zhongwei/gh-agentsecops-secopsagentkit

Fork 0

Files

Zhongwei Li ff1f4bd119 Initial commit

2025-11-29 17:51:02 +08:00

9.3 KiB

Raw Permalink Blame History

Gitleaks Detection Rules Reference

Comprehensive reference of built-in Gitleaks detection rules with CWE mappings and remediation guidance.

Cloud Provider Credentials
Version Control Systems
API Keys and Tokens
Database Credentials
Private Keys
Generic Patterns

Cloud Provider Credentials

AWS Access Key ID

Rule ID: aws-access-token
Pattern: AKIA[0-9A-Z]{16}
CWE: CWE-798 (Use of Hard-coded Credentials)
Severity: HIGH
Description: AWS Access Key ID for programmatic access
Remediation: Rotate via AWS IAM console, use AWS Secrets Manager or IAM roles

AWS Secret Access Key

Rule ID: aws-secret-key
Pattern: (?i)aws(.{0,20})?[\'\"][0-9a-zA-Z\/+]{40}[\'\"]
CWE: CWE-798
Severity: CRITICAL
Description: AWS Secret Access Key paired with Access Key ID
Remediation: Immediate rotation required, review CloudTrail logs for unauthorized access

GCP API Key

Rule ID: gcp-api-key
Pattern: AIza[0-9A-Za-z\\-_]{35}
CWE: CWE-798
Severity: HIGH
Description: Google Cloud Platform API key
Remediation: Delete and regenerate in GCP Console, review API usage logs

GCP Service Account

Rule ID: gcp-service-account
Pattern: \"type\": \"service_account\"
CWE: CWE-798
Severity: CRITICAL
Description: GCP service account JSON key file
Remediation: Delete service account key, use Workload Identity where possible

Azure Storage Account Key

Rule ID: azure-storage-key
Pattern: (?i)azure.*[\'\"][0-9a-zA-Z\/+]{88}[\'\"]
CWE: CWE-798
Severity: CRITICAL
Description: Azure Storage Account access key
Remediation: Regenerate keys in Azure Portal, use Azure Key Vault

Digital Ocean Token

Rule ID: digitalocean-token
Pattern: dop_v1_[a-f0-9]{64}
CWE: CWE-798
Severity: HIGH
Description: Digital Ocean personal access token
Remediation: Revoke token in Digital Ocean console, create new token

Version Control Systems

GitHub Personal Access Token

Rule ID: github-pat
Pattern: ghp_[0-9a-zA-Z]{36}
CWE: CWE-798
Severity: HIGH
Description: GitHub personal access token (classic)
Remediation: Revoke in GitHub Settings > Developer settings, review audit log

GitHub OAuth Token

Rule ID: github-oauth
Pattern: gho_[0-9a-zA-Z]{36}
CWE: CWE-798
Severity: HIGH
Description: GitHub OAuth access token
Remediation: Revoke OAuth app authorization, regenerate token

GitHub Fine-Grained Token

Rule ID: github-fine-grained-pat
Pattern: github_pat_[0-9a-zA-Z]{22}_[0-9a-zA-Z]{59}
CWE: CWE-798
Severity: HIGH
Description: GitHub fine-grained personal access token
Remediation: Revoke in GitHub Settings, review resource access scope

GitLab Personal Access Token

Rule ID: gitlab-pat
Pattern: glpat-[0-9a-zA-Z\\-_]{20}
CWE: CWE-798
Severity: HIGH
Description: GitLab personal access token
Remediation: Revoke in GitLab User Settings > Access Tokens

Bitbucket App Password

Rule ID: bitbucket-app-password
Pattern: (?i)bitbucket.*[\'\"][0-9a-zA-Z]{16}[\'\"]
CWE: CWE-798
Severity: HIGH
Description: Bitbucket app-specific password
Remediation: Revoke in Bitbucket Personal Settings > App passwords

API Keys and Tokens

Stripe API Key

Rule ID: stripe-api-key
Pattern: (?i)(sk|pk)_(test|live)_[0-9a-zA-Z]{24,}
CWE: CWE-798
Severity: CRITICAL (live), HIGH (test)
Description: Stripe API secret or publishable key
Remediation: Roll keys in Stripe Dashboard, review payment transactions

Twilio API Key

Rule ID: twilio-api-key
Pattern: SK[0-9a-fA-F]{32}
CWE: CWE-798
Severity: HIGH
Description: Twilio API key
Remediation: Delete key in Twilio Console, create new key

SendGrid API Key

Rule ID: sendgrid-api-key
Pattern: SG\\.[0-9A-Za-z\\-_]{22}\\.[0-9A-Za-z\\-_]{43}
CWE: CWE-798
Severity: HIGH
Description: SendGrid API key
Remediation: Delete in SendGrid Settings > API Keys, update applications

Slack Token

Rule ID: slack-token
Pattern: xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,}
CWE: CWE-798
Severity: HIGH
Description: Slack bot, app, or user token
Remediation: Regenerate in Slack App Settings, rotate token

Slack Webhook

Rule ID: slack-webhook
Pattern: https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+
CWE: CWE-798
Severity: MEDIUM
Description: Slack incoming webhook URL
Remediation: Regenerate webhook in Slack App Settings

npm Token

Rule ID: npm-access-token
Pattern: npm_[0-9a-zA-Z]{36}
CWE: CWE-798
Severity: HIGH
Description: npm access token
Remediation: Revoke in npm Account Settings, check package publish history

PyPI Token

Rule ID: pypi-upload-token
Pattern: pypi-AgEIcHlwaS5vcmc[0-9A-Za-z\\-_]{50,}
CWE: CWE-798
Severity: HIGH
Description: PyPI upload token
Remediation: Delete token in PyPI Account Settings, verify package uploads

Database Credentials

PostgreSQL Connection String

Rule ID: postgres-connection-string
Pattern: postgres(ql)?://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9.-]+:[0-9]+/[a-zA-Z0-9_-]+
CWE: CWE-798
Severity: CRITICAL
Description: PostgreSQL database connection string with embedded credentials
Remediation: Change database password, use connection string from environment variables

MySQL Connection String

Rule ID: mysql-connection-string
Pattern: mysql://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9.-]+:[0-9]+/[a-zA-Z0-9_-]+
CWE: CWE-259
Severity: CRITICAL
Description: MySQL database connection string with embedded credentials
Remediation: Rotate database password immediately, review access logs

MongoDB Connection String

Rule ID: mongodb-connection-string
Pattern: mongodb(\+srv)?://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9.-]+
CWE: CWE-798
Severity: CRITICAL
Description: MongoDB connection string with credentials
Remediation: Change MongoDB user password, enable IP whitelisting

Redis URL

Rule ID: redis-url
Pattern: redis://:[a-zA-Z0-9]+@[a-zA-Z0-9.-]+:[0-9]+
CWE: CWE-798
Severity: HIGH
Description: Redis connection URL with password
Remediation: Change Redis password via CONFIG SET, use ACLs

Private Keys

RSA Private Key

Rule ID: rsa-private-key
Pattern: -----BEGIN RSA PRIVATE KEY-----
CWE: CWE-321 (Use of Hard-coded Cryptographic Key)
Severity: CRITICAL
Description: RSA private key in PEM format
Remediation: Generate new key pair, revoke associated certificates, audit access

SSH Private Key

Rule ID: ssh-private-key
Pattern: -----BEGIN (EC|DSA|OPENSSH) PRIVATE KEY-----
CWE: CWE-321
Severity: CRITICAL
Description: SSH private key
Remediation: Remove from authorized_keys on all servers, generate new key

PGP Private Key

Rule ID: pgp-private-key
Pattern: -----BEGIN PGP PRIVATE KEY BLOCK-----
CWE: CWE-321
Severity: CRITICAL
Description: PGP/GPG private key
Remediation: Revoke key on keyservers, generate new key pair

JWT Token

Rule ID: jwt
Pattern: eyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}
CWE: CWE-798
Severity: HIGH
Description: JSON Web Token (may contain sensitive claims)
Remediation: Invalidate token, check token expiration, rotate signing secret

Generic Patterns

Generic API Key

Rule ID: generic-api-key
Pattern: (?i)(api_key|apikey|api-key)[\s]*[=:][\s]*[\'\"]?[a-zA-Z0-9]{32,}[\'\"]?
CWE: CWE-798
Severity: MEDIUM
Description: Generic API key pattern
Remediation: Rotate credential based on service documentation

Generic Secret

Rule ID: generic-secret
Pattern: (?i)(secret|password|passwd|pwd)[\s]*[=:][\s]*[\'\"]?[a-zA-Z0-9!@#$%^&*]{16,}[\'\"]?
CWE: CWE-259
Severity: MEDIUM
Description: Generic secret or password pattern
Remediation: Move to environment variable or secret management system

High Entropy String

Rule ID: high-entropy
Pattern: [a-zA-Z0-9]{32,}
Entropy: 4.5+
CWE: CWE-798
Severity: LOW (requires validation)
Description: High-entropy string that may be a credential
Remediation: Validate if actual secret, rotate if necessary

Usage in Configuration

Add these rule IDs to your .gitleaks.toml allowlist if needed:

[allowlist]
description = "Allow specific rules in test files"
paths = ['''test/''']
rules = ["generic-api-key", "generic-secret"]

CWE Reference

CWE-798: Use of Hard-coded Credentials
CWE-259: Use of Hard-coded Password
CWE-321: Use of Hard-coded Cryptographic Key
CWE-522: Insufficiently Protected Credentials
CWE-257: Storing Passwords in a Recoverable Format

9.3 KiB Raw Permalink Blame History