Files
wehub-resource-sync 48b3ccf279
gitleaks / gitleaks (push) Has been skipped
Test / test (ubuntu-latest) (push) Failing after 0s
Test / test (windows-latest) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:12:29 +08:00

112 lines
3.5 KiB
Go

package rules
import (
"github.com/zricethezav/gitleaks/v8/cmd/generate/config/utils"
"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
"github.com/zricethezav/gitleaks/v8/config"
"github.com/zricethezav/gitleaks/v8/regexp"
)
var githubAllowlist = []*config.Allowlist{
{
Paths: []*regexp.Regexp{
// https://github.com/octokit/auth-token.js/?tab=readme-ov-file#createtokenauthtoken-options
regexp.MustCompile(`(?:^|/)@octokit/auth-token/README\.md$`),
},
},
}
func GitHubPat() *config.Rule {
// define rule
r := config.Rule{
RuleID: "github-pat",
Description: "Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.",
Regex: regexp.MustCompile(`ghp_[0-9a-zA-Z]{36}`),
Entropy: 3,
Keywords: []string{"ghp_"},
Allowlists: githubAllowlist,
}
// validate
tps := utils.GenerateSampleSecrets("github", "ghp_"+secrets.NewSecret(utils.AlphaNumeric("36")))
fps := []string{
"ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
}
return utils.Validate(r, tps, fps)
}
func GitHubFineGrainedPat() *config.Rule {
// define rule
r := config.Rule{
RuleID: "github-fine-grained-pat",
Description: "Found a GitHub Fine-Grained Personal Access Token, risking unauthorized repository access and code manipulation.",
Regex: regexp.MustCompile(`github_pat_\w{82}`),
Entropy: 3,
Keywords: []string{"github_pat_"},
}
// validate
tps := utils.GenerateSampleSecrets("github", "github_pat_"+secrets.NewSecret(utils.AlphaNumeric("82")))
fps := []string{
"github_pat_xxxxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
}
return utils.Validate(r, tps, fps)
}
func GitHubOauth() *config.Rule {
// define rule
r := config.Rule{
RuleID: "github-oauth",
Description: "Discovered a GitHub OAuth Access Token, posing a risk of compromised GitHub account integrations and data leaks.",
Regex: regexp.MustCompile(`gho_[0-9a-zA-Z]{36}`),
Entropy: 3,
Keywords: []string{"gho_"},
}
// validate
tps := utils.GenerateSampleSecrets("github", "gho_"+secrets.NewSecret(utils.AlphaNumeric("36")))
fps := []string{
"gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
}
return utils.Validate(r, tps, fps)
}
func GitHubApp() *config.Rule {
// define rule
r := config.Rule{
RuleID: "github-app-token",
Description: "Identified a GitHub App Token, which may compromise GitHub application integrations and source code security.",
Regex: regexp.MustCompile(`(?:ghu|ghs)_[0-9a-zA-Z]{36}`),
Entropy: 3,
Keywords: []string{"ghu_", "ghs_"},
Allowlists: githubAllowlist,
}
// validate
tps := utils.GenerateSampleSecrets("github", "ghs_"+secrets.NewSecret(utils.AlphaNumeric("36")))
tps = append(tps, utils.GenerateSampleSecrets("github", "ghu_"+secrets.NewSecret(utils.AlphaNumeric("36")))...)
fps := []string{
"ghu_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"ghs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
}
return utils.Validate(r, tps, fps)
}
func GitHubRefresh() *config.Rule {
// define rule
r := config.Rule{
RuleID: "github-refresh-token",
Description: "Detected a GitHub Refresh Token, which could allow prolonged unauthorized access to GitHub services.",
Regex: regexp.MustCompile(`ghr_[0-9a-zA-Z]{36}`),
Entropy: 3,
Keywords: []string{"ghr_"},
}
// validate
tps := utils.GenerateSampleSecrets("github", "ghr_"+secrets.NewSecret(utils.AlphaNumeric("36")))
fps := []string{
"ghr_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
}
return utils.Validate(r, tps, fps)
}