Files
wehub-resource-sync 48b3ccf279
gitleaks / gitleaks (push) Has been skipped
Test / test (ubuntu-latest) (push) Failing after 0s
Test / test (windows-latest) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:12:29 +08:00

127 lines
3.7 KiB
TOML

# We want to be able to find this key regardless if it's b64 encoded or not
[[rules]]
id = 'private-key'
description = 'Private Key'
regex = '''(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----[\s\S-]*?-----END[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----'''
tags = ['key', 'private']
keywords = [
'-----begin',
]
# This exists to test what would happen if a normal rule matched something that
# also gets decoded. We don't want to break anyone's existing rules that might
# be looking for specific segments of b64 encoded data.
[[rules]]
id = 'b64-encoded-private-key'
description = 'Private Key'
regex = '''(?:LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0t|0tLS0tQkVHSU4gUFJJVkFURSBLRVktLS0tL|tLS0tLUJFR0lOIFBSSVZBVEUgS0VZLS0tLS)[a-zA-Z0-9+\/]+={0,3}'''
tags = ['key', 'private']
keywords = [
'ls0tls1crudjtibquklwqvrfietfws0tls0t',
'0tls0tqkvhsu4gufjjvkfursblrvktls0tl',
'tls0tlujfr0loifbssvzbveugs0vzls0tls',
]
[[rules]]
id = 'aws-iam-unique-identifier'
description = 'AWS IAM Unique Identifier'
# The funky not group at the beginning consists of ascii ranges
regex = '''(?:^|[^!$-&\(-9<>-~])((?:A3T[A-Z0-9]|ACCA|ABIA|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})\b'''
tags = ['aws', 'identifier']
entropy = 3.2
secretGroup = 1
keywords = [
'a3t',
'abia',
'acca',
'agpa',
'aida',
'aipa',
'akia',
'anpa',
'anva',
'aroa',
'asia',
]
[[rules]]
id = 'aws-secret-access-key'
description = 'AWS Secret Access Key'
regex = '''(?i)aws[\w\-]{0,32}[\'\"]?\s*?[:=\(]\s*?[\'\"]?([a-z0-9\/+]{40})\b'''
tags = ['aws', 'secret']
entropy = 4
secretGroup = 1
keywords = [
'aws',
]
[[rules]]
# Use a small one for making sure things shifting around are kept up with
# appropriately
id = 'small-secret'
description = 'Small Secret'
regex = '''\bsmall-secret\b'''
tags = ['small', 'secret']
[[rules]]
# When the example value is decoded this will overlap and this is here to
# test that the location information is reported accurately when the match
# goes outside the bounds of the encoded value
id = 'overlapping'
description = 'Overlapping'
regex = '''secret=(decoded-secret-value\w*)'''
tags = ['overlapping']
secretGroup = 1
# -----BEGIN REGEX TARGET DECODED MATCH PATTERNS-----
[[rules]]
id = 'decoded-password-dont-ignore'
description = 'Make sure this would be detected with no allowlist'
regex = '''password\s*=\s*\"([^\"]+please-ignore-me[^\"]+)\"'''
tags = ['decode-ignore']
secretGroup = 1
[[rules]]
id = 'decoded-password-ignore-secret'
description = 'Test ignore on decoded secrets: regexTarget = "secret"'
regex = '''password\s*=\s*\"([^\"]+please-ignore-me[^\"]+)\"'''
tags = ['decode-ignore']
secretGroup = 1
[[rules.allowlists]]
regexTarget = 'secret'
regexes = [
# The decoded segment that we are testing against
'please-ignore-me',
]
[[rules]]
id = 'decoded-password-ignore-match'
description = 'Test ignore on decoded secrets: regexTarget = "match"'
regex = '''password\s*=\s*\"([^\"]+please-ignore-me[^\"]+)\"'''
tags = ['decode-ignore']
secretGroup = 1
[[rules.allowlists]]
regexTarget = 'match'
regexes = [
# The decoded segment that we are testing against
'please-ignore-me',
]
[[rules]]
id = 'decoded-password-ignore-line'
description = 'Test ignore on decoded secrets: regexTarget = "line"'
regex = '''password\s*=\s*\"([^\"]+please-ignore-me[^\"]+)\"'''
tags = ['decode-ignore']
secretGroup = 1
[[rules.allowlists]]
regexTarget = 'line'
regexes = [
# The decoded segment that we are testing against
'please-ignore-me',
]
# -----END REGEX TARGET DECODED MATCH PATTERNS-----