
Add support for GitLab routable tokens (#1656)

* Add support for GitLab routable tokens #1655

This commit adds support for GitLabs routable tokens.

For the specification see:
https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/cells/routable_tokens/#proposal

Issue: https://github.com/gitleaks/gitleaks/issues/1655

* Add support for GitLab routable tokens #1655

This commit increases the entropy threshold.

For the specification see:
https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/cells/routable_tokens/#proposal

Issue: https://github.com/gitleaks/gitleaks/issues/1655

* add word boundary to regex

Co-authored-by: Ben-grmbl <173737458+Ben-grmbl@users.noreply.github.com>

* chore: re-generate gitleaks.toml

Co-authored-by: Ben-grmbl <173737458+Ben-grmbl@users.noreply.github.com>

---------

Co-authored-by: Nicholas Wittstruck <1283061+nwittstruck@users.noreply.github.com>
Co-authored-by: Ben-grmbl <173737458+Ben-grmbl@users.noreply.github.com>
Nicholas 1 год назад
Родитель
Сommit
e393d299bc
3 измененных файлов с 25 добавлено и 0 удалено
  1. 1 0
      cmd/generate/config/main.go
  2. 17 0
      cmd/generate/config/rules/gitlab.go
  3. 7 0
      config/gitleaks.toml

+ 1 - 0
cmd/generate/config/main.go

@@ -109,6 +109,7 @@ func main() {
 		rules.GitlabKubernetesAgentToken(),
 		rules.GitlabOauthAppSecret(),
 		rules.GitlabPat(),
+		rules.GitlabPatRoutable(),
 		rules.GitlabPipelineTriggerToken(),
 		rules.GitlabRunnerRegistrationToken(),
 		rules.GitlabRunnerAuthenticationToken(),

+ 17 - 0
cmd/generate/config/rules/gitlab.go

@@ -115,6 +115,23 @@ func GitlabPat() *config.Rule {
 	return utils.Validate(r, tps, fps)
 }
 
+func GitlabPatRoutable() *config.Rule {
+	r := config.Rule{
+		RuleID:      "gitlab-pat-routable",
+		Description: "Identified a GitLab Personal Access Token (routable), risking unauthorized access to GitLab repositories and codebase exposure.",
+		Regex:       regexp.MustCompile(`\bglpat-[0-9a-zA-Z_-]{27,300}\.[0-9a-z]{2}[0-9a-z]{7}\b`),
+		Entropy:     4,
+		Keywords:    []string{"glpat-"},
+	}
+
+	// validate
+	tps := utils.GenerateSampleSecrets("gitlab", "glpat-"+secrets.NewSecret(utils.AlphaNumeric("27"))+"."+secrets.NewSecret(utils.AlphaNumeric("2"))+secrets.NewSecret(utils.AlphaNumeric("7")))
+	fps := []string{
+		"glpat-xxxxxxxx-xxxxxxxxxxxxxxxxxx.xxxxxxxxx",
+	}
+	return utils.Validate(r, tps, fps)
+}
+
 func GitlabPipelineTriggerToken() *config.Rule {
 	r := config.Rule{
 		RuleID:      "gitlab-ptt",

+ 7 - 0
config/gitleaks.toml

@@ -2141,6 +2141,13 @@ regex = '''glpat-[\w-]{20}'''
 entropy = 3
 keywords = ["glpat-"]
 
+[[rules]]
+id = "gitlab-pat-routable"
+description = "Identified a GitLab Personal Access Token (routable), risking unauthorized access to GitLab repositories and codebase exposure."
+regex = '''\bglpat-[0-9a-zA-Z_-]{27,300}\.[0-9a-z]{2}[0-9a-z]{7}\b'''
+entropy = 4
+keywords = ["glpat-"]
+
 [[rules]]
 id = "gitlab-ptt"
 description = "Found a GitLab Pipeline Trigger Token, potentially compromising continuous integration workflows and project security."