
refactor(generic-api-key): remove hard-coded 'magic' (#1600)

Richard Gomez пре 1 година
родитељ
комит
c4526b2c55
4 измењених фајлова са 11 додато и 23 уклоњено
  1. 7 0
      cmd/generate/config/rules/generic.go
  2. 4 0
      config/gitleaks.toml
  3. 0 12
      detect/detect.go
  4. 0 11
      detect/utils.go

+ 7 - 0
cmd/generate/config/rules/generic.go

@@ -39,6 +39,13 @@ func GenericCredential() *config.Rule {
 		},
 		Entropy: 3.5,
 		Allowlists: []config.Allowlist{
+			{
+				// NOTE: this is a goofy hack to get around the fact there golang's regex engine does not support positive lookaheads.
+				// Ideally we would want to ensure the secret contains both numbers and alphabetical characters, not just alphabetical characters.
+				Regexes: []*regexp.Regexp{
+					regexp.MustCompile(`^[a-zA-Z_.-]+$`),
+				},
+			},
 			{
 				Description:    "Allowlist for Generic API Keys",
 				MatchCondition: config.AllowlistMatchOr,
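Review bot: The new allowlist entry (the block opening at `{` right after `Allowlists:`) has no `Description`, unlike the sibling entry below it that carries `"Allowlist for Generic API Keys"`, so a finding suppressed by it cannot be told apart from any other allowlist hit in logs or the generated config; add `Description: "Skip secrets made only of letters, '_', '.' and '-'",` before `Regexes`. The replacement is also looser than the digit check removed from detect.go: `^[a-zA-Z_.-]+$` only suppresses secrets composed entirely of those characters, so a secret containing e.g. `+`, `/` or `=` but no digit now survives where it previously would have been dropped — if that is intended, the comment should say so rather than describing the goal as "contains both numbers and alphabetical characters". A tighter comment would be `// Go's regexp has no lookahead, so instead of requiring a digit we allow-list secrets that contain only letters, '_', '.' and '-'; anything else (digits or symbols) is kept.` The entry sets no `RegexTarget`, so it relies on the allowlist default (presumably the secret rather than the whole match); stating that explicitly would make the intent clear. GenericCredential's body begins before this hunk.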

+ 4 - 0
config/gitleaks.toml

@@ -551,6 +551,10 @@ keywords = [
     "token",
 ]
 [[rules.allowlists]]
+regexes = [
+    '''^[a-zA-Z_.-]+$''',
+]
+[[rules.allowlists]]
 regexTarget = "match"
 regexes = [
     '''(?i)(accessor|access[_.-]?id|api[_.-]?(version|id)|rapid|capital|[a-z0-9-]*?api[a-z0-9-]*?:jar:|author|X-MS-Exchange-Organization-Auth|Authentication-Results|(credentials?[_.-]?id|withCredentials)|(bucket|foreign|hot|natural|primary|schema|sequence)[_.-]?key|key[_.-]?(alias|board|code|ring|selector|size|stone|storetype|word|up|down|left|right)|key(store|tab)[_.-]?(file|path)|issuerkeyhash|(?-i:[DdMm]onkey|[DM]ONKEY)|keying|(secret)[_.-]?name|UserSecretsId|(api|credentials|token)[_.-]?(endpoint|ur[il])|public[_.-]?(key|token)|(key|token)[_.-]?file)''',

+ 0 - 12
detect/detect.go

@@ -431,18 +431,6 @@ MatchLoop:
 				// entropy is too low, skip this finding
 				continue
 			}
-			// NOTE: this is a goofy hack to get around the fact there golang's regex engine
-			// does not support positive lookaheads. Ideally we would want to add a
-			// restriction on generic rules regex that requires the secret match group
-			// contains both numbers and alphabetical characters, not just alphabetical characters.
-			// What this bit of code does is check if the ruleid is prepended with "generic" and enforces the
-			// secret contains both digits and alphabetical characters.
-			// TODO: this should be replaced with stop words
-			if strings.HasPrefix(r.RuleID, "generic") {
-				if !containsDigit(finding.Secret) {
-					continue
-				}
-			}
 		}
 		// check if the regexTarget is defined in the allowlist "regexes" entry
 		// or if the secret is in the list of stopwords

+ 0 - 11
detect/utils.go

@@ -180,17 +180,6 @@ func printFinding(f report.Finding, noColor bool) {
 	fmt.Println("")
 }
 
-func containsDigit(s string) bool {
-	for _, c := range s {
-		switch c {
-		case '1', '2', '3', '4', '5', '6', '7', '8', '9':
-			return true
-		}
-
-	}
-	return false
-}
-
 func isWhitespace(ch byte) bool {
 	return ch == ' ' || ch == '\t' || ch == '\n' || ch == '\r'
 }