Configuration Secrets

Hardcoded Database Passwords

version: v0.1

Comments / Notes:

  • Only support for Postgres and MySQL password strings

  • Checks if the password is null / length of 0

  • Supports quoted passwords

  • Case insensitive

Pattern Format
[^\r\n\x00-\x08]+
Start Pattern
(?:[^0-9A-Za-z]|\A)(?i)(?:postgres|mysql|mysql_root)_password[\t ]*[=:][\t ]*['"]?
End Pattern
\z|[\r\n'"]

Hardcoded Spring SQL passwords

Hardcoded JDBC / Spring datasource passwords, which are typically found in property files or passed in at runtime

version: v0.1

Pattern Format
[^\r\n'"\x00-\x08]+
Start Pattern
(\A|\b)(?:spring\.datasource|jdbc)\.password[ \t]*=[ \t]*['"]?
End Pattern
\z|['"\r\n]

Django Secret Key

version: v0.1

Pattern Format
[^\r\n"']+
Start Pattern
(\b|\A)SECRET_KEY[ \t]*=[ \t]*["']
End Pattern
['"]

YAML Static Password Fields

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before committing to org level) ⚠️ Pattern to find hardcoded passwords in YAML configuration files

version: v0.2

Comments / Notes:

  • Expect large numbers of false positives on variables containing 'key' or 'token'

  • The hardcoded password is any length

  • Some false positives in code might appear

  • The pattern only checks for certain key words to end the variable name (secret, password, etc.)

  • Does not allow for multiline blocks

Pattern Format
[^\r\n`'"\x00-\x08]+
Start Pattern
(?:\n|\A)[ \t]*(?i)[a-z_-]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key|token)[ \t]*:[ \t]*['"]?
End Pattern
['"\r\n]|\z
Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

  • Not Match:

    ^(keyPassphrase|password|key|[ \t]+|\$\{[^}]+}|(str|string|int|bool)( +#.*)?),?$
  • Not Match:

    ^(.* = )?(None|[Tt]rue|[Ff]alse|[Nn]ull|Default(Type)?|Event|[A-Z]+_KEY|VERSION|NAME|update|destroy|(?:dis|en)ableEventListeners|\.\.\.),?$
  • Not Match:

    ^(((this|self|obj)\.)([A-Za-z_]+\,|[A-Za-z_].*)|\{\}|\[\]|[0-9a-zA-Z],|\{)$
  • Not Match:

    ^(([a-zA-Z_]+(\(\))?\.)*[a-zA-Z_]+\(\)|\|\s*)$|\{\{[^}]+\}\}|\$\{\{ |^!Ref |^\$\(.*\)|^(https?|file)://|^(/[a-zA-Z0-9./_-]+/)?[a-zA-Z0-9_-]{5,}(\.(pem|crt|key|cer|pub|der)|_rsa)$|^=|\(\) => |\([^)]+\) => \{
  • Not Match:

    ^\s*(typing\.)?([Tt]uple|[Ll]ist|[Dd]ict|Callable|Iterable|Sequence|Optional|Union)\[.*$
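As an added worked example (not code from the page's project), this is how the rule above is evaluated end to end: Start Pattern, Pattern Format and End Pattern are joined into one expression, and each candidate secret is then dropped if any of the five Not Match expressions matches it. It assumes Python's `re` in place of GitHub's Hyperscan engine, so `\z` is rewritten to `\Z` and the mid-pattern `(?i)` is hoisted to a flag; the sample YAML is constructed.

```python
import re

# Added example, not code from the secret-scanning-custom-patterns project: an
# offline check of the "YAML Static Password Fields" rule. Start + Format + End
# yield a candidate, which must then survive every "Not Match" expression.
# Assumptions: Python's re stands in for GitHub's Hyperscan, so `\z` becomes `\Z`,
# a mid-pattern `(?i)` is hoisted to re.IGNORECASE (the prefix before it has no
# letters, so behaviour is unchanged), and the End Pattern is applied as a
# lookahead so a consumed newline cannot hide the next line's start anchor.

START = r"""(?:\n|\A)[ \t]*(?i)[a-z_-]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key|token)[ \t]*:[ \t]*['"]?"""
FORMAT = r"""[^\r\n`'"\x00-\x08]+"""
END = r"""['"\r\n]|\z"""
NOT_MATCH = [  # the five "Not Match" expressions listed for the rule
    r"^(keyPassphrase|password|key|[ \t]+|\$\{[^}]+}|(str|string|int|bool)( +#.*)?),?$",
    r"^(.* = )?(None|[Tt]rue|[Ff]alse|[Nn]ull|Default(Type)?|Event|[A-Z]+_KEY|VERSION|NAME|update|destroy|(?:dis|en)ableEventListeners|\.\.\.),?$",
    r"^(((this|self|obj)\.)([A-Za-z_]+\,|[A-Za-z_].*)|\{\}|\[\]|[0-9a-zA-Z],|\{)$",
    r"^(([a-zA-Z_]+(\(\))?\.)*[a-zA-Z_]+\(\)|\|\s*)$|\{\{[^}]+\}\}|\$\{\{ |^!Ref |^\$\(.*\)|^(https?|file)://|^(/[a-zA-Z0-9./_-]+/)?[a-zA-Z0-9_-]{5,}(\.(pem|crt|key|cer|pub|der)|_rsa)$|^=|\(\) => |\([^)]+\) => \{",
    r"^\s*(typing\.)?([Tt]uple|[Ll]ist|[Dd]ict|Callable|Iterable|Sequence|Optional|Union)\[.*$",
]

def compile_rule(start, fmt, end):
    # Join the three parts the way a custom pattern is assembled.
    flags, parts = 0, []
    for part in (start, fmt, end):
        if "(?i)" in part:
            flags |= re.IGNORECASE
            part = part.replace("(?i)", "")
        parts.append(part.replace(r"\z", r"\Z"))
    return re.compile(f"(?:{parts[0]})(?P<secret>{parts[1]})(?=(?:{parts[2]}))", flags)

def find_yaml_password_hits(text):
    # Return the candidate secrets that no Not Match expression rejects.
    rule = compile_rule(START, FORMAT, END)
    rejects = [re.compile(p) for p in NOT_MATCH]
    return [m.group("secret") for m in rule.finditer(text)
            if not any(r.search(m.group("secret")) for r in rejects)]

# Constructed sample: two real-looking values and four common false positives
# (env substitution, boolean, template expression, null) that the filters drop.
SAMPLE_YAML = (
    "database:\n"
    "  host: db.internal\n"
    "  password: 'hunter2-not-real'\n"
    "  api_key: ${API_KEY}\n"
    "  token: true\n"
    '  secret: "{{ vault.secret }}"\n'
    "  db_password: null\n"
    "  Passphrase: s3cr3t-sample\n"
)

if __name__ == "__main__":
    print(find_yaml_password_hits(SAMPLE_YAML))  # ['hunter2-not-real', 's3cr3t-sample']
```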

YAML hardcoded passwords (plain scalars)

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before committing to org level) ⚠️ Hardcoded passwords in YAML configuration files, using plain scalars

version: v0.1

Comments / Notes:

  • The hardcoded password is any length

  • Some false positives in code might appear

  • The pattern only checks for certain key words to end the variable name (secret, password, etc.)

  • Only allows for plain scalars, not quoted or multi-line, to better control false positives

Pattern Format
[^\r\n`'"\x00-\x08]+
Start Pattern
(?:\n|\A)[ \t]*(?i)[a-z_-]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key|token)[ \t]*:[ \t]*
End Pattern
[\r\n]|\z
Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

  • Not Match:

    ^(keyPassphrase|password|key|[ \t]+|\$\{[^}]+}|(str|string|int|bool)( +#.*)?),?$
  • Not Match:

    ^(.* = )?(None|[Tt]rue|[Ff]alse|[Nn]ull|Default(Type)?|Event|[A-Z]+_KEY|VERSION|NAME|update|destroy|(?:dis|en)ableEventListeners|\.\.\.),?$
  • Not Match:

    ^(((this|self|obj)\.)([A-Za-z_]+\,|[A-Za-z_].*)|\{\}|\[\]|[0-9a-zA-Z],|\{)$
  • Not Match:

    ^(([a-zA-Z_]+(\(\))?\.)*[a-zA-Z_]+\(\)|\|\s*)$|\{\{[^}]+\}\}|\$\{\{ |^!Ref |^\$\(.*\)|^(https?|file)://|^(/[a-zA-Z0-9./_-]+/)?[a-zA-Z0-9_-]{5,}(\.(pem|crt|key|cer|pub|der)|_rsa)$|^=|\(\) => |\([^)]+\) => \{
  • Not Match:

    ^\s*(typing\.)?([Tt]uple|[Ll]ist|[Dd]ict|Callable|Iterable|Sequence|Optional|Union)\[.*$

YAML hardcoded passwords (single quoted strings)

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before committing to org level) ⚠️ Hardcoded passwords in YAML configuration files, using single quotes

version: v0.1

Comments / Notes:

  • The hardcoded password is any length

  • Some false positives in code might appear

  • The pattern only checks for certain key words to end the variable name (secret, password, etc.)

  • Only allows single-quoted passwords, to better control false positives

Pattern Format
[^\r\n'\x00-\x08]+
Start Pattern
(?:\n|\A)[ \t]*(?i)[a-z_-]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key|token)[ \t]*:[ \t]*'
End Pattern
'([ \t]*[\r\n]|\z)
Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

  • Not Match:

    \{\{[^{}]+\}\}

YAML hardcoded passwords (double quoted strings)

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before committing to org level) ⚠️ Hardcoded passwords in YAML configuration files, using double quotes

version: v0.1

Comments / Notes:

  • The hardcoded password is any length

  • Some false positives in code might appear

  • The pattern only checks for certain key words to end the variable name (secret, password, etc.)

  • Only allows double-quoted passwords, to better control false positives

Pattern Format
[^\r\n"\x00-\x08]+
Start Pattern
(?:\n|\A)[ \t]*(?i)[a-z_-]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key|token)[ \t]*:[ \t]*"
End Pattern
"([ \t]*[\r\n]|\z)
Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

  • Not Match:

    \{\{[^{}]+\}\}

YAML hardcoded passwords (multiline strings)

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before committing to org level) ⚠️ Hardcoded passwords in YAML configuration files, using multiline strings

version: v0.1

Comments / Notes:

  • The hardcoded password is any length

  • Some false positives in code or YAML files might appear, especially where the variable is called 'key' or 'token'

  • The pattern checks for certain key words to end the variable name (secret, password, etc.)

Pattern Format
[^\x00-\x08]+?
Start Pattern
(?:\n|\A)[ \t]*(?i)[a-z_-]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key|token)[ \t]*:[ \t]*[|>][+-]?[ \t]*(\n|\r\n)[ \t]+
End Pattern
\n\n|\r\n\r\n|(\n|\r\n)[ \t]+\S+:|(\n|\r\n)\.\.\.[ \t\n\r]|\z

GitHub Actions SHA Checker

version: v0.1

Comments / Notes:

  • Checks for all github actions using a version that isn't a pinned SHA-1 commit hash

  • Checks for uses: org name / repo name @ string under 40 characters

  • Not case sensitive

  • Excludes all actions published under the actions, github and advanced-security organizations

Pattern Format
[a-z0-9_-]{1,39}\/[a-z0-9_-]{1,100}@[a-z0-9._-]{1,39}
Start Pattern
\buses:[ \t]{1,5}
End Pattern
\s|\z
Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

  • Not Match:

    ^(actions|github|advanced-security)/

.NET Configuration file

version: v0.1

Comments / Notes:

  • XML key/value format

Pattern Format
[^"\x00-\x08]+
Start Pattern
<add\s+key="[^"]*(?i)(password|secret|pass(?:wd|word|code|phrase)?|key|token)"\s+value="
End Pattern
\"

.NET MachineKey

version: v0.1

Comments / Notes:

  • Contents of the validationKey or decryptionKey of a machineKey XML element

Pattern Format
[A-Fa-f0-9]+
Start Pattern
<machineKey\s+[^>]*(validation|decryption)Key="
End Pattern
\"

.env file style secrets

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before committing to org level) ⚠️ Find .env file style secrets in configuration files such as .env, Dockerfile, shell scripts etc.

version: v0.1

Comments / Notes:

  • Looks for secrets in the format of SECRET=secret at the start of a line, possibly with an ENV or export prefix

  • Allows no whitespace in the secret, to cut false positives

  • Some false positives in code might appear, especially where the variable name is 'key' or 'token'

  • The pattern only checks for certain key words to begin the pattern (secret, password, etc.)

  • More restrictive than the Generic Passwords pattern, so less prone to false positives

  • Minimum secret length of 8 to reduce false positives

Pattern Format
[^\r\n\x00-\x08'"#]{8,}
Start Pattern
(?:\n|\A)((export|ENV|ARG) )?[A-Z_]*(?:SECRET|PASS(?:WD|WOR[TD]|CODE|PHRASE)?|KEY|TOKEN)=['"]?
End Pattern
[\r\n#]|['"]\s*[\r\n]|\z
Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

  • Not Match:

    ^\$(\{[^}]+\}|\([^)]+\)|[A-Za-z_]+|[0-9])$
  • Not Match:

    ^(<[^>]+>|\[[^\]]+\]|\{[^}]+\}|(your|my|the|a)_[a-z_]+|.*(passwor[dt]|key|secret|token).*|\.\.\.|xxx+|yyy+|zzz+|aaa+|bbb+|ccc+)$
  • Not Match:

    ^(test|value)([._-][a-z_.-]+)?$
  • Not Match:

    ^(?i)(true|false|y(es)?|no?|on|off|0|1|nill|null|none|(\\x[a-f0-9]{2})+)$
  • Not Match:

    ^(/|file:///|https?://[A-Za-z]:/)[A-Za-z0-9._-]{3,}+(/[a-z._-]{1,}){2,}/?$

YAML with Base64 encoded secrets

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before committing to org level) ⚠️ Hardcoded Base64-encoded passwords in YAML configuration files

version: v0.1

Comments / Notes:

  • The Base64 must contain digits, upper-case and lower-case letters, and be at least 12 characters long

  • Some false positives in code might appear

Pattern Format
(([A-Za-z0-9+/]){4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)
Start Pattern
(?:\n|\A)[ \t]*(?i)[a-z_-]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key|token)[ \t]*:[ \t]*(['"]?|[|>]-?[ \t]*\n[ \t]*)
End Pattern
['"\r\n]|\z
Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

  • Match:

    [0-9]
  • Match:

    [A-Z]
  • Match:

    [a-z]
  • Match:

    ^.{12,}$

YAML with URI-safe Base64 encoded secrets

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before committing to org level) ⚠️ Hardcoded URI-safe Base64-encoded passwords in YAML configuration files

version: v0.1

Comments / Notes:

  • The Base64 must contain digits, upper-case and lower-case letters, and be at least 12 characters long

  • Some false positives in code might appear

  • This matches _- instead of +/, for URI-safe Base64

Pattern Format
(([A-Za-z0-9_-]){4})*([A-Za-z0-9_-]{4}|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{2}==)
Start Pattern
(?:\n|\A)[ \t]*(?i)[a-z_-]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key|token)[ \t]*:[ \t]*(['"]?|[|>]-?[ \t]*\n[ \t]*)
End Pattern
['"\r\n]|\z
Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

  • Match:

    [0-9]
  • Match:

    [A-Z]
  • Match:

    [a-z]
  • Match:

    ^.{12,}$

YAML with hex token

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before committing to org level) ⚠️ Hardcoded hex-encoded tokens in YAML configuration files

version: v0.1

Comments / Notes:

  • The hex token must be 32, 40 or 64 characters long, and contain numbers and letters

  • Some false positives in code might appear

Pattern Format
[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}
Start Pattern
(?:\n|\A)[ \t]*(?i)[a-z_-]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key|token)[ \t]*:[ \t]*(['"]?|[|>]-?[ \t]*\n[ \t]*)
End Pattern
['"\r\n]|\z
Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

  • Match:

    [0-9]
  • Match:

    [a-f]

JSON with Base64 encoded secrets

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before committing to org level) ⚠️ Hardcoded Base64-encoded passwords in JSON configuration files

version: v0.1

Comments / Notes:

  • The Base64 must contain digits, upper-case and lower-case letters, and be at least 12 characters long

  • This may match in code, such as Python, that resembles JSON

  • This will not match some isolated fragments of JSON, so be aware of that when testing it

Pattern Format
(([A-Za-z0-9+/]){4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)
Start Pattern
[{[,][ \t]*[ \t\r\n]*"(?i)[a-z_.-]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key|token)"[ \t]*:[ \t]*"
End Pattern
"[ \t\r\n]*[,}\]]
Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

  • Match:

    [0-9]
  • Match:

    [A-Z]
  • Match:

    [a-z]
  • Match:

    ^.{12,}$

JSON with URI-safe Base64 encoded secrets

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before committing to org level) ⚠️ Hardcoded URI-safe Base64-encoded passwords in JSON configuration files

version: v0.1

Comments / Notes:

  • The Base64 must contain digits, upper-case and lower-case letters, and be at least 12 characters long

  • This may match in code, such as Python, that resembles JSON

  • This will not match some isolated fragments of JSON, so be aware of that when testing it

  • This matches _- instead of +/, for URI-safe Base64

Pattern Format
(([A-Za-z0-9_-]){4})*([A-Za-z0-9_-]{4}|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{2}==)
Start Pattern
[{[,][ \t]*[ \t\r\n]*"(?i)[a-z_.-]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key|token)"[ \t]*:[ \t]*"
End Pattern
"[ \t\r\n]*[,}\]]
Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

  • Match:

    [0-9]
  • Match:

    [A-Z]
  • Match:

    [a-z]
  • Match:

    ^.{12,}$

JSON with hex encoded secrets

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before committing to org level) ⚠️ Hardcoded hex-encoded tokens in JSON configuration files

version: v0.1

Comments / Notes:

  • The hex token must be 32, 40 or 64 characters long, and contain numbers and letters

  • This may match in code, such as Python, that resembles JSON

  • This will not match some isolated fragments of JSON, so be aware of that when testing it

Pattern Format
[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}
Start Pattern
[{[,][ \t]*[ \t\r\n]*"(?i)[a-z_-]*(?:secret|service_pass(wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key|token)"[ \t]*:[ \t]*"
End Pattern
"[ \t\r\n]*[,}\]]
Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

  • Match:

    [0-9]
  • Match:

    [a-f]