From 87fa7c1bcb67e3cab3e0b7794305fd73a0a060b9 Mon Sep 17 00:00:00 2001
From: "Security Research (r2c-argo)"
Date: Fri, 27 Oct 2023 15:26:32 +0000
Subject: [PATCH 1/3] Merge Gitleaks rules 2023-10-27 # 15:26
---
generic/secrets/gitleaks/age-secret-key.yaml | 2 +-
generic/secrets/gitleaks/huggingface-access-token.yaml | 2 +-
.../secrets/gitleaks/huggingface-organization-api-token.yaml | 2 +-
generic/secrets/gitleaks/infracost-api-token.yaml | 2 +-
generic/secrets/gitleaks/jwt-base64.yaml | 2 +-
generic/secrets/gitleaks/scalingo-api-token.yaml | 2 +-
generic/secrets/gitleaks/snyk-api-token.yaml | 2 +-
generic/secrets/gitleaks/stripe-access-token.yaml | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/generic/secrets/gitleaks/age-secret-key.yaml b/generic/secrets/gitleaks/age-secret-key.yaml
index 1805833732..fd32bd955a 100644
--- a/generic/secrets/gitleaks/age-secret-key.yaml
+++ b/generic/secrets/gitleaks/age-secret-key.yaml
@@ -1,6 +1,6 @@
rules: - id: age-secret-key
- message: A gitleaks age secret key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ message: A gitleaks age-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
languages: - regex severity: INFO
diff --git a/generic/secrets/gitleaks/huggingface-access-token.yaml b/generic/secrets/gitleaks/huggingface-access-token.yaml
index be166ecd1a..cf18c503b3 100644
--- a/generic/secrets/gitleaks/huggingface-access-token.yaml
+++ b/generic/secrets/gitleaks/huggingface-access-token.yaml
@@ -16,7 +16,7 @@ rules:
owasp: - A07:2021 - Identification and Authentication Failures
references:
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
subcategory: - vuln
diff --git a/generic/secrets/gitleaks/huggingface-organization-api-token.yaml b/generic/secrets/gitleaks/huggingface-organization-api-token.yaml
index 096a1d1f18..f1d91d9073 100644
--- a/generic/secrets/gitleaks/huggingface-organization-api-token.yaml
+++ b/generic/secrets/gitleaks/huggingface-organization-api-token.yaml
@@ -16,7 +16,7 @@ rules:
owasp: - A07:2021 - Identification and Authentication Failures
references:
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
subcategory: - vuln
diff --git a/generic/secrets/gitleaks/infracost-api-token.yaml b/generic/secrets/gitleaks/infracost-api-token.yaml
index 7ec7e9bcbc..f5575d7734 100644
--- a/generic/secrets/gitleaks/infracost-api-token.yaml
+++ b/generic/secrets/gitleaks/infracost-api-token.yaml
@@ -16,7 +16,7 @@ rules:
owasp: - A07:2021 - Identification and Authentication Failures
references:
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
subcategory: - vuln
diff --git a/generic/secrets/gitleaks/jwt-base64.yaml b/generic/secrets/gitleaks/jwt-base64.yaml
index 0540827185..6dcfda8548 100644
--- a/generic/secrets/gitleaks/jwt-base64.yaml
+++ b/generic/secrets/gitleaks/jwt-base64.yaml
@@ -16,7 +16,7 @@ rules:
owasp: - A07:2021 - Identification and Authentication Failures
references:
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
subcategory: - vuln
diff --git a/generic/secrets/gitleaks/scalingo-api-token.yaml b/generic/secrets/gitleaks/scalingo-api-token.yaml
index 3fda89f944..b5d1c4fe19 100644
--- a/generic/secrets/gitleaks/scalingo-api-token.yaml
+++ b/generic/secrets/gitleaks/scalingo-api-token.yaml
@@ -16,7 +16,7 @@ rules:
owasp: - A07:2021 - Identification and Authentication Failures
references:
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
subcategory: - vuln
diff --git a/generic/secrets/gitleaks/snyk-api-token.yaml b/generic/secrets/gitleaks/snyk-api-token.yaml
index 788ae1b811..71bb2e3fce 100644
--- a/generic/secrets/gitleaks/snyk-api-token.yaml
+++ b/generic/secrets/gitleaks/snyk-api-token.yaml
@@ -23,4 +23,4 @@ rules:
technology: - gitleaks patterns:
- - pattern-regex: (?i)(?:snyk)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)
+ - pattern-regex: (?i)(?:snyk_token|snyk_key|snyk_api_token|snyk_api_key|snyk_oauth_token)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/stripe-access-token.yaml b/generic/secrets/gitleaks/stripe-access-token.yaml
index bf70fe993d..c35c686a48 100644
--- a/generic/secrets/gitleaks/stripe-access-token.yaml
+++ b/generic/secrets/gitleaks/stripe-access-token.yaml
@@ -23,4 +23,4 @@ rules:
technology: - gitleaks patterns:
- - pattern-regex: (?i)(sk|pk)_(test|live)_[0-9a-z]{10,32}
+ - pattern-regex: (?i)\b((sk|pk)_(test|live)_[0-9a-z]{10,32})(?:['|\"|\n|\r|\s|\x60|;]|$)
From b202a82a33a6502932cec560b5c6f39e0391e928 Mon Sep 17 00:00:00 2001
From: LewisArdern
Date: Fri, 27 Oct 2023 16:37:55 +0100
Subject: [PATCH 2/3] fix snyk
---
generic/secrets/gitleaks/snyk-api-token.txt | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/generic/secrets/gitleaks/snyk-api-token.txt b/generic/secrets/gitleaks/snyk-api-token.txt
index 4601397ce7..20a7ba2ede 100644
--- a/generic/secrets/gitleaks/snyk-api-token.txt
+++ b/generic/secrets/gitleaks/snyk-api-token.txt
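Review bot: Every alternative on the new `+ - pattern-regex` line requires a literal underscore after `snyk`, so camelCase or concatenated identifiers such as `snykToken` or `snykApiKey`, which the previous bare `snyk` prefix did catch, are now silent misses; allowing an optional separator, e.g. `(?:snyk_?token|snyk_?key|snyk_?api_?token|snyk_?api_?key|snyk_?oauth_?token)`, keeps the false-positive reduction without dropping those. The change also stops the rule from firing on a bare `SNYK` variable, yet the fixture `snyk-api-token.txt` is not touched in this commit (it is edited in the following patch, by deletion), so nothing asserts the new negative behaviour. The `(?i)` flag on the same line is what makes the fixture's upper-case `ABCD` hex groups match `[0-9a-f]`; worth a comment in the rule since it is easy to "fix" away.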
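Review bot: The terminator `(?:['|\"|\n|\r|\s|\x60|;]|$)` appended on the `+ - pattern-regex` line, combined with the unchanged `[0-9a-z]{10,32}` bound, turns a long key from a partial match into no match: after 32 key characters the next character is another alphanumeric rather than a terminator, and backtracking to fewer characters only lands on more alphanumerics. Current Stripe live and test keys are, as far as I know, considerably longer than 32 characters after the `sk_live_`/`sk_test_` prefix, so those would now go undetected where the old pattern at least fired on their first 32 characters. Raise the upper bound to cover modern key lengths, e.g. `[0-9a-z]{10,99}`, and add a long-key `// ruleid:` case to the rule's fixture; the leading `\b` is fine as is.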
@@ -1,16 +1,18 @@
// ruleid: snyk-api-token
const SNYK_TOKEN = "12345678-ABCD-ABCD-ABCD-1234567890AB"
-// ruleid: snyk-api-token
-const SNYK_KEY = "12345678-ABCD-ABCD-ABCD-1234567890AB"
// ruleid: snyk-api-token
-const SNYK = "12345678-ABCD-ABCD-ABCD-1234567890AB"
+const SNYK_KEY = "12345678-ABCD-ABCD-ABCD-1234567890AB"
// ruleid: snyk-api-token
-SNYK = "12345678-ABCD-ABCD-ABCD-1234567890AB"
+SNYK_TOKEN := "12345678-ABCD-ABCD-ABCD-1234567890AB"
// ruleid: snyk-api-token
-SNYK_TOKEN := "12345678-ABCD-ABCD-ABCD-1234567890AB"
+SNYK_TOKEN ::= "12345678-ABCD-ABCD-ABCD-1234567890AB"
// ruleid: snyk-api-token
-SNYK_TOKEN ::= "12345678-ABCD-ABCD-ABCD-1234567890AB"
+SNYK_TOKEN :::= "12345678-ABCD-ABCD-ABCD-1234567890AB"
// ruleid: snyk-api-token
-SNYK_TOKEN :::= "12345678-ABCD-ABCD-ABCD-1234567890AB"
+SNYK_TOKEN ?= "12345678-ABCD-ABCD-ABCD-1234567890AB"
// ruleid: snyk-api-token
-SNYK_TOKEN ?= "12345678-ABCD-ABCD-ABCD-1234567890AB"
\ No newline at end of file
+SNYK_API_KEY ?= "12345678-ABCD-ABCD-ABCD-1234567890AB"
+// ruleid: snyk-api-token
+SNYK_API_TOKEN = "12345678-ABCD-ABCD-ABCD-1234567890AB"
+// ruleid: snyk-api-token
+SNYK_OAUTH_TOKEN = "12345678-ABCD-ABCD-ABCD-1234567890AB"
\ No newline at end of file
From 2f8588a9c55b1706fb406ae348cf4eee534f3a72 Mon Sep 17 00:00:00 2001
From: Grayson H
Date: Fri, 27 Oct 2023 13:14:17 -0500
Subject: [PATCH 3/3] Update trigger- workflow URLs (#3193)
Co-authored-by: Claudio
---
.github/workflows/trigger-pro-benchmark-scan.yaml | 2 +-
.github/workflows/trigger-semgrep-scanner-initiate-scan.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/trigger-pro-benchmark-scan.yaml b/.github/workflows/trigger-pro-benchmark-scan.yaml
index 73e177f4af..7dd0462414 100644
--- a/.github/workflows/trigger-pro-benchmark-scan.yaml
+++ b/.github/workflows/trigger-pro-benchmark-scan.yaml
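Review bot: After this hunk the fixture holds only `// ruleid:` positives, so the reason for the rule change in the previous patch — a bare `SNYK` identifier no longer matching — is never asserted; instead of deleting `-const SNYK = …` and `-SNYK = …`, keep them annotated `// ok: snyk-api-token` so a later widening of the keyword list is caught. A camelCase positive such as `snykToken` would also document whether that form is meant to be detected, since the current regex requires an underscore. Most of the `-`/`+` pairs here (`SNYK_TOKEN :=` and friends) are the same line shifted by the two deletions, which hides the real intent; appending the three new cases without removing the old ones would give a readable diff. The file still ends without a trailing newline on the new side, which is worth fixing while it is being edited.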
@@ -20,5 +20,5 @@ jobs:
COMP_BRANCH: ${{ github.head_ref }}
BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
run: |
- curl -X POST https://argoworkflows-dev.corp.r2c.dev/api/v1/events/security-research/pro-perf-scan-test -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{\"base_branch\": \"$BASE_BRANCH\", \"comparison_branch\": \"$COMP_BRANCH\", \"rules_repository\": \"$RULES_REPO\"}"
+ curl -X POST https://argoworkflows-dev2.corp.r2c.dev/api/v1/events/security-research/pro-perf-scan-test -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{\"base_branch\": \"$BASE_BRANCH\", \"comparison_branch\": \"$COMP_BRANCH\", \"rules_repository\": \"$RULES_REPO\"}"
diff --git a/.github/workflows/trigger-semgrep-scanner-initiate-scan.yaml b/.github/workflows/trigger-semgrep-scanner-initiate-scan.yaml
index 7960795899..91aff30daa 100644
--- a/.github/workflows/trigger-semgrep-scanner-initiate-scan.yaml
+++ b/.github/workflows/trigger-semgrep-scanner-initiate-scan.yaml
@@ -56,4 +56,4 @@ jobs:
github.event_name == 'pull_request' && env.changed_lang_count > 0
run: |
- curl -X POST https://argoworkflows-dev.corp.r2c.dev/api/v1/events/security-research/initiate-scan-argo -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{\"branch\" : \"$HEAD_REF\", \"repo\" : \"$REPO_NAME\", \"commit\" : \"$PR_HEAD_SHA\", \"changed_files\" : \"$CHANGED_FILES\" , \"langs\" : \"$CHANGED_LANGS\"}"
+ curl -X POST https://argoworkflows-dev2.corp.r2c.dev/api/v1/events/security-research/initiate-scan-argo -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{\"branch\" : \"$HEAD_REF\", \"repo\" : \"$REPO_NAME\", \"commit\" : \"$PR_HEAD_SHA\", \"changed_files\" : \"$CHANGED_FILES\" , \"langs\" : \"$CHANGED_LANGS\"}"
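Review bot: The rewritten `+ curl -X POST https://argoworkflows-dev2…` line, here and in the second hunk for `trigger-semgrep-scanner-initiate-scan.yaml`, runs curl without `--fail`, so an HTTP error from the new host (for example a 401 if `ARGO_WORKFLOWS_TOKEN` is not valid for dev2, or a 404 if the event path differs there) leaves the step green and the scan silently never runs; `curl -sS --fail -X POST …` makes the workflow report it. The secret is also expanded by `${{ secrets.ARGO_WORKFLOWS_TOKEN }}` directly into the script text instead of being passed through `env:` and read as `"$ARGO_WORKFLOWS_TOKEN"`, and the JSON body is built by shell interpolation of `$BASE_BRANCH`/`$COMP_BRANCH` with no escaping, so a branch name containing a double quote yields malformed JSON. Neither point is introduced by this change, but the whole line is being replaced, which is the natural moment to fix them.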