Fix comment

advanced-security · Jun 11, 2024 · 7e39a08 · 7e39a08
1 parent 553d925
commit 7e39a08
Showing 1 changed file with 17 additions and 9 deletions.
diff --git a/configs/patterns.yml b/configs/patterns.yml
@@ -220,9 +220,8 @@ patterns:
         \n\n|\r\n\r\n|(\n|\r\n)[ \t]+\S+:|(\n|\r\n)\.\.\.[ \t\n\r]|\z
     comments:
       - "The hardcoded password is any length"
-      - "Some false positives in code might appear"
-      - "The pattern only checks for certain key words to end the variable name (`secret`, `password`, etc.)"
-      - "This will catch the start of a multiline password, but the end will not be found if it is on a different line"
+      - "Some false positives in code or YAML files might appear, especially where the variable is called 'key' or 'token'"
+      - "The pattern checks for certain key words to end the variable name (`secret`, `password`, etc.)"
     test:
       data: |
         password: |
@@ -308,22 +307,31 @@ patterns:
   - name: .env file style secrets
     type: env_passwords
     description: |
-      Find .env file style secrets in configuration files
+      Find .env file style secrets in configuration files such as .env, Dockerfile, shell scripts etc.
     experimental: true
     regex:
       version: 0.1
       pattern: |
         [^\r\n\x00-\x08'"#]+
       start: |
-        (?:\n|\A)(ENV |export )?[A-Z_]*(?:SECRET|SERVICE_PASS(WD|WORD|CODE|PHRASE)|PASS(?:WD|WORD|CODE|PHRASE)?|KEY)=['"]?
+        (?:\n|\A)((export|ENV|ARG) )?[A-Z_]*(?:SECRET|PASS(?:WD|WOR[TD]|CODE|PHRASE)?|KEY|TOKEN)=['"]?
       end: |
-        ['"\r\n#]|\z
+        [\r\n#]|['"]\s*[\r\n]|\z
       additional_not_match:
-        - ^\$[{(]
-        - ^<[^>]+>$
+        # variable, process substitution
+        - ^\$(\{[^}]+\}|\([^)]+)|[A-Za-z_]+|[0-9])$
+        # placeholders
+        - ^(<[^>]+>|\[[^]+\]|\{[^}+\}|(your|my|the|a)_[a-z_]+|.*(passwor[t]|key|secret|token|密码).*|\.\.\.|xxx+|yyy+|zzz+|aaa+|bbb+|ccc+)$
+        # non-secret related "key" content
+        - ^(test|value)([._-][a-z_.-]+)?$
+        # non-secret related content
+        - ^(?i)(true|false|y(es)?|no?|on|off|0|1|nill|null|none|(\\x[a-f0-9]{2})+)$
+        # a path
+        - '^(/|file:///|[A-Za-z]:/)[A-Za-z0-9._-]{3,}+(/[a-z._-]{1,}){2,}/?$'
     comments:
       - "Looks for secrets in the format of `SECRET=secret` at the start of a line, possibly with an `ENV ` or `export ` prefix"
-      - "Some false positives in code might appear"
+      - "Allows no whitespace in the secret, to cut false positives"
+      - "Some false positives in code might appear, especially where the variable name is 'key' or 'token'"
       - "The pattern only checks for certain key words to begin the pattern (`secret`, `password`, etc.)"
       - "More restrictive than the Generic Passwords pattern, so less prone to false positives"
     test: