Generic CLI Secret
The Generic CLI Option Secret detector aims at catching any secret embedded in a CLI command option. In some cases this type of secret is already caught by specific database CLI detectors; in other cases the generic high entropy detector is not sufficient to catch it, because the space character is not considered a valid assignment character. That is to say,
--secret mySup3rs3cret is not matched by the generic high entropy detector.
The Generic CLI Option Secret detector handles this kind of secret.
To avoid raising many false alerts, this detector only considers a fixed list of options that are very likely to be followed by secrets. Here is the exhaustive list of concerned options:
Then the value specified for the option must respect the following rules:
- it must follow this regex:
- it cannot be a file name or a file path.
- values that are common example values for passwords or API keys are discarded.
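The detection pipeline described above (a fixed list of sensitive options, a value shape rule, a file-path exclusion, common-value banlists and an entropy check) as an added Python example. This is illustrative code written for this page, not GitGuardian's detector: the option list, value regex, file-path heuristic, common-password list and entropy threshold are all assumed; only the two banlist entries come from the page. The assignment_style_match helper is there to show why a space-separated option value escapes an assignment-based pattern while the option-aware scanner catches it.

```python
"""Illustrative re-implementation of a "secret in CLI option" detector.

Assumed example, not GitGuardian's code: option list, value regex, path
heuristic, common-password list and entropy threshold are constructed here.
"""
import math
import re
from typing import Optional

# Assumed "sensitive enough" option names (the page's real list is not shown).
SENSITIVE_OPTIONS = {"secret", "password", "passwd", "token", "api-key", "apikey"}

# Assumed value shape: 6..128 printable characters, no whitespace or quotes.
VALUE_RE = re.compile(r"^[^\s\"']{6,128}$")

# Assumed file-name/path heuristic: a path prefix or a short file extension.
FILE_PATH_RE = re.compile(r"^(?:\.{0,2}/|~/|[A-Za-z]:[\\/])|\.[A-Za-z0-9]{1,5}$")

# Constructed common-password list (CommonPasswordBanlistPostValidator idea).
COMMON_PASSWORDS = {"123456", "password", "changeme", "letmein", "qwerty"}
# The two ValueBanlistPostValidator entries shown on the page.
VALUE_BANLIST = [
    re.compile(r"^[A-Z_]+$"),              # uppercase words (placeholders)
    re.compile(r"^dbuser$", re.IGNORECASE),  # considered not sensitive enough
]
MIN_ENTROPY_BITS = 3.0  # assumed threshold for the entropy post-validator

# `--opt value`, `-opt value` and `--opt=value`: a space is a valid separator
# here, unlike in an assignment-style detector. The value may not start with '-'.
OPTION_RE = re.compile(r"(?:^|\s)--?([A-Za-z][\w-]*)(?:=|\s+)(?!-)(\S+)")

# A typical assignment-style pattern: only '=' or ':' joins key and value.
ASSIGNMENT_RE = re.compile(r"([\w-]+)\s*[=:]\s*([^\s\"']{6,})")


def shannon_entropy(value: str) -> float:
    """Shannon entropy of the value in bits per character."""
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum((k / n) * math.log2(k / n) for k in counts.values())


def reject_reason(value: str) -> Optional[str]:
    """Apply the post-validation rules; None means the value is kept."""
    if not VALUE_RE.match(value):
        return "value does not match the expected shape"
    if FILE_PATH_RE.search(value):
        return "looks like a file name or path"
    if value.lower() in COMMON_PASSWORDS:
        return "common example password"
    if any(p.match(value) for p in VALUE_BANLIST):
        return "value banlist"
    if shannon_entropy(value) < MIN_ENTROPY_BITS:
        return "entropy too low"
    return None


def scan_command(command: str) -> list[dict]:
    """Return every option/value pair in `command` that survives all rules."""
    findings = []
    for m in OPTION_RE.finditer(command):
        option, value = m.group(1).lower(), m.group(2)
        if option not in SENSITIVE_OPTIONS:
            continue  # e.g. --secret-sauce: not on the sensitive option list
        if reject_reason(value) is None:
            findings.append({"option": option, "value": value})
    return findings


def assignment_style_match(text: str) -> Optional[str]:
    """What an assignment-only pattern sees: None for `--secret value`."""
    m = ASSIGNMENT_RE.search(text)
    return m.group(2) if m else None


if __name__ == "__main__":
    # Constructed sample commands, including the page's three examples.
    for cmd in [
        "aws secretsmanager create-secret --name testing/secret --secret ImAsEcReTpAsSw0rD",
        "another_command secretsmanager --secret-sauce=ketchup",
        "another_command secretsmanager --secret=123456",
        "tool --password ./creds.txt",
    ]:
        print(cmd, "->", scan_command(cmd))
```

Running the block prints one finding for the first command and none for the other three; the third is dropped by the common-password banlist and the fourth by the path heuristic. Note that reject_reason returns the first failing rule, which is useful when tuning which validator is responsible for a false negative.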
Revoke the secret
This detector catches generic credentials, so GitGuardian cannot infer which service is concerned. To properly revoke the credentials:
- Understand what service is impacted by looking at the command preceding the match.
- Refer to the corresponding documentation to know how to revoke and rotate the credentials.
Examples that WILL be caught
- text: >
    aws secretsmanager create-secret --name testing/secret --secret ImAsEcReTpAsSw0rD
Examples that WILL NOT be caught
- The option is not considered sensitive enough
  - text: >
      another_command secretsmanager --secret-sauce=ketchup
- The password is not considered sensitive.
  - text: >
      another_command secretsmanager --secret=123456
Generic CLI Option Secret
High Recall: False
Validity Check: False
Minimum Number of Matches: 1
Occurrences found for one million commits: 50.1
- type: FilenameBanlistPreValidator
- type: ContentWhitelistPreValidator
- type: CommonPasswordBanlistPostValidator
- type: ValueBanlistPostValidator
  - '^(?-i:[A-Z_]+)$' # Uppercase words
  - dbuser # considered not sensitive enough
- type: EntropyPostValidator
- type: HeuristicPostValidator