
feat: add settlemint api keys detection (#1663)

* feat: add settlemint api keys detection

* fix regex creation

* use GenerateUniqueTokenRegex

* trigger ci

* ensure tokens have min length of 12

* ensure to set minLength on settlemint token pattern

* set base entropy for settlemint detectors

* update settlemint token regexes to be more precise
Bert Coppens 1 год назад
Родитель
Сommit
f6966057f5
3 измененных файлов с 94 добавлено и 0 удалено
  1. 3 0
      cmd/generate/config/main.go
  2. 70 0
      cmd/generate/config/rules/settlemint.go
  3. 21 0
      config/gitleaks.toml

+ 3 - 0
cmd/generate/config/main.go

@@ -185,6 +185,9 @@ func main() {
 		rules.SentryAccessToken(),
 		rules.SentryOrgToken(),
 		rules.SentryUserToken(),
+		rules.SettlemintApplicationAccessToken(),
+		rules.SettlemintPersonalAccessToken(),
+		rules.SettlemintServiceAccessToken(),
 		rules.ShippoAPIToken(),
 		rules.ShopifyAccessToken(),
 		rules.ShopifyCustomAccessToken(),

+ 70 - 0
cmd/generate/config/rules/settlemint.go

@@ -0,0 +1,70 @@
+package rules
+
+import (
+	"github.com/zricethezav/gitleaks/v8/cmd/generate/config/utils"
+	"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
+	"github.com/zricethezav/gitleaks/v8/config"
+)
+
+func SettlemintPersonalAccessToken() *config.Rule {
+	// define rule
+	r := config.Rule{
+		Description: "Found a Settlemint Personal Access Token.",
+		RuleID:      "settlemint-personal-access-token",
+		Regex:       utils.GenerateUniqueTokenRegex(`sm_pat_[a-zA-Z0-9]{16}`, false),
+		Entropy:     3,
+		Keywords: []string{
+			"sm_pat",
+		},
+	}
+
+	// validate
+	tps := utils.GenerateSampleSecrets("settlemintToken", "sm_pat_"+secrets.NewSecret(utils.AlphaNumeric("16")))
+	fps := []string{
+		"nonMatchingToken := \"" + secrets.NewSecret(utils.AlphaNumeric("16")) + "\"",
+		"nonMatchingToken := \"sm_pat_" + secrets.NewSecret(utils.AlphaNumeric("10")) + "\"",
+	}
+	return utils.Validate(r, tps, fps)
+}
+
+func SettlemintApplicationAccessToken() *config.Rule {
+	// define rule
+	r := config.Rule{
+		Description: "Found a Settlemint Application Access Token.",
+		RuleID:      "settlemint-application-access-token",
+		Regex:       utils.GenerateUniqueTokenRegex(`sm_aat_[a-zA-Z0-9]{16}`, false),
+		Entropy:     3,
+		Keywords: []string{
+			"sm_aat",
+		},
+	}
+
+	// validate
+	tps := utils.GenerateSampleSecrets("settlemintToken", "sm_aat_"+secrets.NewSecret(utils.AlphaNumeric("16")))
+	fps := []string{
+		"nonMatchingToken := \"" + secrets.NewSecret(utils.AlphaNumeric("16")) + "\"",
+		"nonMatchingToken := \"sm_aat_" + secrets.NewSecret(utils.AlphaNumeric("10")) + "\"",
+	}
+	return utils.Validate(r, tps, fps)
+}
+
+func SettlemintServiceAccessToken() *config.Rule {
+	// define rule
+	r := config.Rule{
+		Description: "Found a Settlemint Service Access Token.",
+		RuleID:      "settlemint-service-access-token",
+		Regex:       utils.GenerateUniqueTokenRegex(`sm_sat_[a-zA-Z0-9]{16}`, false),
+		Entropy:     3,
+		Keywords: []string{
+			"sm_sat",
+		},
+	}
+
+	// validate
+	tps := utils.GenerateSampleSecrets("settlemintToken", "sm_sat_"+secrets.NewSecret(utils.AlphaNumeric("16")))
+	fps := []string{
+		"nonMatchingToken := \"" + secrets.NewSecret(utils.AlphaNumeric("16")) + "\"",
+		"nonMatchingToken := \"sm_sat_" + secrets.NewSecret(utils.AlphaNumeric("10")) + "\"",
+	}
+	return utils.Validate(r, tps, fps)
+}
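Review bot: The three constructors in this hunk are byte-for-byte the same apart from the prefix, rule ID and description, so the regex shape, entropy threshold and negative samples are now maintained in three places; the commit history itself shows the token pattern being retuned more than once, and every such retune has to be repeated three times. An unexported helper taking the prefix, ID and description keeps those parts in one place, and each exported function then gets the doc comment Go convention asks for (`// SettlemintPersonalAccessToken returns the rule for Settlemint personal access tokens (sm_pat_...).`). Separately, the `{16}` in each regex fixes the token body to exactly 16 characters and the generated pattern requires a delimiter or end of input right after it, so a token whose body is longer would not match; I cannot verify the vendor's actual token length from here, so it is worth confirming that 16 is fixed rather than a minimum.

```go
// settlemintToken builds one Settlemint access-token rule; the three token
// kinds differ only in prefix, rule ID and description.
func settlemintToken(prefix, ruleID, description string) *config.Rule {
	r := config.Rule{
		Description: description,
		RuleID:      ruleID,
		Regex:       utils.GenerateUniqueTokenRegex(prefix+`_[a-zA-Z0-9]{16}`, false),
		Entropy:     3,
		Keywords:    []string{prefix},
	}
	tps := utils.GenerateSampleSecrets("settlemintToken", prefix+"_"+secrets.NewSecret(utils.AlphaNumeric("16")))
	fps := []string{
		"nonMatchingToken := \"" + secrets.NewSecret(utils.AlphaNumeric("16")) + "\"",
		"nonMatchingToken := \"" + prefix + "_" + secrets.NewSecret(utils.AlphaNumeric("10")) + "\"",
	}
	return utils.Validate(r, tps, fps)
}

// SettlemintPersonalAccessToken returns the rule for Settlemint personal access tokens (sm_pat_...).
func SettlemintPersonalAccessToken() *config.Rule {
	return settlemintToken("sm_pat", "settlemint-personal-access-token", "Found a Settlemint Personal Access Token.")
}

// … SettlemintApplicationAccessToken and SettlemintServiceAccessToken: same one-line delegation with "sm_aat" / "sm_sat" …
```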

+ 21 - 0
config/gitleaks.toml

@@ -2743,6 +2743,27 @@ regex = '''\b(sntryu_[a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
 entropy = 3.5
 keywords = ["sntryu_"]
 
+[[rules]]
+id = "settlemint-application-access-token"
+description = "Found a Settlemint Application Access Token."
+regex = '''\b(sm_aat_[a-zA-Z0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+entropy = 3
+keywords = ["sm_aat"]
+
+[[rules]]
+id = "settlemint-personal-access-token"
+description = "Found a Settlemint Personal Access Token."
+regex = '''\b(sm_pat_[a-zA-Z0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+entropy = 3
+keywords = ["sm_pat"]
+
+[[rules]]
+id = "settlemint-service-access-token"
+description = "Found a Settlemint Service Access Token."
+regex = '''\b(sm_sat_[a-zA-Z0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+entropy = 3
+keywords = ["sm_sat"]
+
 [[rules]]
 id = "shippo-api-token"
 description = "Discovered a Shippo API token, potentially compromising shipping services and customer order data."