Zach 2 лет назад
4a1ce8d02f
4 измененных файлов с 328 добавлено и 487 удалено
  1. 19 19
      cmd/generate/config/main.go
  2. 307 295
      cmd/generate/config/rules/azure.go
  3. 1 1
      cmd/generate/config/rules/config.tmpl
  4. 1 172
      config/gitleaks.toml

+ 19 - 19
cmd/generate/config/main.go

@@ -31,25 +31,25 @@ func main() {
 	configRules = append(configRules, rules.Authress())
 	configRules = append(configRules, rules.AWS())
 	configRules = append(configRules, rules.AzureAppServiceDeploymentSecrets())
-	configRules = append(configRules, rules.AzureDevTFVCSecrets())
-	configRules = append(configRules, rules.AzureDevopsPAT())
-	configRules = append(configRules, rules.AzureNetworkCredential())
-	configRules = append(configRules, rules.AzureNetworkCredentialSchtasks())
-	configRules = append(configRules, rules.AzureNetworkCredentialDotNet())
-	configRules = append(configRules, rules.AzurePasswordDecryptionkey())
-	configRules = append(configRules, rules.AzurePasswordAddKey())
-	configRules = append(configRules, rules.AzurePasswordConnString())
-	configRules = append(configRules, rules.AzurePasswordValueString())
-	configRules = append(configRules, rules.AzurePassworduidpw())
-	configRules = append(configRules, rules.AzureStorageCredential43char())
-	configRules = append(configRules, rules.AzureStorageCredential86char())
-	configRules = append(configRules, rules.AzureStorageCredentialAccountKey())
-	configRules = append(configRules, rules.AzureStorageCredentialBlobURL())
-	configRules = append(configRules, rules.AzureStorageCredentialMonikerKey())
-	configRules = append(configRules, rules.AzureStorageCredentialServiceBus())
-	configRules = append(configRules, rules.AzureStorageCredentialSig53())
-	configRules = append(configRules, rules.AzureStorageCredentialUserIDPW())
-	configRules = append(configRules, rules.AzureStorageCredentialXStore())
+	// configRules = append(configRules, rules.AzureDevTFVCSecrets())
+	// configRules = append(configRules, rules.AzureDevopsPAT())
+	// configRules = append(configRules, rules.AzureNetworkCredential())
+	// configRules = append(configRules, rules.AzureNetworkCredentialSchtasks())
+	// configRules = append(configRules, rules.AzureNetworkCredentialDotNet())
+	// configRules = append(configRules, rules.AzurePasswordDecryptionkey())
+	// configRules = append(configRules, rules.AzurePasswordAddKey())
+	// configRules = append(configRules, rules.AzurePasswordConnString())
+	// configRules = append(configRules, rules.AzurePasswordValueString())
+	// configRules = append(configRules, rules.AzurePassworduidpw())
+	// configRules = append(configRules, rules.AzureStorageCredential43char())
+	// configRules = append(configRules, rules.AzureStorageCredential86char())
+	// configRules = append(configRules, rules.AzureStorageCredentialAccountKey())
+	// configRules = append(configRules, rules.AzureStorageCredentialBlobURL())
+	// configRules = append(configRules, rules.AzureStorageCredentialMonikerKey())
+	// configRules = append(configRules, rules.AzureStorageCredentialServiceBus())
+	// configRules = append(configRules, rules.AzureStorageCredentialSig53())
+	// configRules = append(configRules, rules.AzureStorageCredentialUserIDPW())
+	// configRules = append(configRules, rules.AzureStorageCredentialXStore())
 
 	// Below work on Regex.com but something about the internal conversion to generateUniqueTokenRegex is breaking them
 	//configRules = append(configRules, rules.AzurePowershellTokenCache())
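Review bot: The nineteen commented-out `append` calls on the new side carry no explanation, so a reader of main.go cannot tell that these rules still exist in rules/azure.go and were disabled only because they lack `Keywords`. A single comment above the block would carry that, e.g. `// Azure rules below are disabled until each has Keywords set; without them the generated config emits empty keyword lists (see TODO (zrice) markers in rules/azure.go).` The empty-list consequence is visible in the config/gitleaks.toml section of this commit, where every removed rule had `keywords = [ ]`. Disabling a registration drops the rule from the generated gitleaks.toml entirely, which is a detection-coverage change worth stating in the commit message rather than only in dead code. `main()` begins before this hunk.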

+ 307 - 295
cmd/generate/config/rules/azure.go

@@ -18,270 +18,280 @@ import (
 
 // CSCAN0250 - covered in jwt.go
 
-
 func AzureAppServiceDeploymentSecrets() *config.Rule {
 	// define rule
 	r := config.Rule{
 		Description: "CSCAN0020, CSCAN0030 - Found Azure app service deployment secrets in publish settings file.",
 		RuleID:      "azure-app-service-deployment-secrets",
 		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`MII[a-z0-9=_\-]{200}`),
-		Keywords: []string{"MII"},
+		Regex:       generateUniqueTokenRegex(`MII[a-z0-9=_\-]{200}`),
+		Keywords:    []string{"MII"},
 	}
 
 	// validate
 	tps := []string{
 		generateSampleSecret("azure-app-service-deployment-secrets",
-			"MII" + secrets.NewSecret(alphaNumeric("200"))),
-	}
-	return validate(r, tps, nil)
-}
-
-func AzureStorageCredential86char() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0030, CSCAN0090, CSCAN0150 - Found Azure storage credential in source code file.",
-		RuleID:      "azure-storage-credential-86char",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`[ \t]{0,10}[a-zA-Z0-9/+]{86}==`),
-	}
-
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-storage-credential-86char",
-			secrets.NewSecret(alphaNumeric("86") + "==")),
+			"MII"+secrets.NewSecret(alphaNumeric("200"))),
 	}
 	return validate(r, tps, nil)
 }
 
-func AzureStorageCredential43char() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0030, CSCAN0090, CSCAN0150 - Found Azure storage credential in source code file.",
-		RuleID:      "azure-storage-credential-43char",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`[a-zA-Z0-9/+]{43}=[^{@\d%]`),
-	}
+// TODO (zrice) needs keyword
+// func AzureStorageCredential86char() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0030, CSCAN0090, CSCAN0150 - Found Azure storage credential in source code file.",
+// 		RuleID:      "azure-storage-credential-86char",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`[ \t]{0,10}[a-zA-Z0-9/+]{86}==`),
+// 	}
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-storage-credential-43char",
-			secrets.NewSecret(alphaNumeric("43") + "=a")),
-	}
-	return validate(r, tps, nil)
-}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-storage-credential-86char",
+// 			secrets.NewSecret(alphaNumeric("86") + "==")),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-func AzureStorageCredentialSig53() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0030, CSCAN0090, CSCAN0150 - Found Azure storage credential in source code file.",
-		RuleID:      "azure-storage-credential-sig53",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`((sig|sas|password)=|>)[a-zA-Z0-9%]{43,53}%3d[^{a-zA-Z0-9%]`),
-	}
+// TODO (zrice) needs keyword
+// func AzureStorageCredential43char() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0030, CSCAN0090, CSCAN0150 - Found Azure storage credential in source code file.",
+// 		RuleID:      "azure-storage-credential-43char",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`[a-zA-Z0-9/+]{43}=[^{@\d%]`),
+// 	}
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-storage-credential-sig53",
-			"sig=" + secrets.NewSecret(alphaNumeric("53") + "%3D")),
-	}
-	return validate(r, tps, nil)
-}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-storage-credential-43char",
+// 			secrets.NewSecret(alphaNumeric("43") + "=a")),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
+// TODO (zrice) needs keyword
+// func AzureStorageCredentialSig53() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0030, CSCAN0090, CSCAN0150 - Found Azure storage credential in source code file.",
+// 		RuleID:      "azure-storage-credential-sig53",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`((sig|sas|password)=|>)[a-zA-Z0-9%]{43,53}%3d[^{a-zA-Z0-9%]`),
+// 	}
 
-func AzureStorageCredentialUserIDPW() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0030 - Found Azure storage credential in source code file.",
-		RuleID:      "azure-storage-credential-useridpw",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`((user) ?(id|name)|uid)=.{2,128}?\s*?;\s*?((password)|(pwd))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|')`),
-	}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-storage-credential-sig53",
+// 			"sig=" + secrets.NewSecret(alphaNumeric("53") + "%3D")),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-storage-credential-useridpw",
-		"userid=" + secrets.NewSecret(alphaNumeric("128")) + ";password=" + secrets.NewSecret(alphaNumeric("200")) + ";"),
-	}
-	return validate(r, tps, nil)
-}
+// TODO (zrice) needs keyword
+// func AzureStorageCredentialUserIDPW() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0030 - Found Azure storage credential in source code file.",
+// 		RuleID:      "azure-storage-credential-useridpw",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`((user) ?(id|name)|uid)=.{2,128}?\s*?;\s*?((password)|(pwd))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|')`),
+// 	}
 
-func AzureStorageCredentialAccountKey() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0030 - Found Azure storage credential in source code file.",
-		RuleID:      "azure-storage-credential-accountkey",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`AccountKey\s*=\s*MII[a-zA-Z0-9/+]{43,}?={0,2}`),
-	}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-storage-credential-useridpw",
+// 		"userid=" + secrets.NewSecret(alphaNumeric("128")) + ";password=" + secrets.NewSecret(alphaNumeric("200")) + ";"),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-storage-credential-accountkey",
-			"AccountKey = MII" + secrets.NewSecret(alphaNumeric("43") + "=")),
-	}
-	return validate(r, tps, nil)
-}
+// TODO (zrice) needs keyword
+// func AzureStorageCredentialAccountKey() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0030 - Found Azure storage credential in source code file.",
+// 		RuleID:      "azure-storage-credential-accountkey",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`AccountKey\s*=\s*MII[a-zA-Z0-9/+]{43,}?={0,2}`),
+// 	}
 
-func AzureStorageCredentialXStore() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0100 - Found Azure storage credential in source code file.",
-		RuleID:      "azure-storage-credential-xstore",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`[<XstoreAccountInfo].*accountSharedKey\s*=\s*['"].*['"]`),
-	}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-storage-credential-accountkey",
+// 			"AccountKey = MII" + secrets.NewSecret(alphaNumeric("43") + "=")),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-storage-credential-xstore",
-			"<XstoreAccountInfo accountName = 'John Doe' accountSharedKey='" + secrets.NewSecret(alphaNumeric("43")) + "' />"),
-	}
-	return validate(r, tps, nil)
-}
+// TODO (zrice) needs keyword
+// func AzureStorageCredentialXStore() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0100 - Found Azure storage credential in source code file.",
+// 		RuleID:      "azure-storage-credential-xstore",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`[<XstoreAccountInfo].*accountSharedKey\s*=\s*['"].*['"]`),
+// 	}
 
-func AzureStorageCredentialServiceBus() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0100 - Found Azure storage credential in source code file.",
-		RuleID:      "azure-storage-credential-servicebus",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`[<ServiceBusAccountInfo].*SharedAccessKey\s*=\s*[a-zA-Z0-9/+]{10,}['"]`),
-	}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-storage-credential-xstore",
+// 			"<XstoreAccountInfo accountName = 'John Doe' accountSharedKey='" + secrets.NewSecret(alphaNumeric("43")) + "' />"),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-storage-credential-servicebus",
-		"<ServiceBusAccountInfo accountName='name' connectionString='Endpoint=sb://foo.net/;SharedAccessKeyName=bar;SharedAccessKey=" + secrets.NewSecret(alphaNumeric("43")) + "' />"),
-	}
-	return validate(r, tps, nil)
-}
+// TODO (zrice) needs keyword
+// func AzureStorageCredentialServiceBus() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0100 - Found Azure storage credential in source code file.",
+// 		RuleID:      "azure-storage-credential-servicebus",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`[<ServiceBusAccountInfo].*SharedAccessKey\s*=\s*[a-zA-Z0-9/+]{10,}['"]`),
+// 	}
 
-func AzureStorageCredentialMonikerKey() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0130 - Found Azure storage credential in MonitoringAgent config file.",
-		RuleID:      "azure-storage-credential-monikerkey",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`Account moniker\s?=.*key\s?=.*`),
-	}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-storage-credential-servicebus",
+// 		"<ServiceBusAccountInfo accountName='name' connectionString='Endpoint=sb://foo.net/;SharedAccessKeyName=bar;SharedAccessKey=" + secrets.NewSecret(alphaNumeric("43")) + "' />"),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-storage-credential-monikerkey",
-			"Account Moniker = 'John Doe' Key = '" + secrets.NewSecret(alphaNumeric("200") + "'")),
-	}
-	return validate(r, tps, nil)
-}
+// TODO (zrice) needs keyword
+// func AzureStorageCredentialMonikerKey() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0130 - Found Azure storage credential in MonitoringAgent config file.",
+// 		RuleID:      "azure-storage-credential-monikerkey",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`Account moniker\s?=.*key\s?=.*`),
+// 	}
 
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-storage-credential-monikerkey",
+// 			"Account Moniker = 'John Doe' Key = '" + secrets.NewSecret(alphaNumeric("200") + "'")),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-func AzureStorageCredentialBlobURL() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0110 - Found Azure storage credential in source code file.",
-		RuleID:      "azure-storage-credential-bloburl",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`(?i)https://[a-zA-Z0-9-]+.(blob|file|queue|table|dfs|z8.web).core.windows.net/.*?sig=[a-zA-Z0-9%]{30,}`),
-	}
+// TODO (zrice) needs keyword
+// func AzureStorageCredentialBlobURL() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0110 - Found Azure storage credential in source code file.",
+// 		RuleID:      "azure-storage-credential-bloburl",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`(?i)https://[a-zA-Z0-9-]+.(blob|file|queue|table|dfs|z8.web).core.windows.net/.*?sig=[a-zA-Z0-9%]{30,}`),
+// 	}
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-storage-credential-bloburl",
-			"https://myacct.blob.core.windows.net/a?sp=r&sr=b&sig=" + secrets.NewSecret(alphaNumeric("43"))),
-	}
-	return validate(r, tps, nil)
-}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-storage-credential-bloburl",
+// 			"https://myacct.blob.core.windows.net/a?sp=r&sr=b&sig=" + secrets.NewSecret(alphaNumeric("43"))),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
 // CSCAN0050, CSCAN0060, CSCAN0070 - covered in PrivateKey.go
 
 // CSCAN0080 looks for 'Password' in XML file
 
-func AzurePasswordDecryptionkey() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.",
-		RuleID:      "azure-password-machinekey",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`(decryptionKey\s*\=\s*['"].*['"]|validationKey\s*\=\s*['"].*['"])`),
-	}
-
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-password-machinekey",
-			"<machineKey decryptionKey='" + secrets.NewSecret(alphaNumeric("43")) + "' validationKey='" + secrets.NewSecret(alphaNumeric("43")) + "' useMachineContainer='true'>"),
-	}
-	return validate(r, tps, nil)
-}
+// TODO (zrice) needs keyword
+// func AzurePasswordDecryptionkey() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.",
+// 		RuleID:      "azure-password-machinekey",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`(decryptionKey\s*\=\s*['"].*['"]|validationKey\s*\=\s*['"].*['"])`),
+// 	}
 
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-password-machinekey",
+// 			"<machineKey decryptionKey='" + secrets.NewSecret(alphaNumeric("43")) + "' validationKey='" + secrets.NewSecret(alphaNumeric("43")) + "' useMachineContainer='true'>"),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-func AzurePasswordAddKey() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.",
-		RuleID:      "azure-password-addkey",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`[<add].*([key](s|[0-9])?|(credential)s?|(secret)(s|S|[0-9])?|[password|token|key](primary|secondary|orsas|sas|encrypted))['"]\s*value\s*=['"].*['"]`),
-	}
+// TODO (zrice) needs keyword
+// func AzurePasswordAddKey() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.",
+// 		RuleID:      "azure-password-addkey",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`[<add].*([key](s|[0-9])?|(credential)s?|(secret)(s|S|[0-9])?|[password|token|key](primary|secondary|orsas|sas|encrypted))['"]\s*value\s*=['"].*['"]`),
+// 	}
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-password-addkey",
-			"<add key='primary' value='" + secrets.NewSecret(alphaNumeric("200") + "' >")),
-	}
-	return validate(r, tps, nil)
-}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-password-addkey",
+// 			"<add key='primary' value='" + secrets.NewSecret(alphaNumeric("200") + "' >")),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-func AzurePasswordConnString() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.",
-		RuleID:      "azure-password-connstring",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`(connectionstring|connstring)[^=]*?=["'][^"']*?(password)=[^\$\s;][^"'\s]*?(;|['"])`),
-	}
+// TODO (zrice) needs keyword
+// func AzurePasswordConnString() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.",
+// 		RuleID:      "azure-password-connstring",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`(connectionstring|connstring)[^=]*?=["'][^"']*?(password)=[^\$\s;][^"'\s]*?(;|['"])`),
+// 	}
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-password-connstring",
-			//connstring='password=secret123;Server=localhost;'
-			"connstring='Server=localhost;password=" + secrets.NewSecret(alphaNumeric("23") + "'")),
-	}
-	return validate(r, tps, nil)
-}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-password-connstring",
+// 			//connstring='password=secret123;Server=localhost;'
+// 			"connstring='Server=localhost;password=" + secrets.NewSecret(alphaNumeric("23") + "'")),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-func AzurePasswordValueString() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.",
-		RuleID:      "azure-password-value-string",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`value\s?=\s?['"]((([A-Za-z0-9+/]){4}){1,200})==['"]`),
-	}
+// TODO (zrice) needs keyword
+// func AzurePasswordValueString() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.",
+// 		RuleID:      "azure-password-value-string",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`value\s?=\s?['"]((([A-Za-z0-9+/]){4}){1,200})==['"]`),
+// 	}
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-password-value-string",
-			"Value='" + secrets.NewSecret(alphaNumeric("20") + "=='")),
-	}
-	return validate(r, tps, nil)
-}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-password-value-string",
+// 			"Value='" + secrets.NewSecret(alphaNumeric("20") + "=='")),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-func AzurePassworduidpw() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.",
-		RuleID:      "azure-password-uidpw",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`((user) ?(id|name)|uid)=.{2,128}?\s*?;\s*?((password|(pwd))=[^'$%@'";\[\{][^;"']{2,350}?(;|"|'))`),
-	}
+// TODO (zrice) needs keyword
+// func AzurePassworduidpw() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.",
+// 		RuleID:      "azure-password-uidpw",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`((user) ?(id|name)|uid)=.{2,128}?\s*?;\s*?((password|(pwd))=[^'$%@'";\[\{][^;"']{2,350}?(;|"|'))`),
+// 	}
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-password-uidpw",
-			`uid=testuser;pwd=` + secrets.NewSecret(alphaNumeric("86") + ";")),
-	}
-	return validate(r, tps, nil)
-}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-password-uidpw",
+// 			`uid=testuser;pwd=` + secrets.NewSecret(alphaNumeric("86") + ";")),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
 // TODO: Come back to the two XML passwords below
 // func AzurePasswordXMLCredential() *config.Rule {
@@ -338,92 +348,94 @@ func AzurePassworduidpw() *config.Rule {
 // 	return validate(r, tps, nil)
 // }
 
+// TODO (zrice) needs keyword
+// func AzureNetworkCredential() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0160 - Found Azure domain credential in source file.",
+// 		RuleID:      "azure-network-credential",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`NetworkCredential\((\s*).*,(\s*).*,(\s*)(corp|europe|middleeast|northamerica|southpacific|southamerica|fareast|africa|redmond|exchange|extranet|partners|extranettest|parttest|noe|ntdev|ntwksta|sys-wingroup|windeploy|wingroup|winse|segroup|xcorp|xrep|phx|gme|usme|cdocidm|mslpa)\)`),
+// 	}
 
-func AzureNetworkCredential() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0160 - Found Azure domain credential in source file.",
-		RuleID:      "azure-network-credential",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`NetworkCredential\((\s*).*,(\s*).*,(\s*)(corp|europe|middleeast|northamerica|southpacific|southamerica|fareast|africa|redmond|exchange|extranet|partners|extranettest|parttest|noe|ntdev|ntwksta|sys-wingroup|windeploy|wingroup|winse|segroup|xcorp|xrep|phx|gme|usme|cdocidm|mslpa)\)`),
-	}
-
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-network-credential",
-			"NetworkCredential(username, password, europe)"),
-	}
-	return validate(r, tps, nil)
-}
-
-func AzureNetworkCredentialSchtasks() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0160 - Found Azure domain credential in source file.",
-		RuleID:      "azure-network-credential-schtasks",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`schtasks.*/ru\s(corp|europe|middleeast|northamerica|southpacific|southamerica|fareast|africa|redmond|exchange|extranet|partners|extranettest|parttest|noe|ntdev|ntwksta|sys\-wingroup|windeploy|wingroup|winse|segroup|xcorp|xrep|phx|gme|usme|cdocidm|mslpa).*/rp.*`),
-	}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-network-credential",
+// 			"NetworkCredential(username, password, europe)"),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-network-credential-schtasks",
-			`Schtasks /create /tn corp-daily-backup /tr \corp\backup.bat /ru corp\admin /rp password /sc daily`),
-	}
-	return validate(r, tps, nil)
-}
+// TODO (zrice) needs keyword
+// func AzureNetworkCredentialSchtasks() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0160 - Found Azure domain credential in source file.",
+// 		RuleID:      "azure-network-credential-schtasks",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`schtasks.*/ru\s(corp|europe|middleeast|northamerica|southpacific|southamerica|fareast|africa|redmond|exchange|extranet|partners|extranettest|parttest|noe|ntdev|ntwksta|sys\-wingroup|windeploy|wingroup|winse|segroup|xcorp|xrep|phx|gme|usme|cdocidm|mslpa).*/rp.*`),
+// 	}
 
-func AzureNetworkCredentialDotNet() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0160 - Found Azure domain credential in source file.",
-		RuleID:      "azure-network-credential-dotnet",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`new-object\s*System.Net.NetworkCredential\(.*?,\s*['"][^"]+['"]`),
-	}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-network-credential-schtasks",
+// 			`Schtasks /create /tn corp-daily-backup /tr \corp\backup.bat /ru corp\admin /rp password /sc daily`),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-network-credential-dotnet",
-			"New-Object System.Net.NetworkCredential(username, '" +  secrets.NewSecret(alphaNumeric("86")) + "')"),
-	}
-	return validate(r, tps, nil)
-}
+// TODO (zrice) needs keyword
+// func AzureNetworkCredentialDotNet() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0160 - Found Azure domain credential in source file.",
+// 		RuleID:      "azure-network-credential-dotnet",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`new-object\s*System.Net.NetworkCredential\(.*?,\s*['"][^"]+['"]`),
+// 	}
 
-func AzureDevTFVCSecrets() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0200 - Found Azure DevDiv TFVC repo secrets.",
-		RuleID:      "azure-devtfvc-secrets",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`enc_username=.+[\n\r\s]+enc_password=.{3,}`),
-	}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-network-credential-dotnet",
+// 			"New-Object System.Net.NetworkCredential(username, '" +  secrets.NewSecret(alphaNumeric("86")) + "')"),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-devtfvc-secrets",
-			"enc_username=myusername enc_password=" + secrets.NewSecret(alphaNumeric("86"))),
-	}
-	return validate(r, tps, nil)
-}
+// TODO (zrice) needs keyword
+// func AzureDevTFVCSecrets() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0200 - Found Azure DevDiv TFVC repo secrets.",
+// 		RuleID:      "azure-devtfvc-secrets",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`enc_username=.+[\n\r\s]+enc_password=.{3,}`),
+// 	}
 
-func AzureDevopsPAT() *config.Rule {
-	// define rule
-	r := config.Rule{
-		Description: "CSCAN0240 - Found Azure Devops personal access token in source file.",
-		RuleID:      "azure-devops-pat",
-		SecretGroup: 1,
-		Regex: generateUniqueTokenRegex(`(access_token).*?['="][a-zA-Z0-9/+]{10,99}['"]`),
-	}
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-devtfvc-secrets",
+// 			"enc_username=myusername enc_password=" + secrets.NewSecret(alphaNumeric("86"))),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
-	// validate
-	tps := []string{
-		generateSampleSecret("azure-devops-pat",
-			"Access_token=='" + secrets.NewSecret(hex("52")) + "'"),
-	}
-	return validate(r, tps, nil)
-}
+// func AzureDevopsPAT() *config.Rule {
+// 	// define rule
+// 	r := config.Rule{
+// 		Description: "CSCAN0240 - Found Azure Devops personal access token in source file.",
+// 		RuleID:      "azure-devops-pat",
+// 		SecretGroup: 1,
+// 		Regex: generateUniqueTokenRegex(`(access_token).*?['="][a-zA-Z0-9/+]{10,99}['"]`),
+// 	}
 
+// 	// validate
+// 	tps := []string{
+// 		generateSampleSecret("azure-devops-pat",
+// 			"Access_token=='" + secrets.NewSecret(hex("52")) + "'"),
+// 	}
+// 	return validate(r, tps, nil)
+// }
 
 // func AzurePowershellTokenCache() *config.Rule {
 // 	// define rule
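Review bot: Several of the rules commented out in this file have a literal in their own regex that would serve as the keyword, so they could have been kept enabled instead: `AzureStorageCredentialAccountKey` with `Keywords: []string{"AccountKey"},`, `AzureStorageCredentialServiceBus` with `Keywords: []string{"SharedAccessKey"},`, and `AzureDevTFVCSecrets` with `Keywords: []string{"enc_password"},`, following the `Keywords: []string{"MII"},` pattern retained in `AzureAppServiceDeploymentSecrets` (the generator appears to lowercase keywords, since the toml shows `mii`, so the literal's case presumably does not matter). Rules such as `AzureStorageCredential43char` and `AzureStorageCredential86char` have no fixed literal at all, so disabling those until a better anchor exists is reasonable. `AzureDevopsPAT` is the only disabled rule missing the `// TODO (zrice) needs keyword` marker its siblings carry, although `access_token` is an obvious candidate for it. Commenting out roughly three hundred lines also takes that code out of `gofmt`/`go vet` coverage, so it will silently drift from helpers like `generateUniqueTokenRegex` until someone re-enables it.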

+ 1 - 1
cmd/generate/config/rules/config.tmpl

@@ -14,7 +14,7 @@ title = "gitleaks config"
 description = "global allow lists"
 paths = [
     '''gitleaks.toml''',
-    '''(.*?)(jpg|gif|doc|docx|zip|xls|pdf|bin|svg|socket)$''',
+    '''(.*?)(jpg|gif|doc|docx|zip|xls|pdf|bin|svg|socket|vsidx|v2|suo|wsuo|.dll|pdb|exe)$''',
     '''(go.mod|go.sum)$''',
     '''gradle.lockfile''',
     '''node_modules''',
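Review bot: The extended `paths` allowlist entry is not anchored on a dot, so the new `v2`, `suo`, `exe` and `pdb` alternatives exclude any path that merely ends in those letters (a `deploy_v2` script or a directory named `exe` would be skipped from scanning entirely), and `.dll` is inconsistent with the other entries since its unescaped `.` matches any character. Because this list removes files from scanning, an over-broad match is a silent loss of detection coverage; `'''(.*?)\.(jpg|gif|doc|docx|zip|xls|pdf|bin|svg|socket|vsidx|v2|suo|wsuo|dll|pdb|exe)$'''` keeps the intent while requiring an actual extension. The pre-existing alternatives had the same looseness, which this commit does not address.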

+ 1 - 172
config/gitleaks.toml

@@ -154,177 +154,6 @@ keywords = [
     "mii",
 ]
 
-[[rules]]
-description = "CSCAN0240 - Found Azure Devops personal access token in source file."
-id = "azure-devops-pat"
-regex = '''(?i)\b((access_token).*?['="][a-zA-Z0-9/+]{10,99}['"])(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0200 - Found Azure DevDiv TFVC repo secrets."
-id = "azure-devtfvc-secrets"
-regex = '''(?i)\b(enc_username=.+[\n\r\s]+enc_password=.{3,})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0160 - Found Azure domain credential in source file."
-id = "azure-network-credential"
-regex = '''(?i)\b(NetworkCredential\((\s*).*,(\s*).*,(\s*)(corp|europe|middleeast|northamerica|southpacific|southamerica|fareast|africa|redmond|exchange|extranet|partners|extranettest|parttest|noe|ntdev|ntwksta|sys-wingroup|windeploy|wingroup|winse|segroup|xcorp|xrep|phx|gme|usme|cdocidm|mslpa)\))(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0160 - Found Azure domain credential in source file."
-id = "azure-network-credential-dotnet"
-regex = '''(?i)\b(new-object\s*System.Net.NetworkCredential\(.*?,\s*['"][^"]+['"])(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0160 - Found Azure domain credential in source file."
-id = "azure-network-credential-schtasks"
-regex = '''(?i)\b(schtasks.*/ru\s(corp|europe|middleeast|northamerica|southpacific|southamerica|fareast|africa|redmond|exchange|extranet|partners|extranettest|parttest|noe|ntdev|ntwksta|sys\-wingroup|windeploy|wingroup|winse|segroup|xcorp|xrep|phx|gme|usme|cdocidm|mslpa).*/rp.*)(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file."
-id = "azure-password-addkey"
-regex = '''(?i)\b([<add].*([key](s|[0-9])?|(credential)s?|(secret)(s|S|[0-9])?|[password|token|key](primary|secondary|orsas|sas|encrypted))['"]\s*value\s*=['"].*['"])(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file."
-id = "azure-password-connstring"
-regex = '''(?i)\b((connectionstring|connstring)[^=]*?=["'][^"']*?(password)=[^\$\s;][^"'\s]*?(;|['"]))(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file."
-id = "azure-password-machinekey"
-regex = '''(?i)\b((decryptionKey\s*\=\s*['"].*['"]|validationKey\s*\=\s*['"].*['"]))(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file."
-id = "azure-password-uidpw"
-regex = '''(?i)\b(((user) ?(id|name)|uid)=.{2,128}?\s*?;\s*?((password|(pwd))=[^'$%@'";\[\{][^;"']{2,350}?(;|"|')))(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file."
-id = "azure-password-value-string"
-regex = '''(?i)\b(value\s?=\s?['"]((([A-Za-z0-9+/]){4}){1,200})==['"])(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0030, CSCAN0090, CSCAN0150 - Found Azure storage credential in source code file."
-id = "azure-storage-credential-43char"
-regex = '''(?i)\b([a-zA-Z0-9/+]{43}=[^{@\d%])(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0030, CSCAN0090, CSCAN0150 - Found Azure storage credential in source code file."
-id = "azure-storage-credential-86char"
-regex = '''(?i)\b([ \t]{0,10}[a-zA-Z0-9/+]{86}==)(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0030 - Found Azure storage credential in source code file."
-id = "azure-storage-credential-accountkey"
-regex = '''(?i)\b(AccountKey\s*=\s*MII[a-zA-Z0-9/+]{43,}?={0,2})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0110 - Found Azure storage credential in source code file."
-id = "azure-storage-credential-bloburl"
-regex = '''(?i)\b((?i)https://[a-zA-Z0-9-]+.blob.core.windows.net/.*?sig=[a-zA-Z0-9%]{30,})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0130 - Found Azure storage credential in MonitoringAgent config file."
-id = "azure-storage-credential-monikerkey"
-regex = '''(?i)\b(Account moniker\s?=.*key\s?=.*)(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0100 - Found Azure storage credential in source code file."
-id = "azure-storage-credential-servicebus"
-regex = '''(?i)\b([<ServiceBusAccountInfo].*SharedAccessKey\s*=\s*[a-zA-Z0-9/+]{10,}['"])(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0030, CSCAN0090, CSCAN0150 - Found Azure storage credential in source code file."
-id = "azure-storage-credential-sig53"
-regex = '''(?i)\b(((sig|sas|password)=|>)[a-zA-Z0-9%]{43,53}%3d[^{a-zA-Z0-9%])(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0030 - Found Azure storage credential in source code file."
-id = "azure-storage-credential-useridpw"
-regex = '''(?i)\b(((user) ?(id|name)|uid)=.{2,128}?\s*?;\s*?((password)|(pwd))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|'))(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
-[[rules]]
-description = "CSCAN0100 - Found Azure storage credential in source code file."
-id = "azure-storage-credential-xstore"
-regex = '''(?i)\b([<XstoreAccountInfo].*accountSharedKey\s*=\s*['"].*['"])(?:['|\"|\n|\r|\s|\x60|;]|$)'''
-secretGroup = 1
-keywords = [
-    
-]
-
 [[rules]]
 description = "Beamer API token"
 id = "beamer-api-token"
@@ -2566,7 +2395,7 @@ id = "openai-api-key"
 regex = '''(?i)\b(sk-[a-zA-Z0-9]{20}T3BlbkFJ[a-zA-Z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
 secretGroup = 1
 keywords = [
-    "sk-","t3blbkfj",
+    "t3blbkfj",
 ]
 
 [[rules]]