| 1 | + | // https://github.com/edoardottt/cariddi/blob/main/pkg/scanner/secrets.go |
| 2 | + | |
| 3 | + | package scanner |
| 4 | + | |
| 5 | + | type Secret struct { |
| 6 | + | Name string |
| 7 | + | Description string |
| 8 | + | Regex string |
| 9 | + | FalsePositives []string |
| 10 | + | Poc string |
| 11 | + | } |
| 12 | + | |
| 13 | + | type SecretMatched struct { |
| 14 | + | Secret Secret |
| 15 | + | URL string |
| 16 | + | Match string |
| 17 | + | } |
| 18 | + | |
| 19 | + | // GetSecretRegexes returns a slice of all |
| 20 | + | func GetSecretRegexes() []Secret { |
| 21 | + | |
| 22 | + | // Regexes from https://github.com/edoardottt/cariddi/blob/main/pkg/scanner/secrets.go |
| 23 | + | var regexes = []Secret{ |
| 24 | + | { |
| 25 | + | "AWS Access Key", |
| 26 | + | "AWS Access Key", |
| 27 | + | "(A3T[A-Z0-9]|AKIA|ACCA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA|ASCA|APKA)[A-Z0-9]{16}", |
| 28 | + | []string{}, |
| 29 | + | "?", |
| 30 | + | }, |
| 31 | + | { |
| 32 | + | "AWS Secret Key", |
| 33 | + | "AWS Secret Key", |
| 34 | + | `(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]`, |
| 35 | + | []string{}, |
| 36 | + | "?", |
| 37 | + | }, |
| 38 | + | { |
| 39 | + | "AWS MWS Key", |
| 40 | + | "AWS MWS Key", |
| 41 | + | `amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`, |
| 42 | + | []string{}, |
| 43 | + | "?", |
| 44 | + | }, |
| 45 | + | { |
| 46 | + | "Amazon SNS topic", |
| 47 | + | "Amazon SNS topic", |
| 48 | + | `arn:aws:sns:[a-z0-9\-]+:[0-9]+:[A-Za-z0-9\-_]+`, |
| 49 | + | []string{}, |
| 50 | + | "?", |
| 51 | + | }, |
| 52 | + | { |
| 53 | + | "Facebook Access Token", |
| 54 | + | "Facebook Access Token", |
| 55 | + | `EAACEdEose0cBA[0-9A-Za-z]+`, |
| 56 | + | []string{}, |
| 57 | + | "?", |
| 58 | + | }, |
| 59 | + | { |
| 60 | + | "Facebook Secret Key", |
| 61 | + | "Facebook Secret Key", |
| 62 | + | `(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]`, |
| 63 | + | []string{"facebook.com", "facebook.svg"}, |
| 64 | + | "?", |
| 65 | + | }, |
| 66 | + | { |
| 67 | + | "Facebook Client ID", |
| 68 | + | "Facebook Client ID", |
| 69 | + | `(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]`, |
| 70 | + | []string{"facebook.com", "facebook.svg"}, |
| 71 | + | "?", |
| 72 | + | }, |
| 73 | + | { |
| 74 | + | "Cloudinary Basic Auth", |
| 75 | + | "Cloudinary Basic Auth", |
| 76 | + | `cloudinary://[0-9]{15}:[0-9A-Za-z\-_]+@[0-9A-Za-z\-_]+`, |
| 77 | + | []string{}, |
| 78 | + | "?", |
| 79 | + | }, |
| 80 | + | { |
| 81 | + | "Firebase Database", |
| 82 | + | "Firebase Database", |
| 83 | + | `([a-z0-9.-]+\.firebaseio\.com|[a-z0-9.-]+\.firebaseapp\.com)`, |
| 84 | + | []string{}, |
| 85 | + | "?", |
| 86 | + | }, |
| 87 | + | { |
| 88 | + | "Twitter Secret Key", |
| 89 | + | "Twitter Secret Key", |
| 90 | + | `(?i)twitter(.{0,20})?[0-9a-z]{35,44}`, |
| 91 | + | []string{"twitter.com"}, |
| 92 | + | "?", |
| 93 | + | }, |
| 94 | + | { |
| 95 | + | "Twitter Client ID", |
| 96 | + | "Twitter Client ID", |
| 97 | + | `(?i)twitter(.{0,20})?[0-9a-z]{18,25}`, |
| 98 | + | []string{"twitter.com"}, |
| 99 | + | "?", |
| 100 | + | }, |
| 101 | + | { |
| 102 | + | "Github Personal Access Token", |
| 103 | + | "Github Personal Access Token", |
| 104 | + | `ghp_.{36}`, |
| 105 | + | []string{}, |
| 106 | + | "?", |
| 107 | + | }, |
| 108 | + | { |
| 109 | + | "Github Personal Access Token", |
| 110 | + | "Github Personal Access Token", |
| 111 | + | `github_pat_.{82}`, |
| 112 | + | []string{}, |
| 113 | + | "?", |
| 114 | + | }, |
| 115 | + | { |
| 116 | + | "Github OAuth Access Token", |
| 117 | + | "Github OAuth Access Token", |
| 118 | + | `gho_.{36}`, |
| 119 | + | []string{}, |
| 120 | + | "?", |
| 121 | + | }, |
| 122 | + | { |
| 123 | + | "Github App Token", |
| 124 | + | "Github App Token", |
| 125 | + | `(ghu|ghs)_.{36}`, |
| 126 | + | []string{}, |
| 127 | + | "?", |
| 128 | + | }, |
| 129 | + | { |
| 130 | + | "Github Refresh Token", |
| 131 | + | "Github Refresh Token", |
| 132 | + | `ghr_.{76}`, |
| 133 | + | []string{}, |
| 134 | + | "?", |
| 135 | + | }, |
| 136 | + | { |
| 137 | + | "LinkedIn Client ID", |
| 138 | + | "LinkedIn Client ID", |
| 139 | + | `(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}`, |
| 140 | + | []string{"linkedin.com", "linkedin.svg"}, |
| 141 | + | "?", |
| 142 | + | }, |
| 143 | + | { |
| 144 | + | "LinkedIn Secret Key", |
| 145 | + | "LinkedIn Secret Key", |
| 146 | + | `(?i)linkedin(.{0,20})?[0-9a-z]{16}`, |
| 147 | + | []string{"linkedin.com", "linkedin.svg"}, |
| 148 | + | "?", |
| 149 | + | }, |
| 150 | + | { |
| 151 | + | "Slack", |
| 152 | + | "Slack", |
| 153 | + | `xox[baprs]-([0-9a-zA-Z]{10,48})?`, |
| 154 | + | []string{}, |
| 155 | + | "?", |
| 156 | + | }, |
| 157 | + | { |
| 158 | + | "Asymmetric Private Key", |
| 159 | + | "Asymmetric Private Key", |
| 160 | + | `-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----`, |
| 161 | + | []string{}, |
| 162 | + | "?", |
| 163 | + | }, |
| 164 | + | { |
| 165 | + | "Google API key", |
| 166 | + | "Google API key", |
| 167 | + | `AIza[0-9A-Za-z\-_]{35}`, |
| 168 | + | []string{}, |
| 169 | + | "?", |
| 170 | + | }, |
| 171 | + | { |
| 172 | + | "Google (GCP) Service Account", |
| 173 | + | "Google (GCP) Service Account", |
| 174 | + | `"type": "service_account"`, |
| 175 | + | []string{}, |
| 176 | + | "?", |
| 177 | + | }, |
| 178 | + | { |
| 179 | + | "Heroku API key", |
| 180 | + | "Heroku API key", |
| 181 | + | `(?i)heroku(.{0,20})?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`, |
| 182 | + | []string{}, |
| 183 | + | "?", |
| 184 | + | }, |
| 185 | + | { |
| 186 | + | "MailChimp API key", |
| 187 | + | "MailChimp API key", |
| 188 | + | `[0-9a-f]{32}-us[0-9]{1,2}`, |
| 189 | + | []string{}, |
| 190 | + | "?", |
| 191 | + | }, |
| 192 | + | { |
| 193 | + | "Mailgun API key", |
| 194 | + | "Mailgun API key", |
| 195 | + | `key\-[0-9a-zA-Z]{32}`, |
| 196 | + | []string{}, |
| 197 | + | "?", |
| 198 | + | }, |
| 199 | + | { |
| 200 | + | "PayPal Braintree access token", |
| 201 | + | "PayPal Braintree access token", |
| 202 | + | `access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}`, |
| 203 | + | []string{}, |
| 204 | + | "?", |
| 205 | + | }, |
| 206 | + | { |
| 207 | + | "Picatic API key", |
| 208 | + | "Picatic API key", |
| 209 | + | `sk\_live\_[0-9a-z]{32}`, |
| 210 | + | []string{}, |
| 211 | + | "?", |
| 212 | + | }, |
| 213 | + | { |
| 214 | + | "SendGrid API Key", |
| 215 | + | "SendGrid API Key", |
| 216 | + | `SG\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{43}`, |
| 217 | + | []string{}, |
| 218 | + | "?", |
| 219 | + | }, |
| 220 | + | { |
| 221 | + | "Slack Webhook", |
| 222 | + | "Slack Webhook", |
| 223 | + | `https\:\/\/hooks\.slack\.com/services/T[0-9A-Za-z\-_]{8}/B[0-9A-Za-z\-_]{8}/[0-9A-Za-z\-_]{24}`, |
| 224 | + | []string{}, |
| 225 | + | "?", |
| 226 | + | }, |
| 227 | + | { |
| 228 | + | "Stripe API key", |
| 229 | + | "Stripe API key", |
| 230 | + | `(?i)stripe(.{0,20})?[sr]k_live_[0-9a-zA-Z]{24}`, |
| 231 | + | []string{}, |
| 232 | + | "?", |
| 233 | + | }, |
| 234 | + | { |
| 235 | + | "Square access token", |
| 236 | + | "Square access token", |
| 237 | + | `sq0atp\-[0-9A-Za-z\-_]{22}|EAAAE[a-zA-Z0-9\-_]{59}`, |
| 238 | + | []string{}, |
| 239 | + | "?", |
| 240 | + | }, |
| 241 | + | { |
| 242 | + | "Square OAuth secret", |
| 243 | + | "Square OAuth secret", |
| 244 | + | `sq0csp\-[0-9A-Za-z\-_]{43}`, |
| 245 | + | []string{}, |
| 246 | + | "?", |
| 247 | + | }, |
| 248 | + | { |
| 249 | + | "Twilio API key", |
| 250 | + | "Twilio API key", |
| 251 | + | `(?i)twilio(.{0,20})?SK[0-9a-f]{32}`, |
| 252 | + | []string{}, |
| 253 | + | "?", |
| 254 | + | }, |
| 255 | + | { |
| 256 | + | "Dynatrace token", |
| 257 | + | "Dynatrace token", |
| 258 | + | `dt0[a-zA-Z]{1}[0-9]{2}\.[A-Z0-9]{24}\.[A-Z0-9]{64}`, |
| 259 | + | []string{}, |
| 260 | + | "?", |
| 261 | + | }, |
| 262 | + | { |
| 263 | + | "Shopify shared secret", |
| 264 | + | "Shopify shared secret", |
| 265 | + | `shpss\_[a-fA-F0-9]{32}`, |
| 266 | + | []string{}, |
| 267 | + | "?", |
| 268 | + | }, |
| 269 | + | { |
| 270 | + | "Shopify access token", |
| 271 | + | "Shopify access token", |
| 272 | + | `shpat\_[a-fA-F0-9]{32}`, |
| 273 | + | []string{}, |
| 274 | + | "?", |
| 275 | + | }, |
| 276 | + | { |
| 277 | + | "Shopify custom app access token", |
| 278 | + | "Shopify custom app access token", |
| 279 | + | `shpca\_[a-fA-F0-9]{32}`, |
| 280 | + | []string{}, |
| 281 | + | "?", |
| 282 | + | }, |
| 283 | + | { |
| 284 | + | "Shopify private app access token", |
| 285 | + | "Shopify private app access token", |
| 286 | + | `shppa\_[a-fA-F0-9]{32}`, |
| 287 | + | []string{}, |
| 288 | + | "?", |
| 289 | + | }, |
| 290 | + | { |
| 291 | + | "Seen in the past tokens", |
| 292 | + | "Seen in the past tokens", |
| 293 | + | `(?i)['|"](DISCOVERY_IAM_APIKEY|appPassword|slackToken|slack_signing_secret|watson_assistant_api_key|pythonPassword)['|"]`, |
| 294 | + | []string{}, |
| 295 | + | "?", |
| 296 | + | }, |
| 297 | + | { |
| 298 | + | "Secret indicator with _", |
| 299 | + | "Secret indicator with _", |
| 300 | + | `(?i)['|"][a-zA-Z0-9\-]+[\.|\-|_](access-key|password|apikey|secret|access_key|secret-key|pwd|passwd|appsecret|app_secret)['|"](\s*?):(\s*?)['|"].*?['|"](\s*?)`, |
| 301 | + | []string{}, |
| 302 | + | "?", |
| 303 | + | }, |
| 304 | + | { |
| 305 | + | "Escaped credentials", |
| 306 | + | "Escaped credentials", |
| 307 | + | `(?im)\\['|"](admin|user|client|users|)[_\.]?(pass|password|passwd|secret|credentials|token)\\['|"]\s*?:\s*?\\['|"].*?\\['|"]`, |
| 308 | + | []string{}, |
| 309 | + | "?", |
| 310 | + | }, |
| 311 | + | { |
| 312 | + | "API Tokens with high entropy", |
| 313 | + | "API Tokens with high entropy", |
| 314 | + | `(?i)token:\s*?['|"][a-zA-Z0-9]+['|"]`, |
| 315 | + | []string{}, |
| 316 | + | "?", |
| 317 | + | }, |
| 318 | + | { |
| 319 | + | "PyPI upload token", |
| 320 | + | "PyPI upload token", |
| 321 | + | `pypi\-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{50,1000}`, |
| 322 | + | []string{}, |
| 323 | + | "?", |
| 324 | + | }, |
| 325 | + | { |
| 326 | + | "Bugsnag API Key", |
| 327 | + | "Bugsnag API Key", |
| 328 | + | `(?i)(bs|bugsnag)(.{0,20})?[0-9a-f]{32}`, |
| 329 | + | []string{}, |
| 330 | + | "?", |
| 331 | + | }, |
| 332 | + | { |
| 333 | + | "AWS cognito pool", |
| 334 | + | "AWS Cognito pool", |
| 335 | + | `(us-east-1|us-east-2|us-west-1|us-west-2|sa-east-1):[0-9A-Za-z]{8}-[0-9A-Za-z]{4}` + |
| 336 | + | `-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}`, |
| 337 | + | []string{}, |
| 338 | + | "?", |
| 339 | + | }, |
| 340 | + | { |
| 341 | + | "S3 Bucket", |
| 342 | + | "S3 Bucket", |
| 343 | + | `(?:[a-zA-Z0-9_-]+s3\.amazonaws\.com|[a-zA-Z0-9_.-]+amazonaws\.com|` + |
| 344 | + | `[a-zA-Z0-9-\.\_]+\.s3\.amazonaws\.com|s3\:\/\/[a-zA-Z0-9-\.\_]+|` + |
| 345 | + | `s3\.amazonaws\.com/[a-zA-Z0-9-\.\_]+)`, |
| 346 | + | []string{}, |
| 347 | + | "?", |
| 348 | + | }, |
| 349 | + | { |
| 350 | + | "Discord Webhook", |
| 351 | + | "Discord Webhook", |
| 352 | + | `https\:\/\/discordapp\.com\/api\/webhooks\/[0-9]+/[A-Za-z0-9\-]+`, |
| 353 | + | []string{}, |
| 354 | + | "?", |
| 355 | + | }, |
| 356 | + | { |
| 357 | + | "Google Calendar URI", |
| 358 | + | "Google Calendar URI", |
| 359 | + | `https\:\/\/(.*)calendar\.google\.com\/calendar\/[0-9a-z\/]+\/embed\?src=[A-Za-z0-9%@&;=\-_\.\/]+`, |
| 360 | + | []string{}, |
| 361 | + | "?", |
| 362 | + | }, |
| 363 | + | { |
| 364 | + | "Google OAuth Access Key", |
| 365 | + | "Google OAuth Access Key", |
| 366 | + | `ya29\.[0-9A-Za-z\-_]+`, |
| 367 | + | []string{}, |
| 368 | + | "?", |
| 369 | + | }, |
| 370 | + | { |
| 371 | + | "Mapbox Token Disclosure", |
| 372 | + | "Mapbox Token Disclosure", |
| 373 | + | `(pk|sk)\.eyJ1Ijoi\w+\.[\w-]*`, |
| 374 | + | []string{}, |
| 375 | + | "?", |
| 376 | + | }, |
| 377 | + | { |
| 378 | + | "Microsoft Teams Webhook", |
| 379 | + | "Microsoft Teams Webhook", |
| 380 | + | `https\:\/\/outlook\.office\.com\/webhook\/[A-Za-z0-9\-@]+\/IncomingWebhook\/[A-Za-z0-9\-]+\/[A-Za-z0-9\-]+`, |
| 381 | + | []string{}, |
| 382 | + | "?", |
| 383 | + | }, |
| 384 | + | { |
| 385 | + | "Generic Keys", |
| 386 | + | "Generic Keys", |
| 387 | + | `(?i)(?:(?:access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_.\-,]{0,25})[:<>=|]{1,2}.{0,5}['"]([0-9a-zA-Z\-_=]{8,64})['"]`, |
| 388 | + | []string{}, |
| 389 | + | "?", |
| 390 | + | }, |
| 391 | + | { |
| 392 | + | "Secrets From js miner", |
| 393 | + | "Check Keys in keyhacks", |
| 394 | + | `['"` + "`]?(\\w*)" + // Starts with a quote then a word / white spaces |
| 395 | + | `(\s*)` + |
| 396 | + | `(secret|token|password|passwd|authorization|bearer|aws_access_key_id|aws_secret_access_key|irc_pass|SLACK_BOT_TOKEN|id_dsa|` + |
| 397 | + | `secret[_-]?(key|token|secret)|` + |
| 398 | + | `api[_-]?(key|token|secret)|` + |
| 399 | + | `access[_-]?(key|token|secret)|` + |
| 400 | + | `auth[_-]?(key|token|secret)|` + |
| 401 | + | `session[_-]?(key|token|secret)|` + |
| 402 | + | `consumer[_-]?(key|token|secret)|` + |
| 403 | + | `public[_-]?(key|token|secret)|` + |
| 404 | + | `client[_-]?(id|token|key)|` + |
| 405 | + | `ssh[_-]?key|` + |
| 406 | + | `encrypt[_-]?(secret|key)|` + |
| 407 | + | `decrypt[_-]?(secret|key)|` + |
| 408 | + | `github[_-]?(key|token|secret)|` + |
| 409 | + | `slack[_-]?token)` + |
| 410 | + | `(\w*)` + // in case there are any characters / white spaces |
| 411 | + | `(\s*)` + |
| 412 | + | `['"` + "`]?" + // closing quote for variable name |
| 413 | + | `(\s*)` + // white spaces |
| 414 | + | `[:=]+[:=>]?` + // assignments operation |
| 415 | + | `(\s*)` + |
| 416 | + | `['"` + "`]" + // opening quote for secret |
| 417 | + | `(\s*)` + |
| 418 | + | `([\w\-/~!@#$%^&*+]+)` + // Assuming secrets will be alphanumeric with some special characters |
| 419 | + | `(\s*)` + |
| 420 | + | `['"` + "`]", |
| 421 | + | []string{}, |
| 422 | + | "?", |
| 423 | + | }, |
| 424 | + | } |
| 425 | + | return regexes |
| 426 | + | } |
| 427 | + | |
| 428 | + | // RemoveDuplicateSecrets removes duplicates from secrets found. |
| 429 | + | func RemoveDuplicateSecrets(input []SecretMatched) []SecretMatched { |
| 430 | + | keys := make(map[string]bool) |
| 431 | + | list := []SecretMatched{} |
| 432 | + | |
| 433 | + | for _, entry := range input { |
| 434 | + | if _, value := keys[entry.Match]; !value { |
| 435 | + | keys[entry.Match] = true |
| 436 | + | list = append(list, entry) |
| 437 | + | } |
| 438 | + | } |
| 439 | + | |
| 440 | + | return list |
| 441 | + | } |
| 442 | + | |