Merge pull request #3203 from returntocorp/merge-develop-to-release

Merge Develop into Release
semgrep · Oct 28, 2023 · fd372ea · fd372ea
2 parents 4693c84 + 2f8588a
commit fd372ea
Show file tree

Hide file tree

Showing 11 changed files with 20 additions and 18 deletions.
diff --git a/.github/workflows/trigger-pro-benchmark-scan.yaml b/.github/workflows/trigger-pro-benchmark-scan.yaml
@@ -20,5 +20,5 @@ jobs:
           COMP_BRANCH: ${{ github.head_ref }}
           BASE_BRANCH: ${{  github.event.pull_request.base.ref }}
         run: |
-          curl -X POST https://argoworkflows-dev.corp.r2c.dev/api/v1/events/security-research/pro-perf-scan-test -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{\"base_branch\": \"$BASE_BRANCH\", \"comparison_branch\": \"$COMP_BRANCH\", \"rules_repository\": \"$RULES_REPO\"}"
+          curl -X POST https://argoworkflows-dev2.corp.r2c.dev/api/v1/events/security-research/pro-perf-scan-test -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{\"base_branch\": \"$BASE_BRANCH\", \"comparison_branch\": \"$COMP_BRANCH\", \"rules_repository\": \"$RULES_REPO\"}"
 
diff --git a/.github/workflows/trigger-semgrep-scanner-initiate-scan.yaml b/.github/workflows/trigger-semgrep-scanner-initiate-scan.yaml
@@ -56,4 +56,4 @@ jobs:
           github.event_name == 'pull_request' &&
           env.changed_lang_count > 0
         run: |
-          curl -X POST https://argoworkflows-dev.corp.r2c.dev/api/v1/events/security-research/initiate-scan-argo -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{\"branch\" : \"$HEAD_REF\", \"repo\" : \"$REPO_NAME\", \"commit\" : \"$PR_HEAD_SHA\", \"changed_files\" : \"$CHANGED_FILES\" , \"langs\" : \"$CHANGED_LANGS\"}"
+          curl -X POST https://argoworkflows-dev2.corp.r2c.dev/api/v1/events/security-research/initiate-scan-argo -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{\"branch\" : \"$HEAD_REF\", \"repo\" : \"$REPO_NAME\", \"commit\" : \"$PR_HEAD_SHA\", \"changed_files\" : \"$CHANGED_FILES\" , \"langs\" : \"$CHANGED_LANGS\"}"
diff --git a/generic/secrets/gitleaks/age-secret-key.yaml b/generic/secrets/gitleaks/age-secret-key.yaml
@@ -1,6 +1,6 @@
 rules:
 - id: age-secret-key
-  message: A gitleaks age secret key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+  message: A gitleaks age-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
   languages:
     - regex
   severity: INFO

diff --git a/generic/secrets/gitleaks/huggingface-access-token.yaml b/generic/secrets/gitleaks/huggingface-access-token.yaml
@@ -16,7 +16,7 @@ rules:
       owasp:
         - A07:2021 - Identification and Authentication Failures
       references:
-        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
+        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
       source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
       subcategory:
         - vuln

diff --git a/generic/secrets/gitleaks/huggingface-organization-api-token.yaml b/generic/secrets/gitleaks/huggingface-organization-api-token.yaml
@@ -16,7 +16,7 @@ rules:
       owasp:
         - A07:2021 - Identification and Authentication Failures
       references:
-        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
+        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
       source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
       subcategory:
         - vuln

diff --git a/generic/secrets/gitleaks/infracost-api-token.yaml b/generic/secrets/gitleaks/infracost-api-token.yaml
@@ -16,7 +16,7 @@ rules:
       owasp:
         - A07:2021 - Identification and Authentication Failures
       references:
-        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
+        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
       source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
       subcategory:
         - vuln

diff --git a/generic/secrets/gitleaks/jwt-base64.yaml b/generic/secrets/gitleaks/jwt-base64.yaml
@@ -16,7 +16,7 @@ rules:
       owasp:
         - A07:2021 - Identification and Authentication Failures
       references:
-        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
+        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
       source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
       subcategory:
         - vuln

diff --git a/generic/secrets/gitleaks/scalingo-api-token.yaml b/generic/secrets/gitleaks/scalingo-api-token.yaml
@@ -16,7 +16,7 @@ rules:
       owasp:
         - A07:2021 - Identification and Authentication Failures
       references:
-        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
+        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
       source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
       subcategory:
         - vuln

diff --git a/generic/secrets/gitleaks/snyk-api-token.txt b/generic/secrets/gitleaks/snyk-api-token.txt
@@ -1,16 +1,18 @@
 // ruleid: snyk-api-token
 const SNYK_TOKEN = "12345678-ABCD-ABCD-ABCD-1234567890AB"
-// ruleid: snyk-api-token 
-const SNYK_KEY = "12345678-ABCD-ABCD-ABCD-1234567890AB" 
 // ruleid: snyk-api-token
-const SNYK = "12345678-ABCD-ABCD-ABCD-1234567890AB" 
+const SNYK_KEY = "12345678-ABCD-ABCD-ABCD-1234567890AB"
 // ruleid: snyk-api-token
-SNYK = "12345678-ABCD-ABCD-ABCD-1234567890AB" 
+SNYK_TOKEN := "12345678-ABCD-ABCD-ABCD-1234567890AB"
 // ruleid: snyk-api-token
-SNYK_TOKEN := "12345678-ABCD-ABCD-ABCD-1234567890AB" 
+SNYK_TOKEN ::= "12345678-ABCD-ABCD-ABCD-1234567890AB"
 // ruleid: snyk-api-token
-SNYK_TOKEN ::= "12345678-ABCD-ABCD-ABCD-1234567890AB" 
+SNYK_TOKEN :::= "12345678-ABCD-ABCD-ABCD-1234567890AB"
 // ruleid: snyk-api-token
-SNYK_TOKEN :::= "12345678-ABCD-ABCD-ABCD-1234567890AB" 
+SNYK_TOKEN ?= "12345678-ABCD-ABCD-ABCD-1234567890AB"
 // ruleid: snyk-api-token
-SNYK_TOKEN ?= "12345678-ABCD-ABCD-ABCD-1234567890AB"
+SNYK_API_KEY ?= "12345678-ABCD-ABCD-ABCD-1234567890AB"
+// ruleid: snyk-api-token
+SNYK_API_TOKEN = "12345678-ABCD-ABCD-ABCD-1234567890AB"
+// ruleid: snyk-api-token
+SNYK_OAUTH_TOKEN = "12345678-ABCD-ABCD-ABCD-1234567890AB"
diff --git a/generic/secrets/gitleaks/snyk-api-token.yaml b/generic/secrets/gitleaks/snyk-api-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)(?:snyk)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)
+    - pattern-regex: (?i)(?:snyk_token|snyk_key|snyk_api_token|snyk_api_key|snyk_oauth_token)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/stripe-access-token.yaml b/generic/secrets/gitleaks/stripe-access-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)(sk|pk)_(test|live)_[0-9a-z]{10,32}
+    - pattern-regex: (?i)\b((sk|pk)_(test|live)_[0-9a-z]{10,32})(?:['|\"|\n|\r|\s|\x60|;]|$)