feat: general fp tweaks (#1703)

cmd/generate/config/base/config.go

@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	regexp "github.com/wasilibs/go-re2"
+
 	"github.com/zricethezav/gitleaks/v8/config"
 )
 
@@ -80,7 +81,7 @@ func CreateGlobalConfig() config.Config {
 				regexp.MustCompile(`(^|/)(npm-shrinkwrap\.json|package-lock\.json|pnpm-lock\.yaml|yarn\.lock)$`),
 				regexp.MustCompile(`(^|/)bower_components(/.*)?$`),
 				// TODO: Add more common static assets, such as swagger-ui.
-				regexp.MustCompile(`(^|/)(angular|jquery(-?ui)?|plotly|swagger-?ui)[a-zA-Z0-9.-]*(\.min)?\.js(\.map)?$`),
+				regexp.MustCompile(`(^|/)(angular|bootstrap|jquery(-?ui)?|plotly|swagger-?ui)[a-zA-Z0-9.-]*(\.min)?\.js(\.map)?$`),
 
 				// ----------- Python files -----------
 				// Dependencies and lock files.

cmd/generate/config/base/config_test.go

@@ -91,6 +91,7 @@ func TestConfigAllowlistPaths(t *testing.T) {
 	}{
 		"javascript - common static assets": {
 			invalid: []string{
+				`tests/e2e/nuget/wwwroot/lib/bootstrap/dist/js/bootstrap.esm.min.js`,
 				`src/main/static/lib/angular.1.2.16.min.js`,
 				`src/main/resources/static/jquery-ui-1.12.1/jquery-ui-min.js`,
 				`src/main/resources/static/js/jquery-ui-1.10.4.min.js`,

cmd/generate/config/rules/dynatrace.go

@@ -16,7 +16,7 @@ func Dynatrace() *config.Rule {
 		Description: "Detected a Dynatrace API token, potentially risking application performance monitoring and data exposure.",
 		Regex:       regexp.MustCompile(`dt0c01\.(?i)[a-z0-9]{24}\.[a-z0-9]{64}`),
 		Entropy:     4,
-		Keywords:    []string{"dt0c01"},
+		Keywords:    []string{"dt0c01."},
 	}
 
 	// validate

cmd/generate/config/rules/generic.go

@@ -67,7 +67,9 @@ func GenericCredential() *config.Rule {
 						`|(credentials?[_.-]?id|withCredentials)` + // Jenkins plugins
 						// Key
 						`|(bucket|foreign|hot|natural|primary|schema|sequence)[_.-]?key` +
-						`|key[_.-]?(alias|board|code|ring|selector|size|stone|storetype|word|up|down|left|right)` +
+						`|key[_.-]?(alias|board|code|id|name|ring|selector|size|stone|storetype|word|up|down|left|right)` +
+						// Azure KeyVault
+						`|key[_.-]?vault[_.-]?(id|name)|keyVaultToStoreSecrets` +
 						`|key(store|tab)[_.-]?(file|path)` +
 						`|issuerkeyhash` + // part of ssl cert
 						`|(?-i:[DdMm]onkey|[DM]ONKEY)|keying` + // common words containing "key"
@@ -76,6 +78,7 @@ func GenericCredential() *config.Rule {
 						`|UserSecretsId` + // https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-8.0&tabs=linux
 
 						// Token
+						`|(io\.jsonwebtoken[ \t]?:[ \t]?[\w-]+)` + // Maven library coordinats. (e.g., https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt)
 
 						// General
 						`|(api|credentials|token)[_.-]?(endpoint|ur[il])` +
@@ -83,7 +86,9 @@ func GenericCredential() *config.Rule {
 						`|(key|token)[_.-]?file` +
 						`)`),
 				},
-				StopWords: DefaultStopWords,
+				StopWords: append(DefaultStopWords,
+					"6fe4476ee5a1832882e326b506d14126", // https://github.com/yarnpkg/berry/issues/6201
+				),
 			},
 		},
 	}
@@ -116,8 +121,9 @@ func GenericCredential() *config.Rule {
 		`todo_secret_do_not_commit = `+newPlausibleSecret(`[a-zA-Z0-9]{30}`),
 
 		// Token
-		utils.GenerateSampleSecret("generic", "CLOJARS_34bf0e88955ff5a1c328d6a7491acc4f48e865a7b8dd4d70a70749037443"), //gitleaks:allow
-		utils.GenerateSampleSecret("generic", "Zf3D0LXCM3EIMbgJpUNnkRtOfOueHznB"),
+		` utils.GetEnvOrDefault("api_token", "dafa7817-e246-48f3-91a7-e87653d587b8")`,
+		//	`"env": {
+		//"API_TOKEN": "Lj2^5O%xi214"`,
 	)
 	fps := []string{
 		// Access
@@ -173,6 +179,11 @@ func GenericCredential() *config.Rule {
 		`	doc.Security.KeySize = PdfEncryptionKeySize.Key128Bit;`,
 		`o.keySelector=n,o.haKey=!1,`,
 		// TODO: Requires line-level allowlists.
+		`                                "key_name": "prod5zyxlmy-cmk",`,
+		`                                "kms_key_id": "555ea4a3-d53a-4412-9c66-3a7cb667b0d6",`,
+		`	"key_vault_name": "web21prqodx24021",`,
+		`  keyVaultToStoreSecrets: cmp2-qat-1208358310`, // e.g., https://github.com/2uasimojo/community-operators-prod/blob/9e51e4c8e0b5caaa3087e8e18e6fb918b2c36643/operators/azure-service-operator/1.0.59040/manifests/azure.microsoft.com_cosmosdbs.yaml#L50
+		`,apiKey:"6fe4476ee5a1832882e326b506d14126",`,
 		// `<add key="SchemaTable" value="G:\SchemaTable.xml" />`,
 		//	`secret:
 		// secretName: app-decryption-secret
@@ -181,7 +192,7 @@ func GenericCredential() *config.Rule {
 		//	  path: app-k8s.yml`,
 
 		// TODO: https://learn.microsoft.com/en-us/windows/apps/design/style/xaml-theme-resources
-		// `<Color x:Key="NormalBrushGradient1">#FFBAE4FF</Color>`,
+		//`<Color x:Key="NormalBrushGradient1">#FFBAE4FF</Color>`,
 
 		// Password
 		`password combination.
@@ -197,10 +208,13 @@ R5: Regulatory--21`,
 		`    access_token_url='https://github.com/login/oauth/access_token',`,
 		`publicToken = "9Cnzj4p4WGeKLs1Pt8QuKUpRKfFLfRYC9AIKjbJTWit"`,
 		`<SourceFile SourceLocation="F:\Extracts\" TokenFile="RTL_INST_CODE.cer">`,
+		`notes            = "Maven - io.jsonwebtoken:jjwt-jackson-0.11.2"`,
 		// TODO: `TOKEN_AUDIENCE = "25872395-ed3a-4703-b647-22ec53f3683c"`,
 
 		// General
 		`clientId = "73082700-1f09-405b-80d0-3131bfd6272d"`,
+		//		`GITHUB_API_KEY=
+		//DYNATRACE_API_KEY=`,
 	}
 	return utils.Validate(r, tps, fps)
 }

config/gitleaks.toml

@@ -40,7 +40,7 @@ paths = [
     '''(^|/)node_modules(/.*)?$''',
     '''(^|/)(npm-shrinkwrap\.json|package-lock\.json|pnpm-lock\.yaml|yarn\.lock)$''',
     '''(^|/)bower_components(/.*)?$''',
-    '''(^|/)(angular|jquery(-?ui)?|plotly|swagger-?ui)[a-zA-Z0-9.-]*(\.min)?\.js(\.map)?$''',
+    '''(^|/)(angular|bootstrap|jquery(-?ui)?|plotly|swagger-?ui)[a-zA-Z0-9.-]*(\.min)?\.js(\.map)?$''',
     '''(^|/)(Pipfile|poetry)\.lock$''',
     '''(?i)/?(v?env|virtualenv)/lib(64)?(/.*)?$''',
     '''(?i)(^|/)(lib(64)?/python[23](\.\d{1,2})+|python/[23](\.\d{1,2})+/lib(64)?)(/.*)?$''',
@@ -399,7 +399,7 @@ id = "dynatrace-api-token"
 description = "Detected a Dynatrace API token, potentially risking application performance monitoring and data exposure."
 regex = '''dt0c01\.(?i)[a-z0-9]{24}\.[a-z0-9]{64}'''
 entropy = 4
-keywords = ["dt0c01"]
+keywords = ["dt0c01."]
 
 [[rules]]
 id = "easypost-api-token"
@@ -576,7 +576,7 @@ regexes = [
 [[rules.allowlists]]
 regexTarget = "match"
 regexes = [
-    '''(?i)(accessor|access[_.-]?id|api[_.-]?(version|id)|rapid|capital|[a-z0-9-]*?api[a-z0-9-]*?:jar:|author|X-MS-Exchange-Organization-Auth|Authentication-Results|(credentials?[_.-]?id|withCredentials)|(bucket|foreign|hot|natural|primary|schema|sequence)[_.-]?key|key[_.-]?(alias|board|code|ring|selector|size|stone|storetype|word|up|down|left|right)|key(store|tab)[_.-]?(file|path)|issuerkeyhash|(?-i:[DdMm]onkey|[DM]ONKEY)|keying|(secret)[_.-]?name|UserSecretsId|(api|credentials|token)[_.-]?(endpoint|ur[il])|public[_.-]?(key|token)|(key|token)[_.-]?file)''',
+    '''(?i)(accessor|access[_.-]?id|api[_.-]?(version|id)|rapid|capital|[a-z0-9-]*?api[a-z0-9-]*?:jar:|author|X-MS-Exchange-Organization-Auth|Authentication-Results|(credentials?[_.-]?id|withCredentials)|(bucket|foreign|hot|natural|primary|schema|sequence)[_.-]?key|key[_.-]?(alias|board|code|id|name|ring|selector|size|stone|storetype|word|up|down|left|right)|key[_.-]?vault[_.-]?(id|name)|keyVaultToStoreSecrets|key(store|tab)[_.-]?(file|path)|issuerkeyhash|(?-i:[DdMm]onkey|[DM]ONKEY)|keying|(secret)[_.-]?name|UserSecretsId|(io\.jsonwebtoken[ \t]?:[ \t]?[\w-]+)|(api|credentials|token)[_.-]?(endpoint|ur[il])|public[_.-]?(key|token)|(key|token)[_.-]?file)''',
 ]
 stopwords = [
     "000000",
@@ -2055,6 +2055,7 @@ stopwords = [
     "zsh-",
     "zsh.",
     "zsh_",
+    "6fe4476ee5a1832882e326b506d14126",
 ]
 
 [[rules]]