Passwords inside a Postman Collection JSON file are not detected #1248
maksymgendin started this conversation in Ideas
Here's a naive rule that should be able to pick this up:

```toml
# https://www.postmanlabs.com/postman-collection/Collection.html
[[rules]]
id = "postman-collection"
description = ""
regex = '''(?i)"key"\s*:\s*"(?:key|api|token|secret|client|passwd|password|auth|access)"\s*,\s*"value"\s*:\s*"(.+?)",?'''
secretGroup = 1
keywords = ["key", "api", "token", "secret", "client", "passw", "password", "auth", "access"]
path = '''\.postman_collection(\.json)?$'''
[rules.allowlist]
regexes = [
    '''^\{\{[a-zA-Z][a-zA-Z_-]*\}\}$''', # https://learning.postman.com/docs/sending-requests/variables/#variables-quick-start
]
```

For example:

```json
{
    "key": "password",
    "value": "my_secret_password",
    "type": "string"
}
```

```json
{
    "key": "password",
    "value": "my_secret_password"
}
```
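An added example, not part of the original reply: a Python check of the rule's three patterns against a constructed collection fragment. Python's `re` stands in for Go's `regexp`, and it assumes the allowlist regex is applied to the captured secret; `scan` and `SAMPLE` are names made up here.

```python
import re

# Patterns copied from the rule above; Python's re stands in for Go's regexp here.
RULE = re.compile(r'''(?i)"key"\s*:\s*"(?:key|api|token|secret|client|passwd|password|auth|access)"\s*,\s*"value"\s*:\s*"(.+?)",?''')
PATH = re.compile(r'''\.postman_collection(\.json)?$''')
ALLOW = re.compile(r'''^\{\{[a-zA-Z][a-zA-Z_-]*\}\}$''')


def scan(path, text):
    """Return the captured secrets the rule would report for this file.

    Assumption: the allowlist regex is tested against the captured secret
    (group 1), not against the whole match.
    """
    if not PATH.search(path):
        return []  # the rule only applies to *.postman_collection[.json] files
    return [m.group(1) for m in RULE.finditer(text) if not ALLOW.match(m.group(1))]


# Constructed sample, shaped like the auth/variable entries of a collection export.
SAMPLE = '''
{
  "auth": {"type": "basic", "basic": [
    {"key": "password", "value": "my_secret_password", "type": "string"},
    {"key": "username", "value": "alice", "type": "string"}
  ]},
  "variable": [
    {
      "key": "token",
      "value": "{{api_token}}"
    },
    {"key": "x-api-key", "value": "constructed-header-secret"},
    {"value": "constructed-reordered-secret", "key": "secret"}
  ]
}
'''

if __name__ == "__main__":
    for secret in scan("demo.postman_collection.json", SAMPLE):
        print("finding:", secret)
```

Only `my_secret_password` is reported: the `{{api_token}}` placeholder is allowlisted, and the `x-api-key` and value-before-key entries fall outside the pattern, which is the coverage gap to keep in mind when relying on this rule.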
Dear community,
I found out that gitleaks doesn't detect passwords inside a Postman Collection JSON file. The structure is the following:
Any chance that you could build some senseful default rule for that?