From f9c95f6bafb5cacddbb11f885be6f632f131dab0 Mon Sep 17 00:00:00 2001
From: Nicolas Vuillamy
Date: Fri, 25 Apr 2025 22:27:52 +0000
Subject: [PATCH 01/34] [automation] Auto-update linters version, help and documentation

---
 .automation/generated/linter-helps.json | 4 +-
 .automation/generated/linter-versions.json | 4 +-
 CHANGELOG.md | 2 +
 README.md | 3 +-
 docs/all_linters.md | 4 +-
 docs/descriptors/json_eslint_plugin_jsonc.md | 2 +-
 docs/descriptors/makefile_checkmake.md | 2 +-
 docs/descriptors/markdown_remark_lint.md | 2 +-
 docs/descriptors/repository_checkov.md | 4 +-
 docs/descriptors/repository_grype.md | 2 +-
 docs/descriptors/repository_syft.md | 2 +-
 docs/descriptors/snakemake_snakemake.md | 2 +-
 docs/descriptors/xml_xmllint.md | 2 +-
 docs/plugins.md | 1 +
 docs/used-by-stats.md | 61 ++++++++++----------
 15 files changed, 51 insertions(+), 46 deletions(-)

diff --git a/.automation/generated/linter-helps.json b/.automation/generated/linter-helps.json
index f25130b939b..854d7db37ed 100644
--- a/.automation/generated/linter-helps.json
+++ b/.automation/generated/linter-helps.json
@@ -805,7 +805,7 @@
 " [--secrets-scan-file-type SECRETS_SCAN_FILE_TYPE]",
 " [--enable-secret-scan-all-files]",
 " [--block-list-secret-scan BLOCK_LIST_SECRET_SCAN]",
- " [--summary-position {top,bottom}]",
+ " [--summary-position {bottom,top}]",
 " [--skip-resources-without-violations] [--deep-analysis]",
 " [--no-fail-on-crash] [--mask MASK] [--scan-secrets-history]",
 " [--secrets-history-timeout SECRETS_HISTORY_TIMEOUT]",
@@ -1120,7 +1120,7 @@
 " --block-list-secret-scan BLOCK_LIST_SECRET_SCAN",
 " List of files to filter out from the secret scanner",
 " [env var: CKV_SECRETS_SCAN_BLOCK_LIST]",
- " --summary-position {top,bottom}",
+ " --summary-position {bottom,top}",
 " Chose whether the summary will be appended on top",
 " (before the checks results) or on bottom (after check",
 " results), default is on top.",
diff --git a/.automation/generated/linter-versions.json b/.automation/generated/linter-versions.json index 63383f8d086..965fa74b56e 100644 --- a/.automation/generated/linter-versions.json +++ b/.automation/generated/linter-versions.json @@ -38,7 +38,7 @@ "golangci-lint": "1.64.8", "goodcheck": "3.1.0", "graphql-schema-linter": "3.0.1", - "grype": "0.91.0", + "grype": "0.91.2", "hadolint": "2.12.0", "helm": "3.16.3", "htmlhint": "1.1.4", @@ -108,7 +108,7 @@ "stylelint": "16.19.0", "stylua": "2.0.0", "swiftlint": "0.59.1", - "syft": "1.22.0", + "syft": "1.23.1", "tekton-lint": "1.1.0", "terraform-fmt": "1.11.4", "terragrunt": "0.77.20", diff --git a/CHANGELOG.md b/CHANGELOG.md index 77238a5c984..85b0e5c7d89 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -127,6 +127,8 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l - [cfn-lint](https://github.com/aws-cloudformation/cfn-lint) from 1.33.2 to **1.34.1** on 2025-04-24 - [stylelint](https://stylelint.io) from 16.18.0 to **16.19.0** on 2025-04-24 - [sqlfluff](https://www.sqlfluff.com/) from 3.3.1 to **3.4.0** on 2025-04-24 + - [grype](https://github.com/anchore/grype) from 0.91.0 to **0.91.2** on 2025-04-25 + - [syft](https://github.com/anchore/syft) from 1.22.0 to **1.23.1** on 2025-04-25 ## [v8.5.0] - 2024-03-23 diff --git a/README.md b/README.md index 1edf3d668c4..876b19ff497 100644 --- a/README.md +++ b/README.md 
@@ -23,7 +23,7 @@ [![MegaLinter](https://github.com/oxsecurity/megalinter/workflows/MegaLinter/badge.svg?branch=main)](https://github.com/oxsecurity/megalinter/actions?query=workflow%3AMegaLinter+branch%3Amain) [![codecov](https://codecov.io/gh/oxsecurity/megalinter/branch/main/graph/badge.svg)](https://codecov.io/gh/oxsecurity/megalinter) -[![Generated by github-dependents-info](https://img.shields.io/static/v1?label=Used%20by&message=2915&color=informational&logo=slickpic)](https://github.com/oxsecurity/megalinter/blob/main/./docs/used-by-stats.md) +[![Generated by github-dependents-info](https://img.shields.io/static/v1?label=Used%20by&message=2916&color=informational&logo=slickpic)](https://github.com/oxsecurity/megalinter/blob/main/./docs/used-by-stats.md) [![Secured with Trivy](https://img.shields.io/badge/Trivy-secured-green?logo=docker)](https://github.com/aquasecurity/trivy) [![GitHub contributors](https://img.shields.io/github/contributors/oxsecurity/megalinter.svg)](https://github.com/oxsecurity/megalinter/graphs/contributors/) [![GitHub Sponsors](https://img.shields.io/github/sponsors/nvuillam)](https://github.com/sponsors/nvuillam) 
@@ -1493,6 +1493,7 @@ But our core architecture allows to build and publish MegaLinter Plugins ! | [**docker-compose-linter**](https://github.com/wesley-dean/mega-linter-plugin-dclint/blob/main/README.md) | Plugin to lint docker-compose files | [Wesley Dean](https://github.com/wesley-dean) | [Descriptor](https://github.com/wesley-dean/mega-linter-plugin-dclint/blob/main/mega-linter-plugin-dclint/dclint.megalinter-descriptor.yml) | | [**repolinter**](https://github.com/wesley-dean/mega-linter-plugin-repolinter/blob/main/README.md) | Plugin to run TODO Group's repolinter to look for repository best practices | [Wesley Dean](https://github.com/wesley-dean) | [Descriptor](https://github.com/wesley-dean/mega-linter-plugin-repolinter/blob/main/mega-linter-plugin-repolinter/repolinter.megalinter-descriptor.yml) | | [**j2lint**](https://github.com/wesley-dean/mega-linter-plugin-j2lint/blob/main/README.md) | Plugin to lint Jinja2 files | [Wesley Dean](https://github.com/wesley-dean) | [Descriptor](https://github.com/wesley-dean/mega-linter-plugin-j2lint/blob/main/mega-linter-plugin-j2lint/j2lint.megalinter-descriptor.yml) | +| [**fmlint**](https://github.com/wesley-dean/mega-linter-plugin-fmlint/blob/main/README.md) | Plugin to lint YAML frontmatter in Markdown documents | [Wesley Dean](https://github.com/wesley-dean) | [Descriptor](https://github.com/wesley-dean/mega-linter-plugin-fmlint/blob/main/mega-linter-plugin-fmlint/fmlint.megalinter-descriptor.yml) | > Note: Using an external plugin means you trust its author diff --git a/docs/all_linters.md b/docs/all_linters.md index ca74bdb804f..534d7364fbb 100644 --- a/docs/all_linters.md +++ b/docs/all_linters.md 
@@ -42,7 +42,7 @@ | [**gitleaks**](https://github.com/gitleaks/gitleaks){target=_blank} | 8.24.3 | [MIT](licenses/gitleaks.md) | [![GitHub stars](https://img.shields.io/github/stars/gitleaks/gitleaks?cacheSeconds=3600)](https://github.com/gitleaks/gitleaks){target=_blank} | [REPOSITORY](descriptors/repository_gitleaks.md) | :white_circle: | [Repository](https://github.com/gitleaks/gitleaks){target=_blank} | | [**golangci-lint**](https://github.com/golangci/golangci-lint){target=_blank} | 1.64.8 | [GPL-3.0](licenses/golangci-lint.md) | [![GitHub stars](https://img.shields.io/github/stars/golangci/golangci-lint?cacheSeconds=3600)](https://github.com/golangci/golangci-lint){target=_blank} | [GO](descriptors/go_golangci_lint.md) | :white_circle: | [Repository](https://github.com/golangci/golangci-lint){target=_blank} | | [**graphql-schema-linter**](https://github.com/cjoudrey/graphql-schema-linter){target=_blank} | 3.0.1 | [MIT](licenses/graphql-schema-linter.md) | [![GitHub stars](https://img.shields.io/github/stars/cjoudrey/graphql-schema-linter?cacheSeconds=3600)](https://github.com/cjoudrey/graphql-schema-linter){target=_blank} | [GRAPHQL](descriptors/graphql_graphql_schema_linter.md) | :hammer_and_wrench: | [Pull Request](https://github.com/cjoudrey/graphql-schema-linter/pull/272){target=_blank} | -| [**grype**](https://github.com/anchore/grype){target=_blank} | 0.91.0 | [Apache-2.0](licenses/grype.md) | [![GitHub stars](https://img.shields.io/github/stars/anchore/grype?cacheSeconds=3600)](https://github.com/anchore/grype){target=_blank} | [REPOSITORY](descriptors/repository_grype.md) | :white_circle: | [Repository](https://github.com/anchore/grype){target=_blank} | +| [**grype**](https://github.com/anchore/grype){target=_blank} | 0.91.2 | [Apache-2.0](licenses/grype.md) | [![GitHub stars](https://img.shields.io/github/stars/anchore/grype?cacheSeconds=3600)](https://github.com/anchore/grype){target=_blank} | [REPOSITORY](descriptors/repository_grype.md) | 
:white_circle: | [Repository](https://github.com/anchore/grype){target=_blank} | | [**hadolint**](https://github.com/hadolint/hadolint){target=_blank} | 2.12.0 | [GPL-3.0](licenses/hadolint.md) | [![GitHub stars](https://img.shields.io/github/stars/hadolint/hadolint?cacheSeconds=3600)](https://github.com/hadolint/hadolint){target=_blank} | [DOCKERFILE](descriptors/dockerfile_hadolint.md) | :heart: | [MegaLinter reference](https://github.com/hadolint/hadolint/blob/master/docs/INTEGRATION.md#mega-linter){target=_blank} | | [**helm**](https://github.com/helm/helm){target=_blank} | 3.16.3 | [Apache-2.0](licenses/helm.md) | [![GitHub stars](https://img.shields.io/github/stars/helm/helm?cacheSeconds=3600)](https://github.com/helm/helm){target=_blank} | [KUBERNETES](descriptors/kubernetes_helm.md) | :white_circle: | [Repository](https://github.com/helm/helm){target=_blank} | | [**htmlhint**](https://github.com/htmlhint/HTMLHint){target=_blank} | 1.1.4 | [MIT](licenses/htmlhint.md) | [![GitHub stars](https://img.shields.io/github/stars/htmlhint/HTMLHint?cacheSeconds=3600)](https://github.com/htmlhint/HTMLHint){target=_blank} | [HTML](descriptors/html_htmlhint.md) | :heart: | [MegaLinter reference](https://htmlhint.com/docs/user-guide/integrations/task-runner){target=_blank} | 
@@ -106,7 +106,7 @@ | [**stylelint**](https://github.com/stylelint/stylelint){target=_blank} | 16.19.0 | [MIT](licenses/stylelint.md) | [![GitHub stars](https://img.shields.io/github/stars/stylelint/stylelint?cacheSeconds=3600)](https://github.com/stylelint/stylelint){target=_blank} | [CSS](descriptors/css_stylelint.md) | :white_circle: | [Repository](https://github.com/stylelint/stylelint){target=_blank} | | [**stylua**](https://github.com/JohnnyMorganz/StyLua){target=_blank} | 2.0.0 | [MPL-2.0](licenses/stylua.md) | [![GitHub stars](https://img.shields.io/github/stars/JohnnyMorganz/StyLua?cacheSeconds=3600)](https://github.com/JohnnyMorganz/StyLua){target=_blank} | [LUA](descriptors/lua_stylua.md) | :no_entry_sign: | [Repository](https://github.com/JohnnyMorganz/StyLua){target=_blank} | | [**swiftlint**](https://github.com/realm/SwiftLint){target=_blank} | 0.59.1 | [MIT](licenses/swiftlint.md) | [![GitHub stars](https://img.shields.io/github/stars/realm/SwiftLint?cacheSeconds=3600)](https://github.com/realm/SwiftLint){target=_blank} | [SWIFT](descriptors/swift_swiftlint.md) | :white_circle: | [Repository](https://github.com/realm/SwiftLint){target=_blank} | -| [**syft**](https://github.com/anchore/syft){target=_blank} | 1.22.0 | [Apache-2.0](licenses/syft.md) | [![GitHub stars](https://img.shields.io/github/stars/anchore/syft?cacheSeconds=3600)](https://github.com/anchore/syft){target=_blank} | [REPOSITORY](descriptors/repository_syft.md) | :white_circle: | [Repository](https://github.com/anchore/syft){target=_blank} | +| [**syft**](https://github.com/anchore/syft){target=_blank} | 1.23.1 | [Apache-2.0](licenses/syft.md) | [![GitHub stars](https://img.shields.io/github/stars/anchore/syft?cacheSeconds=3600)](https://github.com/anchore/syft){target=_blank} | [REPOSITORY](descriptors/repository_syft.md) | :white_circle: | [Repository](https://github.com/anchore/syft){target=_blank} | | [**tekton-lint**](https://github.com/IBM/tekton-lint){target=_blank} | 1.1.0 | 
[Apache-2.0](licenses/tekton-lint.md) | [![GitHub stars](https://img.shields.io/github/stars/IBM/tekton-lint?cacheSeconds=3600)](https://github.com/IBM/tekton-lint){target=_blank} | [TEKTON](descriptors/tekton_tekton_lint.md) | :white_circle: | [Repository](https://github.com/IBM/tekton-lint){target=_blank} | | [**terraform-fmt**](https://github.com/hashicorp/terraform){target=_blank} | 1.11.4 | [MPL-2.0](licenses/terraform-fmt.md) | [![GitHub stars](https://img.shields.io/github/stars/hashicorp/terraform?cacheSeconds=3600)](https://github.com/hashicorp/terraform){target=_blank} | [TERRAFORM](descriptors/terraform_terraform_fmt.md) | :white_circle: | [Repository](https://github.com/hashicorp/terraform){target=_blank} | | [**terragrunt**](https://github.com/gruntwork-io/terragrunt){target=_blank} | 0.77.20 | [MIT](licenses/terragrunt.md) | [![GitHub stars](https://img.shields.io/github/stars/gruntwork-io/terragrunt?cacheSeconds=3600)](https://github.com/gruntwork-io/terragrunt){target=_blank} | [TERRAFORM](descriptors/terraform_terragrunt.md) | :white_circle: | [Repository](https://github.com/gruntwork-io/terragrunt){target=_blank} | diff --git a/docs/descriptors/json_eslint_plugin_jsonc.md b/docs/descriptors/json_eslint_plugin_jsonc.md index 39096f1f991..e07ba0fca8b 100644 --- a/docs/descriptors/json_eslint_plugin_jsonc.md +++ b/docs/descriptors/json_eslint_plugin_jsonc.md @@ -15,7 +15,7 @@ description: How to use eslint-plugin-jsonc (configure, ignore files, ignore err _This linter has been disabled in this version_ -_Disabled reason: Bug in eslint-plugin-jsonc: _ +_Disabled reason: Bug in eslint-plugin-jsonc: https://github.com/ota-meshi/eslint-plugin-jsonc/issues/328_ **eslint-plugin-jsonc** uses eslint to lint [**json**](https://www.json.org/), [**jsonc**](https://github.com/microsoft/node-jsonc-parser) and [**json5**](https://json5.org/) (extended JSON with comments & more). 
diff --git a/docs/descriptors/makefile_checkmake.md b/docs/descriptors/makefile_checkmake.md index d452da9f744..a5ba292c6ba 100644 --- a/docs/descriptors/makefile_checkmake.md +++ b/docs/descriptors/makefile_checkmake.md @@ -9,7 +9,7 @@ description: How to use checkmake (configure, ignore files, ignore errors, help _This linter has been disabled in this version_ -_Disabled reason: Security issues: _ +_Disabled reason: Security issues: https://github.com/mrtazz/checkmake/issues/99_ ## checkmake documentation diff --git a/docs/descriptors/markdown_remark_lint.md b/docs/descriptors/markdown_remark_lint.md index e4c769a85ae..5a01956700b 100644 --- a/docs/descriptors/markdown_remark_lint.md +++ b/docs/descriptors/markdown_remark_lint.md @@ -9,7 +9,7 @@ description: How to use remark-lint (configure, ignore files, ignore errors, hel _This linter has been disabled in this version_ -_Disabled reason: Bug in remark-lint: _ +_Disabled reason: Bug in remark-lint: https://github.com/remarkjs/remark-lint/issues/322_ ## remark-lint documentation diff --git a/docs/descriptors/repository_checkov.md b/docs/descriptors/repository_checkov.md index 78fcb1880a5..72d0ee5f93b 100644 --- a/docs/descriptors/repository_checkov.md +++ b/docs/descriptors/repository_checkov.md @@ -135,7 +135,7 @@ usage: checkov [-h] [-v] [--support] [-d DIRECTORY] [--add-check] [--secrets-scan-file-type SECRETS_SCAN_FILE_TYPE] [--enable-secret-scan-all-files] [--block-list-secret-scan BLOCK_LIST_SECRET_SCAN] - [--summary-position {top,bottom}] + [--summary-position {bottom,top}] [--skip-resources-without-violations] [--deep-analysis] [--no-fail-on-crash] [--mask MASK] [--scan-secrets-history] [--secrets-history-timeout SECRETS_HISTORY_TIMEOUT] 
@@ -450,7 +450,7 @@ options: --block-list-secret-scan BLOCK_LIST_SECRET_SCAN List of files to filter out from the secret scanner [env var: CKV_SECRETS_SCAN_BLOCK_LIST] - --summary-position {top,bottom} + --summary-position {bottom,top} Chose whether the summary will be appended on top (before the checks results) or on bottom (after check results), default is on top. diff --git a/docs/descriptors/repository_grype.md b/docs/descriptors/repository_grype.md index 3867a3bd3e7..2c6bce610e8 100644 --- a/docs/descriptors/repository_grype.md +++ b/docs/descriptors/repository_grype.md @@ -15,7 +15,7 @@ description: How to use grype (configure, ignore files, ignore errors, help & ve ## grype documentation -- Version in MegaLinter: **0.91.0** +- Version in MegaLinter: **0.91.2** - Visit [Official Web Site](https://github.com/anchore/grype#readme){target=_blank} - See [How to configure grype rules](https://github.com/anchore/grype#configuration){target=_blank} - If custom `.grype.yaml` config file isn't found, [.grype.yaml](https://github.com/oxsecurity/megalinter/tree/main/TEMPLATES/.grype.yaml){target=_blank} will be used diff --git a/docs/descriptors/repository_syft.md b/docs/descriptors/repository_syft.md index 0b384421ee4..01ca0becb48 100644 --- a/docs/descriptors/repository_syft.md +++ b/docs/descriptors/repository_syft.md @@ -17,7 +17,7 @@ Builds a SBOM (Software Build Of Materials) from your repository ## syft documentation -- Version in MegaLinter: **1.22.0** +- Version in MegaLinter: **1.23.1** - Visit [Official Web Site](https://github.com/anchore/syft#readme){target=_blank} [![syft - GitHub](https://gh-card.dev/repos/anchore/syft.svg?fullname=)](https://github.com/anchore/syft){target=_blank} diff --git a/docs/descriptors/snakemake_snakemake.md b/docs/descriptors/snakemake_snakemake.md index 70a0eec3dff..aa27984ca91 100644 --- a/docs/descriptors/snakemake_snakemake.md +++ b/docs/descriptors/snakemake_snakemake.md 
@@ -15,7 +15,7 @@ description: How to use snakemake (configure, ignore files, ignore errors, help _This linter has been disabled in this version_ -_Disabled reason: Dependency datrie not maintained, and issue open in snakemake repo since july - _ +_Disabled reason: Dependency datrie not maintained, and issue open in snakemake repo since july - https://github.com/snakemake/snakemake/issues/2970_ ## snakemake documentation diff --git a/docs/descriptors/xml_xmllint.md b/docs/descriptors/xml_xmllint.md index 3c17a088959..4a5f80ab268 100644 --- a/docs/descriptors/xml_xmllint.md +++ b/docs/descriptors/xml_xmllint.md @@ -25,7 +25,7 @@ To apply file formatting you must set `XML_XMLLINT_CLI_LINT_MODE: file` and `XML | Variable | Description | Default value | |-----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------| | XML_XMLLINT_AUTOFORMAT | If set to `true`, it will reformat and reindent the output | `false` | -| XML_XMLLINT_INDENT | The number of indentation spaces when `XML_XMLLINT_AUTOFORMAT` is `true` | `` | +| XML_XMLLINT_INDENT | The number of indentation spaces when `XML_XMLLINT_AUTOFORMAT` is `true` | ` ` | | XML_XMLLINT_ARGUMENTS | User custom arguments to add in linter CLI call
Ex: `-s --foo "bar"` | | | XML_XMLLINT_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter
Ex: `-s --foo "bar"` | | | XML_XMLLINT_FILTER_REGEX_INCLUDE | Custom regex including filter
Ex: `(src\|lib)` | Include every file | diff --git a/docs/plugins.md b/docs/plugins.md index f7c30710a05..617f32911c8 100644 --- a/docs/plugins.md +++ b/docs/plugins.md @@ -25,6 +25,7 @@ But our core architecture allows to build and publish MegaLinter Plugins ! | [**docker-compose-linter**](https://github.com/wesley-dean/mega-linter-plugin-dclint/blob/main/README.md) | Plugin to lint docker-compose files | [Wesley Dean](https://github.com/wesley-dean) | [Descriptor](https://github.com/wesley-dean/mega-linter-plugin-dclint/blob/main/mega-linter-plugin-dclint/dclint.megalinter-descriptor.yml) | | [**repolinter**](https://github.com/wesley-dean/mega-linter-plugin-repolinter/blob/main/README.md) | Plugin to run TODO Group's repolinter to look for repository best practices | [Wesley Dean](https://github.com/wesley-dean) | [Descriptor](https://github.com/wesley-dean/mega-linter-plugin-repolinter/blob/main/mega-linter-plugin-repolinter/repolinter.megalinter-descriptor.yml) | | [**j2lint**](https://github.com/wesley-dean/mega-linter-plugin-j2lint/blob/main/README.md) | Plugin to lint Jinja2 files | [Wesley Dean](https://github.com/wesley-dean) | [Descriptor](https://github.com/wesley-dean/mega-linter-plugin-j2lint/blob/main/mega-linter-plugin-j2lint/j2lint.megalinter-descriptor.yml) | +| [**fmlint**](https://github.com/wesley-dean/mega-linter-plugin-fmlint/blob/main/README.md) | Plugin to lint YAML frontmatter in Markdown documents | [Wesley Dean](https://github.com/wesley-dean) | [Descriptor](https://github.com/wesley-dean/mega-linter-plugin-fmlint/blob/main/mega-linter-plugin-fmlint/fmlint.megalinter-descriptor.yml) | > Note: Using an external plugin means you trust its author diff --git a/docs/used-by-stats.md b/docs/used-by-stats.md index da21b52e0e4..5dfcf4ea76f 100644 --- a/docs/used-by-stats.md +++ b/docs/used-by-stats.md 
@@ -1,29 +1,29 @@ # Dependents stats for oxsecurity/megalinter -[![Generated by github-dependents-info](https://img.shields.io/static/v1?label=Used%20by&message=2915&color=informational&logo=slickpic)](https://github.com/oxsecurity/megalinter/network/dependents) -[![Generated by github-dependents-info](https://img.shields.io/static/v1?label=Used%20by%20(public)&message=2915&color=informational&logo=slickpic)](https://github.com/oxsecurity/megalinter/network/dependents) -[![Generated by github-dependents-info](https://img.shields.io/static/v1?label=Used%20by%20(private)&message=-2915&color=informational&logo=slickpic)](https://github.com/oxsecurity/megalinter/network/dependents) -[![Generated by github-dependents-info](https://img.shields.io/static/v1?label=Used%20by%20(stars)&message=94529&color=informational&logo=slickpic)](https://github.com/oxsecurity/megalinter/network/dependents) +[![Generated by github-dependents-info](https://img.shields.io/static/v1?label=Used%20by&message=2916&color=informational&logo=slickpic)](https://github.com/oxsecurity/megalinter/network/dependents) +[![Generated by github-dependents-info](https://img.shields.io/static/v1?label=Used%20by%20(public)&message=2916&color=informational&logo=slickpic)](https://github.com/oxsecurity/megalinter/network/dependents) +[![Generated by github-dependents-info](https://img.shields.io/static/v1?label=Used%20by%20(private)&message=-2916&color=informational&logo=slickpic)](https://github.com/oxsecurity/megalinter/network/dependents) +[![Generated by github-dependents-info](https://img.shields.io/static/v1?label=Used%20by%20(stars)&message=94598&color=informational&logo=slickpic)](https://github.com/oxsecurity/megalinter/network/dependents) | Repository | Stars | 
|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------:| -|   [nektos](https://github.com/nektos) / [act](https://github.com/nektos/act) | 60114 | -|   [PRQL](https://github.com/PRQL) / [prql](https://github.com/PRQL/prql) | 10217 | -|   [IlanCosman](https://github.com/IlanCosman) / [tide](https://github.com/IlanCosman/tide) | 3368 | -|   [privacyguides](https://github.com/privacyguides) / [privacyguides.org](https://github.com/privacyguides/privacyguides.org) | 3224 | -|   [stepancheg](https://github.com/stepancheg) / [rust-protobuf](https://github.com/stepancheg/rust-protobuf) | 2886 | -|   [ever-co](https://github.com/ever-co) / [ever-gauzy](https://github.com/ever-co/ever-gauzy) | 2582 | -|   [PowerDNS-Admin](https://github.com/PowerDNS-Admin) / [PowerDNS-Admin](https://github.com/PowerDNS-Admin/PowerDNS-Admin) | 2572 | -|   [microsoft](https://github.com/microsoft) / [code-with-engineering-playbook](https://github.com/microsoft/code-with-engineering-playbook) | 2410 | -|   [meichthys](https://github.com/meichthys) / [foss_photo_libraries](https://github.com/meichthys/foss_photo_libraries) | 2328 | +|   [nektos](https://github.com/nektos) / [act](https://github.com/nektos/act) | 60176 | +|   [PRQL](https://github.com/PRQL) / [prql](https://github.com/PRQL/prql) | 10228 | +|   [IlanCosman](https://github.com/IlanCosman) / [tide](https://github.com/IlanCosman/tide) | 3367 | +|   [privacyguides](https://github.com/privacyguides) / [privacyguides.org](https://github.com/privacyguides/privacyguides.org) | 3228 | +|   [stepancheg](https://github.com/stepancheg) / [rust-protobuf](https://github.com/stepancheg/rust-protobuf) | 2888 | +|   
[ever-co](https://github.com/ever-co) / [ever-gauzy](https://github.com/ever-co/ever-gauzy) | 2586 | +|   [PowerDNS-Admin](https://github.com/PowerDNS-Admin) / [PowerDNS-Admin](https://github.com/PowerDNS-Admin/PowerDNS-Admin) | 2573 | +|   [microsoft](https://github.com/microsoft) / [code-with-engineering-playbook](https://github.com/microsoft/code-with-engineering-playbook) | 2411 | +|   [meichthys](https://github.com/meichthys) / [foss_photo_libraries](https://github.com/meichthys/foss_photo_libraries) | 2332 | |   [oxsecurity](https://github.com/oxsecurity) / [megalinter](https://github.com/oxsecurity/megalinter) | 2119 | -|   [cisagov](https://github.com/cisagov) / [ScubaGear](https://github.com/cisagov/ScubaGear) | 2099 | -|   [Romanitho](https://github.com/Romanitho) / [Winget-AutoUpdate](https://github.com/Romanitho/Winget-AutoUpdate) | 1433 | +|   [cisagov](https://github.com/cisagov) / [ScubaGear](https://github.com/cisagov/ScubaGear) | 2100 | +|   [Romanitho](https://github.com/Romanitho) / [Winget-AutoUpdate](https://github.com/Romanitho/Winget-AutoUpdate) | 1438 | |   [jakehildreth](https://github.com/jakehildreth) / [Locksmith](https://github.com/jakehildreth/Locksmith) | 1091 | |   [unixorn](https://github.com/unixorn) / [git-extra-commands](https://github.com/unixorn/git-extra-commands) | 1054 | -|   [secureCodeBox](https://github.com/secureCodeBox) / [secureCodeBox](https://github.com/secureCodeBox/secureCodeBox) | 882 | +|   [secureCodeBox](https://github.com/secureCodeBox) / [secureCodeBox](https://github.com/secureCodeBox/secureCodeBox) | 883 | |   [unixorn](https://github.com/unixorn) / [zsh-quickstart-kit](https://github.com/unixorn/zsh-quickstart-kit) | 819 | -|   [ministryofjustice](https://github.com/ministryofjustice) / [modernisation-platform](https://github.com/ministryofjustice/modernisation-platform) | 698 | +|   [ministryofjustice](https://github.com/ministryofjustice) / 
[modernisation-platform](https://github.com/ministryofjustice/modernisation-platform) | 697 | |   [awslabs](https://github.com/awslabs) / [aws-deployment-framework](https://github.com/awslabs/aws-deployment-framework) | 676 | |   [cattle-ops](https://github.com/cattle-ops) / [terraform-aws-gitlab-runner](https://github.com/cattle-ops/terraform-aws-gitlab-runner) | 601 | |   [practicalli](https://github.com/practicalli) / [clojure-cli-config](https://github.com/practicalli/clojure-cli-config) | 540 | 
@@ -31,32 +31,32 @@ |   [scolladon](https://github.com/scolladon) / [sfdx-git-delta](https://github.com/scolladon/sfdx-git-delta) | 476 | |   [ruzickap](https://github.com/ruzickap) / [packer-templates](https://github.com/ruzickap/packer-templates) | 451 | |   [leosuncin](https://github.com/leosuncin) / [nest-auth-example](https://github.com/leosuncin/nest-auth-example) | 438 | +|   [co-browser](https://github.com/co-browser) / [browser-use-mcp-server](https://github.com/co-browser/browser-use-mcp-server) | 382 | |   [llaville](https://github.com/llaville) / [php-compatinfo](https://github.com/llaville/php-compatinfo) | 381 | -|   [co-browser](https://github.com/co-browser) / [browser-use-mcp-server](https://github.com/co-browser/browser-use-mcp-server) | 374 | |   [Boeing](https://github.com/Boeing) / [config-file-validator](https://github.com/Boeing/config-file-validator) | 371 | |   [OCSInventory-NG](https://github.com/OCSInventory-NG) / [OCSInventory-Server](https://github.com/OCSInventory-NG/OCSInventory-Server) | 369 | |   [brettdottech](https://github.com/brettdottech) / [info-orbs](https://github.com/brettdottech/info-orbs) | 361 | |   [ahmadnassri](https://github.com/ahmadnassri) / [action-dependabot-auto-merge](https://github.com/ahmadnassri/action-dependabot-auto-merge) | 348 | |   [unixorn](https://github.com/unixorn) / [fzf-zsh-plugin](https://github.com/unixorn/fzf-zsh-plugin) | 347 | |   [toboshii](https://github.com/toboshii) / [home-ops](https://github.com/toboshii/home-ops) | 341 | -|   [carpenike](https://github.com/carpenike) / [k8s-gitops](https://github.com/carpenike/k8s-gitops) | 270 | +|   [carpenike](https://github.com/carpenike) / [k8s-gitops](https://github.com/carpenike/k8s-gitops) | 271 | |   [NationalSecurityAgency](https://github.com/NationalSecurityAgency) / [emissary](https://github.com/NationalSecurityAgency/emissary) | 257 | -|   [github](https://github.com/github) / [local-action](https://github.com/github/local-action) | 252 | 
+|   [github](https://github.com/github) / [local-action](https://github.com/github/local-action) | 256 | |   [hardisgroupcom](https://github.com/hardisgroupcom) / [sfdx-hardis](https://github.com/hardisgroupcom/sfdx-hardis) | 248 | -|   [OCSInventory-NG](https://github.com/OCSInventory-NG) / [OCSInventory-ocsreports](https://github.com/OCSInventory-NG/OCSInventory-ocsreports) | 239 | +|   [OCSInventory-NG](https://github.com/OCSInventory-NG) / [OCSInventory-ocsreports](https://github.com/OCSInventory-NG/OCSInventory-ocsreports) | 240 | |   [Luzkan](https://github.com/Luzkan) / [smells](https://github.com/Luzkan/smells) | 237 | |   [IQEngine](https://github.com/IQEngine) / [IQEngine](https://github.com/IQEngine/IQEngine) | 237 | |   [brettinternet](https://github.com/brettinternet) / [homeops](https://github.com/brettinternet/homeops) | 229 | -|   [bevyengine](https://github.com/bevyengine) / [bevy-website](https://github.com/bevyengine/bevy-website) | 223 | +|   [bevyengine](https://github.com/bevyengine) / [bevy-website](https://github.com/bevyengine/bevy-website) | 224 | |   [orangekame3](https://github.com/orangekame3) / [paclear](https://github.com/orangekame3/paclear) | 223 | |   [nvuillam](https://github.com/nvuillam) / [npm-groovy-lint](https://github.com/nvuillam/npm-groovy-lint) | 219 | |   [philips-software](https://github.com/philips-software) / [amp-embedded-infra-lib](https://github.com/philips-software/amp-embedded-infra-lib) | 216 | |   [Uninett](https://github.com/Uninett) / [nav](https://github.com/Uninett/nav) | 205 | |   [T145](https://github.com/T145) / [black-mirror](https://github.com/T145/black-mirror) | 202 | |   [eth-protocol-fellows](https://github.com/eth-protocol-fellows) / [cohort-four](https://github.com/eth-protocol-fellows/cohort-four) | 202 | -|   [pantheon-systems](https://github.com/pantheon-systems) / [documentation](https://github.com/pantheon-systems/documentation) | 198 | +|   
[pantheon-systems](https://github.com/pantheon-systems) / [documentation](https://github.com/pantheon-systems/documentation) | 199 | +|   [microsoft](https://github.com/microsoft) / [symphony](https://github.com/microsoft/symphony) | 197 | |   [apigee](https://github.com/apigee) / [devrel](https://github.com/apigee/devrel) | 196 | -|   [microsoft](https://github.com/microsoft) / [symphony](https://github.com/microsoft/symphony) | 196 | |   [newrelic](https://github.com/newrelic) / [newrelic-python-agent](https://github.com/newrelic/newrelic-python-agent) | 194 | |   [unixorn](https://github.com/unixorn) / [tumult.plugin.zsh](https://github.com/unixorn/tumult.plugin.zsh) | 191 | |   [davidB](https://github.com/davidB) / [tracing-opentelemetry-instrumentation-sdk](https://github.com/davidB/tracing-opentelemetry-instrumentation-sdk) | 181 | @@ -69,7 +69,7 @@ |   [ishioni](https://github.com/ishioni) / [homelab-ops](https://github.com/ishioni/homelab-ops) | 130 | |   [nvuillam](https://github.com/nvuillam) / [github-dependents-info](https://github.com/nvuillam/github-dependents-info) | 128 | |   [unixorn](https://github.com/unixorn) / [lima-xbar-plugin](https://github.com/unixorn/lima-xbar-plugin) | 123 | -|   [leosuncin](https://github.com/leosuncin) / [nest-api-example](https://github.com/leosuncin/nest-api-example) | 120 | +|   [leosuncin](https://github.com/leosuncin) / [nest-api-example](https://github.com/leosuncin/nest-api-example) | 121 | |   [unixorn](https://github.com/unixorn) / [ha-mqtt-discoverable](https://github.com/unixorn/ha-mqtt-discoverable) | 119 | |   [philips-software](https://github.com/philips-software) / [amp-devcontainer](https://github.com/philips-software/amp-devcontainer) | 117 | |   [practicalli](https://github.com/practicalli) / [spacemacs](https://github.com/practicalli/spacemacs) | 112 | 
@@ -106,9 +106,9 @@ |   [langgenius](https://github.com/langgenius) / [dify-plugin-sdks](https://github.com/langgenius/dify-plugin-sdks) | 52 | |   [hardisgroupcom](https://github.com/hardisgroupcom) / [vscode-sfdx-hardis](https://github.com/hardisgroupcom/vscode-sfdx-hardis) | 51 | |   [leeter](https://github.com/leeter) / [WinMTR-refresh](https://github.com/leeter/WinMTR-refresh) | 51 | +|   [ZEISS](https://github.com/ZEISS) / [libczi](https://github.com/ZEISS/libczi) | 51 | |   [quackduck](https://github.com/quackduck) / [cool](https://github.com/quackduck/cool) | 50 | |   [PowerDNS-Admin](https://github.com/PowerDNS-Admin) / [pda-next](https://github.com/PowerDNS-Admin/pda-next) | 50 | -|   [ZEISS](https://github.com/ZEISS) / [libczi](https://github.com/ZEISS/libczi) | 50 | |   [AliceO2Group](https://github.com/AliceO2Group) / [O2Physics](https://github.com/AliceO2Group/O2Physics) | 49 | |   [stepancheg](https://github.com/stepancheg) / [rust-tls-api](https://github.com/stepancheg/rust-tls-api) | 49 | |   [cdzombak](https://github.com/cdzombak) / [pi-fm-player](https://github.com/cdzombak/pi-fm-player) | 49 | 
@@ -149,7 +149,7 @@ |   [KristjanESPERANTO](https://github.com/KristjanESPERANTO) / [MMM-PublicTransportHafas](https://github.com/KristjanESPERANTO/MMM-PublicTransportHafas) | 29 | |   [nvuillam](https://github.com/nvuillam) / [markdown-table-formatter](https://github.com/nvuillam/markdown-table-formatter) | 29 | |   [unixorn](https://github.com/unixorn) / [docker-helpers.zshplugin](https://github.com/unixorn/docker-helpers.zshplugin) | 29 | -|   [meichthys](https://github.com/meichthys) / [foss_note_apps](https://github.com/meichthys/foss_note_apps) | 28 | +|   [meichthys](https://github.com/meichthys) / [foss_note_apps](https://github.com/meichthys/foss_note_apps) | 29 | |   [arbitraryexecution](https://github.com/arbitraryexecution) / [forta-bot-templates](https://github.com/arbitraryexecution/forta-bot-templates) | 27 | |   [rwaltr](https://github.com/rwaltr) / [home-ops](https://github.com/rwaltr/home-ops) | 27 | |   [MagicMirrorOrg](https://github.com/MagicMirrorOrg) / [MagicMirror-3rd-Party-Modules](https://github.com/MagicMirrorOrg/MagicMirror-3rd-Party-Modules) | 26 | 
@@ -181,13 +181,13 @@ |   [xoap-io](https://github.com/xoap-io) / [xoap-uberagent-kibana-dashboards](https://github.com/xoap-io/xoap-uberagent-kibana-dashboards) | 19 | |   [tvories](https://github.com/tvories) / [k8s-gitops](https://github.com/tvories/k8s-gitops) | 19 | |   [cdzombak](https://github.com/cdzombak) / [ecobee_influx_connector](https://github.com/cdzombak/ecobee_influx_connector) | 19 | +|   [tomorrow-one](https://github.com/tomorrow-one) / [transactional-outbox](https://github.com/tomorrow-one/transactional-outbox) | 19 | |   [camaraproject](https://github.com/camaraproject) / [EdgeCloud](https://github.com/camaraproject/EdgeCloud) | 19 | |   [ahmadnassri](https://github.com/ahmadnassri) / [node-metalsmith-paths](https://github.com/ahmadnassri/node-metalsmith-paths) | 19 | |   [ruzickap](https://github.com/ruzickap) / [action-my-markdown-link-checker](https://github.com/ruzickap/action-my-markdown-link-checker) | 18 | |   [janderssonse](https://github.com/janderssonse) / [gradle-versions-filter-plugin](https://github.com/janderssonse/gradle-versions-filter-plugin) | 18 | |   [victory-sokolov](https://github.com/victory-sokolov) / [dotfiles](https://github.com/victory-sokolov/dotfiles) | 18 | |   [ruzickap](https://github.com/ruzickap) / [ansible-role-proxy_settings](https://github.com/ruzickap/ansible-role-proxy_settings) | 18 | -|   [tomorrow-one](https://github.com/tomorrow-one) / [transactional-outbox](https://github.com/tomorrow-one/transactional-outbox) | 18 | |   [gwarf](https://github.com/gwarf) / [dotfiles](https://github.com/gwarf/dotfiles) | 18 | |   [camaraproject](https://github.com/camaraproject) / [NumberVerification](https://github.com/camaraproject/NumberVerification) | 18 | |   [ahmadnassri](https://github.com/ahmadnassri) / [node-metalsmith-imagemin](https://github.com/ahmadnassri/node-metalsmith-imagemin) | 18 | 
@@ -258,6 +258,7 @@ |   [philips-software](https://github.com/philips-software) / [amp-cucumber-cpp-runner](https://github.com/philips-software/amp-cucumber-cpp-runner) | 11 | |   [argoproj-labs](https://github.com/argoproj-labs) / [training-material](https://github.com/argoproj-labs/training-material) | 11 | |   [bjw-s](https://github.com/bjw-s) / [pmb](https://github.com/bjw-s/pmb) | 11 | +|   [camaraproject](https://github.com/camaraproject) / [OTPValidation](https://github.com/camaraproject/OTPValidation) | 11 | |   [ahmadnassri](https://github.com/ahmadnassri) / [action-template-repository-sync](https://github.com/ahmadnassri/action-template-repository-sync) | 11 | |   [curedao](https://github.com/curedao) / [docs](https://github.com/curedao/docs) | 10 | |   [hyperledger-identus](https://github.com/hyperledger-identus) / [sdk-swift](https://github.com/hyperledger-identus/sdk-swift) | 10 | @@ -270,7 +271,6 @@ |   [cdzombak](https://github.com/cdzombak) / [nut_influx_connector](https://github.com/cdzombak/nut_influx_connector) | 10 | |   [jokay](https://github.com/jokay) / [docker-prune](https://github.com/jokay/docker-prune) | 10 | |   [chgl](https://github.com/chgl) / [charts](https://github.com/chgl/charts) | 10 | -|   [camaraproject](https://github.com/camaraproject) / [OTPValidation](https://github.com/camaraproject/OTPValidation) | 10 | |   [scolladon](https://github.com/scolladon) / [apex-mutation-testing](https://github.com/scolladon/apex-mutation-testing) | 10 | |   [dysonltd](https://github.com/dysonltd) / [commitment-issues](https://github.com/dysonltd/commitment-issues) | 10 | |   [dysonltd](https://github.com/dysonltd) / [tmag5273](https://github.com/dysonltd/tmag5273) | 10 | 
@@ -1558,8 +1558,8 @@ |   [rciam](https://github.com/rciam) / [simplesamlphp-module-assurance](https://github.com/rciam/simplesamlphp-module-assurance) | 0 | |   [rciam](https://github.com/rciam) / [simplesamlphp-module-userid](https://github.com/rciam/simplesamlphp-module-userid) | 0 | |   [Teasel-Ian](https://github.com/Teasel-Ian) / [terraform](https://github.com/Teasel-Ian/terraform) | 0 | +|   [mauries-lopez](https://github.com/mauries-lopez) / [Personal-Web-Portfolio](https://github.com/mauries-lopez/Personal-Web-Portfolio) | 0 | |   [TJC-Tools](https://github.com/TJC-Tools) / [TJC.StateMachine](https://github.com/TJC-Tools/TJC.StateMachine) | 0 | -|   [LyiZri](https://github.com/LyiZri) / [demcp_browser_use](https://github.com/LyiZri/demcp_browser_use) | 0 | |   [MCP-Mirror](https://github.com/MCP-Mirror) / [co-browser_browser-use-mcp-server](https://github.com/MCP-Mirror/co-browser_browser-use-mcp-server) | 0 | |   [mitchell-gottlieb](https://github.com/mitchell-gottlieb) / [pyquations](https://github.com/mitchell-gottlieb/pyquations) | 0 | |   [ONSdigital](https://github.com/ONSdigital) / [eq-cir-management-ui](https://github.com/ONSdigital/eq-cir-management-ui) | 0 | 
@@ -2581,6 +2581,7 @@ |   [wesley-dean](https://github.com/wesley-dean) / [mega-linter-plugin-repolinter](https://github.com/wesley-dean/mega-linter-plugin-repolinter) | 0 | |   [metabsd](https://github.com/metabsd) / [toolbox-container](https://github.com/metabsd/toolbox-container) | 0 | |   [Jayllyz](https://github.com/Jayllyz) / [dockerize-project](https://github.com/Jayllyz/dockerize-project) | 0 | +|   [techtales-io](https://github.com/techtales-io) / [terraform-minio](https://github.com/techtales-io/terraform-minio) | 0 | |   [techtales-io](https://github.com/techtales-io) / [terraform-opnsense](https://github.com/techtales-io/terraform-opnsense) | 0 | |   [AhmadHamada1](https://github.com/AhmadHamada1) / [terraform-azure-github-actions](https://github.com/AhmadHamada1/terraform-azure-github-actions) | 0 | |   [nanlabs](https://github.com/nanlabs) / [terraform-modules](https://github.com/nanlabs/terraform-modules) | 0 | From 6e175bca726007c594f63a3393207a40b1de3ba0 Mon Sep 17 00:00:00 2001 From: nvuillam <17500430+nvuillam@users.noreply.github.com> Date: Fri, 25 Apr 2025 22:34:05 +0000 Subject: [PATCH 02/34] [MegaLinter] Apply linters fixes --- docs/descriptors/json_eslint_plugin_jsonc.md | 2 +- docs/descriptors/makefile_checkmake.md | 2 +- docs/descriptors/markdown_remark_lint.md | 2 +- docs/descriptors/snakemake_snakemake.md | 2 +- docs/descriptors/xml_xmllint.md | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/descriptors/json_eslint_plugin_jsonc.md b/docs/descriptors/json_eslint_plugin_jsonc.md index e07ba0fca8b..39096f1f991 100644 --- a/docs/descriptors/json_eslint_plugin_jsonc.md +++ b/docs/descriptors/json_eslint_plugin_jsonc.md 
@@ -15,7 +15,7 @@ description: How to use eslint-plugin-jsonc (configure, ignore files, ignore err _This linter has been disabled in this version_ -_Disabled reason: Bug in eslint-plugin-jsonc: https://github.com/ota-meshi/eslint-plugin-jsonc/issues/328_ +_Disabled reason: Bug in eslint-plugin-jsonc: _ **eslint-plugin-jsonc** uses eslint to lint [**json**](https://www.json.org/), [**jsonc**](https://github.com/microsoft/node-jsonc-parser) and [**json5**](https://json5.org/) (extended JSON with comments & more). diff --git a/docs/descriptors/makefile_checkmake.md b/docs/descriptors/makefile_checkmake.md index a5ba292c6ba..d452da9f744 100644 --- a/docs/descriptors/makefile_checkmake.md +++ b/docs/descriptors/makefile_checkmake.md @@ -9,7 +9,7 @@ description: How to use checkmake (configure, ignore files, ignore errors, help _This linter has been disabled in this version_ -_Disabled reason: Security issues: https://github.com/mrtazz/checkmake/issues/99_ +_Disabled reason: Security issues: _ ## checkmake documentation diff --git a/docs/descriptors/markdown_remark_lint.md b/docs/descriptors/markdown_remark_lint.md index 5a01956700b..e4c769a85ae 100644 --- a/docs/descriptors/markdown_remark_lint.md +++ b/docs/descriptors/markdown_remark_lint.md @@ -9,7 +9,7 @@ description: How to use remark-lint (configure, ignore files, ignore errors, hel _This linter has been disabled in this version_ -_Disabled reason: Bug in remark-lint: https://github.com/remarkjs/remark-lint/issues/322_ +_Disabled reason: Bug in remark-lint: _ ## remark-lint documentation diff --git a/docs/descriptors/snakemake_snakemake.md b/docs/descriptors/snakemake_snakemake.md index aa27984ca91..70a0eec3dff 100644 --- a/docs/descriptors/snakemake_snakemake.md +++ b/docs/descriptors/snakemake_snakemake.md 
@@ -15,7 +15,7 @@ description: How to use snakemake (configure, ignore files, ignore errors, help _This linter has been disabled in this version_ -_Disabled reason: Dependency datrie not maintained, and issue open in snakemake repo since july - https://github.com/snakemake/snakemake/issues/2970_ +_Disabled reason: Dependency datrie not maintained, and issue open in snakemake repo since july - _ ## snakemake documentation diff --git a/docs/descriptors/xml_xmllint.md b/docs/descriptors/xml_xmllint.md index 4a5f80ab268..3c17a088959 100644 --- a/docs/descriptors/xml_xmllint.md +++ b/docs/descriptors/xml_xmllint.md @@ -25,7 +25,7 @@ To apply file formatting you must set `XML_XMLLINT_CLI_LINT_MODE: file` and `XML | Variable | Description | Default value | |-----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------| | XML_XMLLINT_AUTOFORMAT | If set to `true`, it will reformat and reindent the output | `false` | -| XML_XMLLINT_INDENT | The number of indentation spaces when `XML_XMLLINT_AUTOFORMAT` is `true` | ` ` | +| XML_XMLLINT_INDENT | The number of indentation spaces when `XML_XMLLINT_AUTOFORMAT` is `true` | `` | | XML_XMLLINT_ARGUMENTS | User custom arguments to add in linter CLI call
Ex: `-s --foo "bar"` | | | XML_XMLLINT_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter
Ex: `-s --foo "bar"` | | | XML_XMLLINT_FILTER_REGEX_INCLUDE | Custom regex including filter
Ex: `(src\|lib)` | Include every file | From 0570ea2bf698a2b6292a3dd57fadd93fc28f8f2b Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sat, 26 Apr 2025 23:12:10 +0200 Subject: [PATCH 03/34] Sanitize all linter outputs by default --- .automation/build.py | 6 +- CHANGELOG.md | 1 + megalinter/Linter.py | 8 +- .../additional/gitleaks-default.toml | 3113 +++++++++++++++++ .../repository.megalinter-descriptor.yml | 2 + megalinter/linters/RakuLinter.py | 2 +- megalinter/linters/ShellcheckLinter.py | 2 +- megalinter/logger.py | 45 + megalinter/plugin_factory.py | 2 +- megalinter/pre_post_factory.py | 2 +- .../tests/test_megalinter/filters_test.py | 2 +- .../test_megalinter/mega_linter_1_test.py | 1 + .../tests/test_megalinter/utils_test.py | 45 + megalinter/utils.py | 6 +- megalinter/utils_reporter.py | 2 +- 15 files changed, 3224 insertions(+), 15 deletions(-) create mode 100644 megalinter/descriptors/additional/gitleaks-default.toml create mode 100644 megalinter/tests/test_megalinter/utils_test.py diff --git a/.automation/build.py b/.automation/build.py index b0dda18c5f3..09b780b03aa 100644 --- a/.automation/build.py +++ b/.automation/build.py @@ -2887,8 +2887,8 @@ def collect_linter_previews(): logging.error(str(e)) if title is not None: item = { - "title": megalinter.utils.decode_utf8(title), - "description": megalinter.utils.decode_utf8(description), + "title": megalinter.utils.clean_string(title), + "description": megalinter.utils.clean_string(description), "image": image, } data[linter.linter_name] = item @@ -3378,7 +3378,7 @@ def reformat_markdown_tables(): shell=True, executable=None if sys.platform == "win32" else which("bash"), ) - stdout = utils.decode_utf8(process.stdout) + stdout = utils.clean_string(process.stdout) logging.info(f"Format table results: ({process.returncode})\n" + stdout) diff --git a/CHANGELOG.md b/CHANGELOG.md index 85b0e5c7d89..b8eb46ea209 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
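Review bot: In the collect_linter_previews hunk, `clean_string(description)` is called without the `is not None` guard that protects `title`, and whether a None description survives depends on the new helper, whose definition is not in this diff. decode_utf8 apparently tolerated it at this call site, so if clean_string adds a regex pass on top of the decode, a None description would now raise inside the preview loop; consider `"description": megalinter.utils.clean_string(description) if description is not None else None,` or stating on clean_string that None is passed through unchanged. The second hunk (reformat_markdown_tables) only logs the cleaned stdout, so the replacement is harmless there. collect_linter_previews starts outside the hunk.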
@@ -21,6 +21,7 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l - [editorconfig_checker](https://megalinter.io/latest/descriptors/editorconfig_editorconfig_checker/) Changes default EditorConfig-Checker config filename by @llaville in - Fixes + - Sanitize all linter outputs by default - Reporters diff --git a/megalinter/Linter.py b/megalinter/Linter.py index fc8f3f94afb..c7a83472fad 100644 --- a/megalinter/Linter.py +++ b/megalinter/Linter.py @@ -1059,7 +1059,7 @@ def execute_lint_command(self, command): ), ) return_code = process.returncode - return_stdout = utils.decode_utf8(process.stdout) + return_stdout = utils.clean_string(process.stdout) else: # Use full executable path if we are on Windows if sys.platform == "win32": @@ -1081,7 +1081,7 @@ def execute_lint_command(self, command): cwd=cwd, ) return_code = process.returncode - return_stdout = utils.decode_utf8(process.stdout) + return_stdout = utils.clean_string(process.stdout) except FileNotFoundError as err: return_code = 999 return_stdout = ( @@ -1198,7 +1198,7 @@ def get_linter_version_output(self): env=subprocess_env, ) return_code = process.returncode - output = utils.decode_utf8(process.stdout) + output = utils.clean_string(process.stdout) logging.debug("Linter version result: " + str(return_code) + " " + output) except FileNotFoundError: logging.warning("Unable to call command [" + " ".join(command) + "]") @@ -1246,7 +1246,7 @@ def get_linter_help(self): env=subprocess_env, ) return_code = process.returncode - output += utils.decode_utf8(process.stdout) + output += utils.clean_string(process.stdout) logging.debug("Linter help result: " + str(return_code) + " " + output) except FileNotFoundError: logging.warning("Unable to call command [" + " ".join(command) + "]") diff --git a/megalinter/descriptors/additional/gitleaks-default.toml b/megalinter/descriptors/additional/gitleaks-default.toml new file mode 100644 index 00000000000..af0a35da964 --- /dev/null 
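Review bot: In execute_lint_command the two `return_stdout = utils.clean_string(process.stdout)` lines sanitize the output before it is returned for parsing, so if clean_string rewrites content — the gitleaks-default.toml added by this commit suggests regex-based redaction — any structured output a linter writes to stdout (JSON or SARIF that a reporter later parses) may fail to parse or lose the value it was reporting. Since the helper's definition is not in this diff this is inferred from the call sites; it would be worth either keeping the decoded text for parsing and sanitizing at the logging/report boundary, or adding a comment on the first replaced line such as `# clean_string may redact matches; reporters parsing return_stdout must tolerate rewritten values` together with a test that a linter emitting a fake secret in JSON output still yields a parsable result. The same substitution in get_linter_version_output and get_linter_help only feeds logging and help text, so it is fine there. execute_lint_command's body begins and ends outside these hunks.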
+++ b/megalinter/descriptors/additional/gitleaks-default.toml 
@@ -0,0 +1,3113 @@ +# This file has been auto-generated. Do not edit manually. +# If you would like to contribute new rules, please use +# cmd/generate/config/main.go and follow the contributing guidelines +# at https://github.com/gitleaks/gitleaks/blob/master/CONTRIBUTING.md +# +# How the hell does secret scanning work? Read this: +# https://lookingatcomputer.substack.com/p/regex-is-almost-all-you-need +# +# This is the default gitleaks configuration file. +# Rules and allowlists are defined within this file. +# Rules instruct gitleaks on what should be considered a secret. +# Allowlists instruct gitleaks on what is allowed, i.e. not a secret. + +title = "gitleaks config" + +[allowlist] +description = "global allow lists" +regexes = [ + '''(?i)^true|false|null$''', + '''^(?i:a+|b+|c+|d+|e+|f+|g+|h+|i+|j+|k+|l+|m+|n+|o+|p+|q+|r+|s+|t+|u+|v+|w+|x+|y+|z+|\*+|\.+)$''', + '''^\$(?:\d+|{\d+})$''', + '''^\$(?:[A-Z_]+|[a-z_]+)$''', + '''^\${(?:[A-Z_]+|[a-z_]+)}$''', + '''^\{\{[ \t]*[\w ().|]+[ \t]*}}$''', + '''^\$\{\{[ \t]*(?:(?:env|github|secrets|vars)(?:\.[A-Za-z]\w+)+[\w "'&./=|]*)[ \t]*}}$''', + '''^%(?:[A-Z_]+|[a-z_]+)%$''', + '''^%[+\-# 0]?[bcdeEfFgGoOpqstTUvxX]$''', + '''^\{\d{0,2}}$''', + '''^@(?:[A-Z_]+|[a-z_]+)@$''', + '''^/Users/(?i)[a-z0-9]+/[\w .-/]+$''', + '''^/(?:bin|etc|home|opt|tmp|usr|var)/[\w ./-]+$''', +] +paths = [ + '''gitleaks\.toml''', + '''(?i)\.(?:bmp|gif|jpe?g|png|svg|tiff?)$''', + '''(?i)\.(?:eot|[ot]tf|woff2?)$''', + '''(?i)\.(?:docx?|xlsx?|pdf|bin|socket|vsidx|v2|suo|wsuo|.dll|pdb|exe|gltf|zip)$''', + '''go\.(?:mod|sum|work(?:\.sum)?)$''', + '''(?:^|/)vendor/modules\.txt$''', + '''(?:^|/)vendor/(?:github\.com|golang\.org/x|google\.golang\.org|gopkg\.in|istio\.io|k8s\.io|sigs\.k8s\.io)(?:/.*)?$''', + '''(?:^|/)gradlew(?:\.bat)?$''', + '''(?:^|/)gradle\.lockfile$''', + '''(?:^|/)mvnw(?:\.cmd)?$''', + '''(?:^|/)\.mvn/wrapper/MavenWrapperDownloader\.java$''', + '''(?:^|/)node_modules(?:/.*)?$''', + 
'''(?:^|/)(?:deno\.lock|npm-shrinkwrap\.json|package-lock\.json|pnpm-lock\.yaml|yarn\.lock)$''', + '''(?:^|/)bower_components(?:/.*)?$''', + '''(?:^|/)(?:angular|bootstrap|jquery(?:-?ui)?|plotly|swagger-?ui)[a-zA-Z0-9.-]*(?:\.min)?\.js(?:\.map)?$''', + '''(?:^|/)javascript\.json$''', + '''(?:^|/)(?:Pipfile|poetry)\.lock$''', + '''(?i)(?:^|/)(?:v?env|virtualenv)/lib(?:64)?(?:/.*)?$''', + '''(?i)(?:^|/)(?:lib(?:64)?/python[23](?:\.\d{1,2})+|python/[23](?:\.\d{1,2})+/lib(?:64)?)(?:/.*)?$''', + '''(?i)(?:^|/)[a-z0-9_.]+-[0-9.]+\.dist-info(?:/.+)?$''', + '''(?:^|/)vendor/(?:bundle|ruby)(?:/.*?)?$''', + '''\.gem$''', + '''verification-metadata\.xml''', + '''Database.refactorlog''', +] +stopwords = [ + "abcdefghijklmnopqrstuvwxyz", + "014df517-39d1-4453-b7b3-9930c563627c", +] + +[[rules]] +id = "1password-service-account-token" +description = "Uncovered a possible 1Password service account token, potentially compromising access to secrets in vaults." +regex = '''ops_eyJ[a-zA-Z0-9+/]{250,}={0,3}''' +entropy = 4 +keywords = ["ops_"] + +[[rules]] +id = "adafruit-api-key" +description = "Identified a potential Adafruit API Key, which could lead to unauthorized access to Adafruit services and sensitive data exposure." +regex = '''(?i)[\w.-]{0,50}?(?:adafruit)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9_-]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["adafruit"] + +[[rules]] +id = "adobe-client-id" +description = "Detected a pattern that resembles an Adobe OAuth Web Client ID, posing a risk of compromised Adobe integrations and data breaches." +regex = '''(?i)[\w.-]{0,50}?(?:adobe)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["adobe"] + +[[rules]] +id = "adobe-client-secret" +description = "Discovered a potential Adobe Client Secret, which, if exposed, could allow unauthorized Adobe service access and data manipulation." 
+regex = '''\b(p8e-(?i)[a-z0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["p8e-"] + +[[rules]] +id = "age-secret-key" +description = "Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information." +regex = '''AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}''' +keywords = ["age-secret-key-1"] + +[[rules]] +id = "airtable-api-key" +description = "Uncovered a possible Airtable API Key, potentially compromising database access and leading to data leakage or alteration." +regex = '''(?i)[\w.-]{0,50}?(?:airtable)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{17})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["airtable"] + +[[rules]] +id = "algolia-api-key" +description = "Identified an Algolia API Key, which could result in unauthorized search operations and data exposure on Algolia-managed platforms." +regex = '''(?i)[\w.-]{0,50}?(?:algolia)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["algolia"] + +[[rules]] +id = "alibaba-access-key-id" +description = "Detected an Alibaba Cloud AccessKey ID, posing a risk of unauthorized cloud resource access and potential data compromise." +regex = '''\b(LTAI(?i)[a-z0-9]{20})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["ltai"] + +[[rules]] +id = "alibaba-secret-key" +description = "Discovered a potential Alibaba Cloud Secret Key, potentially allowing unauthorized operations and data access within Alibaba Cloud." +regex = '''(?i)[\w.-]{0,50}?(?:alibaba)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{30})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["alibaba"] + +[[rules]] +id = "asana-client-id" +description = "Discovered a potential Asana Client ID, risking unauthorized access to Asana projects and sensitive task information." 
+regex = '''(?i)[\w.-]{0,50}?(?:asana)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9]{16})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["asana"] + +[[rules]] +id = "asana-client-secret" +description = "Identified an Asana Client Secret, which could lead to compromised project management integrity and unauthorized access." +regex = '''(?i)[\w.-]{0,50}?(?:asana)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["asana"] + +[[rules]] +id = "atlassian-api-token" +description = "Detected an Atlassian API token, posing a threat to project management and collaboration tool security and data confidentiality." +regex = '''[\w.-]{0,50}?(?i:[\w.-]{0,50}?(?:atlassian|confluence|jira)(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-zA-Z0-9]{24})(?:[\x60'"\s;]|\\[nr]|$)|\b(ATATT3[A-Za-z0-9_\-=]{186})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3.5 +keywords = [ + "atlassian", + "confluence", + "jira", + "atatt3", +] + +[[rules]] +id = "authress-service-client-access-key" +description = "Uncovered a possible Authress Service Client Access Key, which may compromise access control services and sensitive data." +regex = '''\b((?:sc|ext|scauth|authress)_(?i)[a-z0-9]{5,30}\.[a-z0-9]{4,6}\.(?-i:acc)[_-][a-z0-9-]{10,32}\.[a-z0-9+/_=-]{30,120})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = [ + "sc_", + "ext_", + "scauth_", + "authress_", +] + +[[rules]] +id = "aws-access-token" +description = "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms." 
+regex = '''\b((?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16})\b''' +entropy = 3 +keywords = [ + "a3t", + "akia", + "asia", + "abia", + "acca", +] +[[rules.allowlists]] +regexes = [ + '''.+EXAMPLE$''', +] + +[[rules]] +id = "azure-ad-client-secret" +description = "Azure AD Client Secret" +regex = '''(?:^|[\\'"\x60\s>=:(,)])([a-zA-Z0-9_~.]{3}\dQ~[a-zA-Z0-9_~.-]{31,34})(?:$|[\\'"\x60\s<),])''' +entropy = 3 +keywords = ["q~"] + +[[rules]] +id = "beamer-api-token" +description = "Detected a Beamer API token, potentially compromising content management and exposing sensitive notifications and updates." +regex = '''(?i)[\w.-]{0,50}?(?:beamer)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(b_[a-z0-9=_\-]{44})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["beamer"] + +[[rules]] +id = "bitbucket-client-id" +description = "Discovered a potential Bitbucket Client ID, risking unauthorized repository access and potential codebase exposure." +regex = '''(?i)[\w.-]{0,50}?(?:bitbucket)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["bitbucket"] + +[[rules]] +id = "bitbucket-client-secret" +description = "Discovered a potential Bitbucket Client Secret, posing a risk of compromised code repositories and unauthorized access." +regex = '''(?i)[\w.-]{0,50}?(?:bitbucket)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{64})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["bitbucket"] + +[[rules]] +id = "bittrex-access-key" +description = "Identified a Bittrex Access Key, which could lead to unauthorized access to cryptocurrency trading accounts and financial loss." 
+regex = '''(?i)[\w.-]{0,50}?(?:bittrex)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["bittrex"] + +[[rules]] +id = "bittrex-secret-key" +description = "Detected a Bittrex Secret Key, potentially compromising cryptocurrency transactions and financial security." +regex = '''(?i)[\w.-]{0,50}?(?:bittrex)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["bittrex"] + +[[rules]] +id = "cisco-meraki-api-key" +description = "Cisco Meraki is a cloud-managed IT solution that provides networking, security, and device management through an easy-to-use interface." +regex = '''[\w.-]{0,50}?(?i:[\w.-]{0,50}?(?:(?-i:[Mm]eraki|MERAKI))(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{40})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["meraki"] + +[[rules]] +id = "clickhouse-cloud-api-secret-key" +description = "Identified a pattern that may indicate clickhouse cloud API secret key, risking unauthorized clickhouse cloud api access and data breaches on ClickHouse Cloud platforms." +regex = '''\b(4b1d[A-Za-z0-9]{38})\b''' +entropy = 3 +keywords = ["4b1d"] + +[[rules]] +id = "clojars-api-token" +description = "Uncovered a possible Clojars API token, risking unauthorized access to Clojure libraries and potential code manipulation." +regex = '''(?i)CLOJARS_[a-z0-9]{60}''' +entropy = 2 +keywords = ["clojars_"] + +[[rules]] +id = "cloudflare-api-key" +description = "Detected a Cloudflare API Key, potentially compromising cloud application deployments and operational security." 
+regex = '''(?i)[\w.-]{0,50}?(?:cloudflare)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9_-]{40})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["cloudflare"] + +[[rules]] +id = "cloudflare-global-api-key" +description = "Detected a Cloudflare Global API Key, potentially compromising cloud application deployments and operational security." +regex = '''(?i)[\w.-]{0,50}?(?:cloudflare)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{37})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["cloudflare"] + +[[rules]] +id = "cloudflare-origin-ca-key" +description = "Detected a Cloudflare Origin CA Key, potentially compromising cloud application deployments and operational security." +regex = '''\b(v1\.0-[a-f0-9]{24}-[a-f0-9]{146})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = [ + "cloudflare", + "v1.0-", +] + +[[rules]] +id = "codecov-access-token" +description = "Found a pattern resembling a Codecov Access Token, posing a risk of unauthorized access to code coverage reports and sensitive data." +regex = '''(?i)[\w.-]{0,50}?(?:codecov)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["codecov"] + +[[rules]] +id = "cohere-api-token" +description = "Identified a Cohere Token, posing a risk of unauthorized access to AI services and data manipulation." +regex = '''[\w.-]{0,50}?(?i:[\w.-]{0,50}?(?:cohere|CO_API_KEY)(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-zA-Z0-9]{40})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 4 +keywords = [ + "cohere", + "co_api_key", +] + +[[rules]] +id = "coinbase-access-token" +description = "Detected a Coinbase Access Token, posing a risk of unauthorized access to cryptocurrency accounts and financial transactions." 
+regex = '''(?i)[\w.-]{0,50}?(?:coinbase)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9_-]{64})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["coinbase"] + +[[rules]] +id = "confluent-access-token" +description = "Identified a Confluent Access Token, which could compromise access to streaming data platforms and sensitive data flow." +regex = '''(?i)[\w.-]{0,50}?(?:confluent)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{16})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["confluent"] + +[[rules]] +id = "confluent-secret-key" +description = "Found a Confluent Secret Key, potentially risking unauthorized operations and data access within Confluent services." +regex = '''(?i)[\w.-]{0,50}?(?:confluent)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{64})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["confluent"] + +[[rules]] +id = "contentful-delivery-api-token" +description = "Discovered a Contentful delivery API token, posing a risk to content management systems and data integrity." +regex = '''(?i)[\w.-]{0,50}?(?:contentful)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{43})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["contentful"] + +[[rules]] +id = "curl-auth-header" +description = "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource." 
+regex = '''\bcurl\b(?:.*?|.*?(?:[\r\n]{1,2}.*?){1,5})[ \t\n\r](?:-H|--header)(?:=|[ \t]{0,5})(?:"(?i)(?:Authorization:[ \t]{0,5}(?:Basic[ \t]([a-z0-9+/]{8,}={0,3})|(?:Bearer|(?:Api-)?Token)[ \t]([\w=~@.+/-]{8,})|([\w=~@.+/-]{8,}))|(?:(?:X-(?:[a-z]+-)?)?(?:Api-?)?(?:Key|Token)):[ \t]{0,5}([\w=~@.+/-]{8,}))"|'(?i)(?:Authorization:[ \t]{0,5}(?:Basic[ \t]([a-z0-9+/]{8,}={0,3})|(?:Bearer|(?:Api-)?Token)[ \t]([\w=~@.+/-]{8,})|([\w=~@.+/-]{8,}))|(?:(?:X-(?:[a-z]+-)?)?(?:Api-?)?(?:Key|Token)):[ \t]{0,5}([\w=~@.+/-]{8,}))')(?:\B|\s|\z)''' +entropy = 2.75 +keywords = ["curl"] + +[[rules]] +id = "curl-auth-user" +description = "Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource." +regex = '''\bcurl\b(?:.*|.*(?:[\r\n]{1,2}.*){1,5})[ \t\n\r](?:-u|--user)(?:=|[ \t]{0,5})("(:[^"]{3,}|[^:"]{3,}:|[^:"]{3,}:[^"]{3,})"|'([^:']{3,}:[^']{3,})'|((?:"[^"]{3,}"|'[^']{3,}'|[\w$@.-]+):(?:"[^"]{3,}"|'[^']{3,}'|[\w${}@.-]+)))(?:\s|\z)''' +entropy = 2 +keywords = ["curl"] +[[rules.allowlists]] +regexes = [ + '''[^:]+:(?:change(?:it|me)|pass(?:word)?|pwd|test|token|\*+|x+)''', + '''['"]?<[^>]+>['"]?:['"]?<[^>]+>|<[^:]+:[^>]+>['"]?''', + '''[^:]+:\[[^]]+]''', + '''['"]?[^:]+['"]?:['"]?\$(?:\d|\w+|\{(?:\d|\w+)})['"]?''', + '''\$\([^)]+\):\$\([^)]+\)''', + '''['"]?\$?{{[^}]+}}['"]?:['"]?\$?{{[^}]+}}['"]?''', +] + +[[rules]] +id = "databricks-api-token" +description = "Uncovered a Databricks API token, which may compromise big data analytics platforms and sensitive data processing." +regex = '''\b(dapi[a-f0-9]{32}(?:-\d)?)(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["dapi"] + +[[rules]] +id = "datadog-access-token" +description = "Detected a Datadog Access Token, potentially risking monitoring and analytics data exposure and manipulation." 
+regex = '''(?i)[\w.-]{0,50}?(?:datadog)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{40})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["datadog"]
+
+[[rules]]
+id = "defined-networking-api-token"
+description = "Identified a Defined Networking API token, which could lead to unauthorized network operations and data breaches."
+regex = '''(?i)[\w.-]{0,50}?(?:dnkey)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["dnkey"]
+
+[[rules]]
+id = "digitalocean-access-token"
+description = "Found a DigitalOcean OAuth Access Token, risking unauthorized cloud resource access and data compromise."
+regex = '''\b(doo_v1_[a-f0-9]{64})(?:[\x60'"\s;]|\\[nr]|$)'''
+entropy = 3
+keywords = ["doo_v1_"]
+
+[[rules]]
+id = "digitalocean-pat"
+description = "Discovered a DigitalOcean Personal Access Token, posing a threat to cloud infrastructure security and data privacy."
+regex = '''\b(dop_v1_[a-f0-9]{64})(?:[\x60'"\s;]|\\[nr]|$)'''
+entropy = 3
+keywords = ["dop_v1_"]
+
+[[rules]]
+id = "digitalocean-refresh-token"
+description = "Uncovered a DigitalOcean OAuth Refresh Token, which could allow prolonged unauthorized access and resource manipulation."
+regex = '''(?i)\b(dor_v1_[a-f0-9]{64})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["dor_v1_"]
+
+[[rules]]
+id = "discord-api-token"
+description = "Detected a Discord API key, potentially compromising communication channels and user data privacy on Discord."
+regex = '''(?i)[\w.-]{0,50}?(?:discord)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{64})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["discord"]
+
+[[rules]]
+id = "discord-client-id"
+description = "Identified a Discord client ID, which may lead to unauthorized integrations and data exposure in Discord applications."
+regex = '''(?i)[\w.-]{0,50}?(?:discord)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9]{18})(?:[\x60'"\s;]|\\[nr]|$)'''
+entropy = 2
+keywords = ["discord"]
+
+[[rules]]
+id = "discord-client-secret"
+description = "Discovered a potential Discord client secret, risking compromised Discord bot integrations and data leaks."
+regex = '''(?i)[\w.-]{0,50}?(?:discord)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{32})(?:[\x60'"\s;]|\\[nr]|$)'''
+entropy = 2
+keywords = ["discord"]
+
+[[rules]]
+id = "doppler-api-token"
+description = "Discovered a Doppler API token, posing a risk to environment and secrets management security."
+regex = '''dp\.pt\.(?i)[a-z0-9]{43}'''
+entropy = 2
+keywords = ["dp.pt."]
+
+[[rules]]
+id = "droneci-access-token"
+description = "Detected a Droneci Access Token, potentially compromising continuous integration and deployment workflows."
+regex = '''(?i)[\w.-]{0,50}?(?:droneci)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["droneci"]
+
+[[rules]]
+id = "dropbox-api-token"
+description = "Identified a Dropbox API secret, which could lead to unauthorized file access and data breaches in Dropbox storage."
+regex = '''(?i)[\w.-]{0,50}?(?:dropbox)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{15})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["dropbox"]
+
+[[rules]]
+id = "dropbox-long-lived-api-token"
+description = "Found a Dropbox long-lived API token, risking prolonged unauthorized access to cloud storage and sensitive data."
+regex = '''(?i)[\w.-]{0,50}?(?:dropbox)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{11}(AAAAAAAAAA)[a-z0-9\-_=]{43})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["dropbox"]
+
+[[rules]]
+id = "dropbox-short-lived-api-token"
+description = "Discovered a Dropbox short-lived API token, posing a risk of temporary but potentially harmful data access and manipulation."
+regex = '''(?i)[\w.-]{0,50}?(?:dropbox)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(sl\.[a-z0-9\-=_]{135})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["dropbox"]
+
+[[rules]]
+id = "duffel-api-token"
+description = "Uncovered a Duffel API token, which may compromise travel platform integrations and sensitive customer data."
+regex = '''duffel_(?:test|live)_(?i)[a-z0-9_\-=]{43}'''
+entropy = 2
+keywords = ["duffel_"]
+
+[[rules]]
+id = "dynatrace-api-token"
+description = "Detected a Dynatrace API token, potentially risking application performance monitoring and data exposure."
+regex = '''dt0c01\.(?i)[a-z0-9]{24}\.[a-z0-9]{64}'''
+entropy = 4
+keywords = ["dt0c01."]
+
+[[rules]]
+id = "easypost-api-token"
+description = "Identified an EasyPost API token, which could lead to unauthorized postal and shipment service access and data exposure."
+regex = '''\bEZAK(?i)[a-z0-9]{54}\b'''
+entropy = 2
+keywords = ["ezak"]
+
+[[rules]]
+id = "easypost-test-api-token"
+description = "Detected an EasyPost test API token, risking exposure of test environments and potentially sensitive shipment data."
+regex = '''\bEZTK(?i)[a-z0-9]{54}\b'''
+entropy = 2
+keywords = ["eztk"]
+
+[[rules]]
+id = "etsy-access-token"
+description = "Found an Etsy Access Token, potentially compromising Etsy shop management and customer data."
+regex = '''(?i)[\w.-]{0,50}?(?:(?-i:ETSY|[Ee]tsy))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{24})(?:[\x60'"\s;]|\\[nr]|$)'''
+entropy = 3
+keywords = ["etsy"]
+
+[[rules]]
+id = "facebook-access-token"
+description = "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure."
+regex = '''(?i)\b(\d{15,16}(\||%)[0-9a-z\-_]{27,40})(?:[\x60'"\s;]|\\[nr]|$)'''
+entropy = 3
+keywords = ["facebook"]
+
+[[rules]]
+id = "facebook-page-access-token"
+description = "Discovered a Facebook Page Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure."
+regex = '''\b(EAA[MC](?i)[a-z0-9]{100,})(?:[\x60'"\s;]|\\[nr]|$)'''
+entropy = 4
+keywords = [
+ "eaam",
+ "eaac",
+]
+
+[[rules]]
+id = "facebook-secret"
+description = "Discovered a Facebook Application secret, posing a risk of unauthorized access to Facebook accounts and personal data exposure."
+regex = '''(?i)[\w.-]{0,50}?(?:facebook)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)'''
+entropy = 3
+keywords = ["facebook"]
+
+[[rules]]
+id = "fastly-api-token"
+description = "Uncovered a Fastly API key, which may compromise CDN and edge cloud services, leading to content delivery and security issues."
+regex = '''(?i)[\w.-]{0,50}?(?:fastly)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{32})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["fastly"]
+
+[[rules]]
+id = "finicity-api-token"
+description = "Detected a Finicity API token, potentially risking financial data access and unauthorized financial operations."
+regex = '''(?i)[\w.-]{0,50}?(?:finicity)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["finicity"]
+
+[[rules]]
+id = "finicity-client-secret"
+description = "Identified a Finicity Client Secret, which could lead to compromised financial service integrations and data breaches."
+regex = '''(?i)[\w.-]{0,50}?(?:finicity)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{20})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["finicity"]
+
+[[rules]]
+id = "finnhub-access-token"
+description = "Found a Finnhub Access Token, risking unauthorized access to financial market data and analytics."
+regex = '''(?i)[\w.-]{0,50}?(?:finnhub)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{20})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["finnhub"]
+
+[[rules]]
+id = "flickr-access-token"
+description = "Discovered a Flickr Access Token, posing a risk of unauthorized photo management and potential data leakage."
+regex = '''(?i)[\w.-]{0,50}?(?:flickr)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["flickr"]
+
+[[rules]]
+id = "flutterwave-encryption-key"
+description = "Uncovered a Flutterwave Encryption Key, which may compromise payment processing and sensitive financial information."
+regex = '''FLWSECK_TEST-(?i)[a-h0-9]{12}'''
+entropy = 2
+keywords = ["flwseck_test"]
+
+[[rules]]
+id = "flutterwave-public-key"
+description = "Detected a Finicity Public Key, potentially exposing public cryptographic operations and integrations."
+regex = '''FLWPUBK_TEST-(?i)[a-h0-9]{32}-X'''
+entropy = 2
+keywords = ["flwpubk_test"]
+
+[[rules]]
+id = "flutterwave-secret-key"
+description = "Identified a Flutterwave Secret Key, risking unauthorized financial transactions and data breaches."
+regex = '''FLWSECK_TEST-(?i)[a-h0-9]{32}-X'''
+entropy = 2
+keywords = ["flwseck_test"]
+
+[[rules]]
+id = "flyio-access-token"
+description = "Uncovered a Fly.io API key"
+regex = '''\b((?:fo1_[\w-]{43}|fm1[ar]_[a-zA-Z0-9+\/]{100,}={0,3}|fm2_[a-zA-Z0-9+\/]{100,}={0,3}))(?:[\x60'"\s;]|\\[nr]|$)'''
+entropy = 4
+keywords = [
+ "fo1_",
+ "fm1",
+ "fm2_",
+]
+
+[[rules]]
+id = "frameio-api-token"
+description = "Found a Frame.io API token, potentially compromising video collaboration and project management."
+regex = '''fio-u-(?i)[a-z0-9\-_=]{64}'''
+keywords = ["fio-u-"]
+
+[[rules]]
+id = "freemius-secret-key"
+description = "Detected a Freemius secret key, potentially exposing sensitive information."
+regex = '''(?i)["']secret_key["']\s*=>\s*["'](sk_[\S]{29})["']'''
+path = '''(?i)\.php$'''
+keywords = ["secret_key"]
+
+[[rules]]
+id = "freshbooks-access-token"
+description = "Discovered a Freshbooks Access Token, posing a risk to accounting software access and sensitive financial data exposure."
+regex = '''(?i)[\w.-]{0,50}?(?:freshbooks)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{64})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["freshbooks"]
+
+[[rules]]
+id = "gcp-api-key"
+description = "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."
+regex = '''\b(AIza[\w-]{35})(?:[\x60'"\s;]|\\[nr]|$)'''
+entropy = 3
+keywords = ["aiza"]
+[[rules.allowlists]]
+regexes = [
+ '''AIzaSyabcdefghijklmnopqrstuvwxyz1234567''',
+ '''AIzaSyAnLA7NfeLquW1tJFpx_eQCxoX-oo6YyIs''',
+ '''AIzaSyCkEhVjf3pduRDt6d1yKOMitrUEke8agEM''',
+ '''AIzaSyDMAScliyLx7F0NPDEJi1QmyCgHIAODrlU''',
+ '''AIzaSyD3asb-2pEZVqMkmL6M9N6nHZRR_znhrh0''',
+ '''AIzayDNSXIbFmlXbIE6mCzDLQAqITYefhixbX4A''',
+ '''AIzaSyAdOS2zB6NCsk1pCdZ4-P6GBdi_UUPwX7c''',
+ '''AIzaSyASWm6HmTMdYWpgMnjRBjxcQ9CKctWmLd4''',
+ '''AIzaSyANUvH9H9BsUccjsu2pCmEkOPjjaXeDQgY''',
+ '''AIzaSyA5_iVawFQ8ABuTZNUdcwERLJv_a_p4wtM''',
+ '''AIzaSyA4UrcGxgwQFTfaI3no3t7Lt1sjmdnP5sQ''',
+ '''AIzaSyDSb51JiIcB6OJpwwMicseKRhhrOq1cS7g''',
+ '''AIzaSyBF2RrAIm4a0mO64EShQfqfd2AFnzAvvuU''',
+ '''AIzaSyBcE-OOIbhjyR83gm4r2MFCu4MJmprNXsw''',
+ '''AIzaSyB8qGxt4ec15vitgn44duC5ucxaOi4FmqE''',
+ '''AIzaSyA8vmApnrHNFE0bApF4hoZ11srVL_n0nvY''',
+]
+
+[[rules]]
+id = "generic-api-key"
+description = "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."
+regex = '''(?i)[\w.-]{0,50}?(?:access|auth|(?-i:[Aa]pi|API)|credential|creds|key|passw(?:or)?d|secret|token)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([\w.=-]{10,150}|[a-z0-9][a-z0-9+/]{11,}={0,3})(?:[\x60'"\s;]|\\[nr]|$)'''
+entropy = 3.5
+keywords = [
+ "access",
+ "api",
+ "auth",
+ "key",
+ "credential",
+ "creds",
+ "passwd",
+ "password",
+ "secret",
+ "token",
+]
+[[rules.allowlists]]
+regexes = [
+ '''^[a-zA-Z_.-]+$''',
+]
+[[rules.allowlists]]
+regexTarget = "match"
+regexes = [
+ '''(?i)(?:access(?:ibility|or)|access[_.-]?id|random[_.-]?access|api[_.-]?(?:id|name|version)|rapid|capital|[a-z0-9-]*?api[a-z0-9-]*?:jar:|author|X-MS-Exchange-Organization-Auth|Authentication-Results|(?:credentials?[_.-]?id|withCredentials)|(?:bucket|foreign|hot|idx|natural|primary|pub(?:lic)?|schema|sequence)[_.-]?key|(?:turkey)|key[_.-]?(?:alias|board|code|frame|id|length|mesh|name|pair|press(?:ed)?|ring|selector|signature|size|stone|storetype|word|up|down|left|right)|key[_.-]?vault[_.-]?(?:id|name)|keyVaultToStoreSecrets|key(?:store|tab)[_.-]?(?:file|path)|issuerkeyhash|(?-i:[DdMm]onkey|[DM]ONKEY)|keying|(?:secret)[_.-]?(?:length|name|size)|UserSecretsId|(?:csrf)[_.-]?token|(?:io\.jsonwebtoken[ \t]?:[ \t]?[\w-]+)|(?:api|credentials|token)[_.-]?(?:endpoint|ur[il])|public[_.-]?token|(?:key|token)[_.-]?file|(?-i:(?:[A-Z_]+=\n[A-Z_]+=|[a-z_]+=\n[a-z_]+=)(?:\n|\z))|(?-i:(?:[A-Z.]+=\n[A-Z.]+=|[a-z.]+=\n[a-z.]+=)(?:\n|\z)))''',
+]
+stopwords = [
+ "000000",
+ "6fe4476ee5a1832882e326b506d14126",
+ "_ec2_",
+ "aaaaaa",
+ "about",
+ "abstract",
+ "academy",
+ "acces",
+ "account",
+ "act-",
+ "act.",
+ "act_",
+ "action",
+ "active",
+ "actively",
+ "activity",
+ "adapter",
+ "add-",
+ "add-on",
+ "add.",
+ "add_",
+ "addon",
+ "addres",
+ "admin",
+ "adobe",
+ "advanced",
+ "adventure",
+ "agent",
+ "agile",
+ "air-",
+ "air.",
+ "air_",
+ "ajax",
+ "akka",
+ "alert",
+ "alfred",
+ "algorithm",
+ "all-",
+ "all.",
+ "all_",
+ "alloy",
+ "alpha",
+
"amazon", + "amqp", + "analysi", + "analytic", + "analyzer", + "android", + "angular", + "angularj", + "animate", + "animation", + "another", + "ansible", + "answer", + "ant-", + "ant.", + "ant_", + "any-", + "any.", + "any_", + "apache", + "app-", + "app.", + "app_", + "apple", + "arch", + "archive", + "archived", + "arduino", + "array", + "art-", + "art.", + "art_", + "article", + "asp-", + "asp.", + "asp_", + "asset", + "async", + "atom", + "attention", + "audio", + "audit", + "aura", + "auth", + "author", + "authorize", + "auto", + "automated", + "automatic", + "awesome", + "aws_", + "azure", + "back", + "backbone", + "backend", + "backup", + "bar-", + "bar.", + "bar_", + "base", + "based", + "bash", + "basic", + "batch", + "been", + "beer", + "behavior", + "being", + "benchmark", + "best", + "beta", + "better", + "big-", + "big.", + "big_", + "binary", + "binding", + "bit-", + "bit.", + "bit_", + "bitcoin", + "block", + "blog", + "board", + "book", + "bookmark", + "boost", + "boot", + "bootstrap", + "bosh", + "bot-", + "bot.", + "bot_", + "bower", + "box-", + "box.", + "box_", + "boxen", + "bracket", + "branch", + "bridge", + "browser", + "brunch", + "buffer", + "bug-", + "bug.", + "bug_", + "build", + "builder", + "building", + "buildout", + "buildpack", + "built", + "bundle", + "busines", + "but-", + "but.", + "but_", + "button", + "cache", + "caching", + "cakephp", + "calendar", + "call", + "camera", + "campfire", + "can-", + "can.", + "can_", + "canva", + "captcha", + "capture", + "card", + "carousel", + "case", + "cassandra", + "cat-", + "cat.", + "cat_", + "category", + "center", + "cento", + "challenge", + "change", + "changelog", + "channel", + "chart", + "chat", + "cheat", + "check", + "checker", + "chef", + "ches", + "chinese", + "chosen", + "chrome", + "ckeditor", + "clas", + "classe", + "classic", + "clean", + "cli-", + "cli.", + "cli_", + "client", + "clojure", + "clone", + "closure", + "cloud", + "club", + "cluster", + "cms-", + "cms_", + "coco", 
+ "code", + "coding", + "coffee", + "color", + "combination", + "combo", + "command", + "commander", + "comment", + "commit", + "common", + "community", + "compas", + "compiler", + "complete", + "component", + "composer", + "computer", + "computing", + "con-", + "con.", + "con_", + "concept", + "conf", + "config", + "connect", + "connector", + "console", + "contact", + "container", + "contao", + "content", + "contest", + "context", + "control", + "convert", + "converter", + "conway'", + "cookbook", + "cookie", + "cool", + "copy", + "cordova", + "core", + "couchbase", + "couchdb", + "countdown", + "counter", + "course", + "craft", + "crawler", + "create", + "creating", + "creator", + "credential", + "crm-", + "crm.", + "crm_", + "cros", + "crud", + "csv-", + "csv.", + "csv_", + "cube", + "cucumber", + "cuda", + "current", + "currently", + "custom", + "daemon", + "dark", + "dart", + "dash", + "dashboard", + "data", + "database", + "date", + "day-", + "day.", + "day_", + "dead", + "debian", + "debug", + "debugger", + "deck", + "define", + "del-", + "del.", + "del_", + "delete", + "demo", + "deploy", + "design", + "designer", + "desktop", + "detection", + "detector", + "dev-", + "dev.", + "dev_", + "develop", + "developer", + "device", + "devise", + "diff", + "digital", + "directive", + "directory", + "discovery", + "display", + "django", + "dns-", + "dns_", + "doc-", + "doc.", + "doc_", + "docker", + "docpad", + "doctrine", + "document", + "doe-", + "doe.", + "doe_", + "dojo", + "dom-", + "dom.", + "dom_", + "domain", + "don't", + "done", + "dot-", + "dot.", + "dot_", + "dotfile", + "download", + "draft", + "drag", + "drill", + "drive", + "driven", + "driver", + "drop", + "dropbox", + "drupal", + "dsl-", + "dsl.", + "dsl_", + "dynamic", + "easy", + "ecdsa", + "eclipse", + "edit", + "editing", + "edition", + "editor", + "element", + "emac", + "email", + "embed", + "embedded", + "ember", + "emitter", + "emulator", + "encoding", + "endpoint", + "engine", + "english", + 
"enhanced", + "entity", + "entry", + "env_", + "episode", + "erlang", + "error", + "espresso", + "event", + "evented", + "example", + "exchange", + "exercise", + "experiment", + "expire", + "exploit", + "explorer", + "export", + "exporter", + "expres", + "ext-", + "ext.", + "ext_", + "extended", + "extension", + "external", + "extra", + "extractor", + "fabric", + "facebook", + "factory", + "fake", + "fast", + "feature", + "feed", + "fewfwef", + "ffmpeg", + "field", + "file", + "filter", + "find", + "finder", + "firefox", + "firmware", + "first", + "fish", + "fix-", + "fix_", + "flash", + "flask", + "flat", + "flex", + "flexible", + "flickr", + "flow", + "fluent", + "fluentd", + "fluid", + "folder", + "font", + "force", + "foreman", + "fork", + "form", + "format", + "formatter", + "forum", + "foundry", + "framework", + "free", + "friend", + "friendly", + "front-end", + "frontend", + "ftp-", + "ftp.", + "ftp_", + "fuel", + "full", + "fun-", + "fun.", + "fun_", + "func", + "future", + "gaia", + "gallery", + "game", + "gateway", + "gem-", + "gem.", + "gem_", + "gen-", + "gen.", + "gen_", + "general", + "generator", + "generic", + "genetic", + "get-", + "get.", + "get_", + "getenv", + "getting", + "ghost", + "gist", + "git-", + "git.", + "git_", + "github", + "gitignore", + "gitlab", + "glas", + "gmail", + "gnome", + "gnu-", + "gnu.", + "gnu_", + "goal", + "golang", + "gollum", + "good", + "google", + "gpu-", + "gpu.", + "gpu_", + "gradle", + "grail", + "graph", + "graphic", + "great", + "grid", + "groovy", + "group", + "grunt", + "guard", + "gui-", + "gui.", + "gui_", + "guide", + "guideline", + "gulp", + "gwt-", + "gwt.", + "gwt_", + "hack", + "hackathon", + "hacker", + "hacking", + "hadoop", + "haml", + "handler", + "hardware", + "has-", + "has_", + "hash", + "haskell", + "have", + "haxe", + "hello", + "help", + "helper", + "here", + "hero", + "heroku", + "high", + "hipchat", + "history", + "home", + "homebrew", + "homepage", + "hook", + "host", + "hosting", + 
"hot-", + "hot.", + "hot_", + "house", + "how-", + "how.", + "how_", + "html", + "http", + "hub-", + "hub.", + "hub_", + "hubot", + "human", + "icon", + "ide-", + "ide.", + "ide_", + "idea", + "identity", + "idiomatic", + "image", + "impact", + "import", + "important", + "importer", + "impres", + "index", + "infinite", + "info", + "injection", + "inline", + "input", + "inside", + "inspector", + "instagram", + "install", + "installer", + "instant", + "intellij", + "interface", + "internet", + "interview", + "into", + "intro", + "ionic", + "iphone", + "ipython", + "irc-", + "irc_", + "iso-", + "iso.", + "iso_", + "issue", + "jade", + "jasmine", + "java", + "jbos", + "jekyll", + "jenkin", + "jetbrains", + "job-", + "job.", + "job_", + "joomla", + "jpa-", + "jpa.", + "jpa_", + "jquery", + "json", + "just", + "kafka", + "karma", + "kata", + "kernel", + "keyboard", + "kindle", + "kit-", + "kit.", + "kit_", + "kitchen", + "knife", + "koan", + "kohana", + "lab-", + "lab.", + "lab_", + "lambda", + "lamp", + "language", + "laravel", + "last", + "latest", + "latex", + "launcher", + "layer", + "layout", + "lazy", + "ldap", + "leaflet", + "league", + "learn", + "learning", + "led-", + "led.", + "led_", + "leetcode", + "les-", + "les.", + "les_", + "level", + "leveldb", + "lib-", + "lib.", + "lib_", + "librarie", + "library", + "license", + "life", + "liferay", + "light", + "lightbox", + "like", + "line", + "link", + "linked", + "linkedin", + "linux", + "lisp", + "list", + "lite", + "little", + "load", + "loader", + "local", + "location", + "lock", + "log-", + "log.", + "log_", + "logger", + "logging", + "logic", + "login", + "logstash", + "longer", + "look", + "love", + "lua-", + "lua.", + "lua_", + "mac-", + "mac.", + "mac_", + "machine", + "made", + "magento", + "magic", + "mail", + "make", + "maker", + "making", + "man-", + "man.", + "man_", + "manage", + "manager", + "manifest", + "manual", + "map-", + "map.", + "map_", + "mapper", + "mapping", + "markdown", + "markup", + 
"master", + "math", + "matrix", + "maven", + "md5", + "mean", + "media", + "mediawiki", + "meetup", + "memcached", + "memory", + "menu", + "merchant", + "message", + "messaging", + "meta", + "metadata", + "meteor", + "method", + "metric", + "micro", + "middleman", + "migration", + "minecraft", + "miner", + "mini", + "minimal", + "mirror", + "mit-", + "mit.", + "mit_", + "mobile", + "mocha", + "mock", + "mod-", + "mod.", + "mod_", + "mode", + "model", + "modern", + "modular", + "module", + "modx", + "money", + "mongo", + "mongodb", + "mongoid", + "mongoose", + "monitor", + "monkey", + "more", + "motion", + "moved", + "movie", + "mozilla", + "mqtt", + "mule", + "multi", + "multiple", + "music", + "mustache", + "mvc-", + "mvc.", + "mvc_", + "mysql", + "nagio", + "name", + "native", + "need", + "neo-", + "neo.", + "neo_", + "nest", + "nested", + "net-", + "net.", + "net_", + "nette", + "network", + "new-", + "new.", + "new_", + "next", + "nginx", + "ninja", + "nlp-", + "nlp.", + "nlp_", + "node", + "nodej", + "nosql", + "not-", + "not.", + "not_", + "note", + "notebook", + "notepad", + "notice", + "notifier", + "now-", + "now.", + "now_", + "number", + "oauth", + "object", + "objective", + "obsolete", + "ocaml", + "octopres", + "official", + "old-", + "old.", + "old_", + "onboard", + "online", + "only", + "open", + "opencv", + "opengl", + "openshift", + "openwrt", + "option", + "oracle", + "org-", + "org.", + "org_", + "origin", + "original", + "orm-", + "orm.", + "orm_", + "osx-", + "osx_", + "our-", + "our.", + "our_", + "out-", + "out.", + "out_", + "output", + "over", + "overview", + "own-", + "own.", + "own_", + "pack", + "package", + "packet", + "page", + "panel", + "paper", + "paperclip", + "para", + "parallax", + "parallel", + "parse", + "parser", + "parsing", + "particle", + "party", + "password", + "patch", + "path", + "pattern", + "payment", + "paypal", + "pdf-", + "pdf.", + "pdf_", + "pebble", + "people", + "perl", + "personal", + "phalcon", + "phoenix", + 
"phone", + "phonegap", + "photo", + "php-", + "php.", + "php_", + "physic", + "picker", + "pipeline", + "platform", + "play", + "player", + "please", + "plu-", + "plu.", + "plu_", + "plug-in", + "plugin", + "plupload", + "png-", + "png.", + "png_", + "poker", + "polyfill", + "polymer", + "pool", + "pop-", + "pop.", + "pop_", + "popcorn", + "popup", + "port", + "portable", + "portal", + "portfolio", + "post", + "power", + "powered", + "powerful", + "prelude", + "pretty", + "preview", + "principle", + "print", + "pro-", + "pro.", + "pro_", + "problem", + "proc", + "product", + "profile", + "profiler", + "program", + "progres", + "project", + "protocol", + "prototype", + "provider", + "proxy", + "public", + "pull", + "puppet", + "pure", + "purpose", + "push", + "pusher", + "pyramid", + "python", + "quality", + "query", + "queue", + "quick", + "rabbitmq", + "rack", + "radio", + "rail", + "railscast", + "random", + "range", + "raspberry", + "rdf-", + "rdf.", + "rdf_", + "react", + "reactive", + "read", + "reader", + "readme", + "ready", + "real", + "real-time", + "reality", + "realtime", + "recipe", + "recorder", + "red-", + "red.", + "red_", + "reddit", + "redi", + "redmine", + "reference", + "refinery", + "refresh", + "registry", + "related", + "release", + "remote", + "rendering", + "repo", + "report", + "request", + "require", + "required", + "requirej", + "research", + "resource", + "response", + "resque", + "rest", + "restful", + "resume", + "reveal", + "reverse", + "review", + "riak", + "rich", + "right", + "ring", + "robot", + "role", + "room", + "router", + "routing", + "rpc-", + "rpc.", + "rpc_", + "rpg-", + "rpg.", + "rpg_", + "rspec", + "ruby-", + "ruby.", + "ruby_", + "rule", + "run-", + "run.", + "run_", + "runner", + "running", + "runtime", + "rust", + "rvm-", + "rvm.", + "rvm_", + "salt", + "sample", + "sandbox", + "sas-", + "sas.", + "sas_", + "sbt-", + "sbt.", + "sbt_", + "scala", + "scalable", + "scanner", + "schema", + "scheme", + "school", + 
"science", + "scraper", + "scratch", + "screen", + "script", + "scroll", + "scs-", + "scs.", + "scs_", + "sdk-", + "sdk.", + "sdk_", + "sdl-", + "sdl.", + "sdl_", + "search", + "secure", + "security", + "see-", + "see.", + "see_", + "seed", + "select", + "selector", + "selenium", + "semantic", + "sencha", + "send", + "sentiment", + "serie", + "server", + "service", + "session", + "set-", + "set.", + "set_", + "setting", + "setup", + "sha1", + "sha2", + "sha256", + "share", + "shared", + "sharing", + "sheet", + "shell", + "shield", + "shipping", + "shop", + "shopify", + "shortener", + "should", + "show", + "showcase", + "side", + "silex", + "simple", + "simulator", + "single", + "site", + "skeleton", + "sketch", + "skin", + "slack", + "slide", + "slider", + "slim", + "small", + "smart", + "smtp", + "snake", + "snapshot", + "snippet", + "soap", + "social", + "socket", + "software", + "solarized", + "solr", + "solution", + "solver", + "some", + "soon", + "source", + "space", + "spark", + "spatial", + "spec", + "sphinx", + "spine", + "spotify", + "spree", + "spring", + "sprite", + "sql-", + "sql.", + "sql_", + "sqlite", + "ssh-", + "ssh.", + "ssh_", + "stack", + "staging", + "standard", + "stanford", + "start", + "started", + "starter", + "startup", + "stat", + "statamic", + "state", + "static", + "statistic", + "statsd", + "statu", + "steam", + "step", + "still", + "stm-", + "stm.", + "stm_", + "storage", + "store", + "storm", + "story", + "strategy", + "stream", + "streaming", + "string", + "stripe", + "structure", + "studio", + "study", + "stuff", + "style", + "sublime", + "sugar", + "suite", + "summary", + "super", + "support", + "supported", + "svg-", + "svg.", + "svg_", + "svn-", + "svn.", + "svn_", + "swagger", + "swift", + "switch", + "switcher", + "symfony", + "symphony", + "sync", + "synopsi", + "syntax", + "system", + "tab-", + "tab.", + "tab_", + "table", + "tag-", + "tag.", + "tag_", + "talk", + "target", + "task", + "tcp-", + "tcp.", + "tcp_", + "tdd-", + 
"tdd.", + "tdd_", + "team", + "tech", + "template", + "term", + "terminal", + "testing", + "tetri", + "text", + "textmate", + "theme", + "theory", + "three", + "thrift", + "time", + "timeline", + "timer", + "tiny", + "tinymce", + "tip-", + "tip.", + "tip_", + "title", + "todo", + "todomvc", + "token", + "tool", + "toolbox", + "toolkit", + "top-", + "top.", + "top_", + "tornado", + "touch", + "tower", + "tracker", + "tracking", + "traffic", + "training", + "transfer", + "translate", + "transport", + "tree", + "trello", + "try-", + "try.", + "try_", + "tumblr", + "tut-", + "tut.", + "tut_", + "tutorial", + "tweet", + "twig", + "twitter", + "type", + "typo", + "ubuntu", + "uiview", + "ultimate", + "under", + "unit", + "unity", + "universal", + "unix", + "update", + "updated", + "upgrade", + "upload", + "uploader", + "uri-", + "uri.", + "uri_", + "url-", + "url.", + "url_", + "usage", + "usb-", + "usb.", + "usb_", + "use-", + "use.", + "use_", + "used", + "useful", + "user", + "using", + "util", + "utilitie", + "utility", + "vagrant", + "validator", + "value", + "variou", + "varnish", + "version", + "via-", + "via.", + "via_", + "video", + "view", + "viewer", + "vim-", + "vim.", + "vim_", + "vimrc", + "virtual", + "vision", + "visual", + "vpn", + "want", + "warning", + "watch", + "watcher", + "wave", + "way-", + "way.", + "way_", + "weather", + "web-", + "web_", + "webapp", + "webgl", + "webhook", + "webkit", + "webrtc", + "website", + "websocket", + "welcome", + "what", + "what'", + "when", + "where", + "which", + "why-", + "why.", + "why_", + "widget", + "wifi", + "wiki", + "win-", + "win.", + "win_", + "window", + "wip-", + "wip.", + "wip_", + "within", + "without", + "wizard", + "word", + "wordpres", + "work", + "worker", + "workflow", + "working", + "workshop", + "world", + "wrapper", + "write", + "writer", + "writing", + "written", + "www-", + "www.", + "www_", + "xamarin", + "xcode", + "xml-", + "xml.", + "xml_", + "xmpp", + "xxxxxx", + "yahoo", + "yaml", + 
"yandex", + "yeoman", + "yet-", + "yet.", + "yet_", + "yii-", + "yii.", + "yii_", + "youtube", + "yui-", + "yui.", + "yui_", + "zend", + "zero", + "zip-", + "zip.", + "zip_", + "zsh-", + "zsh.", + "zsh_", +] +[[rules.allowlists]] +regexTarget = "line" +regexes = [ + '''--mount=type=secret,''', + '''import[ \t]+{[ \t\w,]+}[ \t]+from[ \t]+['"][^'"]+['"]''', +] +[[rules.allowlists]] +condition = "AND" +paths = [ + '''\.bb$''','''\.bbappend$''','''\.bbclass$''','''\.inc$''', +] +regexTarget = "line" +regexes = [ + '''LICENSE[^=]*=\s*"[^"]+''', + '''LIC_FILES_CHKSUM[^=]*=\s*"[^"]+''', + '''SRC[^=]*=\s*"[a-zA-Z0-9]+''', +] + +[[rules]] +id = "github-app-token" +description = "Identified a GitHub App Token, which may compromise GitHub application integrations and source code security." +regex = '''(?:ghu|ghs)_[0-9a-zA-Z]{36}''' +entropy = 3 +keywords = [ + "ghu_", + "ghs_", +] +[[rules.allowlists]] +paths = [ + '''(?:^|/)@octokit/auth-token/README\.md$''', +] + +[[rules]] +id = "github-fine-grained-pat" +description = "Found a GitHub Fine-Grained Personal Access Token, risking unauthorized repository access and code manipulation." +regex = '''github_pat_\w{82}''' +entropy = 3 +keywords = ["github_pat_"] + +[[rules]] +id = "github-oauth" +description = "Discovered a GitHub OAuth Access Token, posing a risk of compromised GitHub account integrations and data leaks." +regex = '''gho_[0-9a-zA-Z]{36}''' +entropy = 3 +keywords = ["gho_"] + +[[rules]] +id = "github-pat" +description = "Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure." +regex = '''ghp_[0-9a-zA-Z]{36}''' +entropy = 3 +keywords = ["ghp_"] +[[rules.allowlists]] +paths = [ + '''(?:^|/)@octokit/auth-token/README\.md$''', +] + +[[rules]] +id = "github-refresh-token" +description = "Detected a GitHub Refresh Token, which could allow prolonged unauthorized access to GitHub services." 
+regex = '''ghr_[0-9a-zA-Z]{36}'''
+entropy = 3
+keywords = ["ghr_"]
+
+[[rules]]
+id = "gitlab-cicd-job-token"
+description = "Identified a GitLab CI/CD Job Token, potential access to projects and some APIs on behalf of a user while the CI job is running."
+regex = '''glcbt-[0-9a-zA-Z]{1,5}_[0-9a-zA-Z_-]{20}'''
+entropy = 3
+keywords = ["glcbt-"]
+
+[[rules]]
+id = "gitlab-deploy-token"
+description = "Identified a GitLab Deploy Token, risking access to repositories, packages and containers with write access."
+regex = '''gldt-[0-9a-zA-Z_\-]{20}'''
+entropy = 3
+keywords = ["gldt-"]
+
+[[rules]]
+id = "gitlab-feature-flag-client-token"
+description = "Identified a GitLab feature flag client token, risks exposing user lists and features flags used by an application."
+regex = '''glffct-[0-9a-zA-Z_\-]{20}'''
+entropy = 3
+keywords = ["glffct-"]
+
+[[rules]]
+id = "gitlab-feed-token"
+description = "Identified a GitLab feed token, risking exposure of user data."
+regex = '''glft-[0-9a-zA-Z_\-]{20}'''
+entropy = 3
+keywords = ["glft-"]
+
+[[rules]]
+id = "gitlab-incoming-mail-token"
+description = "Identified a GitLab incoming mail token, risking manipulation of data sent by mail."
+regex = '''glimt-[0-9a-zA-Z_\-]{25}'''
+entropy = 3
+keywords = ["glimt-"]
+
+[[rules]]
+id = "gitlab-kubernetes-agent-token"
+description = "Identified a GitLab Kubernetes Agent token, risking access to repos and registry of projects connected via agent."
+regex = '''glagent-[0-9a-zA-Z_\-]{50}'''
+entropy = 3
+keywords = ["glagent-"]
+
+[[rules]]
+id = "gitlab-oauth-app-secret"
+description = "Identified a GitLab OIDC Application Secret, risking access to apps using GitLab as authentication provider."
+regex = '''gloas-[0-9a-zA-Z_\-]{64}'''
+entropy = 3
+keywords = ["gloas-"]
+
+[[rules]]
+id = "gitlab-pat"
+description = "Identified a GitLab Personal Access Token, risking unauthorized access to GitLab repositories and codebase exposure."
+regex = '''glpat-[\w-]{20}''' +entropy = 3 +keywords = ["glpat-"] + +[[rules]] +id = "gitlab-pat-routable" +description = "Identified a GitLab Personal Access Token (routable), risking unauthorized access to GitLab repositories and codebase exposure." +regex = '''\bglpat-[0-9a-zA-Z_-]{27,300}\.[0-9a-z]{2}[0-9a-z]{7}\b''' +entropy = 4 +keywords = ["glpat-"] + +[[rules]] +id = "gitlab-ptt" +description = "Found a GitLab Pipeline Trigger Token, potentially compromising continuous integration workflows and project security." +regex = '''glptt-[0-9a-f]{40}''' +entropy = 3 +keywords = ["glptt-"] + +[[rules]] +id = "gitlab-rrt" +description = "Discovered a GitLab Runner Registration Token, posing a risk to CI/CD pipeline integrity and unauthorized access." +regex = '''GR1348941[\w-]{20}''' +entropy = 3 +keywords = ["gr1348941"] + +[[rules]] +id = "gitlab-runner-authentication-token" +description = "Discovered a GitLab Runner Authentication Token, posing a risk to CI/CD pipeline integrity and unauthorized access." +regex = '''glrt-[0-9a-zA-Z_\-]{20}''' +entropy = 3 +keywords = ["glrt-"] + +[[rules]] +id = "gitlab-runner-authentication-token-routable" +description = "Discovered a GitLab Runner Authentication Token (Routable), posing a risk to CI/CD pipeline integrity and unauthorized access." +regex = '''\bglrt-t\d_[0-9a-zA-Z_\-]{27,300}\.[0-9a-z]{2}[0-9a-z]{7}\b''' +entropy = 4 +keywords = ["glrt-"] + +[[rules]] +id = "gitlab-scim-token" +description = "Discovered a GitLab SCIM Token, posing a risk to unauthorized access for a organization or instance." +regex = '''glsoat-[0-9a-zA-Z_\-]{20}''' +entropy = 3 +keywords = ["glsoat-"] + +[[rules]] +id = "gitlab-session-cookie" +description = "Discovered a GitLab Session Cookie, posing a risk to unauthorized access to a user account." 
+regex = '''_gitlab_session=[0-9a-z]{32}''' +entropy = 3 +keywords = ["_gitlab_session="] + +[[rules]] +id = "gitter-access-token" +description = "Uncovered a Gitter Access Token, which may lead to unauthorized access to chat and communication services." +regex = '''(?i)[\w.-]{0,50}?(?:gitter)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9_-]{40})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["gitter"] + +[[rules]] +id = "gocardless-api-token" +description = "Detected a GoCardless API token, potentially risking unauthorized direct debit payment operations and financial data exposure." +regex = '''(?i)[\w.-]{0,50}?(?:gocardless)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(live_(?i)[a-z0-9\-_=]{40})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = [ + "live_", + "gocardless", +] + +[[rules]] +id = "grafana-api-key" +description = "Identified a Grafana API key, which could compromise monitoring dashboards and sensitive data analytics." +regex = '''(?i)\b(eyJrIjoi[A-Za-z0-9]{70,400}={0,3})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["eyjrijoi"] + +[[rules]] +id = "grafana-cloud-api-token" +description = "Found a Grafana cloud API token, risking unauthorized access to cloud-based monitoring services and data exposure." +regex = '''(?i)\b(glc_[A-Za-z0-9+/]{32,400}={0,3})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["glc_"] + +[[rules]] +id = "grafana-service-account-token" +description = "Discovered a Grafana service account token, posing a risk of compromised monitoring services and data integrity." +regex = '''(?i)\b(glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["glsa_"] + +[[rules]] +id = "harness-api-key" +description = "Identified a Harness Access Token (PAT or SAT), risking unauthorized access to a Harness account." 
+regex = '''(?:pat|sat)\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20}''' +keywords = [ + "pat.", + "sat.", +] + +[[rules]] +id = "hashicorp-tf-api-token" +description = "Uncovered a HashiCorp Terraform user/org API token, which may lead to unauthorized infrastructure management and security breaches." +regex = '''(?i)[a-z0-9]{14}\.(?-i:atlasv1)\.[a-z0-9\-_=]{60,70}''' +entropy = 3.5 +keywords = ["atlasv1"] + +[[rules]] +id = "hashicorp-tf-password" +description = "Identified a HashiCorp Terraform password field, risking unauthorized infrastructure configuration and security breaches." +regex = '''(?i)[\w.-]{0,50}?(?:administrator_login_password|password)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}("[a-z0-9=_\-]{8,20}")(?:[\x60'"\s;]|\\[nr]|$)''' +path = '''(?i)\.(?:tf|hcl)$''' +entropy = 2 +keywords = [ + "administrator_login_password", + "password", +] + +[[rules]] +id = "heroku-api-key" +description = "Detected a Heroku API Key, potentially compromising cloud application deployments and operational security." +regex = '''(?i)[\w.-]{0,50}?(?:heroku)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["heroku"] + +[[rules]] +id = "hubspot-api-key" +description = "Found a HubSpot API Token, posing a risk to CRM data integrity and unauthorized marketing operations." +regex = '''(?i)[\w.-]{0,50}?(?:hubspot)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["hubspot"] + +[[rules]] +id = "huggingface-access-token" +description = "Discovered a Hugging Face Access token, which could lead to unauthorized access to AI models and sensitive data." 
+regex = '''\b(hf_(?i:[a-z]{34}))(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["hf_"] + +[[rules]] +id = "huggingface-organization-api-token" +description = "Uncovered a Hugging Face Organization API token, potentially compromising AI organization accounts and associated data." +regex = '''\b(api_org_(?i:[a-z]{34}))(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["api_org_"] + +[[rules]] +id = "infracost-api-token" +description = "Detected an Infracost API Token, risking unauthorized access to cloud cost estimation tools and financial data." +regex = '''\b(ico-[a-zA-Z0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["ico-"] + +[[rules]] +id = "intercom-api-key" +description = "Identified an Intercom API Token, which could compromise customer communication channels and data privacy." +regex = '''(?i)[\w.-]{0,50}?(?:intercom)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{60})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["intercom"] + +[[rules]] +id = "intra42-client-secret" +description = "Found a Intra42 client secret, which could lead to unauthorized access to the 42School API and sensitive data." +regex = '''\b(s-s4t2(?:ud|af)-(?i)[abcdef0123456789]{64})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = [ + "intra", + "s-s4t2ud-", + "s-s4t2af-", +] + +[[rules]] +id = "jfrog-api-key" +description = "Found a JFrog API Key, posing a risk of unauthorized access to software artifact repositories and build pipelines." +regex = '''(?i)[\w.-]{0,50}?(?:jfrog|artifactory|bintray|xray)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{73})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = [ + "jfrog", + "artifactory", + "bintray", + "xray", +] + +[[rules]] +id = "jfrog-identity-token" +description = "Discovered a JFrog Identity Token, potentially compromising access to JFrog services and sensitive software artifacts." 
+regex = '''(?i)[\w.-]{0,50}?(?:jfrog|artifactory|bintray|xray)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{64})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = [ + "jfrog", + "artifactory", + "bintray", + "xray", +] + +[[rules]] +id = "jwt" +description = "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data." +regex = '''\b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/\\_-]{17,}\.(?:[a-zA-Z0-9\/\\_-]{10,}={0,2})?)(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["ey"] + +[[rules]] +id = "jwt-base64" +description = "Detected a Base64-encoded JSON Web Token, posing a risk of exposing encoded authentication and data exchange information." +regex = '''\bZXlK(?:(?PaGJHY2lPaU)|(?PaGNIVWlPaU)|(?PaGNIWWlPaU)|(?PaGRXUWlPaU)|(?PaU5qUWlP)|(?PamNtbDBJanBi)|(?PamRIa2lPaU)|(?PbGNHc2lPbn)|(?PbGJtTWlPaU)|(?PcWEzVWlPaU)|(?PcWQyc2lPb)|(?PcGMzTWlPaU)|(?PcGRpSTZJ)|(?PcmFXUWlP)|(?PclpYbGZiM0J6SWpwY)|(?PcmRIa2lPaUp)|(?PdWIyNWpaU0k2)|(?Pd01tTWlP)|(?Pd01uTWlPaU)|(?Pd2NIUWlPaU)|(?PemRXSWlPaU)|(?PemRuUWlP)|(?PMFlXY2lPaU)|(?PMGVYQWlPaUp)|(?PMWNtd2l)|(?PMWMyVWlPaUp)|(?PMlpYSWlPaU)|(?PMlpYSnphVzl1SWpv)|(?PNElqb2)|(?PNE5XTWlP)|(?PNE5YUWlPaU)|(?PNE5YUWpVekkxTmlJNkl)|(?PNE5YVWlPaU)|(?PNmFYQWlPaU))[a-zA-Z0-9\/\\_+\-\r\n]{40,}={0,2}''' +entropy = 2 +keywords = ["zxlk"] + +[[rules]] +id = "kraken-access-token" +description = "Identified a Kraken Access Token, potentially compromising cryptocurrency trading accounts and financial security." 
+regex = '''(?i)[\w.-]{0,50}?(?:kraken)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9\/=_\+\-]{80,90})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["kraken"] + +[[rules]] +id = "kubernetes-secret-yaml" +description = "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments" +regex = '''(?i)(?:\bkind:[ \t]*["']?\bsecret\b["']?(?:.|\s){0,200}?\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9+/]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))|\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9+/]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))(?:.|\s){0,200}?\bkind:[ \t]*["']?\bsecret\b["']?)''' +path = '''(?i)\.ya?ml$''' +keywords = ["secret"] +[[rules.allowlists]] +regexes = [ + '''[\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:\{\{[ \t\w"|$:=,.-]+}}|""|'')''', +] +[[rules.allowlists]] +regexTarget = "match" +regexes = [ + '''(kind:(?:.|\s)+\n---\n(?:.|\s)+\bdata:|data:(?:.|\s)+\n---\n(?:.|\s)+\bkind:)''', +] + +[[rules]] +id = "kucoin-access-token" +description = "Found a Kucoin Access Token, risking unauthorized access to cryptocurrency exchange services and transactions." +regex = '''(?i)[\w.-]{0,50}?(?:kucoin)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{24})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["kucoin"] + +[[rules]] +id = "kucoin-secret-key" +description = "Discovered a Kucoin Secret Key, which could lead to compromised cryptocurrency operations and financial data breaches." 
+regex = '''(?i)[\w.-]{0,50}?(?:kucoin)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["kucoin"] + +[[rules]] +id = "launchdarkly-access-token" +description = "Uncovered a Launchdarkly Access Token, potentially compromising feature flag management and application functionality." +regex = '''(?i)[\w.-]{0,50}?(?:launchdarkly)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{40})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["launchdarkly"] + +[[rules]] +id = "linear-api-key" +description = "Detected a Linear API Token, posing a risk to project management tools and sensitive task data." +regex = '''lin_api_(?i)[a-z0-9]{40}''' +entropy = 2 +keywords = ["lin_api_"] + +[[rules]] +id = "linear-client-secret" +description = "Identified a Linear Client Secret, which may compromise secure integrations and sensitive project management data." +regex = '''(?i)[\w.-]{0,50}?(?:linear)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["linear"] + +[[rules]] +id = "linkedin-client-id" +description = "Found a LinkedIn Client ID, risking unauthorized access to LinkedIn integrations and professional data exposure." +regex = '''(?i)[\w.-]{0,50}?(?:linked[_-]?in)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{14})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = [ + "linkedin", + "linked_in", + "linked-in", +] + +[[rules]] +id = "linkedin-client-secret" +description = "Discovered a LinkedIn Client secret, potentially compromising LinkedIn application integrations and user data." 
+regex = '''(?i)[\w.-]{0,50}?(?:linked[_-]?in)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{16})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = [ + "linkedin", + "linked_in", + "linked-in", +] + +[[rules]] +id = "lob-api-key" +description = "Uncovered a Lob API Key, which could lead to unauthorized access to mailing and address verification services." +regex = '''(?i)[\w.-]{0,50}?(?:lob)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}((live|test)_[a-f0-9]{35})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = [ + "test_", + "live_", +] + +[[rules]] +id = "lob-pub-api-key" +description = "Detected a Lob Publishable API Key, posing a risk of exposing mail and print service integrations." +regex = '''(?i)[\w.-]{0,50}?(?:lob)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}((test|live)_pub_[a-f0-9]{31})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = [ + "test_pub", + "live_pub", + "_pub", +] + +[[rules]] +id = "mailchimp-api-key" +description = "Identified a Mailchimp API key, potentially compromising email marketing campaigns and subscriber data." +regex = '''(?i)[\w.-]{0,50}?(?:MailchimpSDK.initialize|mailchimp)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{32}-us\d\d)(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["mailchimp"] + +[[rules]] +id = "mailgun-private-api-token" +description = "Found a Mailgun private API token, risking unauthorized email service operations and data breaches." +regex = '''(?i)[\w.-]{0,50}?(?:mailgun)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(key-[a-f0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["mailgun"] + +[[rules]] +id = "mailgun-pub-key" +description = "Discovered a Mailgun public validation key, which could expose email verification processes and associated data." 
+regex = '''(?i)[\w.-]{0,50}?(?:mailgun)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(pubkey-[a-f0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["mailgun"] + +[[rules]] +id = "mailgun-signing-key" +description = "Uncovered a Mailgun webhook signing key, potentially compromising email automation and data integrity." +regex = '''(?i)[\w.-]{0,50}?(?:mailgun)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["mailgun"] + +[[rules]] +id = "mapbox-api-token" +description = "Detected a MapBox API token, posing a risk to geospatial services and sensitive location data exposure." +regex = '''(?i)[\w.-]{0,50}?(?:mapbox)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(pk\.[a-z0-9]{60}\.[a-z0-9]{22})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["mapbox"] + +[[rules]] +id = "mattermost-access-token" +description = "Identified a Mattermost Access Token, which may compromise team communication channels and data privacy." +regex = '''(?i)[\w.-]{0,50}?(?:mattermost)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{26})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["mattermost"] + +[[rules]] +id = "maxmind-license-key" +description = "Discovered a potential MaxMind license key." +regex = '''\b([A-Za-z0-9]{6}_[A-Za-z0-9]{29}_mmk)(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 4 +keywords = ["_mmk"] + +[[rules]] +id = "messagebird-api-token" +description = "Found a MessageBird API token, risking unauthorized access to communication platforms and message data." 
+regex = '''(?i)[\w.-]{0,50}?(?:message[_-]?bird)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{25})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = [ + "messagebird", + "message-bird", + "message_bird", +] + +[[rules]] +id = "messagebird-client-id" +description = "Discovered a MessageBird client ID, potentially compromising API integrations and sensitive communication data." +regex = '''(?i)[\w.-]{0,50}?(?:message[_-]?bird)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = [ + "messagebird", + "message-bird", + "message_bird", +] + +[[rules]] +id = "microsoft-teams-webhook" +description = "Uncovered a Microsoft Teams Webhook, which could lead to unauthorized access to team collaboration tools and data leaks." +regex = '''https://[a-z0-9]+\.webhook\.office\.com/webhookb2/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}@[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}/IncomingWebhook/[a-z0-9]{32}/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}''' +keywords = [ + "webhook.office.com", + "webhookb2", + "incomingwebhook", +] + +[[rules]] +id = "netlify-access-token" +description = "Detected a Netlify Access Token, potentially compromising web hosting services and site management." +regex = '''(?i)[\w.-]{0,50}?(?:netlify)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{40,46})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["netlify"] + +[[rules]] +id = "new-relic-browser-api-token" +description = "Identified a New Relic ingest browser API token, risking unauthorized access to application performance data and analytics." 
+regex = '''(?i)[\w.-]{0,50}?(?:new-relic|newrelic|new_relic)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(NRJS-[a-f0-9]{19})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["nrjs-"] + +[[rules]] +id = "new-relic-insert-key" +description = "Discovered a New Relic insight insert key, compromising data injection into the platform." +regex = '''(?i)[\w.-]{0,50}?(?:new-relic|newrelic|new_relic)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(NRII-[a-z0-9-]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["nrii-"] + +[[rules]] +id = "new-relic-user-api-id" +description = "Found a New Relic user API ID, posing a risk to application monitoring services and data integrity." +regex = '''(?i)[\w.-]{0,50}?(?:new-relic|newrelic|new_relic)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{64})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = [ + "new-relic", + "newrelic", + "new_relic", +] + +[[rules]] +id = "new-relic-user-api-key" +description = "Discovered a New Relic user API Key, which could lead to compromised application insights and performance monitoring." +regex = '''(?i)[\w.-]{0,50}?(?:new-relic|newrelic|new_relic)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(NRAK-[a-z0-9]{27})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["nrak"] + +[[rules]] +id = "npm-access-token" +description = "Uncovered an npm access token, potentially compromising package management and code repository access." +regex = '''(?i)\b(npm_[a-z0-9]{36})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["npm_"] + +[[rules]] +id = "nuget-config-password" +description = "Identified a password within a Nuget config file, potentially compromising package management access." 
+regex = '''(?i)''' +path = '''(?i)nuget\.config$''' +entropy = 1 +keywords = ["|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = [ + "nytimes", + "new-york-times", + "newyorktimes", +] + +[[rules]] +id = "octopus-deploy-api-key" +description = "Discovered a potential Octopus Deploy API key, risking application deployments and operational security." +regex = '''\b(API-[A-Z0-9]{26})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["api-"] + +[[rules]] +id = "okta-access-token" +description = "Identified an Okta Access Token, which may compromise identity management services and user authentication data." +regex = '''[\w.-]{0,50}?(?i:[\w.-]{0,50}?(?:(?-i:[Oo]kta|OKTA))(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(00[\w=\-]{40})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 4 +keywords = ["okta"] + +[[rules]] +id = "openai-api-key" +description = "Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation." +regex = '''\b(sk-(?:proj|svcacct|admin)-(?:[A-Za-z0-9_-]{74}|[A-Za-z0-9_-]{58})T3BlbkFJ(?:[A-Za-z0-9_-]{74}|[A-Za-z0-9_-]{58})\b|sk-[a-zA-Z0-9]{20}T3BlbkFJ[a-zA-Z0-9]{20})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["t3blbkfj"] + +[[rules]] +id = "openshift-user-token" +description = "Found an OpenShift user token, potentially compromising an OpenShift/Kubernetes cluster." +regex = '''\b(sha256~[\w-]{43})(?:[^\w-]|\z)''' +entropy = 3.5 +keywords = ["sha256~"] + +[[rules]] +id = "pkcs12-file" +description = "Found a PKCS #12 file, which commonly contain bundled private keys." +path = '''(?i)(?:^|\/)[^\/]+\.p(?:12|fx)$''' + +[[rules]] +id = "plaid-api-token" +description = "Discovered a Plaid API Token, potentially compromising financial data aggregation and banking services." 
+regex = '''(?i)[\w.-]{0,50}?(?:plaid)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(access-(?:sandbox|development|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["plaid"] + +[[rules]] +id = "plaid-client-id" +description = "Uncovered a Plaid Client ID, which could lead to unauthorized financial service integrations and data breaches." +regex = '''(?i)[\w.-]{0,50}?(?:plaid)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{24})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3.5 +keywords = ["plaid"] + +[[rules]] +id = "plaid-secret-key" +description = "Detected a Plaid Secret key, risking unauthorized access to financial accounts and sensitive transaction data." +regex = '''(?i)[\w.-]{0,50}?(?:plaid)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{30})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3.5 +keywords = ["plaid"] + +[[rules]] +id = "planetscale-api-token" +description = "Identified a PlanetScale API token, potentially compromising database management and operations." +regex = '''\b(pscale_tkn_(?i)[\w=\.-]{32,64})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["pscale_tkn_"] + +[[rules]] +id = "planetscale-oauth-token" +description = "Found a PlanetScale OAuth token, posing a risk to database access control and sensitive data integrity." +regex = '''\b(pscale_oauth_[\w=\.-]{32,64})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["pscale_oauth_"] + +[[rules]] +id = "planetscale-password" +description = "Discovered a PlanetScale password, which could lead to unauthorized database operations and data breaches." +regex = '''(?i)\b(pscale_pw_(?i)[\w=\.-]{32,64})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["pscale_pw_"] + +[[rules]] +id = "postman-api-token" +description = "Uncovered a Postman API token, potentially compromising API testing and development workflows." 
+regex = '''\b(PMAK-(?i)[a-f0-9]{24}\-[a-f0-9]{34})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["pmak-"] + +[[rules]] +id = "prefect-api-token" +description = "Detected a Prefect API token, risking unauthorized access to workflow management and automation services." +regex = '''\b(pnu_[a-zA-Z0-9]{36})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["pnu_"] + +[[rules]] +id = "private-key" +description = "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption." +regex = '''(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----[\s\S-]{64,}?KEY(?: BLOCK)?-----''' +keywords = ["-----begin"] + +[[rules]] +id = "privateai-api-token" +description = "Identified a PrivateAI Token, posing a risk of unauthorized access to AI services and data manipulation." +regex = '''[\w.-]{0,50}?(?i:[\w.-]{0,50}?(?:private[_-]?ai)(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = [ + "privateai", + "private_ai", + "private-ai", +] + +[[rules]] +id = "pulumi-api-token" +description = "Found a Pulumi API token, posing a risk to infrastructure as code services and cloud resource management." +regex = '''\b(pul-[a-f0-9]{40})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["pul-"] + +[[rules]] +id = "pypi-upload-token" +description = "Discovered a PyPI upload token, potentially compromising Python package distribution and repository integrity." +regex = '''pypi-AgEIcHlwaS5vcmc[\w-]{50,1000}''' +entropy = 3 +keywords = ["pypi-ageichlwas5vcmc"] + +[[rules]] +id = "rapidapi-access-token" +description = "Uncovered a RapidAPI Access Token, which could lead to unauthorized access to various APIs and data services." 
+regex = '''(?i)[\w.-]{0,50}?(?:rapidapi)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9_-]{50})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["rapidapi"] + +[[rules]] +id = "readme-api-token" +description = "Detected a Readme API token, risking unauthorized documentation management and content exposure." +regex = '''\b(rdme_[a-z0-9]{70})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["rdme_"] + +[[rules]] +id = "rubygems-api-token" +description = "Identified a Rubygem API token, potentially compromising Ruby library distribution and package management." +regex = '''\b(rubygems_[a-f0-9]{48})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["rubygems_"] + +[[rules]] +id = "scalingo-api-token" +description = "Found a Scalingo API token, posing a risk to cloud platform services and application deployment security." +regex = '''\b(tk-us-[\w-]{48})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["tk-us-"] + +[[rules]] +id = "sendbird-access-id" +description = "Discovered a Sendbird Access ID, which could compromise chat and messaging platform integrations." +regex = '''(?i)[\w.-]{0,50}?(?:sendbird)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["sendbird"] + +[[rules]] +id = "sendbird-access-token" +description = "Uncovered a Sendbird Access Token, potentially risking unauthorized access to communication services and user data." +regex = '''(?i)[\w.-]{0,50}?(?:sendbird)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{40})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["sendbird"] + +[[rules]] +id = "sendgrid-api-token" +description = "Detected a SendGrid API token, posing a risk of unauthorized email service operations and data exposure." 
+regex = '''\b(SG\.(?i)[a-z0-9=_\-\.]{66})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["sg."] + +[[rules]] +id = "sendinblue-api-token" +description = "Identified a Sendinblue API token, which may compromise email marketing services and subscriber data privacy." +regex = '''\b(xkeysib-[a-f0-9]{64}\-(?i)[a-z0-9]{16})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["xkeysib-"] + +[[rules]] +id = "sentry-access-token" +description = "Found a Sentry.io Access Token (old format), risking unauthorized access to error tracking services and sensitive application data." +regex = '''(?i)[\w.-]{0,50}?(?:sentry)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{64})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["sentry"] + +[[rules]] +id = "sentry-org-token" +description = "Found a Sentry.io Organization Token, risking unauthorized access to error tracking services and sensitive application data." +regex = '''\bsntrys_eyJpYXQiO[a-zA-Z0-9+/]{10,200}(?:LCJyZWdpb25fdXJs|InJlZ2lvbl91cmwi|cmVnaW9uX3VybCI6)[a-zA-Z0-9+/]{10,200}={0,2}_[a-zA-Z0-9+/]{43}(?:[^a-zA-Z0-9+/]|\z)''' +entropy = 4.5 +keywords = ["sntrys_eyjpyxqio"] + +[[rules]] +id = "sentry-user-token" +description = "Found a Sentry.io User Token, risking unauthorized access to error tracking services and sensitive application data." +regex = '''\b(sntryu_[a-f0-9]{64})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3.5 +keywords = ["sntryu_"] + +[[rules]] +id = "settlemint-application-access-token" +description = "Found a Settlemint Application Access Token." +regex = '''\b(sm_aat_[a-zA-Z0-9]{16})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["sm_aat"] + +[[rules]] +id = "settlemint-personal-access-token" +description = "Found a Settlemint Personal Access Token." 
+regex = '''\b(sm_pat_[a-zA-Z0-9]{16})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["sm_pat"] + +[[rules]] +id = "settlemint-service-access-token" +description = "Found a Settlemint Service Access Token." +regex = '''\b(sm_sat_[a-zA-Z0-9]{16})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["sm_sat"] + +[[rules]] +id = "shippo-api-token" +description = "Discovered a Shippo API token, potentially compromising shipping services and customer order data." +regex = '''\b(shippo_(?:live|test)_[a-fA-F0-9]{40})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = ["shippo_"] + +[[rules]] +id = "shopify-access-token" +description = "Uncovered a Shopify access token, which could lead to unauthorized e-commerce platform access and data breaches." +regex = '''shpat_[a-fA-F0-9]{32}''' +entropy = 2 +keywords = ["shpat_"] + +[[rules]] +id = "shopify-custom-access-token" +description = "Detected a Shopify custom access token, potentially compromising custom app integrations and e-commerce data security." +regex = '''shpca_[a-fA-F0-9]{32}''' +entropy = 2 +keywords = ["shpca_"] + +[[rules]] +id = "shopify-private-app-access-token" +description = "Identified a Shopify private app access token, risking unauthorized access to private app data and store operations." +regex = '''shppa_[a-fA-F0-9]{32}''' +entropy = 2 +keywords = ["shppa_"] + +[[rules]] +id = "shopify-shared-secret" +description = "Found a Shopify shared secret, posing a risk to application authentication and e-commerce platform security." +regex = '''shpss_[a-fA-F0-9]{32}''' +entropy = 2 +keywords = ["shpss_"] + +[[rules]] +id = "sidekiq-secret" +description = "Discovered a Sidekiq Secret, which could lead to compromised background job processing and application data breaches." 
+regex = '''(?i)[\w.-]{0,50}?(?:BUNDLE_ENTERPRISE__CONTRIBSYS__COM|BUNDLE_GEMS__CONTRIBSYS__COM)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{8}:[a-f0-9]{8})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = [ + "bundle_enterprise__contribsys__com", + "bundle_gems__contribsys__com", +] + +[[rules]] +id = "sidekiq-sensitive-url" +description = "Uncovered a Sidekiq Sensitive URL, potentially exposing internal job queues and sensitive operation details." +regex = '''(?i)\bhttps?://([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$)''' +keywords = [ + "gems.contribsys.com", + "enterprise.contribsys.com", +] + +[[rules]] +id = "slack-app-token" +description = "Detected a Slack App-level token, risking unauthorized access to Slack applications and workspace data." +regex = '''(?i)xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+''' +entropy = 2 +keywords = ["xapp"] + +[[rules]] +id = "slack-bot-token" +description = "Identified a Slack Bot token, which may compromise bot integrations and communication channel security." +regex = '''xoxb-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*''' +entropy = 3 +keywords = ["xoxb"] + +[[rules]] +id = "slack-config-access-token" +description = "Found a Slack Configuration access token, posing a risk to workspace configuration and sensitive data access." +regex = '''(?i)xoxe.xox[bp]-\d-[A-Z0-9]{163,166}''' +entropy = 2 +keywords = [ + "xoxe.xoxb-", + "xoxe.xoxp-", +] + +[[rules]] +id = "slack-config-refresh-token" +description = "Discovered a Slack Configuration refresh token, potentially allowing prolonged unauthorized access to configuration settings." +regex = '''(?i)xoxe-\d-[A-Z0-9]{146}''' +entropy = 2 +keywords = ["xoxe-"] + +[[rules]] +id = "slack-legacy-bot-token" +description = "Uncovered a Slack Legacy bot token, which could lead to compromised legacy bot operations and data exposure." 
+regex = '''xoxb-[0-9]{8,14}-[a-zA-Z0-9]{18,26}''' +entropy = 2 +keywords = ["xoxb"] + +[[rules]] +id = "slack-legacy-token" +description = "Detected a Slack Legacy token, risking unauthorized access to older Slack integrations and user data." +regex = '''xox[os]-\d+-\d+-\d+-[a-fA-F\d]+''' +entropy = 2 +keywords = [ + "xoxo", + "xoxs", +] + +[[rules]] +id = "slack-legacy-workspace-token" +description = "Identified a Slack Legacy Workspace token, potentially compromising access to workspace data and legacy features." +regex = '''xox[ar]-(?:\d-)?[0-9a-zA-Z]{8,48}''' +entropy = 2 +keywords = [ + "xoxa", + "xoxr", +] + +[[rules]] +id = "slack-user-token" +description = "Found a Slack User token, posing a risk of unauthorized user impersonation and data access within Slack workspaces." +regex = '''xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34}''' +entropy = 2 +keywords = [ + "xoxp-", + "xoxe-", +] + +[[rules]] +id = "slack-webhook-url" +description = "Discovered a Slack Webhook, which could lead to unauthorized message posting and data leakage in Slack channels." +regex = '''(?:https?://)?hooks.slack.com/(?:services|workflows|triggers)/[A-Za-z0-9+/]{43,56}''' +keywords = ["hooks.slack.com"] + +[[rules]] +id = "snyk-api-token" +description = "Uncovered a Snyk API token, potentially compromising software vulnerability scanning and code security." +regex = '''(?i)[\w.-]{0,50}?(?:snyk[_.-]?(?:(?:api|oauth)[_.-]?)?(?:key|token))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["snyk"] + +[[rules]] +id = "sonar-api-token" +description = "Uncovered a Sonar API token, potentially compromising software vulnerability scanning and code security." 
+regex = '''(?i)[\w.-]{0,50}?(?:sonar[_.-]?(login|token))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{40})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["sonar"] + +[[rules]] +id = "sourcegraph-access-token" +description = "Sourcegraph is a code search and navigation engine." +regex = '''(?i)\b(\b(sgp_(?:[a-fA-F0-9]{16}|local)_[a-fA-F0-9]{40}|sgp_[a-fA-F0-9]{40}|[a-fA-F0-9]{40})\b)(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = [ + "sgp_", + "sourcegraph", +] + +[[rules]] +id = "square-access-token" +description = "Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure." +regex = '''\b((?:EAAA|sq0atp-)[\w-]{22,60})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = [ + "sq0atp-", + "eaaa", +] + +[[rules]] +id = "squarespace-access-token" +description = "Identified a Squarespace Access Token, which may compromise website management and content control on Squarespace." +regex = '''(?i)[\w.-]{0,50}?(?:squarespace)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["squarespace"] + +[[rules]] +id = "stripe-access-token" +description = "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data." +regex = '''\b((?:sk|rk)_(?:test|live|prod)_[a-zA-Z0-9]{10,99})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 2 +keywords = [ + "sk_test", + "sk_live", + "sk_prod", + "rk_test", + "rk_live", + "rk_prod", +] + +[[rules]] +id = "sumologic-access-id" +description = "Discovered a SumoLogic Access ID, potentially compromising log management services and data analytics integrity." 
+regex = '''[\w.-]{0,50}?(?i:[\w.-]{0,50}?(?:(?-i:[Ss]umo|SUMO))(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(su[a-zA-Z0-9]{12})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["sumo"] + +[[rules]] +id = "sumologic-access-token" +description = "Uncovered a SumoLogic Access Token, which could lead to unauthorized access to log data and analytics insights." +regex = '''(?i)[\w.-]{0,50}?(?:(?-i:[Ss]umo|SUMO))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{64})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3 +keywords = ["sumo"] + +[[rules]] +id = "telegram-bot-api-token" +description = "Detected a Telegram Bot API Token, risking unauthorized bot operations and message interception on Telegram." +regex = '''(?i)[\w.-]{0,50}?(?:telegr)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9]{5,16}:(?-i:A)[a-z0-9_\-]{34})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["telegr"] + +[[rules]] +id = "travisci-access-token" +description = "Identified a Travis CI Access Token, potentially compromising continuous integration services and codebase security." +regex = '''(?i)[\w.-]{0,50}?(?:travis)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{22})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["travis"] + +[[rules]] +id = "twilio-api-key" +description = "Found a Twilio API Key, posing a risk to communication services and sensitive customer interaction data." +regex = '''SK[0-9a-fA-F]{32}''' +entropy = 3 +keywords = ["sk"] + +[[rules]] +id = "twitch-api-token" +description = "Discovered a Twitch API token, which could compromise streaming services and account integrations." 
+regex = '''(?i)[\w.-]{0,50}?(?:twitch)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{30})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["twitch"] + +[[rules]] +id = "twitter-access-secret" +description = "Uncovered a Twitter Access Secret, potentially risking unauthorized Twitter integrations and data breaches." +regex = '''(?i)[\w.-]{0,50}?(?:twitter)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{45})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["twitter"] + +[[rules]] +id = "twitter-access-token" +description = "Detected a Twitter Access Token, posing a risk of unauthorized account operations and social media data exposure." +regex = '''(?i)[\w.-]{0,50}?(?:twitter)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9]{15,25}-[a-zA-Z0-9]{20,40})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["twitter"] + +[[rules]] +id = "twitter-api-key" +description = "Identified a Twitter API Key, which may compromise Twitter application integrations and user data security." +regex = '''(?i)[\w.-]{0,50}?(?:twitter)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{25})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["twitter"] + +[[rules]] +id = "twitter-api-secret" +description = "Found a Twitter API Secret, risking the security of Twitter app integrations and sensitive data access." +regex = '''(?i)[\w.-]{0,50}?(?:twitter)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{50})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["twitter"] + +[[rules]] +id = "twitter-bearer-token" +description = "Discovered a Twitter Bearer Token, potentially compromising API access and data retrieval from Twitter." 
+regex = '''(?i)[\w.-]{0,50}?(?:twitter)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(A{22}[a-zA-Z0-9%]{80,100})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["twitter"] + +[[rules]] +id = "typeform-api-token" +description = "Uncovered a Typeform API token, which could lead to unauthorized survey management and data collection." +regex = '''(?i)[\w.-]{0,50}?(?:typeform)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(tfp_[a-z0-9\-_\.=]{59})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["tfp_"] + +[[rules]] +id = "vault-batch-token" +description = "Detected a Vault Batch Token, risking unauthorized access to secret management services and sensitive data." +regex = '''\b(hvb\.[\w-]{138,300})(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 4 +keywords = ["hvb."] + +[[rules]] +id = "vault-service-token" +description = "Identified a Vault Service Token, potentially compromising infrastructure security and access to sensitive credentials." +regex = '''\b((?:hvs\.[\w-]{90,120}|s\.(?i:[a-z0-9]{24})))(?:[\x60'"\s;]|\\[nr]|$)''' +entropy = 3.5 +keywords = [ + "hvs.", + "s.", +] +[[rules.allowlists]] +regexes = [ + '''s\.[A-Za-z]{24}''', +] + +[[rules]] +id = "yandex-access-token" +description = "Found a Yandex Access Token, posing a risk to Yandex service integrations and user data privacy." +regex = '''(?i)[\w.-]{0,50}?(?:yandex)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2})(?:[\x60'"\s;]|\\[nr]|$)''' +keywords = ["yandex"] + +[[rules]] +id = "yandex-api-key" +description = "Discovered a Yandex API Key, which could lead to unauthorized access to Yandex services and data manipulation." 
+regex = '''(?i)[\w.-]{0,50}?(?:yandex)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(AQVN[A-Za-z0-9_\-]{35,38})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["yandex"]
+
+[[rules]]
+id = "yandex-aws-access-token"
+description = "Uncovered a Yandex AWS Access Token, potentially compromising cloud resource access and data security on Yandex Cloud."
+regex = '''(?i)[\w.-]{0,50}?(?:yandex)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(YC[a-zA-Z0-9_\-]{38})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["yandex"]
+
+[[rules]]
+id = "zendesk-secret-key"
+description = "Detected a Zendesk Secret Key, risking unauthorized access to customer support services and sensitive ticketing data."
+regex = '''(?i)[\w.-]{0,50}?(?:zendesk)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{40})(?:[\x60'"\s;]|\\[nr]|$)'''
+keywords = ["zendesk"]
diff --git a/megalinter/descriptors/repository.megalinter-descriptor.yml b/megalinter/descriptors/repository.megalinter-descriptor.yml
index 6f93e62fe81..5cc0289ab49 100644
--- a/megalinter/descriptors/repository.megalinter-descriptor.yml
+++ b/megalinter/descriptors/repository.megalinter-descriptor.yml
@@ -663,6 +663,8 @@ linters:
 cli_lint_extra_args:
 - filesystem
 - "."
+ - --exclude
+ - .git
 - --fail
 - --only-verified
 - --no-update
diff --git a/megalinter/linters/RakuLinter.py b/megalinter/linters/RakuLinter.py
index 72dbb6516d4..11e14f27947 100644
--- a/megalinter/linters/RakuLinter.py
+++ b/megalinter/linters/RakuLinter.py
@@ -29,7 +29,7 @@ def before_lint_files(self):
 ),
 )
 return_code = process.returncode
- return_stdout = megalinter.utils.decode_utf8(process.stdout)
+ return_stdout = megalinter.utils.clean_string(process.stdout)
 logging.debug(f"{return_code} : {return_stdout}")
 # Build the CLI command to call to lint a file
diff --git a/megalinter/linters/ShellcheckLinter.py b/megalinter/linters/ShellcheckLinter.py
index 6d5d3d07ecd..c76f8e4fde0 100644
--- a/megalinter/linters/ShellcheckLinter.py
+++ b/megalinter/linters/ShellcheckLinter.py
@@ -24,7 +24,7 @@ def manage_sarif_output(self, return_stdout):
 env=config.build_env(self.request_id),
 )
 return_code = process.returncode
- shellcheck_res_sarif = utils.decode_utf8(process.stdout)
+ shellcheck_res_sarif = utils.clean_string(process.stdout)
 logging.debug(
 "shellcheck-sarif output" + str(return_code)
diff --git a/megalinter/logger.py b/megalinter/logger.py
index 4a6886dae6e..883d80457be 100644
--- a/megalinter/logger.py
+++ b/megalinter/logger.py
@@ -1,12 +1,17 @@
 #!/usr/bin/env python3
 import logging
 import os
+import re
 import sys
+import tomllib
+
+import requests
 import chalk as c
 from megalinter import config, utils
 from megalinter.constants import ML_DOC_URL
 from megalinter.utils_reporter import log_section_start
+from pywhat import identifier
 def initialize_logger(mega_linter):
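Review bot: `import tomllib` in the new import block of logger.py only resolves on Python 3.11 or newer, so on an older interpreter `megalinter.logger` fails at import time rather than only when the Gitleaks config is parsed; if the supported floor is below 3.11 (not visible here), declare the requirement in the project metadata or guard the import. `import requests` is a third-party package placed inside the stdlib group between `tomllib` and `chalk as c`; moving it next to `chalk` keeps the stdlib/third-party grouping readable. Since this block is what makes a logging module pull in an HTTP client and a TOML parser, a one-line comment such as `# tomllib/requests: load the Gitleaks rule set used by sanitize_string()` would tell a reader why.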
@@ -139,3 +144,43 @@ def display_header(mega_linter):
 logging.debug("" + name + "=HIDDEN_BY_MEGALINTER")
 logging.debug(utils.format_hyphens(""))
 logging.info("")
+
+GITLEAKS_REGEXES = None
+
+def fetch_gitleaks_regexes(force_use_local_file=False):
+ global GITLEAKS_REGEXES
+ if GITLEAKS_REGEXES is not None:
+ return GITLEAKS_REGEXES
+
+ config_data = None
+ if not force_use_local_file:
+ url = "https://raw.githubusercontent.com/gitleaks/gitleaks/refs/heads/master/config/gitleaks.toml"
+ try:
+ response = requests.get(url)
+ if response.status_code == 200:
+ config_data = response.text
+ else:
+ logging.warning(f"Failed to fetch Gitleaks config from URL: {response.status_code}")
+ except Exception as e:
+ logging.warning(f"Could not fetch Gitleaks config from URL. Error: {e}")
+
+ if config_data is None:
+ logging.info("Using local Gitleaks config file.")
+ with open("./descriptors/additional/gitleaks-default.toml", "r", encoding="utf-8") as file:
+ config_data = file.read()
+
+ config = tomllib.loads(config_data.encode("utf-8"))
+ regex_patterns = []
+ for rule in config.get('rules', []):
+ pattern = rule.get('regex')
+ if pattern:
+ regex_patterns.append(pattern)
+ GITLEAKS_REGEXES = regex_patterns
+ return regex_patterns
+
+def sanitize_string(input_string):
+ regex_patterns = fetch_gitleaks_regexes()
+ sanitized_string = input_string
+ for pattern in regex_patterns:
+ sanitized_string = re.sub(pattern, "[HIDDEN BY MEGALINTER]", sanitized_string)
+ return sanitized_string
diff --git a/megalinter/plugin_factory.py b/megalinter/plugin_factory.py
index 881ee0dd01d..96476914708 100644
--- a/megalinter/plugin_factory.py
+++ b/megalinter/plugin_factory.py
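Review bot: `requests.get(url)` in fetch_gitleaks_regexes has no `timeout`, so a stalled connection to raw.githubusercontent.com hangs the whole run instead of falling through to the bundled file; use `response = requests.get(url, timeout=10)` (any finite value) so the except branch and the local fallback are actually reachable. The rule set is also fetched from the unpinned `master` branch on every process start, which means the regexes applied to all subprocess output — hence what gets masked, and the cost of any pathological pattern among them — can change without a MegaLinter release; pinning the URL to a tagged Gitleaks release, or treating the bundled `gitleaks-default.toml` as the source of truth and refreshing it at build time, keeps the masking behaviour reproducible and auditable. The fallback path `./descriptors/additional/gitleaks-default.toml` is relative to the current working directory and that `open()` sits outside any try, so a run launched from another directory raises FileNotFoundError; resolving it from `os.path.dirname(__file__)` would make the fallback independent of cwd. Both functions need a docstring stating that the result is cached module-wide in `GITLEAKS_REGEXES`, that `force_use_local_file` is ignored once the cache is populated, and that sanitize_string replaces each whole match with `[HIDDEN BY MEGALINTER]`.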
@@ -113,7 +113,7 @@ def process_install(install, request_id):
 env=config.build_env(request_id),
 )
 return_code = process.returncode
- stdout = utils.decode_utf8(process.stdout)
+ stdout = utils.clean_string(process.stdout)
 logging.debug(f"[Plugins] Result ({str(return_code)}): {stdout}")
 if return_code != 0:
 raise Exception(
diff --git a/megalinter/pre_post_factory.py b/megalinter/pre_post_factory.py
index 740e5d92ccc..7837eae4ddf 100644
--- a/megalinter/pre_post_factory.py
+++ b/megalinter/pre_post_factory.py
@@ -151,7 +151,7 @@ def run_command(command_info, log_key, mega_linter, linter=None):
 env=subprocess_env,
 )
 return_code = process.returncode
- return_stdout = utils.decode_utf8(process.stdout)
+ return_stdout = utils.clean_string(process.stdout)
 if return_code == 0:
 add_in_logs(linter, log_key, [f"{log_key} result:\n{return_stdout}"])
 else:
diff --git a/megalinter/tests/test_megalinter/filters_test.py b/megalinter/tests/test_megalinter/filters_test.py
index 16317c483b4..0db25ce7a92 100644
--- a/megalinter/tests/test_megalinter/filters_test.py
+++ b/megalinter/tests/test_megalinter/filters_test.py
@@ -9,7 +9,7 @@ from megalinter import utils
-class utilsTest(unittest.TestCase):
+class filters_test(unittest.TestCase):
 def test_file_contains_true(self):
 repo_home = utils.REPO_HOME_DEFAULT
 regex_list = ["#!/usr/bin/env perl", "#!/usr/bin/perl"]
diff --git a/megalinter/tests/test_megalinter/mega_linter_1_test.py b/megalinter/tests/test_megalinter/mega_linter_1_test.py
index dcd8dbc9da3..7d5871db4cc 100644
--- a/megalinter/tests/test_megalinter/mega_linter_1_test.py
+++ b/megalinter/tests/test_megalinter/mega_linter_1_test.py
@@ -494,3 +494,4 @@ def test_skip_cli_lint_mode(self):
 self.assertIn(
 "JAVASCRIPT_ES has been skipped because its CLI lint mode", output
 )
+
diff --git a/megalinter/tests/test_megalinter/utils_test.py b/megalinter/tests/test_megalinter/utils_test.py
new file mode 100644
index 00000000000..b4351f9d98d
--- /dev/null
+++ b/megalinter/tests/test_megalinter/utils_test.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python3
+"""
+Unit tests for utils class
+
+"""
+import re
+import unittest
+
+from megalinter import utils
+from megalinter.logger import sanitize_string, fetch_gitleaks_regexes
+
+
+class utils_test(unittest.TestCase):
+ def test_sanitize_string(self):
+ input_string = (
+ "AWS Key: AKIAIOSFODNN7EXAMPLE and GitHub Token: ghp_abcdEFGHijklMNOPqrstUVWXyz1234567890"
+ )
+ expected_output = (
+ "AWS Key: [HIDDEN BY MEGALINTER] and GitHub Token: [HIDDEN BY MEGALINTER]"
+ )
+
+ sanitized = sanitize_string(input_string)
+
+ # We don't know exactly what pywhat will match, so check if sensitive parts are gone
+ self.assertNotIn("AKIAIOSFODNN7EXAMPLE", sanitized)
+ self.assertNotIn("ghp_abcdEFGHijklMNOPqrstUVWXyz1234567890", sanitized)
+ self.assertIn("[HIDDEN BY MEGALINTER]", sanitized)
+
+ # Optional: stricter check if needed
+ self.assertEqual(
+ sanitized.count("[HIDDEN BY MEGALINTER]"), 2,
+ "There should be exactly 2 [HIDDEN BY MEGALINTER] in the output"
+ )
+
+ def test_fetch_gitleaks_regexes_remote(self):
+ # Test fetching Gitleaks regexes from the remote URL
+ regexes = fetch_gitleaks_regexes(force_use_local_file=False)
+ self.assertIsInstance(regexes, list, "Regexes should be a list")
+ self.assertGreater(len(regexes), 0, "Regexes list should not be empty")
+
+ def test_fetch_gitleaks_regexes_local(self):
+ # Test fetching Gitleaks regexes from the local file
+ regexes = fetch_gitleaks_regexes(force_use_local_file=True)
+ self.assertIsInstance(regexes, list, "Regexes should be a list")
+ self.assertGreater(len(regexes), 0, "Regexes list should not be empty")
\ No newline at end of file
diff --git a/megalinter/utils.py b/megalinter/utils.py
index d6302f29831..a1e3b7dc614 100644
--- a/megalinter/utils.py
+++ b/megalinter/utils.py
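Review bot: `test_fetch_gitleaks_regexes_local` does not exercise the local file: fetch_gitleaks_regexes returns the module-level `GITLEAKS_REGEXES` cache whenever it is already populated, so `force_use_local_file=True` is ignored once any earlier call (including the one sanitize_string makes inside `test_sanitize_string`) has filled it, and which source gets tested depends on test ordering. Reset the cache in a `setUp` (`from megalinter import logger` then `logger.GITLEAKS_REGEXES = None`) and assert something source-specific, for instance patching `requests.get` to raise in one test and checking that the fallback path still yields patterns. `test_fetch_gitleaks_regexes_remote` needs outbound network access to an unpinned upstream file, so the suite is non-hermetic and can fail or change result with no code change; mocking `requests.get` or tagging it as an integration test is safer. The sample values in `test_sanitize_string` appear to be documentation placeholders rather than live credentials; a one-line comment saying so would stop reviewers and secret scanners from treating them as a leak.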
@@ -13,7 +13,7 @@ import git
 import regex
-from megalinter import config
+from megalinter import config, logger
 from megalinter.constants import DEFAULT_DOCKER_WORKSPACE_DIR
 SIZE_MAX_SOURCEFILEHEADER = 1024
@@ -297,12 +297,14 @@ def file_is_generated(file_name: str) -> bool:
 return b"@generated" in content and b"@not-generated" not in content
-def decode_utf8(stdout):
+def clean_string(stdout: str) -> str:
 # noinspection PyBroadException
 try:
 res = stdout.decode("utf-8")
+ stdout = logger.sanitize_string(stdout)
 except Exception:
 res = str(stdout)
+ stdout = logger.sanitize_string(stdout)
 return res
diff --git a/megalinter/utils_reporter.py b/megalinter/utils_reporter.py
index d1e1ab174a7..2f90e741d7d 100644
--- a/megalinter/utils_reporter.py
+++ b/megalinter/utils_reporter.py
@@ -237,7 +237,7 @@ def convert_sarif_to_human(sarif_in, request_id) -> str:
 env=config.build_env(request_id),
 )
 return_code = process.returncode
- output = utils.decode_utf8(process.stdout)
+ output = utils.clean_string(process.stdout)
 except Exception as e:
 return_code = 1
 output = sarif_in
From b36f404bb9073b210aca0d34e4311bd00675b4dc Mon Sep 17 00:00:00 2001
From: nvuillam
Date: Sat, 26 Apr 2025 23:22:12 +0200
Subject: [PATCH 04/34] fix
---
 megalinter/logger.py | 1 -
 megalinter/tests/test_megalinter/utils_test.py | 1 -
 2 files changed, 2 deletions(-)
diff --git a/megalinter/logger.py b/megalinter/logger.py
index 883d80457be..26edcbc9bfa 100644
--- a/megalinter/logger.py
+++ b/megalinter/logger.py
@@ -11,7 +11,6 @@
 from megalinter import config, utils
 from megalinter.constants import ML_DOC_URL
 from megalinter.utils_reporter import log_section_start
-from pywhat import identifier
 def initialize_logger(mega_linter):
diff --git a/megalinter/tests/test_megalinter/utils_test.py b/megalinter/tests/test_megalinter/utils_test.py
index b4351f9d98d..a8d5db7e630 100644
--- a/megalinter/tests/test_megalinter/utils_test.py
+++ b/megalinter/tests/test_megalinter/utils_test.py
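Review bot: `from megalinter import config, logger` in utils.py creates an import cycle, because logger.py already does `from megalinter import config, utils` (earlier hunk of this patch). It appears to work only because each side touches the other's names inside function bodies (`logger.sanitize_string` here, `utils.format_hyphens` in logger.py) and never at module top level, and nothing in either file records that constraint. A comment on the import, `# NOTE: megalinter.logger imports this module too; reference logger.* only inside functions`, or moving the import into clean_string, would stop a future top-level use from failing on a partially initialised module.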
@@ -21,7 +21,6 @@ def test_sanitize_string(self):
 sanitized = sanitize_string(input_string)
- # We don't know exactly what pywhat will match, so check if sensitive parts are gone
 self.assertNotIn("AKIAIOSFODNN7EXAMPLE", sanitized)
 self.assertNotIn("ghp_abcdEFGHijklMNOPqrstUVWXyz1234567890", sanitized)
 self.assertIn("[HIDDEN BY MEGALINTER]", sanitized)
From 1f73587aa429d539e5cc3a25785eb3d3319e1948 Mon Sep 17 00:00:00 2001
From: nvuillam
Date: Sat, 26 Apr 2025 23:29:31 +0200
Subject: [PATCH 05/34] fix
---
 megalinter/logger.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/megalinter/logger.py b/megalinter/logger.py
index 26edcbc9bfa..fe97f800d0a 100644
--- a/megalinter/logger.py
+++ b/megalinter/logger.py
@@ -157,7 +157,7 @@ def fetch_gitleaks_regexes(force_use_local_file=False):
 try:
 response = requests.get(url)
 if response.status_code == 200:
- config_data = response.text
+ config_data = response.text.encode("utf-8")
 else:
 logging.warning(f"Failed to fetch Gitleaks config from URL: {response.status_code}")
 except Exception as e:
@@ -168,7 +168,7 @@ def fetch_gitleaks_regexes(force_use_local_file=False):
 with open("./descriptors/additional/gitleaks-default.toml", "r", encoding="utf-8") as file:
 config_data = file.read()
- config = tomllib.loads(config_data.encode("utf-8"))
+ config = tomllib.loads(config_data)
 regex_patterns = []
 for rule in config.get('rules', []):
 pattern = rule.get('regex')
From 1d703061f077b67246f21382717ef7f97986d9dd Mon Sep 17 00:00:00 2001
From: nvuillam
Date: Sun, 27 Apr 2025 00:30:00 +0200
Subject: [PATCH 06/34] fixes regex patterns
---
 megalinter/logger.py | 3 ++-
 megalinter/utils.py | 24 ++++++++++++++++++++++++--
 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/megalinter/log logger.py b/megalinter/logger.py
index fe97f800d0a..b3beb9d3715 100644
--- a/megalinter/logger.py
+++ b/megalinter/logger.py
@@ -157,7 +157,7 @@ def fetch_gitleaks_regexes(force_use_local_file=False):
 try:
 response = requests.get(url)
 if response.status_code == 200:
- config_data = response.text.encode("utf-8")
+ config_data = response.text # Fix: Pass string to tomllib.loads instead of bytes
 else:
 logging.warning(f"Failed to fetch Gitleaks config from URL: {response.status_code}")
 except Exception as e:
@@ -174,6 +174,7 @@ def fetch_gitleaks_regexes(force_use_local_file=False):
 pattern = rule.get('regex')
 if pattern:
 regex_patterns.append(pattern)
+ regex_patterns = utils.fix_regex_patterns(regex_patterns)
 GITLEAKS_REGEXES = regex_patterns
 return regex_patterns
diff --git a/megalinter/utils.py b/megalinter/utils.py
index a1e3b7dc614..bcd6f13dde7 100644
--- a/megalinter/utils.py
+++ b/megalinter/utils.py
@@ -301,10 +301,10 @@ def clean_string(stdout: str) -> str:
 # noinspection PyBroadException
 try:
 res = stdout.decode("utf-8")
- stdout = logger.sanitize_string(stdout)
+ res = logger.sanitize_string(res)
 except Exception:
 res = str(stdout)
- stdout = logger.sanitize_string(stdout)
+ res = logger.sanitize_string(res)
 return res
@@ -587,3 +587,23 @@ def is_pr() -> bool:
 )
 else False
 )
+
+
+def fix_regex_patterns(patterns,fail=False):
+ """
+ Ensures that global flags (e.g., (?i)) are at the start of each regex pattern in the list.
+ If not, it adjusts the patterns to make them compatible with the re module.
+ """
+ fixed_patterns = []
+ for pattern in patterns:
+ try:
+ # Try compiling the pattern to check if it's valid
+ re.compile(pattern)
+ fixed_patterns.append(pattern) # Pattern is valid, add as is
+ except re.error as e:
+ if fail is True:
+ raise
+ else :
+ logging.warning(f"Invalid regex pattern: {pattern}. Error: {e}")
+ return fixed_patterns
+
From 59bb8411ba42699abf50af39bafb4810690f0eb0 Mon Sep 17 00:00:00 2001
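Review bot: the `try` in clean_string now covers `logger.sanitize_string(res)` as well as the decode, so an error raised while sanitising (for example the fallback `open()` in fetch_gitleaks_regexes raising FileNotFoundError) lands in the except branch, which discards the decoded text, rebuilds `res` as the `b'...'` repr of the raw bytes and calls sanitize_string a second time, where the same error now propagates uncaught. Limit the try to the decode and sanitise once afterwards, ending the function with `return logger.sanitize_string(res)`; that also removes the duplicated call. A docstring stating that the function decodes subprocess output as UTF-8 (falling back to `str()`) and masks matches of the Gitleaks rule set would explain the rename from decode_utf8 to callers.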
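Review bot: the docstring on fix_regex_patterns says it moves global flags such as `(?i)` to the start of a pattern and "adjusts" incompatible ones, but the body only compiles each pattern and drops those `re` rejects; a maintainer trusting the docstring will assume compatibility work that does not exist. Replace it with a docstring stating that the function returns the subset of `patterns` that `re.compile` accepts, logs a warning for each rejected pattern, and re-raises the `re.error` when `fail` is true. Because every dropped pattern is one credential format that will no longer be masked in subprocess output, the warning should say so, e.g. `logging.warning(f"Dropping Gitleaks pattern that Python re cannot compile (its matches will NOT be masked): {pattern}. Error: {e}")`. Minor style points: `if fail:` instead of `if fail is True:`, `fail` as keyword-only (`patterns, *, fail=False`), and the stray space in `else :`; also confirm `re` is imported in utils.py, since only `import regex` is visible in the earlier hunk.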
From: nvuillam
Date: Sun, 27 Apr 2025 00:39:45 +0200
Subject: [PATCH 07/34] Fixes
---
 .mega-linter.yml | 2 --
 .secretlintignore | 2 +-
 megalinter/tests/test_megalinter/utils_test.py | 6 ------
 3 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/.mega-linter.yml b/.mega-linter.yml
index 018d5d646a6..11dac719b43 100644
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
@@ -16,7 +16,6 @@ DISABLE_LINTERS:
 - JSON_PRETTIER
 - MARKDOWN_MARKDOWN_LINK_CHECK
 - PYTHON_PYRIGHT
- - REPOSITORY_GITLEAKS
 - REPOSITORY_KICS
 - SPELL_PROSELINT
 - SPELL_MISSPELL
@@ -26,7 +25,6 @@ DISABLE_ERRORS_LINTERS:
 - REPOSITORY_DEVSKIM
 - REPOSITORY_GRYPE
 - REPOSITORY_SEMGREP
- - REPOSITORY_TRUFFLEHOG
 - SPELL_LYCHEE
 PRINT_ALL_FILES: false
 FILTER_REGEX_EXCLUDE: '(\.automation/test|\.automation/generated|\.venv|\.github/workflows|docs/javascripts|docs/overrides|docs/json-schemas|flavors|clj-kondo|TEMPLATES)'
diff --git a/.secretlintignore b/.secretlintignore
index 38d5b0f6971..d7fcb346aea 100644
--- a/.secretlintignore
+++ b/.secretlintignore
@@ -1,2 +1,2 @@
 .automation/test
-megalinter-reports
+megalinter/tests/test_megalinter:utils_test.py
diff --git a/megalinter/tests/test_megalinter/utils_test.py b/megalinter/tests/test_megalinter/utils_test.py
index a8d5db7e630..06725a67219 100644
--- a/megalinter/tests/test_megalinter/utils_test.py
+++ b/megalinter/tests/test_megalinter/utils_test.py
@@ -3,10 +3,8 @@
 Unit tests for utils class
 """
-import re
 import unittest
-from megalinter import utils
 from megalinter.logger import sanitize_string, fetch_gitleaks_regexes
@@ -15,10 +13,6 @@ def test_sanitize_string(self):
 input_string = (
 "AWS Key: AKIAIOSFODNN7EXAMPLE and GitHub Token: ghp_abcdEFGHijklMNOPqrstUVWXyz1234567890"
 )
- expected_output = (
- "AWS Key: [HIDDEN BY MEGALINTER] and GitHub Token: [HIDDEN BY MEGALINTER]"
- )
-
 sanitized = sanitize_string(input_string)
 self.assertNotIn("AKIAIOSFODNN7EXAMPLE", sanitized)
From 1bde8292ee1cf9942298ea1866c97ca2d1f57b2f Mon Sep 17 00:00:00 2001
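Review bot: the `.secretlintignore` hunk replaces `megalinter-reports` instead of adding the new test file alongside it, so if that output directory exists in the workspace when secretlint runs, its generated report files are scanned again and any sanitised finding they echo is reported a second time. Keep both entries unless the reports directory is deliberately meant to be scanned now; a short comment in the ignore file stating why each entry is there would also make the next edit less error-prone.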
From: nvuillam
Date: Sun, 27 Apr 2025 00:42:55 +0200
Subject: [PATCH 08/34] cspell
---
 .cspell.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.cspell.json b/.cspell.json
index 811cf6110c6..a442f584ad1 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -20,6 +20,7 @@
 ".lycheeignore"
 ],
 "ignoreWords": [
+ "AKIAIOSFODNN",
 "ARGTOP",
 "AROA47DSWDEZA3",
 "ASPM",
From d9de77ecf3a00087d35ce920461c341f68598c07 Mon Sep 17 00:00:00 2001
From: nvuillam
Date: Sun, 27 Apr 2025 00:47:19 +0200
Subject: [PATCH 09/34] mypy
---
 megalinter/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/megalinter/utils.py b/megalinter/utils.py
index bcd6f13dde7..e165e6436db 100644
--- a/megalinter/utils.py
+++ b/megalinter/utils.py
@@ -297,7 +297,7 @@ def file_is_generated(file_name: str) -> bool:
 return b"@generated" in content and b"@not-generated" not in content
-def clean_string(stdout: str) -> str:
+def clean_string(stdout) -> str:
 # noinspection PyBroadException
 try:
 res = stdout.decode("utf-8")
From 8839376d00c6a67c22ef81e2ae9d066ebd263f07 Mon Sep 17 00:00:00 2001
From: nvuillam
Date: Sun, 27 Apr 2025 00:54:17 +0200
Subject: [PATCH 10/34] gl
---
 .mega-linter.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.mega-linter.yml b/.mega-linter.yml
index 11dac719b43..43aea107924 100644
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
@@ -16,6 +16,7 @@ DISABLE_LINTERS:
 - JSON_PRETTIER
 - MARKDOWN_MARKDOWN_LINK_CHECK
 - PYTHON_PYRIGHT
+ - REPOSITORY_GITLEAKS
 - REPOSITORY_KICS
 - SPELL_PROSELINT
 - SPELL_MISSPELL
From a7027a67a1033240fbac884a66f39d685bbaf4bc Mon Sep 17 00:00:00 2001
From: nvuillam
Date: Sun, 27 Apr 2025 01:08:47 +0200
Subject: [PATCH 11/34] cfg
---
 .mega-linter.yml | 3 +++
 .secretlintignore | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/.mega-linter.yml b/.mega-linter.yml
index 43aea107924..fc5af82ffb2 100644
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
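Review bot: dropping the annotation in `def clean_string(stdout) -> str:` silences mypy but loses the one fact a caller needs — that the function expects the raw `bytes` a subprocess returns and uses `str()` only as a fallback. `def clean_string(stdout: bytes) -> str:` matches every visible call site (`process.stdout`) and type-checks the `.decode` call, while the broad `except` still copes with anything else at runtime. A docstring such as `"""Decode subprocess output as UTF-8 (str() fallback) and mask secrets via logger.sanitize_string."""` would also record why decode_utf8 was renamed.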
@@ -45,6 +45,9 @@ REPOSITORY_TRIVY_ARGUMENTS: - ".automation/test" - "--skip-dirs" - ".venv" +REPOSITORY_TRUFFLEHOG_ARGUMENTS: + - --exclude-globs + - ".automation/test/*,.git/*" SHOW_ELAPSED_TIME: true FLAVOR_SUGGESTIONS: false EMAIL_REPORTER: false diff --git a/.secretlintignore b/.secretlintignore index d7fcb346aea..b48c4f428a0 100644 --- a/.secretlintignore +++ b/.secretlintignore @@ -1,2 +1,2 @@ .automation/test -megalinter/tests/test_megalinter:utils_test.py +**/tests/test_megalinter/utils_test.py From 21c8305879cb14a3e6587deeb2801b47166a4982 Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 01:16:25 +0200 Subject: [PATCH 12/34] fix --- .mega-linter.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.mega-linter.yml b/.mega-linter.yml index fc5af82ffb2..085bf957732 100644 --- a/.mega-linter.yml +++ b/.mega-linter.yml @@ -46,8 +46,8 @@ REPOSITORY_TRIVY_ARGUMENTS: - "--skip-dirs" - ".venv" REPOSITORY_TRUFFLEHOG_ARGUMENTS: - - --exclude-globs - - ".automation/test/*,.git/*" + - --exclude + - ".automation/test,.git" SHOW_ELAPSED_TIME: true FLAVOR_SUGGESTIONS: false EMAIL_REPORTER: false From 364437f1e8d1f16a6d067fa427c5c3986d83dcba Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 01:36:51 +0200 Subject: [PATCH 13/34] try again --- .automation/test/gitleaks/bad/keys | 2 +- .mega-linter.yml | 3 +-- megalinter/descriptors/repository.megalinter-descriptor.yml | 2 -- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/.automation/test/gitleaks/bad/keys b/.automation/test/gitleaks/bad/keys index aa504a82046..2bfcabd83fa 100644 --- a/.automation/test/gitleaks/bad/keys +++ b/.automation/test/gitleaks/bad/keys @@ -1,6 +1,6 @@ Basic auth: -https://admin:admin@the-internet.herokuapp.com/basic_auth +https://admin:admin@the-internet.herokuapp.com/basic_auth # trufflehog:ignore Private key: -----BEGIN OPENSSH PRIVATE KEY----- diff --git a/.mega-linter.yml b/.mega-linter.yml index 085bf957732..b91bb17378b 100644 
--- a/.mega-linter.yml +++ b/.mega-linter.yml @@ -46,8 +46,7 @@ REPOSITORY_TRIVY_ARGUMENTS: - "--skip-dirs" - ".venv" REPOSITORY_TRUFFLEHOG_ARGUMENTS: - - --exclude - - ".automation/test,.git" + - --exclude-paths=.gitignore SHOW_ELAPSED_TIME: true FLAVOR_SUGGESTIONS: false EMAIL_REPORTER: false diff --git a/megalinter/descriptors/repository.megalinter-descriptor.yml b/megalinter/descriptors/repository.megalinter-descriptor.yml index 5cc0289ab49..6f93e62fe81 100644 --- a/megalinter/descriptors/repository.megalinter-descriptor.yml +++ b/megalinter/descriptors/repository.megalinter-descriptor.yml @@ -663,8 +663,6 @@ linters: cli_lint_extra_args: - filesystem - "." - - --exclude - - .git - --fail - --only-verified - --no-update From b87a8f3731e90531edb47c975e2f74f6f2bd60b1 Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 01:45:51 +0200 Subject: [PATCH 14/34] trufflehogignore --- .mega-linter.yml | 2 +- TEMPLATES/.trufflehogignore | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 TEMPLATES/.trufflehogignore diff --git a/.mega-linter.yml b/.mega-linter.yml index b91bb17378b..986bc2f6984 100644 --- a/.mega-linter.yml +++ b/.mega-linter.yml @@ -46,7 +46,7 @@ REPOSITORY_TRIVY_ARGUMENTS: - "--skip-dirs" - ".venv" REPOSITORY_TRUFFLEHOG_ARGUMENTS: - - --exclude-paths=.gitignore + - --exclude-paths=TEMPLATES/.trufflehogignore SHOW_ELAPSED_TIME: true FLAVOR_SUGGESTIONS: false EMAIL_REPORTER: false diff --git a/TEMPLATES/.trufflehogignore b/TEMPLATES/.trufflehogignore new file mode 100644 index 00000000000..4032ec6b7c8 --- /dev/null +++ b/TEMPLATES/.trufflehogignore @@ -0,0 +1 @@ +.git/ \ No newline at end of file From a9ffe77d09bdc93ab916ad9185ddd1d52a9de280 Mon Sep 17 00:00:00 2001 
From: nvuillam Date: Sun, 27 Apr 2025 02:03:35 +0200 Subject: [PATCH 15/34] TrufflehogLinter --- CHANGELOG.md | 1 + megalinter/MegaLinter.py | 10 +--------- .../repository.megalinter-descriptor.yml | 3 ++- megalinter/linters/TruffleHogLinter.py | 20 +++++++++++++++++++ megalinter/utils.py | 11 ++++++++++ 5 files changed, 35 insertions(+), 10 deletions(-) create mode 100644 megalinter/linters/TruffleHogLinter.py diff --git a/CHANGELOG.md b/CHANGELOG.md index b8eb46ea209..a81cb730e51 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l - Linters enhancements - [editorconfig_checker](https://megalinter.io/latest/descriptors/editorconfig_editorconfig_checker/) Changes default EditorConfig-Checker config filename by @llaville in + - [TruffleHog](https://megalinter.io/latest/descriptors/repository_trufflehog/): Ignore .git by default if not already done using --exclude-paths option - Fixes - Sanitize all linter outputs by default diff --git a/megalinter/MegaLinter.py b/megalinter/MegaLinter.py index e2cdead034e..3a6ef05a517 100644 --- a/megalinter/MegaLinter.py +++ b/megalinter/MegaLinter.py @@ -92,15 +92,7 @@ def __init__(self, params=None): manage_upgrade_message() display_header(self) # MegaLinter default rules location - self.default_rules_location = ( - "/action/lib/.automation" - if os.path.isdir("/action/lib/.automation") - else os.path.relpath( - os.path.relpath( - os.path.dirname(os.path.abspath(__file__)) + "/../TEMPLATES" - ) - ) - ) + self.default_rules_location = utils.get_default_rules_location() # User-defined rules location self.linter_rules_path = self.github_workspace + os.path.sep + ".github/linters" diff --git a/megalinter/descriptors/repository.megalinter-descriptor.yml b/megalinter/descriptors/repository.megalinter-descriptor.yml index 6f93e62fe81..13103e81a6b 100644 --- a/megalinter/descriptors/repository.megalinter-descriptor.yml 
+++ b/megalinter/descriptors/repository.megalinter-descriptor.yml @@ -645,7 +645,8 @@ linters: url: https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-vulnerability-scanner # TRUFFLEHOG - - linter_name: trufflehog + - class: TruffleHogLinter + linter_name: trufflehog descriptor_flavors: - all_flavors # Applicable to CI in any language project - ci_light diff --git a/megalinter/linters/TruffleHogLinter.py b/megalinter/linters/TruffleHogLinter.py new file mode 100644 index 00000000000..98cdd883291 --- /dev/null +++ b/megalinter/linters/TruffleHogLinter.py @@ -0,0 +1,20 @@ +#!/usr/bin/env python3 +""" +Use TruffleHog Linter to find secrets +""" + +from megalinter import Linter, utils + + +class TruffleHogLinter(Linter): + # Build the CLI command to call to lint a file + def build_lint_command(self, file=None): + cmd = super().build_lint_command(file) + + if not any(arg.startswith("--exclude-paths") for arg in cmd): + default_rules_location = utils.get_default_rules_location() + default_trufflehog_ignore_file = default_rules_location + "/.trufflehogignore" + exclude_arg = "--exclude-paths=" + default_trufflehog_ignore_file + cmd += [exclude_arg] + + return cmd \ No newline at end of file diff --git a/megalinter/utils.py b/megalinter/utils.py index e165e6436db..52b52b73ba2 100644 --- a/megalinter/utils.py +++ b/megalinter/utils.py @@ -296,6 +296,17 @@ def file_is_generated(file_name: str) -> bool: content = f.read(SIZE_MAX_SOURCEFILEHEADER) return b"@generated" in content and b"@not-generated" not in content +def get_default_rules_location() -> str: + default_rules_location = ( + "/action/lib/.automation" + if os.path.isdir("/action/lib/.automation") + else os.path.relpath( + os.path.relpath( + os.path.dirname(os.path.abspath(__file__)) + "/../TEMPLATES" + ) + ) + ) + return default_rules_location def clean_string(stdout) -> str: # noinspection PyBroadException From 1042dea477366b3326db40f9886f873e50ea3449 Mon Sep 17 00:00:00 2001 
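Review bot: The default exclude file appended in `build_lint_command` comes from `utils.get_default_rules_location()`, which outside the Docker image is an `os.path.relpath(...)` result relative to the Python process's current directory, while the lint subprocess in `Linter.execute_lint_command` is started with its own `cwd=` (visible in patch 32 of this series); if the two differ, `--exclude-paths=` names a file trufflehog cannot find and the intended `.git/` exclusion may silently not apply. Building the argument from `os.path.abspath(os.path.join(default_rules_location, ".trufflehogignore"))` removes both the cwd dependency and the manual `+ "/"` concatenation. The method carries only a bare comment; a docstring such as `"""Append MegaLinter's default --exclude-paths file unless the user already supplied one."""` would document the intent.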
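Review bot: `get_default_rules_location` wraps `os.path.relpath` around another `os.path.relpath` of the same path; the inner call already yields a path relative to the current directory, so the outer one is a no-op inherited from `MegaLinter.__init__`. The result is now also used to build a command-line argument for an external process, so a cwd-relative path is fragile whenever that process runs from another directory; returning `os.path.abspath(os.path.dirname(os.path.abspath(__file__)) + "/../TEMPLATES")` would be safer, provided the existing `MegaLinter.default_rules_location` consumers accept an absolute path (not visible here). A one-line docstring, `"""Return the directory holding MegaLinter's bundled default linter configs."""`, is also missing.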
From: nvuillam Date: Sun, 27 Apr 2025 02:05:13 +0200 Subject: [PATCH 16/34] cspell --- .cspell.json | 1 + 1 file changed, 1 insertion(+) diff --git a/.cspell.json b/.cspell.json index a442f584ad1..2a76c239f83 100644 --- a/.cspell.json +++ b/.cspell.json @@ -1501,6 +1501,7 @@ "trivyignore", "trollface", "trufflehog", + "trufflehogignore", "trufflesecurity", "tsql", "tsqllint", From a982342ead62f34268fa65dd22c3de35af515fca Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 02:09:05 +0200 Subject: [PATCH 17/34] rename method --- megalinter/logger.py | 2 +- megalinter/utils.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/megalinter/logger.py b/megalinter/logger.py index b3beb9d3715..1bf0efa328e 100644 --- a/megalinter/logger.py +++ b/megalinter/logger.py @@ -174,7 +174,7 @@ def fetch_gitleaks_regexes(force_use_local_file=False): pattern = rule.get('regex') if pattern: regex_patterns.append(pattern) - regex_patterns = utils.fix_regex_patterns(regex_patterns) + regex_patterns = utils.keep_only_valid_regex_patterns(regex_patterns) GITLEAKS_REGEXES = regex_patterns return regex_patterns diff --git a/megalinter/utils.py b/megalinter/utils.py index 52b52b73ba2..a1133e14502 100644 --- a/megalinter/utils.py +++ b/megalinter/utils.py @@ -600,7 +600,7 @@ def is_pr() -> bool: ) -def fix_regex_patterns(patterns,fail=False): +def keep_only_valid_regex_patterns(patterns,fail=False): """ Ensures that global flags (e.g., (?i)) are at the start of each regex pattern in the list. If not, it adjusts the patterns to make them compatible with the re module. From 41ef6dc4ab839e5b1307e67c8213de335c484e5f Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 02:18:24 +0200 Subject: [PATCH 18/34] try to fix regex pattern --- megalinter/utils.py | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/megalinter/utils.py b/megalinter/utils.py index a1133e14502..4011e8f7f9e 100644 --- a/megalinter/utils.py 
+++ b/megalinter/utils.py @@ -600,21 +600,30 @@ def is_pr() -> bool: ) -def keep_only_valid_regex_patterns(patterns,fail=False): - """ - Ensures that global flags (e.g., (?i)) are at the start of each regex pattern in the list. - If not, it adjusts the patterns to make them compatible with the re module. - """ +def fix_regex_pattern(pattern): + # 1. Fix global flags not at the start of the expression + if '(?i)' in pattern: + if pattern.find('(?i)') > 0: + parts = pattern.split('(?i)') + pattern = '(?i)' + ''.join(parts[1:]) + # 2. Replace invalid escape sequences like `\z` with `$` + pattern = re.sub(r'\\z', '$', pattern) + return pattern + +def keep_only_valid_regex_patterns(patterns, fail=False): fixed_patterns = [] for pattern in patterns: + # First, attempt to fix the pattern + fixed_pattern = fix_regex_pattern(pattern) try: - # Try compiling the pattern to check if it's valid - re.compile(pattern) - fixed_patterns.append(pattern) # Pattern is valid, add as is + # Try compiling the fixed pattern to check if it's valid + re.compile(fixed_pattern) + fixed_patterns.append(fixed_pattern) # Pattern is valid, add it except re.error as e: if fail is True: raise - else : - logging.warning(f"Invalid regex pattern: {pattern}. Error: {e}") + else: + logging.warning(f"Invalid regex pattern after fix: {fixed_pattern}. Error: {e}") + return fixed_patterns From 37ab697b28e72e96ed5e0d0a8d72443725f76495 Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 02:27:27 +0200 Subject: [PATCH 19/34] Fix sanitization to not break json --- megalinter/logger.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/megalinter/logger.py b/megalinter/logger.py index 1bf0efa328e..0daff3dfa17 100644 --- a/megalinter/logger.py +++ b/megalinter/logger.py 
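Review bot: In `fix_regex_pattern`, relocating an inline `(?i)` drops everything that preceded it: `pattern.split('(?i)')` puts the prefix in `parts[0]`, and `'(?i)' + ''.join(parts[1:])` throws it away, so a rule shaped like `abc(?i)def` (constructed example) becomes `(?i)def`, a broader expression that redacts different text than Gitleaks intended. The fix is `pattern = '(?i)' + ''.join(parts)`. The `\z` rewrite has a similar subtlety: Python's exact counterpart of Go's `\z` (absolute end of string) is `\Z`, whereas `$` also matches before a trailing newline, so `pattern = re.sub(r'\\z', r'\\Z', pattern)` is the faithful translation. `keep_only_valid_regex_patterns` logs only the fixed pattern when compilation still fails; including the original pattern in that warning would make the log useful for reporting upstream.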
@@ -182,5 +182,12 @@ def sanitize_string(input_string): regex_patterns = fetch_gitleaks_regexes() sanitized_string = input_string for pattern in regex_patterns: - sanitized_string = re.sub(pattern, "[HIDDEN BY MEGALINTER]", sanitized_string) + while True: + match = re.search(pattern, sanitized_string) + if not match: + break + if sanitized_string[match.end() - 1] == '"': + sanitized_string = re.sub(pattern, "[HIDDEN BY MEGALINTER]\"", sanitized_string, count=1) + else: + sanitized_string = re.sub(pattern, "[HIDDEN BY MEGALINTER]", sanitized_string, count=1) return sanitized_string From 36f4dffc6fe6038c2be76ed7dfaaf84404dbf206 Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 02:50:55 +0200 Subject: [PATCH 20/34] fix test --- .mega-linter.yml | 2 +- .trufflehogignore | 2 ++ TEMPLATES/.trufflehogignore | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) create mode 100644 .trufflehogignore diff --git a/.mega-linter.yml b/.mega-linter.yml index 986bc2f6984..9b2638b249c 100644 --- a/.mega-linter.yml +++ b/.mega-linter.yml @@ -46,7 +46,7 @@ REPOSITORY_TRIVY_ARGUMENTS: - "--skip-dirs" - ".venv" REPOSITORY_TRUFFLEHOG_ARGUMENTS: - - --exclude-paths=TEMPLATES/.trufflehogignore + - --exclude-paths=.trufflehogignore SHOW_ELAPSED_TIME: true FLAVOR_SUGGESTIONS: false EMAIL_REPORTER: false diff --git a/.trufflehogignore b/.trufflehogignore new file mode 100644 index 00000000000..e311286da8b --- /dev/null +++ b/.trufflehogignore @@ -0,0 +1,2 @@ +.git/ +.automation/test/gitleaks/bad diff --git a/TEMPLATES/.trufflehogignore b/TEMPLATES/.trufflehogignore index 4032ec6b7c8..2d2ecd68da8 100644 --- a/TEMPLATES/.trufflehogignore +++ b/TEMPLATES/.trufflehogignore @@ -1 +1 @@ -.git/ \ No newline at end of file +.git/ From cf122555a40eb0a9a6aae1319ae87fd7bc2c830b Mon Sep 17 00:00:00 2001 
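Review bot: The `while True` / `re.search` / `re.sub(count=1)` loop in `sanitize_string` can spin forever: if a pattern can match inside the replacement text `[HIDDEN BY MEGALINTER]`, or can match the empty string, `re.search` keeps succeeding after every substitution and the string grows without bound (the later exclusion of the `generic-api-key` rule in this series looks like a symptom of that). `sanitized_string[match.end() - 1]` is also wrong for a zero-length match at position 0, where it reads the last character. A single pass with a callable replacement removes the loop and the quote special-casing at once: `sanitized_string = re.sub(pattern, lambda m: '[HIDDEN BY MEGALINTER]' + ('"' if m.group(0).endswith('"') else ''), sanitized_string)`. The start of the function is outside the hunk.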
From: nvuillam <17500430+nvuillam@users.noreply.github.com> Date: Sun, 27 Apr 2025 00:51:59 +0000 Subject: [PATCH 21/34] [MegaLinter] Apply linters fixes --- megalinter/linters/TruffleHogLinter.py | 6 ++-- megalinter/logger.py | 30 +++++++++++++------ .../test_megalinter/mega_linter_1_test.py | 1 - .../tests/test_megalinter/utils_test.py | 13 ++++---- megalinter/utils.py | 20 ++++++++----- 5 files changed, 43 insertions(+), 27 deletions(-) diff --git a/megalinter/linters/TruffleHogLinter.py b/megalinter/linters/TruffleHogLinter.py index 98cdd883291..589c5ed5845 100644 --- a/megalinter/linters/TruffleHogLinter.py +++ b/megalinter/linters/TruffleHogLinter.py @@ -13,8 +13,10 @@ def build_lint_command(self, file=None): if not any(arg.startswith("--exclude-paths") for arg in cmd): default_rules_location = utils.get_default_rules_location() - default_trufflehog_ignore_file = default_rules_location + "/.trufflehogignore" + default_trufflehog_ignore_file = ( + default_rules_location + "/.trufflehogignore" + ) exclude_arg = "--exclude-paths=" + default_trufflehog_ignore_file cmd += [exclude_arg] - return cmd \ No newline at end of file + return cmd diff --git a/megalinter/logger.py b/megalinter/logger.py index 0daff3dfa17..4141439d654 100644 --- a/megalinter/logger.py +++ b/megalinter/logger.py @@ -5,9 +5,8 @@ import sys import tomllib -import requests - import chalk as c +import requests from megalinter import config, utils from megalinter.constants import ML_DOC_URL from megalinter.utils_reporter import log_section_start @@ -144,8 +143,10 @@ def display_header(mega_linter): logging.debug(utils.format_hyphens("")) logging.info("") + GITLEAKS_REGEXES = None + def fetch_gitleaks_regexes(force_use_local_file=False): global GITLEAKS_REGEXES if GITLEAKS_REGEXES is not None: 
@@ -157,27 +158,34 @@ def fetch_gitleaks_regexes(force_use_local_file=False): try: response = requests.get(url) if response.status_code == 200: - config_data = response.text # Fix: Pass string to tomllib.loads instead of bytes + config_data = ( + response.text + ) # Fix: Pass string to tomllib.loads instead of bytes else: - logging.warning(f"Failed to fetch Gitleaks config from URL: {response.status_code}") + logging.warning( + f"Failed to fetch Gitleaks config from URL: {response.status_code}" + ) except Exception as e: logging.warning(f"Could not fetch Gitleaks config from URL. Error: {e}") if config_data is None: logging.info("Using local Gitleaks config file.") - with open("./descriptors/additional/gitleaks-default.toml", "r", encoding="utf-8") as file: + with open( + "./descriptors/additional/gitleaks-default.toml", "r", encoding="utf-8" + ) as file: config_data = file.read() config = tomllib.loads(config_data) regex_patterns = [] - for rule in config.get('rules', []): - pattern = rule.get('regex') + for rule in config.get("rules", []): + pattern = rule.get("regex") if pattern: regex_patterns.append(pattern) regex_patterns = utils.keep_only_valid_regex_patterns(regex_patterns) GITLEAKS_REGEXES = regex_patterns return regex_patterns + def sanitize_string(input_string): regex_patterns = fetch_gitleaks_regexes() sanitized_string = input_string @@ -187,7 +195,11 @@ def sanitize_string(input_string): if not match: break if sanitized_string[match.end() - 1] == '"': - sanitized_string = re.sub(pattern, "[HIDDEN BY MEGALINTER]\"", sanitized_string, count=1) + sanitized_string = re.sub( + pattern, '[HIDDEN BY MEGALINTER]"', sanitized_string, count=1 + ) else: - sanitized_string = re.sub(pattern, "[HIDDEN BY MEGALINTER]", sanitized_string, count=1) + sanitized_string = re.sub( + pattern, "[HIDDEN BY MEGALINTER]", sanitized_string, count=1 + ) return sanitized_string 
diff --git a/megalinter/tests/test_megalinter/mega_linter_1_test.py b/megalinter/tests/test_megalinter/mega_linter_1_test.py index 7d5871db4cc..dcd8dbc9da3 100644 --- a/megalinter/tests/test_megalinter/mega_linter_1_test.py +++ b/megalinter/tests/test_megalinter/mega_linter_1_test.py @@ -494,4 +494,3 @@ def test_skip_cli_lint_mode(self): self.assertIn( "JAVASCRIPT_ES has been skipped because its CLI lint mode", output ) - diff --git a/megalinter/tests/test_megalinter/utils_test.py b/megalinter/tests/test_megalinter/utils_test.py index 06725a67219..e692972e43f 100644 --- a/megalinter/tests/test_megalinter/utils_test.py +++ b/megalinter/tests/test_megalinter/utils_test.py @@ -5,14 +5,12 @@ """ import unittest -from megalinter.logger import sanitize_string, fetch_gitleaks_regexes +from megalinter.logger import fetch_gitleaks_regexes, sanitize_string class utils_test(unittest.TestCase): def test_sanitize_string(self): - input_string = ( - "AWS Key: AKIAIOSFODNN7EXAMPLE and GitHub Token: ghp_abcdEFGHijklMNOPqrstUVWXyz1234567890" - ) + input_string = "AWS Key: AKIAIOSFODNN7EXAMPLE and GitHub Token: ghp_abcdEFGHijklMNOPqrstUVWXyz1234567890" sanitized = sanitize_string(input_string) self.assertNotIn("AKIAIOSFODNN7EXAMPLE", sanitized) @@ -21,8 +19,9 @@ def test_sanitize_string(self): # Optional: stricter check if needed self.assertEqual( - sanitized.count("[HIDDEN BY MEGALINTER]"), 2, - "There should be exactly 2 [HIDDEN BY MEGALINTER] in the output" + sanitized.count("[HIDDEN BY MEGALINTER]"), + 2, + "There should be exactly 2 [HIDDEN BY MEGALINTER] in the output", ) def test_fetch_gitleaks_regexes_remote(self): 
@@ -35,4 +34,4 @@ def test_fetch_gitleaks_regexes_local(self): # Test fetching Gitleaks regexes from the local file regexes = fetch_gitleaks_regexes(force_use_local_file=True) self.assertIsInstance(regexes, list, "Regexes should be a list") - self.assertGreater(len(regexes), 0, "Regexes list should not be empty") \ No newline at end of file + self.assertGreater(len(regexes), 0, "Regexes list should not be empty") diff --git a/megalinter/utils.py b/megalinter/utils.py index 4011e8f7f9e..e6f3edee2f7 100644 --- a/megalinter/utils.py +++ b/megalinter/utils.py @@ -296,6 +296,7 @@ def file_is_generated(file_name: str) -> bool: content = f.read(SIZE_MAX_SOURCEFILEHEADER) return b"@generated" in content and b"@not-generated" not in content + def get_default_rules_location() -> str: default_rules_location = ( "/action/lib/.automation" @@ -308,6 +309,7 @@ def get_default_rules_location() -> str: ) return default_rules_location + def clean_string(stdout) -> str: # noinspection PyBroadException try: @@ -602,14 +604,15 @@ def is_pr() -> bool: def fix_regex_pattern(pattern): # 1. Fix global flags not at the start of the expression - if '(?i)' in pattern: - if pattern.find('(?i)') > 0: - parts = pattern.split('(?i)') - pattern = '(?i)' + ''.join(parts[1:]) + if "(?i)" in pattern: + if pattern.find("(?i)") > 0: + parts = pattern.split("(?i)") + pattern = "(?i)" + "".join(parts[1:]) # 2. Replace invalid escape sequences like `\z` with `$` - pattern = re.sub(r'\\z', '$', pattern) + pattern = re.sub(r"\\z", "$", pattern) return pattern + def keep_only_valid_regex_patterns(patterns, fail=False): fixed_patterns = [] for pattern in patterns: @@ -623,7 +626,8 @@ def keep_only_valid_regex_patterns(patterns, fail=False): if fail is True: raise else: - logging.warning(f"Invalid regex pattern after fix: {fixed_pattern}. Error: {e}") - - return fixed_patterns + logging.warning( + f"Invalid regex pattern after fix: {fixed_pattern}. Error: {e}" + ) + return fixed_patterns 
From 128bb334de2ea729202cb2eb62d07223fb3e95b7 Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 03:08:42 +0200 Subject: [PATCH 22/34] fix test case --- .automation/test/gitleaks/bad/keys | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.automation/test/gitleaks/bad/keys b/.automation/test/gitleaks/bad/keys index 2bfcabd83fa..aa504a82046 100644 --- a/.automation/test/gitleaks/bad/keys +++ b/.automation/test/gitleaks/bad/keys @@ -1,6 +1,6 @@ Basic auth: -https://admin:admin@the-internet.herokuapp.com/basic_auth # trufflehog:ignore +https://admin:admin@the-internet.herokuapp.com/basic_auth Private key: -----BEGIN OPENSSH PRIVATE KEY----- From 33cf552dd2caba140d5621c62f2bce2ee97032a3 Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 10:02:21 +0200 Subject: [PATCH 23/34] Improve test cases perfs --- README.md | 4 ++-- megalinter/logger.py | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 876b19ff497..5ea6104004c 100644 --- a/README.md +++ b/README.md 
@@ -1132,11 +1132,11 @@ You may see **github permission errors**, or workflows not run on the new commit To solve these issues, you can apply one of the following solutions. - Method 1: The most secured - - [Create Fine Grained Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-fine-grained-personal-access-token), scoped only on your repository and then copy the PAT value + - [Create Fine Grained Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-fine-grained-personal-access-token), scoped only on your repository and with **Contents: Read/Write** and then copy the PAT value - [Define environment secret variable](https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-an-environment) named **PAT** on your repository, and paste the PAT value - Update your Github Actions Workflow to add the environment name -- Method 2: Easier, but any contributor with write access can see your Personal Access Token +- Method 2: Easier, but any contributor with write access can see your Personal Access Token, so use it only on private repositories. - [Create Classic Personal Access Token](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token#creating-a-token), then copy the PAT value - [Define secret variable](https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository) named **PAT** on your repository, and paste the PAT value diff --git a/megalinter/logger.py b/megalinter/logger.py index 4141439d654..cab6ff43d0c 100644 --- a/megalinter/logger.py +++ b/megalinter/logger.py 
@@ -152,6 +152,11 @@ def fetch_gitleaks_regexes(force_use_local_file=False): if GITLEAKS_REGEXES is not None: return GITLEAKS_REGEXES + # Use local file for test cases to improve speed + current_test_name = utils.get_current_test_name() + if current_test_name and "test_fetch_gitleaks_regexes_remote" not in current_test_name: + force_use_local_file = True + config_data = None if not force_use_local_file: url = "https://raw.githubusercontent.com/gitleaks/gitleaks/refs/heads/master/config/gitleaks.toml" From e8907d21d9fbd992ab795dbc5e0bb5c4ccb0f3c3 Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 10:08:34 +0200 Subject: [PATCH 24/34] fix --- megalinter/logger.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/megalinter/logger.py b/megalinter/logger.py index cab6ff43d0c..9cd515fd42c 100644 --- a/megalinter/logger.py +++ b/megalinter/logger.py @@ -9,6 +9,7 @@ import requests from megalinter import config, utils from megalinter.constants import ML_DOC_URL +from megalinter.linter_factory import get_descriptor_dir from megalinter.utils_reporter import log_section_start @@ -175,8 +176,9 @@ def fetch_gitleaks_regexes(force_use_local_file=False): if config_data is None: logging.info("Using local Gitleaks config file.") + descriptors_dir = get_descriptor_dir() with open( - "./descriptors/additional/gitleaks-default.toml", "r", encoding="utf-8" + f"{descriptors_dir}/additional/gitleaks-default.toml", "r", encoding="utf-8" ) as file: config_data = file.read() From 0cdfc414690b74dd53289b15e8ab93ac21970ca6 Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 10:10:34 +0200 Subject: [PATCH 25/34] fix --- megalinter/tests/test_megalinter/utils_test.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/megalinter/tests/test_megalinter/utils_test.py b/megalinter/tests/test_megalinter/utils_test.py index e692972e43f..da31105dd03 100644 --- a/megalinter/tests/test_megalinter/utils_test.py 
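Review bot: `fetch_gitleaks_regexes` now branches on `utils.get_current_test_name()`, so production code carries knowledge of one specific test's name (`test_fetch_gitleaks_regexes_remote`); renaming that test silently changes which code path the suite exercises. Having the tests pass `force_use_local_file=True` explicitly, or reading a single environment flag set by the test setup (constructed name, e.g. `MEGALINTER_GITLEAKS_CONFIG_LOCAL=true`), keeps the test coupling out of this module. Separately, the `url` on the hunk's last line points at `refs/heads/master`, so the set of redaction rules changes whenever upstream pushes, with no version bump on MegaLinter's side; pinning to a release tag or commit makes the sanitizer's behaviour reproducible. The `requests.get(url)` that consumes this URL (outside the hunk, visible elsewhere in this series) has no `timeout=`, so an unresponsive host stalls every lint run. The function body continues outside the hunk.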
+++ b/megalinter/tests/test_megalinter/utils_test.py @@ -26,12 +26,12 @@ def test_sanitize_string(self): def test_fetch_gitleaks_regexes_remote(self): # Test fetching Gitleaks regexes from the remote URL - regexes = fetch_gitleaks_regexes(force_use_local_file=False) + regexes = fetch_gitleaks_regexes(False) self.assertIsInstance(regexes, list, "Regexes should be a list") self.assertGreater(len(regexes), 0, "Regexes list should not be empty") def test_fetch_gitleaks_regexes_local(self): # Test fetching Gitleaks regexes from the local file - regexes = fetch_gitleaks_regexes(force_use_local_file=True) + regexes = fetch_gitleaks_regexes(True) self.assertIsInstance(regexes, list, "Regexes should be a list") self.assertGreater(len(regexes), 0, "Regexes list should not be empty") From c81b2a46cf6e477cfe21693ee9ff7b393efb080d Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 10:17:28 +0200 Subject: [PATCH 26/34] move get_descriptor_dir to utils --- megalinter/linter_factory.py | 17 +---------------- megalinter/logger.py | 3 +-- megalinter/utils.py | 15 +++++++++++++++ 3 files changed, 17 insertions(+), 18 deletions(-) diff --git a/megalinter/linter_factory.py b/megalinter/linter_factory.py index 57b4321448f..5964e3bc18e 100644 --- a/megalinter/linter_factory.py +++ b/megalinter/linter_factory.py @@ -4,22 +4,7 @@ import yaml from megalinter import Linter, flavor_factory - - -# Returns directory where all .yml language descriptors are defined -def get_descriptor_dir(): - # Compiled version (copied from DockerFile) - if os.path.isdir("/megalinter-descriptors"): - return "/megalinter-descriptors" - # Dev / Test version - else: - descriptor_dir = os.path.realpath( - os.path.dirname(os.path.abspath(__file__)) + "/descriptors" - ) - assert os.path.isdir( - descriptor_dir - ), f"Descriptor dir {descriptor_dir} not found !" - return descriptor_dir +from megalinter.utils import get_descriptor_dir # List all defined linters 
diff --git a/megalinter/logger.py b/megalinter/logger.py index 9cd515fd42c..157a9219697 100644 --- a/megalinter/logger.py +++ b/megalinter/logger.py @@ -9,7 +9,6 @@ import requests from megalinter import config, utils from megalinter.constants import ML_DOC_URL -from megalinter.linter_factory import get_descriptor_dir from megalinter.utils_reporter import log_section_start @@ -176,7 +175,7 @@ def fetch_gitleaks_regexes(force_use_local_file=False): if config_data is None: logging.info("Using local Gitleaks config file.") - descriptors_dir = get_descriptor_dir() + descriptors_dir = utils.get_descriptor_dir() with open( f"{descriptors_dir}/additional/gitleaks-default.toml", "r", encoding="utf-8" ) as file: diff --git a/megalinter/utils.py b/megalinter/utils.py index e6f3edee2f7..77f51848639 100644 --- a/megalinter/utils.py +++ b/megalinter/utils.py @@ -74,6 +74,21 @@ ] +# Returns directory where all .yml language descriptors are defined +def get_descriptor_dir(): + # Compiled version (copied from DockerFile) + if os.path.isdir("/megalinter-descriptors"): + return "/megalinter-descriptors" + # Dev / Test version + else: + descriptor_dir = os.path.realpath( + os.path.dirname(os.path.abspath(__file__)) + "/descriptors" + ) + assert os.path.isdir( + descriptor_dir + ), f"Descriptor dir {descriptor_dir} not found !" + return descriptor_dir + def get_excluded_directories(request_id): default_excluded_dirs = [ "__pycache__", From 98a3b43f924ca691ea77f79769a575addd467094 Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 10:25:15 +0200 Subject: [PATCH 27/34] change replacement expression --- megalinter/logger.py | 4 ++-- megalinter/tests/test_megalinter/utils_test.py | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/megalinter/logger.py b/megalinter/logger.py index 157a9219697..911965c5008 100644 --- a/megalinter/logger.py +++ b/megalinter/logger.py 
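Review bot: `get_descriptor_dir` is moved into utils verbatim, which keeps an `assert` as the only guard that the descriptor directory exists; under `python -O` the assert is stripped and callers receive a path that may not exist. Since the function now also backs the local Gitleaks config lookup in `logger.fetch_gitleaks_regexes`, raising explicitly, `if not os.path.isdir(descriptor_dir): raise FileNotFoundError(f"Descriptor dir {descriptor_dir} not found !")`, keeps the check in every mode. The leading `# Returns directory ...` comment would read better as a docstring inside the function.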
@@ -202,10 +202,10 @@ def sanitize_string(input_string): break if sanitized_string[match.end() - 1] == '"': sanitized_string = re.sub( - pattern, '[HIDDEN BY MEGALINTER]"', sanitized_string, count=1 + pattern, 'HIDDEN_BY_MEGALINTER"', sanitized_string, count=1 ) else: sanitized_string = re.sub( - pattern, "[HIDDEN BY MEGALINTER]", sanitized_string, count=1 + pattern, "HIDDEN_BY_MEGALINTER", sanitized_string, count=1 ) return sanitized_string diff --git a/megalinter/tests/test_megalinter/utils_test.py b/megalinter/tests/test_megalinter/utils_test.py index da31105dd03..c0977b280a5 100644 --- a/megalinter/tests/test_megalinter/utils_test.py +++ b/megalinter/tests/test_megalinter/utils_test.py @@ -15,13 +15,13 @@ def test_sanitize_string(self): self.assertNotIn("AKIAIOSFODNN7EXAMPLE", sanitized) self.assertNotIn("ghp_abcdEFGHijklMNOPqrstUVWXyz1234567890", sanitized) - self.assertIn("[HIDDEN BY MEGALINTER]", sanitized) + self.assertIn("HIDDEN_BY_MEGALINTER", sanitized) # Optional: stricter check if needed self.assertEqual( - sanitized.count("[HIDDEN BY MEGALINTER]"), + sanitized.count("HIDDEN_BY_MEGALINTER"), 2, - "There should be exactly 2 [HIDDEN BY MEGALINTER] in the output", + "There should be exactly 2 HIDDEN_BY_MEGALINTER in the output", ) def test_fetch_gitleaks_regexes_remote(self): From 58b1025d2fb42e467449fe3f68be6b2b3d40cfdb Mon Sep 17 00:00:00 2001 From: nvuillam <17500430+nvuillam@users.noreply.github.com> Date: Sun, 27 Apr 2025 08:33:28 +0000 Subject: [PATCH 28/34] [MegaLinter] Apply linters fixes --- megalinter/logger.py | 5 ++++- megalinter/utils.py | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/megalinter/logger.py b/megalinter/logger.py index 911965c5008..3e6ce894ca8 100644 --- a/megalinter/logger.py +++ b/megalinter/logger.py 
@@ -154,7 +154,10 @@ def fetch_gitleaks_regexes(force_use_local_file=False): # Use local file for test cases to improve speed current_test_name = utils.get_current_test_name() - if current_test_name and "test_fetch_gitleaks_regexes_remote" not in current_test_name: + if ( + current_test_name + and "test_fetch_gitleaks_regexes_remote" not in current_test_name + ): force_use_local_file = True config_data = None diff --git a/megalinter/utils.py b/megalinter/utils.py index 77f51848639..0cc9b4633e8 100644 --- a/megalinter/utils.py +++ b/megalinter/utils.py @@ -89,6 +89,7 @@ def get_descriptor_dir(): ), f"Descriptor dir {descriptor_dir} not found !" return descriptor_dir + def get_excluded_directories(request_id): default_excluded_dirs = [ "__pycache__", From c96dca53a5127553dd3d2eeb6dd4def2867eedd7 Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 11:02:08 +0200 Subject: [PATCH 29/34] Fix --- megalinter/logger.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/megalinter/logger.py b/megalinter/logger.py index 911965c5008..daee66fa3f6 100644 --- a/megalinter/logger.py +++ b/megalinter/logger.py @@ -184,6 +184,9 @@ def fetch_gitleaks_regexes(force_use_local_file=False): config = tomllib.loads(config_data) regex_patterns = [] for rule in config.get("rules", []): + rule_id = rule.get("id") + if rule_id == "generic-api-key": + continue pattern = rule.get("regex") if pattern: regex_patterns.append(pattern) From e4ba547778e02d962e0d57df45a84a0b13d146df Mon Sep 17 00:00:00 2001 From: nvuillam <17500430+nvuillam@users.noreply.github.com> Date: Sun, 27 Apr 2025 09:10:04 +0000 Subject: [PATCH 30/34] [MegaLinter] Apply linters fixes --- megalinter/logger.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/megalinter/logger.py b/megalinter/logger.py index 140f86e35de..4c039322d03 100644 --- a/megalinter/logger.py +++ b/megalinter/logger.py 
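Review bot: The new `if rule_id == "generic-api-key": continue` in `fetch_gitleaks_regexes` hard-codes a rule exclusion with no explanation; by its name this is Gitleaks' catch-all rule, so the log sanitizer now knowingly stops redacting generic-looking credentials, and the reason (presumably performance or false positives on linter output — confirm) should be recorded next to the code. A module-level constant with a why-comment reads better than an inline literal: `# Rules skipped by the log sanitizer: generic-api-key is too broad for linter output (<reason>)` followed by `SKIPPED_GITLEAKS_RULES = {"generic-api-key"}` and `if rule.get("id") in SKIPPED_GITLEAKS_RULES: continue`. The function's start and end are outside the hunk.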
@@ -189,7 +189,7 @@ def fetch_gitleaks_regexes(force_use_local_file=False): for rule in config.get("rules", []): rule_id = rule.get("id") if rule_id == "generic-api-key": - continue + continue pattern = rule.get("regex") if pattern: regex_patterns.append(pattern) From 40f7f0f87bec2008f08f66afe7c76588614d4fa4 Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 12:28:16 +0200 Subject: [PATCH 31/34] Fix test --- .secretlintignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.secretlintignore b/.secretlintignore index b48c4f428a0..d211984ce35 100644 --- a/.secretlintignore +++ b/.secretlintignore @@ -1,2 +1,3 @@ .automation/test **/tests/test_megalinter/utils_test.py +**/updated_dev_sources/** From d2c068e8520726639f85c33c7bdc9de05a9e66cd Mon Sep 17 00:00:00 2001 From: Nicolas Vuillamy Date: Sun, 27 Apr 2025 11:33:13 +0000 Subject: [PATCH 32/34] Do not sanitize formatters to improve perfs --- megalinter/Linter.py | 4 ++-- megalinter/utils.py | 8 +++++--- megalinter/utilstest.py | 7 +++++-- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/megalinter/Linter.py b/megalinter/Linter.py index c7a83472fad..acd497e18d1 100644 --- a/megalinter/Linter.py +++ b/megalinter/Linter.py @@ -1059,7 +1059,7 @@ def execute_lint_command(self, command): ), ) return_code = process.returncode - return_stdout = utils.clean_string(process.stdout) + return_stdout = utils.clean_string(process.stdout,self.is_formatter == False) else: # Use full executable path if we are on Windows if sys.platform == "win32": @@ -1081,7 +1081,7 @@ def execute_lint_command(self, command): cwd=cwd, ) return_code = process.returncode - return_stdout = utils.clean_string(process.stdout) + return_stdout = utils.clean_string(process.stdout, self.is_formatter == False) except FileNotFoundError as err: return_code = 999 return_stdout = ( diff --git a/megalinter/utils.py b/megalinter/utils.py index 92cb2a81ee6..e9e9d7faa0f 100644 --- a/megalinter/utils.py +++ b/megalinter/utils.py 
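Review bot: Passing `self.is_formatter == False` as the sanitize flag in both Linter.py hunks makes secret masking fail-open for every formatter: a formatter's stdout can still echo source lines (diffs, check-mode output, parse errors with context), and that text now lands in logs and reports unmasked. If the cost is the regex pass, the safer optimisation is to keep `utils.clean_string(process.stdout)` for all linters and make `sanitize_string` cheaper (compile the gitleaks patterns once, short-circuit on empty output), or gate the exemption behind an explicit opt-in rather than on linter kind. The `.secretlintignore` hunk in the same series excludes `**/updated_dev_sources/**`, which looks like the directory `copy_logs_for_doc` writes report text into, so unmasked formatter output could also slip past the repository's own secret scan — worth confirming. execute_lint_command starts and ends outside these hunks.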
@@ -326,14 +326,16 @@ def get_default_rules_location() -> str: return default_rules_location -def clean_string(stdout) -> str: +def clean_string(stdout,sanitize=True) -> str: # noinspection PyBroadException try: res = stdout.decode("utf-8") - res = logger.sanitize_string(res) + if sanitize is True: + res = logger.sanitize_string(res) except Exception: res = str(stdout) - res = logger.sanitize_string(res) + if sanitize is True: + res = logger.sanitize_string(res) return res diff --git a/megalinter/utilstest.py b/megalinter/utilstest.py index 0d4c8ba2fac..8e762739fec 100644 --- a/megalinter/utilstest.py +++ b/megalinter/utilstest.py @@ -339,8 +339,11 @@ def copy_logs_for_doc(text_report_file, test_folder, report_file_name): target_file = f"{updated_sources_dir}{os.path.sep}{report_file_name}".replace( ".log", ".txt" ) - os.makedirs(os.path.dirname(target_file), exist_ok=True) - shutil.copy(text_report_file, target_file) + try: + os.makedirs(os.path.dirname(target_file), exist_ok=True) + shutil.copy(text_report_file, target_file) + except Exception: + logging.warning("Unable to copy logs for doc") def test_get_linter_version(linter, test_self): From 01478c21bd4140301d23a028e28de894a2346eb8 Mon Sep 17 00:00:00 2001 From: nvuillam Date: Sun, 27 Apr 2025 13:42:31 +0200 Subject: [PATCH 33/34] py --- megalinter/Linter.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/megalinter/Linter.py b/megalinter/Linter.py index acd497e18d1..e33dff672d9 100644 --- a/megalinter/Linter.py +++ b/megalinter/Linter.py @@ -1059,7 +1059,7 @@ def execute_lint_command(self, command): ), ) return_code = process.returncode - return_stdout = utils.clean_string(process.stdout,self.is_formatter == False) + return_stdout = utils.clean_string(process.stdout,not self.is_formatter) else: # Use full executable path if we are on Windows if sys.platform == "win32": 
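Review bot: `if sanitize is True:` in the clean_string hunk of utils.py is an identity test, so any truthy non-bool (`1`, a non-empty string from config) silently skips masking — the check should be `if sanitize:`, and the duplicated branch can be hoisted out of the try/except so the flag is evaluated once. The new parameter also has no docstring stating that a falsy value emits raw subprocess output with no secret masking, which callers need to know before using it. Note the rewrite below no longer swallows a failure inside sanitize_string into the `str(stdout)` fallback; for a masking step that is arguably the right direction, but it is a behaviour change to confirm.
```python
def clean_string(stdout, sanitize=True) -> str:
    """Decode subprocess output as UTF-8 (str() fallback) and, unless
    ``sanitize`` is falsy, mask secrets via logger.sanitize_string.
    Callers passing a falsy ``sanitize`` emit the raw output unmasked."""
    # noinspection PyBroadException
    try:
        res = stdout.decode("utf-8")
    except Exception:
        res = str(stdout)
    if sanitize:
        res = logger.sanitize_string(res)
    return res
```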
@@ -1081,7 +1081,7 @@ def execute_lint_command(self, command): cwd=cwd, ) return_code = process.returncode - return_stdout = utils.clean_string(process.stdout, self.is_formatter == False) + return_stdout = utils.clean_string(process.stdout, not self.is_formatter) except FileNotFoundError as err: return_code = 999 return_stdout = ( From 0f280586eecf738f7442a0fdb04d277372d4654d Mon Sep 17 00:00:00 2001 From: nvuillam <17500430+nvuillam@users.noreply.github.com> Date: Sun, 27 Apr 2025 11:48:09 +0000 Subject: [PATCH 34/34] [MegaLinter] Apply linters fixes --- megalinter/Linter.py | 6 ++++-- megalinter/utils.py | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/megalinter/Linter.py b/megalinter/Linter.py index e33dff672d9..86d9c3a4af1 100644 --- a/megalinter/Linter.py +++ b/megalinter/Linter.py @@ -1059,7 +1059,7 @@ def execute_lint_command(self, command): ), ) return_code = process.returncode - return_stdout = utils.clean_string(process.stdout,not self.is_formatter) + return_stdout = utils.clean_string(process.stdout, not self.is_formatter) else: # Use full executable path if we are on Windows if sys.platform == "win32": @@ -1081,7 +1081,9 @@ def execute_lint_command(self, command): cwd=cwd, ) return_code = process.returncode - return_stdout = utils.clean_string(process.stdout, not self.is_formatter) + return_stdout = utils.clean_string( + process.stdout, not self.is_formatter + ) except FileNotFoundError as err: return_code = 999 return_stdout = ( diff --git a/megalinter/utils.py b/megalinter/utils.py index e9e9d7faa0f..e0a81c043ed 100644 --- a/megalinter/utils.py +++ b/megalinter/utils.py @@ -326,7 +326,7 @@ def get_default_rules_location() -> str: return default_rules_location -def clean_string(stdout,sanitize=True) -> str: +def clean_string(stdout, sanitize=True) -> str: # noinspection PyBroadException try: res = stdout.decode("utf-8")
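Review bot: In both Linter.py hunks the masking exemption is passed as a bare positional boolean, `utils.clean_string(process.stdout, not self.is_formatter)`, so a reader of execute_lint_command sees a truthiness flip with no hint that it disables secret masking of the linter output. Pass it by keyword with a why-comment, e.g. `# formatters: secret masking of output skipped for performance (see clean_string)` above `return_stdout = utils.clean_string(process.stdout, sanitize=not self.is_formatter)`, so the intent survives the next refactor. execute_lint_command starts and ends outside these hunks.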