access-token" +description = "Discovered a Facebook Page Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure." +regex = '''(?i)\b(EAA[MC][a-z0-9]{20,})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "eaam","eaac", +] + +[[rules]] +id = "facebook-secret" +description = "Discovered a Facebook Application secret, posing a risk of unauthorized access to Facebook accounts and personal data exposure." regex = '''(?i)(?:facebook)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' keywords = [ "facebook", @@ -2237,7 +2274,7 @@ [[rules]] id = "mailchimp-api-key" description = "Identified a Mailchimp API key, potentially compromising email marketing campaigns and subscriber data." -regex = '''(?i)(?:mailchimp)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32}-us20)(?:['|\"|\n|\r|\s|\x60|;]|$)''' +regex = '''(?i)(?:MailchimpSDK.initialize|mailchimp)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32}-us\d\d)(?:['|\"|\n|\r|\s|\x60|;]|$)''' keywords = [ "mailchimp", ] @@ -2487,7 +2524,7 @@ [[rules]] id = "scalingo-api-token" description = "Found a Scalingo API token, posing a risk to cloud platform services and application deployment security." -regex = '''\btk-us-[a-zA-Z0-9-_]{48}\b''' +regex = '''\b(tk-us-[a-zA-Z0-9-_]{48})(?:['|\"|\n|\r|\s|\x60|;]|$)''' keywords = [ "tk-us-", ] 
@@ -2672,9 +2709,9 @@ [[rules]] id = "square-access-token" description = "Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure." -regex = '''(?i)\b(sq0atp-[0-9A-Za-z\-_]{22})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +regex = '''(?i)\b((EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60})(?:['|\"|\n|\r|\s|\x60|;]|$)''' keywords = [ - "sq0atp-", + "sq0atp-","eaaa", ] [[rules]] @@ -2688,9 +2725,9 @@ [[rules]] id = "stripe-access-token" description = "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data." -regex = '''(?i)\b((sk)_(test|live)_[0-9a-z]{10,32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +regex = '''(?i)\b((sk|rk)_(test|live|prod)_[0-9a-z]{10,99})(?:['|\"|\n|\r|\s|\x60|;]|$)''' keywords = [ - "sk_test","sk_live", + "sk_test","sk_live","sk_prod","rk_test","rk_live","rk_prod", ] [[rules]] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/go.mod new/gitleaks-8.18.3/go.mod --- old/gitleaks-8.18.2/go.mod 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/go.mod 2024-05-31 22:51:43.000000000 +0200 @@ -41,7 +41,7 @@ github.com/subosito/gotenv v1.2.0 // indirect golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect golang.org/x/sys v0.6.0 // indirect - golang.org/x/text v0.3.6 // indirect + golang.org/x/text v0.3.8 // indirect gopkg.in/ini.v1 v1.62.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/go.sum new/gitleaks-8.18.3/go.sum --- old/gitleaks-8.18.2/go.sum 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/go.sum 2024-05-31 22:51:43.000000000 +0200 
@@ -448,8 +448,9 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/report/sarif.go new/gitleaks-8.18.3/report/sarif.go --- old/gitleaks-8.18.2/report/sarif.go 2024-02-01 15:23:13.000000000 +0100 +++ new/gitleaks-8.18.3/report/sarif.go 2024-05-31 22:51:43.000000000 +0200 @@ -55,7 +55,7 @@ func getRules(cfg config.Config) []Rules { // TODO for _, rule := range cfg.Rules { var rules []Rules - for _, rule := range cfg.OrderedRules() { + for _, rule := range cfg.GetOrderedRules() { shortDescription := ShortDescription{ Text: rule.Description, } ++++++ vendor.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/AUTHORS new/vendor/golang.org/x/text/AUTHORS --- old/vendor/golang.org/x/text/AUTHORS 2024-05-05 17:19:32.000000000 +0200 +++ new/vendor/golang.org/x/text/AUTHORS 1970-01-01 01:00:00.000000000 +0100 
@@ -1,3 +0,0 @@ -# This source code refers to The Go Authors for copyright purposes. -# The master list of authors is in the main Go distribution, -# visible at http://tip.golang.org/AUTHORS. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/CONTRIBUTORS new/vendor/golang.org/x/text/CONTRIBUTORS --- old/vendor/golang.org/x/text/CONTRIBUTORS 2024-05-05 17:19:32.000000000 +0200 +++ new/vendor/golang.org/x/text/CONTRIBUTORS 1970-01-01 01:00:00.000000000 +0100 @@ -1,3 +0,0 @@ -# This source code was written by the Go contributors. -# The master list of contributors is in the main Go distribution, -# visible at http://tip.golang.org/CONTRIBUTORS. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/unicode/norm/forminfo.go new/vendor/golang.org/x/text/unicode/norm/forminfo.go --- old/vendor/golang.org/x/text/unicode/norm/forminfo.go 2024-05-05 17:19:32.000000000 +0200 +++ new/vendor/golang.org/x/text/unicode/norm/forminfo.go 2024-06-01 17:28:17.000000000 +0200 
@@ -110,10 +110,11 @@ } // We pack quick check data in 4 bits: -// 5: Combines forward (0 == false, 1 == true) -// 4..3: NFC_QC Yes(00), No (10), or Maybe (11) -// 2: NFD_QC Yes (0) or No (1). No also means there is a decomposition. -// 1..0: Number of trailing non-starters. +// +// 5: Combines forward (0 == false, 1 == true) +// 4..3: NFC_QC Yes(00), No (10), or Maybe (11) +// 2: NFD_QC Yes (0) or No (1). No also means there is a decomposition. +// 1..0: Number of trailing non-starters. // // When all 4 bits are zero, the character is inert, meaning it is never // influenced by normalization. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/unicode/norm/normalize.go new/vendor/golang.org/x/text/unicode/norm/normalize.go --- old/vendor/golang.org/x/text/unicode/norm/normalize.go 2024-05-05 17:19:32.000000000 +0200 +++ new/vendor/golang.org/x/text/unicode/norm/normalize.go 2024-06-01 17:28:17.000000000 +0200 
@@ -18,16 +18,17 @@ // A Form denotes a canonical representation of Unicode code points. // The Unicode-defined normalization and equivalence forms are: // -// NFC Unicode Normalization Form C -// NFD Unicode Normalization Form D -// NFKC Unicode Normalization Form KC -// NFKD Unicode Normalization Form KD +// NFC Unicode Normalization Form C +// NFD Unicode Normalization Form D +// NFKC Unicode Normalization Form KC +// NFKD Unicode Normalization Form KD // // For a Form f, this documentation uses the notation f(x) to mean // the bytes or string x converted to the given form. // A position n in x is called a boundary if conversion to the form can // proceed independently on both sides: -// f(x) == append(f(x[0:n]), f(x[n:])...) +// +// f(x) == append(f(x[0:n]), f(x[n:])...) // // References: https://unicode.org/reports/tr15/ and // https://unicode.org/notes/tn5/. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go new/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go --- old/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go 2024-05-05 17:19:32.000000000 +0200 +++ new/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go 2024-06-01 17:28:17.000000000 +0200 @@ -7315,7 +7315,7 @@ "\x00V\x03\x03\x00\x00\x1e|" + // 0x00560303: 0x00001E7C "\x00v\x03\x03\x00\x00\x1e}" + // 0x00760303: 0x00001E7D "\x00V\x03#\x00\x00\x1e~" + // 0x00560323: 0x00001E7E - "\x00v\x03#\x00\x00\x1e\u007f" + // 0x00760323: 0x00001E7F + "\x00v\x03#\x00\x00\x1e\x7f" + // 0x00760323: 0x00001E7F "\x00W\x03\x00\x00\x00\x1e\x80" + // 0x00570300: 0x00001E80 "\x00w\x03\x00\x00\x00\x1e\x81" + // 0x00770300: 0x00001E81 "\x00W\x03\x01\x00\x00\x1e\x82" + // 0x00570301: 0x00001E82 
@@ -7342,7 +7342,7 @@ "\x00t\x03\b\x00\x00\x1e\x97" + // 0x00740308: 0x00001E97 "\x00w\x03\n\x00\x00\x1e\x98" + // 0x0077030A: 0x00001E98 "\x00y\x03\n\x00\x00\x1e\x99" + // 0x0079030A: 0x00001E99 - "\x01\u007f\x03\a\x00\x00\x1e\x9b" + // 0x017F0307: 0x00001E9B + "\x01\x7f\x03\a\x00\x00\x1e\x9b" + // 0x017F0307: 0x00001E9B "\x00A\x03#\x00\x00\x1e\xa0" + // 0x00410323: 0x00001EA0 "\x00a\x03#\x00\x00\x1e\xa1" + // 0x00610323: 0x00001EA1 "\x00A\x03\t\x00\x00\x1e\xa2" + // 0x00410309: 0x00001EA2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/modules.txt new/vendor/modules.txt --- old/vendor/modules.txt 2024-05-05 17:19:32.000000000 +0200 +++ new/vendor/modules.txt 2024-06-01 17:28:17.000000000 +0200 @@ -116,8 +116,8 @@ golang.org/x/sys/internal/unsafeheader golang.org/x/sys/unix golang.org/x/sys/windows -# golang.org/x/text v0.3.6 -## explicit; go 1.11 +# golang.org/x/text v0.3.8 +## explicit; go 1.17 golang.org/x/text/transform golang.org/x/text/unicode/norm # gopkg.in/ini.v1 v1.62.0
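Review bot: the Dockerfile hunk bumps `golang:1.19` to `golang:1.21` and `alpine:3.16` to `alpine:3.19` but keeps both as floating tags with no `@sha256:` digest, so the build image can change underneath the package between two runs of the same spec; for a tool whose whole job is supply-chain hygiene, pin the digests (or at least the full patch version) and bump them on purpose.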
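Review bot: the rule id renames (`age secret key` to `age-secret-key` in age.go and gitleaks.toml, and `facebook` to `facebook-secret` in facebook.go and gitleaks.toml, with `facebook-access-token` and `facebook-page-access-token` split out) are user-visible breaking changes: any downstream config that references the old id in an extended ruleset or allowlist, and any ignore fingerprint that embeds the rule id, silently stops applying after the upgrade. The changes entry files the first one as a plain "fix"; both deserve an explicit call-out in the changelog.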
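Review bot: in cloudflare.go the names `identifiers`, `global_keys`, `api_keys` and `origin_ca_keys` are declared at package scope of the shared `rules` package, so the next rule file that wants a package-level `identifiers` will fail to compile, and the snake_case names are the kind Go style checkers flag; prefix them (`cloudflareIdentifiers`, `cloudflareGlobalKeys`, ...). Related: `append(identifiers, "v1.0-")` in CloudflareOriginCAKey and `append(api_keys, origin_ca_keys...)` / `append(global_keys, ...)` append to package-level slices and only avoid aliasing because the slice literals have no spare capacity; copy explicitly (`append([]string{}, identifiers...)`) so a later edit that pre-sizes those slices does not corrupt them.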
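Review bot: the new `facebook-access-token` rule in facebook.go (and its `[[rules]]` block in gitleaks.toml) has no `Keywords`, unlike every other rule in this patch. A rule without keywords is not gated by the keyword pre-filter and is run against every fragment, so `\d{15,16}(\||%)[0-9a-z\-_]{27,40}` will be evaluated everywhere and will fire on any 15-16 digit number followed by `|` or `%` and 27-40 token characters, which describes pipe-delimited records and URL-encoded query strings as well as tokens. Either add a discriminating keyword or state in the comment that the always-on scan is deliberate and accepted.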
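Review bot: in mailchimp.go the sample `MailchimpSDK.initialize(token: 3012a5754bbd716926f99c028f7ea428-us18)` is added under `fps` with the comment `// False Negative`, which makes `validate` assert that the rule must NOT match it; that enshrines the bug in the test suite, so a future regex fix fails validation for no good reason. The reason it cannot match is visible in the regex itself: after the `MailchimpSDK.initialize` alternative the next character is `(`, which is neither in the `[0-9a-z\-_\t .]{0,20}` separator class nor in the assignment-operator group, so the newly added identifier never contributes a match (and its unescaped `.` matches any character anyway). Either extend the separator to accept `(` and move the sample to `tps`, or drop the `MailchimpSDK.initialize` alternative and the sample.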
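Review bot: the scalingo.go change from `regexp.MustCompile(\btk-us-...\b)` to `generateUniqueTokenRegex(..., false)` is what makes the new sample pass, and that is worth saying in the commit text instead of the opaque "consistent test": the sample ends in `_-"`, and a trailing `\b` between `-` and `"` (both non-word characters) never matches, whereas the generated terminator group `(?:['|\"|\n|\r|\s|\x60|;]|$)` accepts the closing quote.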
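Review bot: in square.go the second new sample line ends with `// gitleaks:allow",` (a stray `",` inside the comment); it compiles but is a paste error, please clean it up. More substantively, widening the pattern to `(EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60}` with the new keyword `eaaa` under `(?i)` means any base64-looking run that merely starts with `EAAA` (or `eaaa`) and continues for 22 to 60 token characters is now reported as a Square access token; the `EAAA` sample here is 60 characters after the prefix, so if that length is the real format, require it for the `EAAA` branch, and in any case add an `fps` sample so the breadth is measured by `validate` rather than discovered by users.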
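Review bot: in stripe.go the new upper bound `{10,99}` was evidently chosen to fit the two new samples, which are exactly 99 characters after the `sk_test_` / `rk_prod_` prefix; that leaves zero margin, and a key one character longer would silently not match because the terminator group then sees a token character instead of a quote. Since the terminator group already bounds the token, `{10,}` is safer. Also, neither the diff nor the changes entry points to a Stripe key format that uses `_prod_`; if that prefix is not documented, the `prod` alternative and the `sk_prod` / `rk_prod` keywords only widen the pattern for nothing.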
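Review bot: the `RegexTarget` doc comment added in allowlist.go should begin with the field name (`// RegexTarget can be ...`) so it renders as that field's documentation, and the three cases are ambiguous as written: `match` is "the match of the _Rule.Regex_" while the empty value is "the found secret", and a reader cannot tell from the comment whether those are the same thing or how they differ (whole match versus capture group, for instance). Spell that out, since this field decides whether an allowlist regex suppresses a finding.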
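Review bot: config.go turns the unexported `orderedRules` into the exported `OrderedRules` field and renames the `OrderedRules()` accessor to `GetOrderedRules()`; report/sarif.go is updated, but this breaks anyone importing gitleaks as a library, and a `Get` prefix is un-Go-like. If the export exists only for tests, keep the field unexported and expose the accessor. Separately, the `sort.Strings(c.OrderedRules)` added at the end of the extend path sorts ids alphabetically, while a config without `extend` keeps `OrderedRules` in TOML order from the constructor hunk, so SARIF rule order now depends on whether a config was extended; either sort on both paths or keep append order and fix the comment, which says "keep extended rules in order" but actually re-orders them.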
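Review bot: the x/text bump to v0.3.8 (go.mod, go.sum, vendor/modules.txt) is the right version for the two CVEs named in the changes entry, but vendor/modules.txt shows only `golang.org/x/text/transform` and `golang.org/x/text/unicode/norm` are vendored, and CVE-2021-38561 and CVE-2022-32149 are both in the `language` package, so this closes a scanner finding rather than a reachable vulnerability; say so in the changelog rather than implying gitleaks itself was exploitable. The remaining vendored diffs (gofmt comment re-indentation in forminfo.go and normalize.go, `\u007f` to `\x7f` in tables13.0.0.go, the deleted AUTHORS/CONTRIBUTORS files) are cosmetic and confirm that no code path in the vendored packages changed.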