chore: import upstream snapshot with attribution
gitleaks / gitleaks (push) Has been skipped
Test / test (ubuntu-latest) (push) Failing after 0s
Test / test (windows-latest) (push) Has been cancelled

This commit is contained in:
wehub-resource-sync
2026-07-13 12:12:29 +08:00
commit 48b3ccf279
454 changed files with 32865 additions and 0 deletions
BIN
View File
Binary file not shown.
BIN
View File
Binary file not shown.
BIN
View File
Binary file not shown.
BIN
View File
Binary file not shown.
BIN
View File
Binary file not shown.
+6
View File
@@ -0,0 +1,6 @@
DB_HOST=example.com
DB_PORT=443
DB_USERNAME=postgres
DB_PASSWORD=8ae31cacf141669ddfb5da
DB_NAME=best_db
DB_SSL=true
+1
View File
@@ -0,0 +1 @@
../testdata/repos/nogit/api.go:aws-access-key:20
+24
View File
@@ -0,0 +1,24 @@
package main
import "fmt"
func main() {
var a = "initial"
fmt.Println(a)
var b, c int = 1, 2
fmt.Println(b, c)
var d = true
fmt.Println(d)
var e int
fmt.Println(e)
// opps I added a secret at line 20
awsToken := "AKIALALEMEL33243OLIA"
f := "apple"
fmt.Println(f)
}
+24
View File
@@ -0,0 +1,24 @@
package main
import "fmt"
func main() {
var a = "initial"
fmt.Println(a)
var b, c int = 1, 2
fmt.Println(b, c)
var d = true
fmt.Println(d)
var e int
fmt.Println(e)
// opps I added a secret at line 20
awsToken := "AKIALALEMEL33243OLIA"
f := "apple"
fmt.Println(f)
}
Binary file not shown.
Binary file not shown.
Binary file not shown.
BIN
View File
Binary file not shown.
+2
View File
@@ -0,0 +1,2 @@
RuleID,Commit,File,Secret,Match,StartLine,EndLine,StartColumn,EndColumn,Author,Message,Date,Email,Fingerprint
1,b,c,f,s,m,s,e,s,e,a,m,f,r,f
1 RuleID,Commit,File,Secret,Match,StartLine,EndLine,StartColumn,EndColumn,Author,Message,Date,Email,Fingerprint
2 1,b,c,f,s,m,s,e,s,e,a,m,f,r,f
+40
View File
@@ -0,0 +1,40 @@
[
{
"Description": "PyPI upload token",
"StartLine": 32,
"EndLine": 32,
"StartColumn": 21,
"EndColumn": 106,
"Match": "************************",
"Secret": "************************",
"File": "detect/detect_test.go",
"Commit": "9326f35380636bcbe61e94b0584d1618c4b5c2c2",
"Entropy": 1.9606875,
"Author": "****",
"Email": "****",
"Date": "2022-03-07T14:33:06Z",
"Message": "Escape - character in regex character groups (#802)\n\n* fix char escape\n\n* add test\n\n* fix verbosity in make test",
"Tags": [],
"RuleID": "pypi-upload-token",
"Fingerprint": "9326f35380636bcbe61e94b0584d1618c4b5c2c2:detect/detect_test.go:pypi-upload-token:32"
},
{
"Description": "PyPI upload token",
"StartLine": 33,
"EndLine": 33,
"StartColumn": 21,
"EndColumn": 106,
"Match": "************************",
"Secret": "************************",
"File": "detect/detect_test.go",
"Commit": "9326f35380636bcbe61e94b0584d1618c4b5c2c2",
"Entropy": 1.9606875,
"Author": "****",
"Email": "****",
"Date": "2022-03-07T14:33:06Z",
"Message": "Escape - character in regex character groups (#802)\n\n* fix char escape\n\n* add test\n\n* fix verbosity in make test",
"Tags": [],
"RuleID": "pypi-upload-token",
"Fingerprint": "9326f35380636bcbe61e94b0584d1618c4b5c2c2:detect/detect_test.go:pypi-upload-token:33"
}
]
+6
View File
@@ -0,0 +1,6 @@
{
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"version": "2.1.0",
"runs": [
]
}
+21
View File
@@ -0,0 +1,21 @@
title = "gitleaks config"
# https://learnxinyminutes.com/docs/toml/ for toml reference
[[rules]]
id = "aws-access-key"
description = "AWS Access Key"
regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
tags = ["key", "AWS"]
# Here to confirm that allowlists work in archives
[[rules]]
id = 'password'
description = "Find the DB password in .env.prod"
path = '''\.env\.prod$'''
regex = '''(?i)password=([^\s]+)'''
# Now ignore it to confirm allowlists work
[[allowlists]]
paths = [
'''\.env\.prod$''',
]
+14
View File
@@ -0,0 +1,14 @@
title = "Fragment level composite rule"
[[rules]]
id = "primary-rule"
description = "Primary rule"
regex = 'password\s*=\s*"([^"]+)"'
[[rules.required]]
id = "username-rule"
[[rules]]
id = "username-rule"
description = "Username rule"
regex = 'username\s*=\s*"([^"]+)"'
skipReport = true
+126
View File
@@ -0,0 +1,126 @@
# We want to be able to find this key regardless if it's b64 encoded or not
[[rules]]
id = 'private-key'
description = 'Private Key'
regex = '''(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----[\s\S-]*?-----END[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----'''
tags = ['key', 'private']
keywords = [
'-----begin',
]
# This exists to test what would happen if a normal rule matched something that
# also gets decoded. We don't want to break anyone's existing rules that might
# be looking for specific segments of b64 encoded data.
[[rules]]
id = 'b64-encoded-private-key'
description = 'Private Key'
regex = '''(?:LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0t|0tLS0tQkVHSU4gUFJJVkFURSBLRVktLS0tL|tLS0tLUJFR0lOIFBSSVZBVEUgS0VZLS0tLS)[a-zA-Z0-9+\/]+={0,3}'''
tags = ['key', 'private']
keywords = [
'ls0tls1crudjtibquklwqvrfietfws0tls0t',
'0tls0tqkvhsu4gufjjvkfursblrvktls0tl',
'tls0tlujfr0loifbssvzbveugs0vzls0tls',
]
[[rules]]
id = 'aws-iam-unique-identifier'
description = 'AWS IAM Unique Identifier'
# The funky not group at the beginning consists of ascii ranges
regex = '''(?:^|[^!$-&\(-9<>-~])((?:A3T[A-Z0-9]|ACCA|ABIA|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})\b'''
tags = ['aws', 'identifier']
entropy = 3.2
secretGroup = 1
keywords = [
'a3t',
'abia',
'acca',
'agpa',
'aida',
'aipa',
'akia',
'anpa',
'anva',
'aroa',
'asia',
]
[[rules]]
id = 'aws-secret-access-key'
description = 'AWS Secret Access Key'
regex = '''(?i)aws[\w\-]{0,32}[\'\"]?\s*?[:=\(]\s*?[\'\"]?([a-z0-9\/+]{40})\b'''
tags = ['aws', 'secret']
entropy = 4
secretGroup = 1
keywords = [
'aws',
]
[[rules]]
# Use a small one for making sure things shifting around are kept up with
# appropriately
id = 'small-secret'
description = 'Small Secret'
regex = '''\bsmall-secret\b'''
tags = ['small', 'secret']
[[rules]]
# When the example value is decoded this will overlap and this is here to
# test that the location information is reported accurately when the match
# goes outside the bounds of the encoded value
id = 'overlapping'
description = 'Overlapping'
regex = '''secret=(decoded-secret-value\w*)'''
tags = ['overlapping']
secretGroup = 1
# -----BEGIN REGEX TARGET DECODED MATCH PATTERNS-----
[[rules]]
id = 'decoded-password-dont-ignore'
description = 'Make sure this would be detected with no allowlist'
regex = '''password\s*=\s*\"([^\"]+please-ignore-me[^\"]+)\"'''
tags = ['decode-ignore']
secretGroup = 1
[[rules]]
id = 'decoded-password-ignore-secret'
description = 'Test ignore on decoded secrets: regexTarget = "secret"'
regex = '''password\s*=\s*\"([^\"]+please-ignore-me[^\"]+)\"'''
tags = ['decode-ignore']
secretGroup = 1
[[rules.allowlists]]
regexTarget = 'secret'
regexes = [
# The decoded segment that we are testing against
'please-ignore-me',
]
[[rules]]
id = 'decoded-password-ignore-match'
description = 'Test ignore on decoded secrets: regexTarget = "match"'
regex = '''password\s*=\s*\"([^\"]+please-ignore-me[^\"]+)\"'''
tags = ['decode-ignore']
secretGroup = 1
[[rules.allowlists]]
regexTarget = 'match'
regexes = [
# The decoded segment that we are testing against
'please-ignore-me',
]
[[rules]]
id = 'decoded-password-ignore-line'
description = 'Test ignore on decoded secrets: regexTarget = "line"'
regex = '''password\s*=\s*\"([^\"]+please-ignore-me[^\"]+)\"'''
tags = ['decode-ignore']
secretGroup = 1
[[rules.allowlists]]
regexTarget = 'line'
regexes = [
# The decoded segment that we are testing against
'please-ignore-me',
]
# -----END REGEX TARGET DECODED MATCH PATTERNS-----
+10
View File
@@ -0,0 +1,10 @@
title = "gitleaks config"
[[rules]]
id = "generic-api-key"
description = "Generic API Key"
regex = '''(?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-z\-_.=]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
entropy = 3.5
keywords = [
"key","api","token","secret","client","passwd","password","auth","access",
]
+35
View File
@@ -0,0 +1,35 @@
title = "gitleaks config"
[[rules]]
id = "generic-api-key"
description = "Generic API Key"
path = '''.py'''
regex = '''(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]'''
secretGroup = 4
entropy = 3.7
[allowlist]
description = "global allow lists"
paths = [
'''gitleaks.toml''',
'''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',
'''(go.mod|go.sum)$'''
]
regexes = [
'''219-09-9999''',
'''078-05-1120''',
'''(9[0-9]{2}|666)-\d{2}-\d{4}''',
'''process''',
'''getenv''',
'''\.env''',
'''env\(''',
'''env\.''',
'''setting''',
'''load''',
'''token''',
'''password''',
'''secret''',
'''api\_key''',
'''apikey''',
'''api\-key''',
]
+2
View File
@@ -0,0 +1,2 @@
[[allowlists]]
@@ -0,0 +1,4 @@
[allowlist]
regexes = ['''123''']
[[allowlists]]
regexes = ['''456''']
@@ -0,0 +1,3 @@
[[allowlists]]
regexTarget = "mtach"
regexes = ['''456''']
@@ -0,0 +1,7 @@
[[rules]]
id = "github-app-token"
regex = '''(?:ghu|ghs)_[0-9a-zA-Z]{36}'''
[[allowlists]]
targetRules = ["github-app-token", "github-pat"]
regexes = ['''.*fake.*''']
+4
View File
@@ -0,0 +1,4 @@
[[rules]]
id = "example"
regex = '''example\d+'''
[[rules.allowlists]]
@@ -0,0 +1,7 @@
[[rules]]
id = "example"
regex = '''example\d+'''
[rules.allowlist]
regexes = ['''123''']
[[rules.allowlists]]
regexes = ['''456''']
@@ -0,0 +1,6 @@
[[rules]]
id = "example"
regex = '''example\d+'''
[[rules.allowlists]]
regexTarget = "mtach"
regexes = ['''456''']
+10
View File
@@ -0,0 +1,10 @@
title = "gitleaks extended 1"
[extend]
path="../testdata/config/invalid/does_not_exist.toml"
[[rules]]
description = "AWS Access Key"
id = "aws-access-key"
regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
tags = ["key", "AWS"]
+7
View File
@@ -0,0 +1,7 @@
[extend]
useDefault = true
[[rules]]
[[rules.allowlists]]
paths = ['^.*\.(xml|log|json)$']
+8
View File
@@ -0,0 +1,8 @@
title = "gitleaks config"
[[rules]]
id = "discord-api-key"
description = "Discord API key"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-h0-9]{64})['\"]'''
secretGroup = 5
entropy = 3.5
+7
View File
@@ -0,0 +1,7 @@
title = "gitleaks config"
[[rules]]
description = "Discord API key"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-h0-9]{64})['\"]'''
secretGroup = 5
entropy = 3.5
+5
View File
@@ -0,0 +1,5 @@
title = "gitleaks config"
[[rules]]
id = 'discord-api-key'
description = "Discord API key"
+227
View File
@@ -0,0 +1,227 @@
title = "gitleaks config"
# https://learnxinyminutes.com/docs/toml/ for toml reference
[[rules]]
description = "1Password Secret Key"
id = "1password-secret-key"
regex = '''A3-[A-Z0-9]{6}-(?:(?:[A-Z0-9]{11})|(?:[A-Z0-9]{6}-[A-Z0-9]{5}))-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}'''
tags = ["1Password"]
[[rules]]
description = "AWS Access Key"
id = "aws-access-key"
regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
tags = ["key", "AWS"]
[[rules]]
description = "AWS Secret Key"
id = "aws-secret-key"
regex = '''(?i)aws_(.{0,20})?=?.[\'\"0-9a-zA-Z\/+]{40}'''
tags = ["key", "AWS"]
[[rules]]
description = "AWS MWS key"
id = "aws-mws-key"
regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
tags = ["key", "AWS", "MWS"]
[[rules]]
description = "Facebook Secret Key"
id = "facebook-secret-key"
regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
tags = ["key", "Facebook"]
[[rules]]
description = "Facebook Client ID"
id = "facebook-client-id"
regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
tags = ["key", "Facebook"]
[[rules]]
description = "Twitter Secret Key"
id = "twitter-secret-key"
regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
tags = ["key", "Twitter"]
[[rules]]
description = "Twitter Client ID"
id = "twitter-client-id"
regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
tags = ["client", "Twitter"]
[[rules]]
description = "Github Personal Access Token"
id = "github-pat"
regex = '''ghp_[0-9a-zA-Z]{36}'''
tags = ["key", "Github"]
[[rules]]
description = "Github OAuth Access Token"
id = "github-oauth"
regex = '''gho_[0-9a-zA-Z]{36}'''
tags = ["key", "Github"]
[[rules]]
id = "github-app"
description = "Github App Token"
regex = '''(ghu|ghs)_[0-9a-zA-Z]{36}'''
tags = ["key", "Github"]
[[rules]]
id = "github-refresh"
description = "Github Refresh Token"
regex = '''ghr_[0-9a-zA-Z]{76}'''
tags = ["key", "Github"]
[[rules]]
id = "linkedin-client"
description = "LinkedIn Client ID"
regex = '''(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}'''
tags = ["client", "LinkedIn"]
[[rules]]
id = "linkedin-secret"
description = "LinkedIn Secret Key"
regex = '''(?i)linkedin(.{0,20})?[0-9a-z]{16}'''
tags = ["secret", "LinkedIn"]
[[rules]]
id = "slack"
description = "Slack"
regex = '''xox[baprs]-(?:[0-9a-zA-Z]{10,48})?'''
tags = ["key", "Slack"]
[[rules]]
id = "apkey"
description = "Asymmetric Private Key"
regex = '''-----BEGIN (?:(?:EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY(?: BLOCK)?-----'''
tags = ["key", "AsymmetricPrivateKey"]
[[rules]]
id = "google"
description = "Google API key"
regex = '''AIza[0-9A-Za-z\-_]{35}'''
tags = ["key", "Google"]
[[rules]]
id = "google"
description = "Google (GCP) Service Account"
regex = '''"type": "service_account"'''
tags = ["key", "Google"]
[[rules]]
id = "heroku"
description = "Heroku API key"
regex = '''(?i)heroku(.{0,20})?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
tags = ["key", "Heroku"]
[[rules]]
id = "mailchimp"
description = "MailChimp API key"
regex = '''(?i)(mailchimp|mc)(.{0,20})?[0-9a-f]{32}-us[0-9]{1,2}'''
tags = ["key", "Mailchimp"]
[[rules]]
id = "mailgun"
description = "Mailgun API key"
regex = '''((?i)(mailgun|mg)(.{0,20})?)?key-[0-9a-z]{32}'''
tags = ["key", "Mailgun"]
[[rules]]
id = "paypal"
description = "PayPal Braintree access token"
regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
tags = ["key", "Paypal"]
[[rules]]
id = "piacatic"
description = "Picatic API key"
regex = '''sk_live_[0-9a-z]{32}'''
tags = ["key", "Picatic"]
[[rules]]
id = "sendgrid"
description = "SendGrid API Key"
regex = '''SG\.[\w_]{16,32}\.[\w_]{16,64}'''
tags = ["key", "SendGrid"]
[[rules]]
description = "Sidekiq Secret"
id = "sidekiq-secret"
regex = '''(?i)(?:BUNDLE_ENTERPRISE__CONTRIBSYS__COM|BUNDLE_GEMS__CONTRIBSYS__COM)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{8}:[a-f0-9]{8})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
secretGroup = 1
keywords = [
"bundle_enterprise__contribsys__com","bundle_gems__contribsys__com",
]
[[rules]]
description = "Sidekiq Sensitive URL"
id = "sidekiq-sensitive-url"
regex = '''(?i)\b(http(?:s??):\/\/)([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$)'''
secretGroup = 2
keywords = [
"gems.contribsys.com","enterprise.contribsys.com",
]
[[rules]]
id = "slack-webhook"
description = "Slack Webhook"
regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8,12}/[a-zA-Z0-9_]{24}'''
tags = ["key", "slack"]
[[rules]]
id = "stripe"
description = "Stripe API key"
regex = '''(?i)stripe(.{0,20})?[sr]k_live_[0-9a-zA-Z]{24}'''
tags = ["key", "Stripe"]
[[rules]]
id = "square"
description = "Square access token"
regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
tags = ["key", "square"]
[[rules]]
id = "square-oauth"
description = "Square OAuth secret"
regex = '''sq0csp-[0-9A-Za-z\-_]{43}'''
tags = ["key", "square"]
[[rules]]
id = "twilio"
description = "Twilio API key"
regex = '''(?i)twilio(.{0,20})?SK[0-9a-f]{32}'''
tags = ["key", "twilio"]
[[rules]]
id = "dynatrace"
description = "Dynatrace ttoken"
regex = '''dt0[a-zA-Z]{1}[0-9]{2}\.[A-Z0-9]{24}\.[A-Z0-9]{64}'''
tags = ["key", "Dynatrace"]
[[rules]]
id = "shopify"
description = "Shopify shared secret"
regex = '''shpss_[a-fA-F0-9]{32}'''
tags = ["key", "Shopify"]
[[rules]]
id = "shopify-access"
description = "Shopify access token"
regex = '''shpat_[a-fA-F0-9]{32}'''
tags = ["key", "Shopify"]
[[rules]]
id = "shopify-custom"
description = "Shopify custom app access token"
regex = '''shpca_[a-fA-F0-9]{32}'''
tags = ["key", "Shopify"]
[[rules]]
id = "shopify-private"
description = "Shopify private app access token"
regex = '''shppa_[a-fA-F0-9]{32}'''
tags = ["key", "Shopify"]
[[rules]]
id = "pypi"
description = "PyPI upload token"
regex = '''pypi-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{50,1000}'''
tags = ["key", "pypi"]
+10
View File
@@ -0,0 +1,10 @@
[[rules]]
id = "test"
regex = '''token = "(.+)"'''
[[allowlists]]
regexes = ["^changeit$"]
[[allowlists]]
condition = "AND"
paths = ["^node_modules/.*"]
stopwords = ["mock"]
@@ -0,0 +1,2 @@
[allowlist]
stopwords = ["0989c462-69c9-49fa-b7d2-30dc5c576a97"]
+2
View File
@@ -0,0 +1,2 @@
[allowlist]
regexes = ['''AKIALALEM.L33243OLIA''']
@@ -0,0 +1,20 @@
[[rules]]
id = "github-app-token"
regex = '''(?:ghu|ghs)_[0-9a-zA-Z]{36}'''
[[rules]]
id = "github-oauth"
regex = '''gho_[0-9a-zA-Z]{36}'''
[[rules]]
id = "github-pat"
regex = '''ghp_[0-9a-zA-Z]{36}'''
[[allowlists]]
regexes = ['''.*fake.*''']
[[allowlists]]
targetRules = ["github-app-token", "github-pat"]
paths = [
'''(?:^|/)@octokit/auth-token/README\.md$''',
]
+9
View File
@@ -0,0 +1,9 @@
title = "simple config with allowlist for a specific commit"
[[rules]]
description = "AWS Access Key"
id = "aws-access-key"
regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
tags = ["key", "AWS"]
[[rules.allowlists]]
commits = ['''allowthiscommit''']
@@ -0,0 +1,11 @@
# https://github.com/gitleaks/gitleaks/issues/1844
[extend]
useDefault = true
[[rules]]
id = "generic-api-key"
[[rules.allowlists]]
description = "Exclude a specific file from generic-api-key rule"
paths = [
'''^path/to/your/problematic/file\.js$'''
]
+5
View File
@@ -0,0 +1,5 @@
[[rules]]
id = "example"
regex = '''example\d+'''
[rules.allowlist]
regexes = ['''123''']
+9
View File
@@ -0,0 +1,9 @@
title = "simple config with allowlist for .go files"
[[rules]]
description = "AWS Access Key"
id = "aws-access-key"
regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
tags = ["key", "AWS"]
[[rules.allowlists]]
paths = ['''.go''']
+9
View File
@@ -0,0 +1,9 @@
title = "simple config with allowlist for aws"
[[rules]]
description = "AWS Access Key"
id = "aws-access-key"
regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
tags = ["key", "AWS"]
[[rules.allowlists]]
regexes = ['''AKIALALEMEL33243OLIA''']
+8
View File
@@ -0,0 +1,8 @@
[extend]
path="../testdata/config/valid/extend_base_1.toml"
[[rules]]
description = "AWS Secret Key"
id = "aws-secret-key"
regex = '''(?i)aws_(.{0,20})?=?.[\'\"0-9a-zA-Z\/+]{40}'''
tags = ["key", "AWS"]
+10
View File
@@ -0,0 +1,10 @@
title = "gitleaks extended 1"
[extend]
path="../testdata/config/valid/extend_base_2.toml"
[[rules]]
description = "AWS Access Key"
id = "aws-access-key"
regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
tags = ["key", "AWS"]
+10
View File
@@ -0,0 +1,10 @@
title = "gitleaks extended 2"
[extend]
path="../testdata/config/extend_3.toml"
[[rules]]
description = "AWS Secret Key"
id = "aws-secret-key-again"
regex = '''(?i)aws_(.{0,20})?=?.[\'\"0-9a-zA-Z\/+]{40}'''
tags = ["key", "AWS"]
+9
View File
@@ -0,0 +1,9 @@
title = "gitleaks extended 3"
## This should not be loaded since we can only extend configs to a depth of 3
[[rules]]
id = "aws-secret-key-again-again"
description = "AWS Secret Key"
regex = '''(?i)aws_(.{0,20})?=?.[\'\"0-9a-zA-Z\/+]{40}'''
tags = ["key", "AWS"]
@@ -0,0 +1,8 @@
title = "gitleaks extended 3"
[extend]
path="../testdata/config/valid/extend_rule_keywords_base.toml"
[[rules]]
id = "aws-secret-key-again-again"
description = "A new description"
+11
View File
@@ -0,0 +1,11 @@
title = "gitleaks extend disable"
[extend]
path = "../testdata/config/valid/extend_disabled_base.toml"
disabledRules = [
'custom-rule1'
]
[[rules]]
id = "pypi-upload-token"
regex = '''pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,1000}'''
+11
View File
@@ -0,0 +1,11 @@
title = "gitleaks extended 3"
[[rules]]
id = "aws-secret-key"
regex = '''(?i)aws_(.{0,20})?=?.[\'\"0-9a-zA-Z\/+]{40}'''
tags = ["key", "AWS"]
[[rules]]
id = "custom-rule1"
regex = '''[Cc]ustom!'''
+14
View File
@@ -0,0 +1,14 @@
title = "gitleaks extended 3"
[extend]
path="../testdata/config/valid/extend_rule_allowlist_base.toml"
[[rules]]
id = "aws-secret-key-again-again"
[[rules.allowlists]]
condition = "AND"
commits = ['''abcdefg1''']
regexes = ['''foo.+bar''']
regexTarget = "line"
paths = ['''ignore\.xaml''']
stopwords = ['''example''']
+11
View File
@@ -0,0 +1,11 @@
title = "gitleaks extended 3"
## This should not be loaded since we can only extend configs to a depth of 3
[[rules]]
id = "aws-secret-key-again-again"
description = "AWS Secret Key"
regex = '''(?i)aws_(.{0,20})?=?.[\'\"0-9a-zA-Z\/+]{40}'''
tags = ["key", "AWS"]
[[rules.allowlists]]
stopwords = ["fake"]
+13
View File
@@ -0,0 +1,13 @@
title = "gitleaks extended 3"
[extend]
path="../testdata/config/valid/extend_rule_allowlist_base.toml"
[[rules]]
id = "aws-secret-key-again-again"
[[rules.allowlists]]
commits = ['''abcdefg1''']
regexes = ['''foo.+bar''']
regexTarget = "line"
paths = ['''ignore\.xaml''']
stopwords = ['''example''']
+12
View File
@@ -0,0 +1,12 @@
title = "gitleaks extended 3"
## This should not be loaded since we can only extend configs to a depth of 3
[[rules]]
id = "aws-secret-key-again-again"
description = "AWS Secret Key"
regex = '''(?i)aws_(.{0,20})?=?.[\'\"0-9a-zA-Z\/+]{40}'''
tags = ["key", "AWS"]
keywords = ["AWS"]
[[rules.allowlists]]
stopwords = ["fake"]
+8
View File
@@ -0,0 +1,8 @@
title = "gitleaks extended 3"
[extend]
path="../testdata/config/valid/extend_rule_keywords_base.toml"
[[rules]]
id = "aws-rule-that-is-not-in-base"
keywords = ["CMS"]
+8
View File
@@ -0,0 +1,8 @@
[extend]
path="../testdata/config/valid/extend_base_3.toml"
[[rules]]
id = "aws-secret-key-again-again"
[[rules.allowlists]]
description = "False positive. Keys used for colors match the rule, and should be excluded."
paths = ['''something.py''']
@@ -0,0 +1,8 @@
title = "override a built-in rule's description"
[extend]
path = "../testdata/config/simple.toml"
[[rules]]
id = "aws-access-key"
description = "Puppy Doggy"
@@ -0,0 +1,8 @@
title = "override a built-in rule's entropy"
[extend]
path = "../testdata/config/simple.toml"
[[rules]]
id = "aws-access-key"
entropy = 999
@@ -0,0 +1,8 @@
title = "override a built-in rule's keywords"
[extend]
path = "../testdata/config/simple.toml"
[[rules]]
id = "aws-access-key"
keywords = ["puppy"]
+8
View File
@@ -0,0 +1,8 @@
title = "override a built-in rule's path"
[extend]
path = "../testdata/config/simple.toml"
[[rules]]
id = "aws-access-key"
path = '''(?:puppy)'''
+8
View File
@@ -0,0 +1,8 @@
title = "override a built-in rule's regex"
[extend]
path = "../testdata/config/simple.toml"
[[rules]]
id = "aws-access-key"
regex = '''(?:a)'''
@@ -0,0 +1,9 @@
title = "override a built-in rule's secretGroup"
[extend]
path = "../testdata/config/simple.toml"
[[rules]]
id = "aws-access-key"
regex = '''(a)(a)'''
secretGroup = 2
+8
View File
@@ -0,0 +1,8 @@
title = "override a built-in rule's tags"
[extend]
path = "../testdata/config/simple.toml"
[[rules]]
id = "aws-access-key"
tags = ["puppy"]
+6
View File
@@ -0,0 +1,6 @@
[[rules]]
id = "discord-api-key"
description = "Discord API key"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-h0-9]{64})['\"]'''
secretGroup = 3
entropy = 3.5
+4
View File
@@ -0,0 +1,4 @@
[[rules]]
description = "Python Files"
id = "python-files-only"
path = '''.py'''
@@ -0,0 +1,5 @@
[[rules]]
id = "pypi-upload-token"
description = "PyPI upload token"
regex = '''pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,1000}'''
tags = ["key", "pypi"]
+17
View File
@@ -0,0 +1,17 @@
import (
"fmt"
"os"
)
// seems safer
aws_token := os.Getenv("AWS_TOKEN")
package foo
import "fmt"
func Foo() {
fmt.Println("foo")
// seems safe
aws_token := "AKIALALEMEL33243OLIA"
fmt.Println(aws_token)
}
+67
View File
@@ -0,0 +1,67 @@
import (
"fmt"
"os"
)
// seems safer
aws_token := os.Getenv("AWS_TOKEN")
package foo
import "fmt"
func Foo() {
fmt.Println("foo")
// seems safe
aws_token := "AKIALALEMEL33243OLIA"
fmt.Println(aws_token)
}
package api
import "fmt"
func PrintHello() {
fmt.Println("hello")
}
import (
"fmt"
"os"
)
var a = "initial"
fmt.Println(a)
var b, c int = 1, 2
fmt.Println(b, c)
var d = true
fmt.Println(d)
var e int
fmt.Println(e)
// load secret via env
awsToken := os.Getenv("AWS_TOKEN")
f := "apple"
fmt.Println(f)
// opps I added a secret at line 20
awsToken := "AKIALALEMEL33243OLIA"
package main
import "fmt"
func main() {
var a = "initial"
fmt.Println(a)
var b, c int = 1, 2
fmt.Println(b, c)
var d = true
fmt.Println(d)
var e int
fmt.Println(e)
f := "apple"
fmt.Println(f)
}
# test
This is a repo used for testing gitleaks
+2
View File
@@ -0,0 +1,2 @@
RuleID,Commit,File,SymlinkFile,Secret,Match,StartLine,EndLine,StartColumn,EndColumn,Author,Message,Date,Email,Fingerprint,Tags
test-rule,0000000000000000,auth.py,,a secret,line containing secret,1,2,1,2,John Doe,opps,10-19-2003,johndoe@gmail.com,fingerprint,tag1 tag2 tag3
1 RuleID Commit File SymlinkFile Secret Match StartLine EndLine StartColumn EndColumn Author Message Date Email Fingerprint Tags
2 test-rule 0000000000000000 auth.py a secret line containing secret 1 2 1 2 John Doe opps 10-19-2003 johndoe@gmail.com fingerprint tag1 tag2 tag3
+1
View File
@@ -0,0 +1 @@
[]
+22
View File
@@ -0,0 +1,22 @@
[
{
"RuleID": "test-rule",
"Description": "",
"StartLine": 1,
"EndLine": 2,
"StartColumn": 1,
"EndColumn": 2,
"Match": "line containing secret",
"Secret": "a secret",
"File": "auth.py",
"SymlinkFile": "",
"Commit": "0000000000000000",
"Entropy": 0,
"Author": "John Doe",
"Email": "johndoe@gmail.com",
"Date": "10-19-2003",
"Message": "opps",
"Tags": [],
"Fingerprint": ""
}
]
+4
View File
@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
<testsuite failures="0" name="gitleaks" tests="0" time=""></testsuite>
</testsuites>
+11
View File
@@ -0,0 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
<testsuite failures="2" name="gitleaks" tests="2" time="">
<testcase classname="Test Rule" file="auth.py" name="test-rule has detected a secret in file auth.py, line 1, at commit 0000000000000000." time="">
<failure message="test-rule has detected a secret in file auth.py, line 1, at commit 0000000000000000." type="Test Rule">{&#xA;&#x9;&#34;RuleID&#34;: &#34;test-rule&#34;,&#xA;&#x9;&#34;Description&#34;: &#34;Test Rule&#34;,&#xA;&#x9;&#34;StartLine&#34;: 1,&#xA;&#x9;&#34;EndLine&#34;: 2,&#xA;&#x9;&#34;StartColumn&#34;: 1,&#xA;&#x9;&#34;EndColumn&#34;: 2,&#xA;&#x9;&#34;Match&#34;: &#34;line containing secret&#34;,&#xA;&#x9;&#34;Secret&#34;: &#34;a secret&#34;,&#xA;&#x9;&#34;File&#34;: &#34;auth.py&#34;,&#xA;&#x9;&#34;SymlinkFile&#34;: &#34;&#34;,&#xA;&#x9;&#34;Commit&#34;: &#34;0000000000000000&#34;,&#xA;&#x9;&#34;Entropy&#34;: 0,&#xA;&#x9;&#34;Author&#34;: &#34;John Doe&#34;,&#xA;&#x9;&#34;Email&#34;: &#34;johndoe@gmail.com&#34;,&#xA;&#x9;&#34;Date&#34;: &#34;10-19-2003&#34;,&#xA;&#x9;&#34;Message&#34;: &#34;opps&#34;,&#xA;&#x9;&#34;Tags&#34;: [],&#xA;&#x9;&#34;Fingerprint&#34;: &#34;&#34;&#xA;}</failure>
</testcase>
<testcase classname="Test Rule" file="auth.py" name="test-rule has detected a secret in file auth.py, line 2." time="">
<failure message="test-rule has detected a secret in file auth.py, line 2." type="Test Rule">{&#xA;&#x9;&#34;RuleID&#34;: &#34;test-rule&#34;,&#xA;&#x9;&#34;Description&#34;: &#34;Test Rule&#34;,&#xA;&#x9;&#34;StartLine&#34;: 2,&#xA;&#x9;&#34;EndLine&#34;: 3,&#xA;&#x9;&#34;StartColumn&#34;: 1,&#xA;&#x9;&#34;EndColumn&#34;: 2,&#xA;&#x9;&#34;Match&#34;: &#34;line containing secret&#34;,&#xA;&#x9;&#34;Secret&#34;: &#34;a secret&#34;,&#xA;&#x9;&#34;File&#34;: &#34;auth.py&#34;,&#xA;&#x9;&#34;SymlinkFile&#34;: &#34;&#34;,&#xA;&#x9;&#34;Commit&#34;: &#34;&#34;,&#xA;&#x9;&#34;Entropy&#34;: 0,&#xA;&#x9;&#34;Author&#34;: &#34;&#34;,&#xA;&#x9;&#34;Email&#34;: &#34;&#34;,&#xA;&#x9;&#34;Date&#34;: &#34;&#34;,&#xA;&#x9;&#34;Message&#34;: &#34;&#34;,&#xA;&#x9;&#34;Tags&#34;: [],&#xA;&#x9;&#34;Fingerprint&#34;: &#34;&#34;&#xA;}</failure>
</testcase>
</testsuite>
</testsuites>
+69
View File
@@ -0,0 +1,69 @@
{
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "gitleaks",
"semanticVersion": "v8.0.0",
"informationUri": "https://github.com/gitleaks/gitleaks",
"rules": [
{
"id": "aws-access-key",
"shortDescription": {
"text": "AWS Access Key"
}
},
{
"id": "pypi",
"shortDescription": {
"text": "PyPI upload token"
}
}
]
}
},
"results": [
{
"message": {
"text": "test-rule has detected secret for file auth.py at commit 0000000000000000."
},
"ruleId": "test-rule",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "auth.py"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 2,
"endColumn": 2,
"snippet": {
"text": "a secret"
}
}
}
}
],
"partialFingerprints": {
"commitSha": "0000000000000000",
"email": "johndoe@gmail.com",
"author": "John Doe",
"date": "10-19-2003",
"commitMessage": "opps"
},
"properties": {
"tags": [
"tag1",
"tag2",
"tag3"
]
}
}
]
}
]
}
+23
View File
@@ -0,0 +1,23 @@
[
{
"Description": "A test rule",
"StartLine": 1,
"EndLine": 2,
"StartColumn": 1,
"EndColumn": 2,
"Line": "whole line containing secret",
"Match": "line containing secret",
"Secret": "a secret",
"File": "auth.py",
"SymlinkFile": "",
"Commit": "0000000000000000",
"Entropy": 0,
"Author": "John Doe",
"Email": "johndoe@gmail.com",
"Date": "10-19-2003",
"Message": "opps",
"Tags": ["tag1","tag2","tag3"],
"RuleID": "test-rule",
"Fingerprint": ""
}
]
+3
View File
@@ -0,0 +1,3 @@
| File | Line | Secret |
|:-----|-----:|--------|
| auth.py | 1 | "a secret" |
+4
View File
@@ -0,0 +1,4 @@
foo\bar\gitleaks-false-positive.yaml:aws-access-token:4
b55d88dc151f7022901cda41a03d43e0e508f2b7:test_data\test_local_repo_three_leaks.json:aws-access-token:73
foo/bar/gitleaks-false-positive.yaml:aws-access-token:5
# comment
+25
View File
@@ -0,0 +1,25 @@
[{{ $lastFinding := (sub (len . ) 1) }}
{{- range $i, $finding := . }}{{with $finding}}
{
"Description": {{ quote .Description }},
"StartLine": {{ .StartLine }},
"EndLine": {{ .EndLine }},
"StartColumn": {{ .StartColumn }},
"EndColumn": {{ .EndColumn }},
"Line": {{ quote .Line }},
"Match": {{ quote .Match }},
"Secret": {{ quote .Secret }},
"File": "{{ .File }}",
"SymlinkFile": {{ quote .SymlinkFile }},
"Commit": {{ quote .Commit }},
"Entropy": {{ .Entropy }},
"Author": {{ quote .Author }},
"Email": {{ quote .Email }},
"Date": {{ quote .Date }},
"Message": {{ quote .Message }},
"Tags": [{{ $lastTag := (sub (len .Tags ) 1) }}{{ range $j, $tag := .Tags }}{{ quote . }}{{ if ne $j $lastTag }},{{ end }}{{ end }}],
"RuleID": {{ quote .RuleID }},
"Fingerprint": {{ quote .Fingerprint }}
}{{ if ne $i $lastFinding }},{{ end }}
{{- end}}{{ end }}
]
+5
View File
@@ -0,0 +1,5 @@
| File | Line | Secret |
|:-----|-----:|--------|
{{ range . -}}
| {{ .File }} | {{ .StartLine }} | {{ quote .Secret }} |
{{ end -}}
View File
+10
View File
@@ -0,0 +1,10 @@
# Archives
This repo has some archive files in its history!
Commits:
```
07d2bd71800f1abf0421abe9bc4a83a6fdca1f68 nested.tar.gz
db8789716fc664dbce0ed2d492570e92abf717a5 main.go.zst
```
+1
View File
@@ -0,0 +1 @@
ref: refs/heads/main
+1
View File
@@ -0,0 +1 @@
15fa60c13dccec6add267b7baa065977a6cc748a
+13
View File
@@ -0,0 +1,13 @@
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = git@github.com:gitleaks/test.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
remote = origin
merge = refs/heads/main
+1
View File
@@ -0,0 +1 @@
Unnamed repository; edit this file 'description' to name the repository.
Binary file not shown.
+6
View File
@@ -0,0 +1,6 @@
# git ls-files --others --exclude-from=.git/info/exclude
# Lines that start with '#' are comments.
# For a project mostly in C, the following would be a good set of
# exclude patterns (uncomment them if you want to use them):
# *.[oa]
# *~
+1
View File
@@ -0,0 +1 @@
15fa60c13dccec6add267b7baa065977a6cc748a refs/heads/main
Binary file not shown.
+2
View File
@@ -0,0 +1,2 @@
P pack-9d774732f0e985d717a26e126e6574d089375b0d.pack
+2
View File
@@ -0,0 +1,2 @@
# pack-refs with: peeled fully-peeled sorted
15fa60c13dccec6add267b7baa065977a6cc748a refs/heads/main
View File
Binary file not shown.
+6
View File
@@ -0,0 +1,6 @@
DB_HOST=example.com
DB_PORT=443
DB_USERNAME=postgres
DB_PASSWORD=8ae31cacf141669ddfb5da
DB_NAME=best_db
DB_SSL=true
+1
View File
@@ -0,0 +1 @@
../testdata/repos/nogit/api.go:aws-access-key:20
+24
View File
@@ -0,0 +1,24 @@
package main
import "fmt"
func main() {
var a = "initial"
fmt.Println(a)
var b, c int = 1, 2
fmt.Println(b, c)
var d = true
fmt.Println(d)
var e int
fmt.Println(e)
// opps I added a secret at line 20
awsToken := "AKIALALEMEL33243OLIA"
f := "apple"
fmt.Println(f)
}
+24
View File
@@ -0,0 +1,24 @@
package main
import "fmt"
func main() {
var a = "initial"
fmt.Println(a)
var b, c int = 1, 2
fmt.Println(b, c)
var d = true
fmt.Println(d)
var e int
fmt.Println(e)
// opps I added a secret at line 20
awsToken := "AKIALALEMEL33243OLIA"
f := "apple"
fmt.Println(f)
}

Some files were not shown because too many files have changed in this diff Show More