generic

Generic Secrets / Passwords

Generic Passwords

⚠️ WARNING: THIS RULE IS EXPERIMENTAL AND MIGHT CAUSE A HIGH FALSE POSITIVE RATE (test before commiting to org level) ⚠️

version: v0.5

Comments / Notes:

• Likely to cause large numbers of false positives - use with caution

• password, secret, key, or password like prefix (fuzzy)

• Delimiters like = or : (with padding)

• String with a number of chars until a breaking char

• Not matching variables, placeholders or common configuration constants such as 'read' and 'write'

Pattern Format

[a-zA-Z0-9!.,$%&*+?^_`{|}()[\]\\/~-][a-zA-Z0-9\t !.,$%&*+?^_`{|}()[\]\\/~-]*

Start Pattern

(?:\A|[^a-zA-Z0-9])(?i)[a-z0-9_.-]*(?:api|auth[a-z]+|jwt|mysql|db)?[_.-]?(?:pass?(?:wo?r?d|code|phrase)|secret|key|token)([_-][a-z0-9]+){0,3}([ \t]+As[ \t]+String)?[\t ]*(={1,3}|:)[\t ]*(?:["']|b["'])?

End Pattern

(\z|[\r\n'"])

Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

• Not Match:

  ^(?i)_?\)?((a-zA-Z0-9._]+[_.])?(?:the )?(?:pass?(wo?r?d|code|phrase)|pass|pwd|secret|token|key|tok|pw)|redacted|placeholder|dummy|thephrase|write|read|on|off|true|false|none|value|null( \? )?|nil|undefined|eof|ignore|eol|git|yes|no|y|n|f[0-9]{1,2}|[a-zA-Z]),?\s*\){0,2}[\]>)]?(?:\)\s*\{)?\\?(( or | \|\| ).*)?$

• Not Match:

  ^\s*(?:(?:typing\.)?(?:(?:[Tt]uple|[Ll]ist|[Dd]ict|Callable|Iterable|Sequence|Optional|Union)\[.*|(?:int|str|float|(?:typing.)?Any|None|bytes|bool|ReadableBuffer)\s*(?:[,|].*)?|(?:Int|Swift\.Int|Int32)\.*))\s*$

• Not Match:

  ^\s*(?:\.\.\.|\\|\\n|\\0|\?|\$\(|[,()[\]{}`.]\\?|-[)(]|\\f21b|0x[A-Fa-f0-9]+|[0-9]{1,4}|(?:~|/tmp|\.\.|\.|(/[a-zA-Z0-9./_-]+/)?[a-zA-Z0-9]+(\.(pem|crt|key|cer|pub|der)|_rsa))|\\{1,2}w\+/g,( \\?)?|%[sr]|geheim\$parole|\([Oo]ptional\).*|\$?(?:\{\{?[^}]+\}\}?|\(\(?[^)]+\)\)?|\[\[?[^\]+]\]\]?)|(before|hover|focus)(,| \{))?,?\s*(?:\s*(?:/\*|#|//).*)?$

• Not Match:

  ^(?:function\s*\([^)]*\)\s*{\s*.*|\([^)]*\)\s*=>\s*(?:{\s*|[^;)]+[;)])|(?:new |\([A-Za-z]+\)\s*)?[a-zA-Z0-9_.]+\s*\(.*|(?:public|private) [A-Za-z0-9_]+ \{|[A-Za-z0-9_.-]+\s*\) \{)$|\{\{[^}]+\}\}|\$\{\{|\{\}$|\[\]$|(0x)?%[0-9]+x|%[dusx]\.$

• Not Match:

  ^\s*(?:(?:self|this)\.[a-zA-Z_][a-zA-Z0-9_.]+[,[]?|[a-zA-Z0-9_.]+\[(?:[a-zA-Z0-9_.]+)?\]?|\$(?:[1-9]|[A-Za-z0-9_]+)\{?|os\.environ\[[^\]]\]|process\.env\.[A-Z0-9_]+)\s*(?:,|\|\||&&)?\s*$|`(%s|\+)

Generic Passwords (fewer FPs)

version: v0.1

Comments / Notes:

• Expect many false positives if run against vendored-in code, such as JS libraries - use with caution

• password, secret, key, token etc. password-like prefix (fuzzy)

• Delimiters like = or : (with padding)

• Matches fewer characters (A-Za-z0-9_/+.!-), and requires matching quotes around the string

• Attempts to remove variables, placeholders, and common configuration constants such as 'read' and 'write'

Pattern Format

((?i)[a-z0-9_.-]*(api|auth[a-z]*|jwt|mysql|db)[_.-]?)?((?i)pass?(wo?r?d|code|phrase)|secret|token|key)([_-][A-Za-z0-9]+){0,4}_{0,2}(["'`]|[ \t]+As[ \t]+String)?[\t ]*(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)[\t ]*([br]?"[A-Za-z0-9_/+.!-]+"|[br]?'[A-Za-z0-9_/+.!-]+')

Start Pattern

\A|[^0-9A-Za-z]

End Pattern

\z|[^A-Za-z0-9]

Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

• Not Match:

  ^[A-Za-z0-9_.-]*(key|KEY|[Tt]oken|TOKEN)(_[a-zA-Z]+)?['"]?\s*([:=]|=>)\s*["']([Ee]mploye[er]|[Ss]taff|([Ss]earch)?[Rr]esult|[a-z][a-zA-Z]+CSX[A-Z][A-Za-z]+|[A-Za-z]*[Bb]ase(64|32|58)|object|claret|assigns?|clean|contains|error|expand|generate|hoist|indent(ation)?|invert|jumps?|pairs?|param(eter)?s?|pop|rewrite|temp(orary)?|token(s|i[sz]e)?|type|((un)?(quote|shift|wrap|finished))|[a-z]{2,10}([A-Z][a-z]{1,15}){1,6}|(compile|is|has|make|add|each|check|close|cache|format|tag|get|set)([A-Z][A-Za-z]+)?|gadget|classic|(try_)?(base|mode|grade|model)|words|identifier|[a-z.-]+\.(jpe?g|(x|ht)ml|txt|docx?|xlsx?|pdf|png)|enabled|name\.invalidPattern|\.|\.data-api|expect|file|config|ansi|Default(Type)?|Cache-Control|((notD|d)eepE|e)qual|name|NAME|package|version|VERSION|start|end|step|async|Event|throws|ok|notOK|verbose|push(Result)?|slimAssertions|(p|notP)ropEqual|((notS|s)trict|not)Equal|value|prev|next|year|key[0-9]?|destroy|[a-z]+EventListeners|timeout|str(ing)?|hmac|uuid|update|find|true|false|val|VAL|REDACTED|redacted|nop|F[0-9]{1,2}|[A-Za-z0-9]|[Nn][ui]ll|[Nn]one|[a-z_]+\.((tf)?state|id|key)|(hibernate|ws|err|i18n|employee|bs|org|com|sun|java)(\.[a-zA-Z0-9_]+){1,4}|[A-Z_]+_KEY)["']$

• Not Match:

  (?i)(token|key)[_-](name|format|type|enabled|success|type|method)\b

• Not Match:

  ^(?i)token(_[A-Z]+)?['"]?\s*[:=]\s*['"](barline|parenthesis|qualified|suport|symbol|statementEnd|singleLineTitle|character|pageBreak|operator|optionalTitle|option|zupfnoter|chordname|macro|error|escape|indent|term|titleUnderline|tag|link|literal|(other|table)Block|list|value|control|set|support|injections|array|doc|source|heading|tokens|storage|empty|newline|empty_line|keyword|(line)?comment|meta|[lr]?paren|class|punctuation|regexp?|constant|string|entity|invalid|support|variable|multiline|language|paren|markup|singleline|nospell|text|array|doc|source|heading|tokens)(\.{1,2}[A-Za-z0-9_-]+){0,6}[!.]?["']$

• Not Match:

  ^KEY_[A-Z]+[0-9]{0,3}: 'k[a-zA-Z0-9]{1,6}'$

• Not Match:

  ['"` ](/dev/u?random|(/[a-zA-Z0-9./_-]+/)?[a-zA-Z0-9_-]{5,}(\.(pem|crt|key|cer|pub|der)|_rsa)|https?://.*|file://.*)['"`]$

Generic Password with hex encoded secrets

version: v0.1

Comments / Notes:

• password, secret, key, or password like prefix (fuzzy)

• Delimiters like = or : (with padding)

• Has to be a token-like value - a 32, 40 or 64 character hex string

Pattern Format

[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}

Start Pattern

(?:\A|[^a-zA-Z0-9])(?i)[a-z0-9._-]*(?:api|auth[a-z]+|jwt|mysql|db)?[_.-]?(?:pass?(?:wo?r?d|code|phrase)|secret|key|token)([_-][a-z0-9]+){0,3}([ \t]+As[ \t]+String)?[\t ]*(={1,3}|:)[\t ]*(?:["']|b["'])?

End Pattern

(\z|[\r\n'"])

Generic Password with Base64 encoded secrets

version: v0.1

Comments / Notes:

• The Base64 must contain numbers, upper case and lower case and be at least 12 characters long

• password, secret, key, or password like prefix (fuzzy)

• Delimiters like = or : (with padding)

Pattern Format

(([A-Za-z0-9+/]){4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)

Start Pattern

(?:\A|[^a-zA-Z0-9])(?i)[a-z0-9._-]*(?:api|auth[a-z]+|jwt|mysql|db)?[_.-]?(?:pass?(?:wo?r?d|code|phrase)|secret|key|token)([_-][a-z0-9]+){0,3}([ \t]+As[ \t]+String)?[\t ]*(={1,3}|:)[\t ]*(?:["']|b["'])?

End Pattern

(\z|[\r\n'"])

Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

• Match:

  [0-9]

• Match:

  [A-Z]

• Match:

  [a-z]

• Match:

  ^.{12,}$

Generic Password with URI-safe Base64 encoded secrets

version: v0.1

Comments / Notes:

• The Base64 must contain numbers, upper case and lower case and be at least 12 characters long

• password, secret, key, or password like prefix (fuzzy)

• Delimiters like = or : (with padding)

• This matches _- instead of +/, for URI-safe Base64

Pattern Format

(([A-Za-z0-9_-]){4})*([A-Za-z0-9_-]{4}|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{2}==)

Start Pattern

(?:\A|[^a-zA-Z0-9])(?i)[a-z0-9._-]*(?:api|auth[a-z]+|jwt|mysql|db)?[_.-]?(?:pass?(?:wo?r?d|code|phrase)|secret|key|token)([_-][a-z0-9]+){0,3}([ \t]+As[ \t]+String)?[\t ]*(={1,3}|:)[\t ]*(?:["']|b["'])?

End Pattern

(\z|[\r\n'"])

Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

• Match:

  [0-9]

• Match:

  [A-Z]

• Match:

  [a-z]

• Match:

  ^.{12,}$

UUIDs

version: v0.1

Pattern Format

(?i)[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}

Start Pattern

\A|[^0-9A-Fa-f-]

End Pattern

\z|[^0-9A-Fa-f-]

Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

• Not Match:

  ^12345678-1234-5678-1234-567812345678$

• Not Match:

  ^00000000-0000-0000-0000-000000000000$

• Not Match:

  ^(?i)00010203-0405-0607-0809-0a0b0c0d0e0f$

• Not Match:

  ^(?i)12345678-1234-1234-1234-123456789abc$

Bearer Tokens

version: v0.2

Comments / Notes:

• As used in an Authorization header

• We try to remove common placeholders

• Lower length limit of 12 to remove common false positives on "Token ", since most words are below 12 characters in length

Pattern Format

[a-zA-Z0-9_.=/+:-]{12,}

Start Pattern

(Authorization: |['"])([Bb]earer |[Tt]oken (token=)?)

End Pattern

\z|[\s'"]

Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

• Not Match:

  ^(?:letmein|Oracle|SuperSecretString|foo|ababbdbbebbbebdbbe5538003023|XYZ_INVALID_ACCESTOKEN_XYZ|QQ==|Shizuku|mF_9.B5f-4.1JqM|h480djs93hd8|SlAV32hkKG|YmVlcDpib29w)$

• Not Match:

  ^(?i)(?:dummy|fake|bearer|auth|invalid|your|my|the|undefined|github|oidc|database)(?:_api)?(?:_?token|key|secret)?$

• Not Match:

  ^(?i)(?:[a-z0-9]|XYZ|ABC|123|.*_token)$

• Not Match:

  (^(?i)(x+|y+|z+|a+|\.+|.*\.\.\.)$|(?i)x{5})

OAuth client secret and ID pair

version: v0.1

Pattern Format

(?i)client[_.-]?Id\s*([:=]|[=-]>|to|[!=]={1,2}|<>)\s*['"`]?[^\s'"`[\]{}()<>]+['"`]?\s*[,\r\n]\s*\bclient[_.-]?Secret\s*([:=]|[=-]>|to|[!=]={1,2}|<>)\s*['"`]?[^\s'"`[\]{}()<>]+['"`]?

Start Pattern

\A|\b

End Pattern

\z|\b

Additional Matches

Add these additional matches to the Secret Scanning Custom Pattern.

• Not Match:

  ^(?i)client[_.-]?id\s*[:=]?\s*(string|str|None)\b|\.\.\.|\(string\)|(?i)Client(ID|Secret)[a-z]|^(?i)client[_.-]?id["'`]\)|"\$\{

• Not Match:

  ^(?i)client[_.-]?id\s*[=:]\s*([a-z.]+(\[|\.get\())?["'`]?(\$\{|@)?[a-z0-9_.-]*((client|app)[_.-]?id|key)\b

• Not Match:

  (?i)client[_.-]?secret\s*[=:]\s*["'`]?(\$\{|@)?[a-z_.-]*(secret|token)\b

• Not Match:

  ^(?i)client[_.-]?Id(:.,|:\s*client[_.-]?secret:)

• Not Match:

  xxxxx|\?\?\?\?\?|example|00000|123-?45|['"][^'"\s]{1,5}['"]|(?i)<client[_-]?id>