
Limit hashicorp-tf-password to .tf/.hcl files (#1420)

* Limit hashicorp-tf-password to .tf/.hcl files

* fix tests

---------

Co-authored-by: Becojo <Becojo@users.noreply.github.com>
becojo 1 год назад
Родитель
Сommit
02808f45d0
3 измененных файлов с 39 добавлено и 7 удалено
  1. 10 7
      cmd/generate/config/rules/hashicorp.go
  2. 28 0
      cmd/generate/config/rules/rule.go
  3. 1 0
      config/gitleaks.toml

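--- a/cmd/generate/config/rules/hashicorp.go
+++ b/cmd/generate/config/rules/hashicorp.go
@@ -32,17 +32,20 @@ func HashicorpField() *config.Rule {
 		RuleID:      "hashicorp-tf-password",
 		Regex:       generateSemiGenericRegex(keywords, fmt.Sprintf(`"%s"`, alphaNumericExtended("8,20")), true),
 		Keywords:    keywords,
+		Path:        regexp.MustCompile(`\.(tf|hcl)$`),
 	}
 
-	tps := []string{
+	tps := map[string]string{
 		// Example from: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server.html
-		"administrator_login_password = " + `"thisIsDog11"`,
+		"file.tf": "administrator_login_password = " + `"thisIsDog11"`,
 		// https://registry.terraform.io/providers/petoju/mysql/latest/docs
-		"password       = " + `"rootpasswd"`,
+		"file.hcl": "password       = " + `"rootpasswd"`,
 	}
-	fps := []string{
-		"administrator_login_password = var.db_password",
-		`password = "${aws_db_instance.default.password}"`,
+	fps := map[string]string{
+		"file.tf":      "administrator_login_password = var.db_password",
+		"file.hcl":     `password = "${aws_db_instance.default.password}"`,
+		"unrelated.js": "password       = " + `"rootpasswd"`,
 	}
-	return validate(r, tps, fps)
+
+	return validateWithPaths(r, tps, fps)
 }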
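Review bot: The new `Path` filter `\.(tf|hcl)$` stops this rule from scanning `.tfvars` files, which is where Terraform values such as `administrator_login_password` are typically assigned, so the restriction removes the `unrelated.js` false positive at the cost of missed true positives in variable files. Widening the pattern to `\.(tf|tfvars|hcl)$` and adding a true-positive sample keyed `"file.tfvars"` to `tps` would keep that coverage; the `path` entry in the generated `config/gitleaks.toml` follows from this regex. The hunk does not show the file's import block, so confirm `regexp` is imported in hashicorp.go. HashicorpField's body starts outside the hunk.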

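--- a/cmd/generate/config/rules/rule.go
+++ b/cmd/generate/config/rules/rule.go
@@ -97,6 +97,34 @@ func validate(r config.Rule, truePositives []string, falsePositives []string) *c
 	return &r
 }
 
+func validateWithPaths(r config.Rule, truePositives map[string]string, falsePositives map[string]string) *config.Rule {
+	var keywords []string
+	for _, k := range r.Keywords {
+		keywords = append(keywords, strings.ToLower(k))
+	}
+	r.Keywords = keywords
+
+	rules := make(map[string]config.Rule)
+	rules[r.RuleID] = r
+	d := detect.NewDetector(config.Config{
+		Rules:    rules,
+		Keywords: keywords,
+	})
+	for path, tp := range truePositives {
+		f := detect.Fragment{Raw: tp, FilePath: path}
+		if len(d.Detect(f)) != 1 {
+			log.Fatal().Msgf("Failed to validate. For rule ID [%s], true positive [%s] in %s was not detected by regexp [%s] path [%s]", r.RuleID, tp, path, r.Regex, r.Path)
+		}
+	}
+	for path, fp := range falsePositives {
+		f := detect.Fragment{Raw: fp, FilePath: path}
+		if len(d.Detect(f)) != 0 {
+			log.Fatal().Msgf("Failed to validate. For rule ID [%s], false positive [%s] in %s was detected by regexp [%s] path [%s]", r.RuleID, fp, path, r.Regex, r.Path)
+		}
+	}
+	return &r
+}
+
 func numeric(size string) string {
 	return fmt.Sprintf(`[0-9]{%s}`, size)
 }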
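Review bot: `validateWithPaths` repeats the keyword-lowering and detector construction that `validate` (whose body ends at the `return &r` above this hunk) already performs, and it has no doc comment. Keying samples by path in a `map[string]string` also limits a rule to one true positive and one false positive per file name, and map iteration makes the order of any fatal message non-deterministic; a `[]struct{ Path, Raw string }` would allow several samples per path and a stable order. Extracting the shared setup into a helper both functions call would remove the duplicated lines. Suggested header: `// validateWithPaths checks r against each sample as if it came from the given file path, so rules with a Path filter are exercised end to end; it exits via log.Fatal on a missed true positive or a matched false positive.`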

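--- a/config/gitleaks.toml
+++ b/config/gitleaks.toml
@@ -2105,6 +2105,7 @@ keywords = [
 id = "hashicorp-tf-password"
 description = "Identified a HashiCorp Terraform password field, risking unauthorized infrastructure configuration and security breaches."
 regex = '''(?i)(?:administrator_login_password|password)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}("[a-z0-9=_\-]{8,20}")(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+path = '''\.(tf|hcl)$'''
 keywords = [
     "administrator_login_password","password",
 ]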