Gitleaks misses quite a few Azure rules. #539

Gitleaks is missing quite a few rules for the Microsoft ecosystem, including Visual Studio, Azure and Azure DevOps.

Microsoft used to have a competing product called credscan, but it was recently deprecated in favor of the GitHub Security offerings. I've ported most of the rules from credscan to the gitleaks format and put them in a repo here:

https://github.com/jessehouwing/gitleaks-azure

I'd love to contribute them, but I'm unsure of the process of vetting and approving these rules.

cc @zricethezav

Some features GitLeaks may be missing:

credscan has a few built-in decoders, so you can have it match a specific kind of pattern, say a base64 encoded string of 78 characters, then decode it and check the decoded value matches a regex. This reduces positives on base-64 encoded credentials that don't have an easily recognizable pattern. Without these the ruleset will trigger more false-positives.

Comments

@jessehouwing wow thanks for bringing this up! I definitely would like to add more rules to the default gitleaks configuration. Feel free to open a MR. It looks like you have a good start https://github.com/jessehouwing/gitleaks-azure/blob/main/UDMSecretChecks.toml

There isn't really a process. If you could link to some example credentials or Azure documentation that describes the regexes that would be more than sufficient. I need to add a CONTRIBUTE.md file so it's easier to contribute new rules but for now you can edit https://github.com/zricethezav/gitleaks/blob/master/config/default.go and add the rules there.

I contributed in a project called SpamAssassin before. There I was able to set up what we called a Spam and a Ham corpus of examples to test rules against, many people separated out good code vs bad code and every time the ruleset changed, they'd run the new ruleset and reported any new false positives and false negatives. Would be nice if people could set up a private repo with a GitHub action to give you more confidence over the quality of the rules added through a pull request.

Yups that's the pattern source. There isn't a 1-to-1 mapping, but it's close.

Any update on a possible PR @jessehouwing and @zricethezav. We are going to use gitleaks internally at our company and implemented your rules @jessehouwing. We also started creating a repo that triggers the rules to get findings. We may be able to work something out to push this a little bit. Could we integrate this into the default rule set?

@SebastianSchuetze @jessehouwing if either of you wanted to contribute these rules into the default config I'd be more than happy to review it. Going to pin this issue as it's a relatively easy first issue for newcomers

Hi all, currently working on this in https://github.com/dvasdekis/gitleaks-azure/tree/fix_%23539

Just a small tip @dvasdekis. Can you use the wording AzDO or ADO for abbreviation or the full product name Azure DevOps? VSTS is the old name and is deprecated.

Thanks for reviewing. These specific tokens are VSTS tokens - Azure DevOps tokens have a different format (I believe)

It's the same format. It's the same thing. The "new name" is Azure DevOps and unfortunately, there's no fixed prefix on these tokens to easily detect them.

Hi, this is now ready for review: #1079

@zricethezav the PR is open. Do you need anything to have this approved or checked?

* Initial secret set
* Covered off all rule types in comments
* Finished Azure and Ansible rules
* About to run go run main.go
* Fixed some rules, but tests need work
* Initial secret set for Azure Needs work - many tests fail
* Fix remaining Azure secrets - but couldn't get XML to work
* Update .gitignore

Co-authored-by: Jesse Houwing <jesse.houwing@gmail.com>

Hi guys, I've made a copy of this PR but with keywords included. It's almost completely the same otherwise. Let me know if this helps
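The decode-then-match "decoder" idea from the issue description, together with the spam/ham corpus scoring that the SpamAssassin comment in the thread suggests, as an added Go example. This is not gitleaks or credscan code: the encoded length (44 rather than the 78 mentioned above), the plaintext regex `demo-secret-…`, and the three sample lines are all constructed for the demo and stand in for whatever real token format a rule would target.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
)

// Two-stage check, constructed for this illustration (not gitleaks code).
// Stage one matches only the shape of the encoded value (a base64 run of a
// fixed length); stage two decodes it and requires the plaintext to match a
// second regex. A plain regex rule stops after stage one and therefore flags
// every hash or blob that happens to have the same shape.

const encodedLen = 44 // constructed: 33 plaintext bytes encode to 44 base64 chars, no padding

// Shape regex: any run of base64 alphabet characters; the length is checked separately.
var base64RunRe = regexp.MustCompile(`[A-Za-z0-9+/=]+`)

// Hypothetical plaintext format: a fixed prefix followed by 21 hex digits.
var decodedRe = regexp.MustCompile(`^demo-secret-[0-9a-f]{21}$`)

// Candidates returns the base64 runs in a line whose length matches encodedLen.
func Candidates(line string) []string {
	var out []string
	for _, run := range base64RunRe.FindAllString(line, -1) {
		if len(run) == encodedLen {
			out = append(out, run)
		}
	}
	return out
}

// DecodedMatches decodes a candidate and applies the plaintext regex.
// Anything that is not valid base64 is treated as "not a secret".
func DecodedMatches(candidate string) bool {
	raw, err := base64.StdEncoding.DecodeString(candidate)
	if err != nil {
		return false
	}
	return decodedRe.Match(raw)
}

// Finding records a 1-based line number and the encoded value that passed both stages.
type Finding struct {
	Line   int
	Secret string
}

// Scan runs both stages over every line and keeps only candidates that pass stage two.
func Scan(lines []string) []Finding {
	var findings []Finding
	for i, line := range lines {
		for _, c := range Candidates(line) {
			if DecodedMatches(c) {
				findings = append(findings, Finding{Line: i + 1, Secret: c})
			}
		}
	}
	return findings
}

// Evaluate scores a labelled corpus: expected[i] says whether line i should be
// reported. It returns false positives (reported, not expected) and false
// negatives (expected, not reported), the two numbers a rules regression job tracks.
func Evaluate(lines []string, expected []bool) (falsePos, falseNeg int) {
	reported := make(map[int]bool)
	for _, f := range Scan(lines) {
		reported[f.Line-1] = true
	}
	for i, want := range expected {
		got := reported[i]
		switch {
		case got && !want:
			falsePos++
		case !got && want:
			falseNeg++
		}
	}
	return falsePos, falseNeg
}

// SampleLines builds a constructed three-line corpus: one demo secret, one
// same-shaped value that is not a secret, and one value of the wrong length.
func SampleLines() []string {
	genuine := base64.StdEncoding.EncodeToString([]byte("demo-secret-0123456789abcdef01234"))
	blob := base64.StdEncoding.EncodeToString([]byte("just-a-sha-or-a-blob-not-a-secret"))
	short := base64.StdEncoding.EncodeToString([]byte("demo-secret-short"))
	return []string{
		`storage_key = "` + genuine + `"`, // expected: reported
		`content_hash = "` + blob + `"`,   // expected: candidate, but dropped after decoding
		`token = "` + short + `"`,         // expected: never a candidate
	}
}

// SampleLabels are the expected verdicts for SampleLines, in order.
var SampleLabels = []bool{true, false, false}

func main() {
	lines := SampleLines()
	for _, f := range Scan(lines) {
		fmt.Printf("line %d: %s\n", f.Line, f.Secret)
	}
	fp, fn := Evaluate(lines, SampleLabels)
	fmt.Printf("false positives: %d, false negatives: %d\n", fp, fn)
}
```

The second line of the sample corpus is the case the issue is about: it survives the shape check and would be a false positive under a regex-only rule, and only the decode stage removes it. Evaluate is the piece a private "spam and ham" repository would run on every ruleset change, failing the job when either count rises.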