Add: Gitlab -> Pulumi

keyshade-xyz · Sep 16, 2024 · fff1935 · fff1935
1 parent 472e9cb
commit fff1935
Show file tree

Hide file tree

Showing 18 changed files with 740 additions and 5 deletions.
diff --git a/packages/secret-scan/src/denylist.ts b/packages/secret-scan/src/denylist.ts
@@ -42,7 +42,18 @@ import {
   easypost,
   facebook,
   flutterwave,
-  frameio
+  frameio,
+  gitlab,
+  grafana,
+  harness,
+  hashicorp,
+  heroku,
+  hubspot,
+  huggingface,
+  infracost,
+  intra42,
+  // kubernetes,
+  linear, lob, planetscale, postman, prefect, pulumi
 } from '@/rules'
 
 const denylist: SecretConfig = {
@@ -137,7 +148,39 @@ const denylist: SecretConfig = {
 
   flutterwave: flutterwave(),
 
-  frameio: frameio()
+  frameio: frameio(),
+
+  gitlab: gitlab(),
+
+  grafana: grafana(),
+
+  harness: harness(),
+
+  hashicorp: hashicorp(),
+
+  heroku: heroku(),
+
+  hubspot: hubspot(),
+
+  huggingface: huggingface(),
+
+  infracost: infracost(),
+
+  intra42: intra42(),
+
+  //kubernetes: kubernetes(),
+
+  linear: linear(),
+
+  lob: lob(),
+
+  planetscale: planetscale(),
+
+  postman: postman(),
+
+  prefect: prefect(),
+
+  pulumi: pulumi()
 }
 
 export default denylist
diff --git a/packages/secret-scan/src/rules/gitlab.ts b/packages/secret-scan/src/rules/gitlab.ts
@@ -0,0 +1,47 @@
+// keyshade-ignore-all
+import type { TestCase }from '@/types'
+
+export default function gitlab(): RegExp[] {
+	return [
+		/glpat-[0-9a-zA-Z\-_]{20}/,  		   // GitLab Personal Access Token  regex
+		/glptt-[0-9a-f]{40}/,              // GitLab Pipeline Trigger Token regex
+		/GR1348941[0-9a-zA-Z\-_]{20}/      // GitLab Runner Registration Token regex
+	]
+}
+
+const testcase: TestCase[] = [
+	{
+		input: 'glpat-a7rhywlOQc22s2wu6ksw',
+		expected: true
+	},
+	{
+		input: 'glptt-6a2ebf582d778fbabc413dfa97e0dfd6b4ce5c2e',
+		expected: true
+	},
+	{
+		input: 'GR1348941PQrAlrwIUScCvc8l6dWY',
+		expected: true
+	},
+	{
+		input: 'const = GITLAB_PERSONAL_ACCESS_TOKEN',
+		expected: false
+	},
+	{
+		input: 'const = GITLAB_PIPELINE_TRIGGER_TOKEN',
+		expected: false
+	},
+	{
+		input: 'const = GITLAB_RUNNER_REGISTRATION_TOKEN',
+		expected: false
+	},
+	{
+		input: 'GITLAB',
+		expected: false
+	},
+	{
+		input: 'GIT',
+		expected: false
+	}
+]
+
+gitlab.testcases = testcase
diff --git a/packages/secret-scan/src/rules/grafana.ts b/packages/secret-scan/src/rules/grafana.ts
@@ -0,0 +1,83 @@
+// keyshade-ignore-all
+import type { TestCase }from '@/types'
+
+export default function grafana(): RegExp[] {
+	return [
+		/eyJrIjoi[A-Za-z0-9]{70,400}={0,2}/,  		   // Grafana API Key regex
+		/glc_[A-Za-z0-9+/]{32,400}={0,2}/,           // Grafana Cloud API Token regex
+		/glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8}/        // Grafana Service Account Token regex
+	]
+}
+
+const testcase: TestCase[] = [
+	{
+		input: 'eyJrIjoiLC58NHoAWV9QQ4Hpinsjz28MsjlfclKhSP6J6ecvqe7mHV67gknZlPfS92wlJSaGVwKI8ZOxmosmWlylfjEQwsDL9M31sNtgLyJZgXMKr3YXFUvwXrxrUmrmA3SGEDQeqrwuQKIRglOx94NHGe7wve0xbOf3Mkysv6u8LUB9H2ZJJhtPorLByR2rUMaZaauZvyNm6dkz4iYgxNk2ROP6PIA1E6N6TGwHa44pebzqMSDMPSlVAWrNaK2xjco3Ez7qtXpJl7tayylHAONDcWiM9vQDUELUA8uZtQsHNZP4DEoPMKHeaChAMlAVzDvzaM8fkGta9CJeqfrwb4qJ2Y6uwsXk8e8XMsSWPsxXFyOe7NUVMPNFzy8C344xiv3YcvV1E==',
+		expected: true
+	},
+	{
+		input: 'eyJrIjoiIvuuuE2MzK2VJR23kHp3Q90IJSdnW9f1WIoyculWhTLBXrykooBhgIYm6IJgCndcSWDIaXJks7bkCdP3ywa7AfVpQP9rmJOq5VK57mas1KcdXD7Z1bdvhSo0mdzW91epWEcnlnLQpbtVLlDvxqnak9WETmFH==',
+		expected: true
+	},
+	{
+		input: 'eyJrIjoi6QlsUNL4JJHbBXlyJS3SiRDPUzUfhT1B2w6px62kuQK05cTohhVE4TR2H9dOGNF5B6plJAECmpGfWca7gbA7LpFGRRVG',
+		expected: true
+	},
+	{
+		input: 'glc_kB8ZcmLO+X1zpBZ7ljeXs8x8QjAPWLAQfIMv9r+4iOeAnQXnecZLzdPkutte3w0u737mBAFf+v3CitNm0fzUOEFd26tuVsncFpEkxRq/kjcYEhBWLYtIStMLcYyo7XhyLFW8IM7Bf4tGI9g5n9jfjtZnWqfKWEEhaHfE0ra',
+		expected: true
+	},
+	{
+		input: 'glc_Hb574KjK4N0Z81xqlZGJy0IZCvBmDPT7cPPVqdH9plY1GbHRVl8Nm8coHWlRrh97YJTUyaNSF1Ec3r36sOHyks9C31FIX5vEpAvRx5ZReGdPV4DVP9Y33gzhMgqhHA4HEUi+hnFPClhPlXMBMhZJLUAzFvP0AoOMxrkXnCMJSwfPC4/9/djzC16zX9MuYFWf==',
+		expected: true
+	},
+	{
+		input: 'glc_zSP9RW2kk4DZpq/gXYZwiKmLudxJqUNfXjtC8BvJLiMS32766GkZNOq2XIvPs8ZfFAh3yMUYTs/N4UT2d7q63uqq7=',
+		expected: true
+	},
+	{
+		input: 'glsa_phY2htSd5uTt3jmPvK8XBLuq1hwk8K7J_BbB124A7',
+		expected: true
+	},
+	{
+		input: 'glsa_8LVjQdfLZyFiylzBXDmwAhkwkHODsRNJ_B6BfAf1c',
+		expected: true
+	},
+	{
+		input: 'glsa_OBtXDlTAprnRnhZPLHXPyFeY9lbXc4dW_Eb1A4125',
+		expected: true
+	},
+	{
+		input: 'glsa_OBtXDlTAprnRnhZPLHXPyFeY9lbXc4dW_',
+		expected: false
+	},
+	{
+		input: 'glc_zSP9RW2kq/gXYZwiKmLudxJqU66GkZN',
+		expected: false
+	},
+	{
+		input: 'eyJrIjoi6QlsUNL4JJHbBXlyJS3SiRDPUzUfhT1B2w6px62kuQK05cTohhVE4TR2H9dO',
+		expected: false
+	},
+	{
+		input: 'GRAFANA',
+		expected: false
+	},
+	{
+		input: 'const = GRAFANA_API_KEY',
+		expected: false
+	},
+	{
+		input: 'GRAFANA_API_KEY',
+		expected: false
+	},
+	{
+		input: 'GRAFANA_CLOUD_API_TOKEN',
+		expected: false
+	},
+	{
+		input: 'GRAFANA_SERVICE_ACCOUNT_TOKEN',
+		expected: false
+	}
+]
+
+grafana.testcases = testcase
diff --git a/packages/secret-scan/src/rules/harness.ts b/packages/secret-scan/src/rules/harness.ts
@@ -0,0 +1,50 @@
+// keyshade-ignore-all
+import type { TestCase }from '@/types'
+
+export default function harness(): RegExp[] {
+	return [
+		// Harness Personal Access (starts with `pat`) & Service Account (starts with `sat`) Token regex
+		/(?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20}/,
+	]
+}
+
+const testcase: TestCase[] = [
+	{
+		input: 'sat.tbD3t0UTVxnDsJjXtA7yFg.Ses0cii322QyNVAWsGCAtbPG.cL64ShIGlxlB55eB2YSw',
+		expected: true
+	},
+	{
+		input: 'sat.D5rQDqdpmAy8RCFrGOjBXu.8YSoWK1thmC6eTbWDLSg4SiK.OnKZVW9IytuKh9HFhhKG',
+		expected: true
+	},
+	{
+		input: 'pat.GRDSyUuWR5EA2jwP2LDXEv.WqO2w3p1vb8QBvif7r0ilHTS.8T9HF4wdkNw1SxJTcoB3',
+		expected: true
+	},
+	{
+		input: 'pat.t9KDTZ3Z4y1LZx2lwLTx5Y.VHA8Fd6wMD8Lc5yZ1aruadYC.v56fG64UhjmwgkoY5ugl\n',
+		expected: true
+	},
+	{
+		input: 'const = HARNESS_PERSONAL_ACCESS_TOKEN',
+		expected: false
+	},
+	{
+		input: 'const = HARNESS_SERVICE_ACCOUNT_TOKEN',
+		expected: false
+	},
+	{
+		input: 'HARNESS',
+		expected: false
+	},
+	{
+		input: 'pat.',
+		expected: false
+	},
+	{
+		input: 'sat.',
+		expected: false
+	}
+]
+
+harness.testcases = testcase
diff --git a/packages/secret-scan/src/rules/hashicorp.ts b/packages/secret-scan/src/rules/hashicorp.ts
@@ -0,0 +1,26 @@
+// keyshade-ignore-all
+import type { TestCase }from '@/types'
+
+export default function hashicorp(): RegExp[] {
+	return [
+		// Hashicorp Terraform APi Token Regex
+		/[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}/i
+	]
+}
+
+const testcase: TestCase[] = [
+	{
+		input: '9mc0jh5dvgc1cx.atlasv1.y4u=-3=j=5nbf2bg0tkg1019e_9r6ghkmugdfl05hp2qzdd8=8d=wmtfya99o',
+		expected: true
+	},
+	{
+		input: 't4eyvzkop56q4o.atlasv1.idknou9rz9ul3y2lepjhk=c6dvpdioedep=cwkrzk4m8i5v8fpb-kixusz-xo7loooj1',
+		expected: true
+	},
+	{
+		input: 'TERRAFORM',
+		expected: false
+	}
+]
+
+hashicorp.testcases = testcase
diff --git a/packages/secret-scan/src/rules/heroku.ts b/packages/secret-scan/src/rules/heroku.ts
@@ -0,0 +1,38 @@
+// keyshade-ignore-all
+import type { TestCase }from '@/types'
+
+export default function heroku(): RegExp[] {
+	return [
+		// Heroku API Key regex ( UUID like pattern )
+		/\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b/
+	]
+}
+
+const testcase: TestCase[] = [
+	{
+		input: 'E3D24DAc-7c5D-Aacd-fafF-3cc0c70e2ccc',
+		expected: true
+	},
+	{
+		input: 'AAD43dca-DBFc-4aEc-c86c-D57D57CAefb2',
+		expected: true
+	},
+	{
+		input: 'FdA859B1-7D9a-f3e0-fAC3-E4ae6FbEEfBA',
+		expected: true
+	},
+	{
+		input: 'AADdca-DBFc-4aEc-c86c-D57D57CAefb2',
+		expected: false
+	},
+	{
+		input: 'AAD43dca-DBFc-4aEc-c86c-D7CAefb2',
+		expected: false
+	},
+	{
+		input: 'AAD43dca-Dc-Ec-cc-D57D57CAefb2',
+		expected: false
+	}
+]
+
+heroku.testcases = testcase
diff --git a/packages/secret-scan/src/rules/hubspot.ts b/packages/secret-scan/src/rules/hubspot.ts
@@ -0,0 +1,38 @@
+// keyshade-ignore-all
+import type { TestCase }from '@/types'
+
+export default function hubspot(): RegExp[] {
+	return [
+		// Hubspot API Key regex
+		/\b[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\b/
+	]
+}
+
+const testcase: TestCase[] = [
+	{
+		input: '6CA76A92-AC2A-8798-B0DD-DC55F0FD2718',
+		expected: true
+	},
+	{
+		input: '17EEDBBE-B310-B60F-D37F-5902082CA2F2',
+		expected: true
+	},
+	{
+		input: 'F74407A5-64B8-1C17-C90D-A3613B216A0B',
+		expected: true
+	},
+	{
+		input: '17EEDBBE-B310-B60F-D37F-5902082CA',
+		expected: false
+	},
+	{
+		input: '17EEE-B310-B60F-D37F-5902082CA2F2',
+		expected: false
+	},
+	{
+		input: '17EEDBBE-B0-B0F-D-5902082CA2F2',
+		expected: false
+	}
+]
+
+hubspot.testcases = testcase
diff --git a/packages/secret-scan/src/rules/huggingface.ts b/packages/secret-scan/src/rules/huggingface.ts
@@ -0,0 +1,41 @@
+// keyshade-ignore-all
+import type { TestCase }from '@/types'
+
+export default function huggingface(): RegExp[] {
+	return [
+		// Huggingface Access Token regex
+		/(?:^|[\\'"` + "`" + ` >=:])(hf_[a-zA-Z]{34})(?:$|[\\'"` + "`" + ` <])/,
+
+		// Huggingface Organization Access Token Regex
+		/(?:^|[\\'"` + "`" + ` >=:\(,)])(api_org_[a-zA-Z]{34})(?:$|[\\'"` + "`" + ` <\),])/
+	]
+}
+
+const testcase: TestCase[] = [
+	{
+		input: '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',
+		expected: true
+	},
+	{
+		input: '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',
+		expected: true
+	},
+	{
+		input: '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',
+		expected: true
+	},
+	{
+		input: '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',
+		expected: true
+	},
+	{
+		input: 'api_org_',
+		expected: false
+	},
+	{
+		input: 'hf_',
+		expected: false
+	}
+]
+
+huggingface.testcases = testcase