
Generic high entropy secret

Description

General

The generic high entropy detector aims to catch any high entropy string assigned to a sensitive variable.
This definition is very broad, so to avoid raising many false alerts GitGuardian applies a range of validation steps and specifications that narrow the perimeter the detector looks at.

Specifications

We refer to an assignment as any statement of the form {assigned_variable} {assignment_token} {value}, for instance my_variable = "HelloWorld".

For this detector, the {assigned_variable} must match one of the following patterns to be considered sensitive, and therefore valid:

  • secret
  • token
  • api[_.-]?key
  • credential
  • auth

Example: secret_id is a valid assigned_variable, since it contains secret.

The {assignment_token} can be one of the following:

  • :
  • =
  • :=
  • =>
  • , (a comma, as in a function argument list)
  • >
  • (
  • <-

Example: a valid assignment could thus be secret_id := {value} or service_credential <- {value}.

Finally, the {value} must be a high entropy string, that is to say it must:

  • Match this regular expression: [a-zA-Z0-9_.+/-][a-zA-Z0-9_.+/=-]{15,1023} (16 to 1024 characters drawn from letters, digits and _ . + / - =)
  • Have a Shannon entropy of at least 3
  • Pass the post validation steps listed under PostValidators below

Example: overall, secret_id := hj65_klhz/trlupok76 is a valid assignment for this detector and will be caught.

Read the next section for more examples.

Revoke the secret

This detector catches generic secrets, so GitGuardian cannot infer which service the secret belongs to. To properly revoke the secret:

  1. Understand what service is impacted.
  2. Refer to the corresponding documentation to know how to revoke and rotate the secret.

Examples

Examples that WILL be caught

- text: |
    api_key = hj65_klhz/trlupok76
  apikey: hj65_klhz/trlupok76
- text: |
    secret_access = hj65_klhz/trlupok76
  apikey: hj65_klhz/trlupok76
- text: |
    o.set("auth", "bsaruceobkoraebisroaecbu89")
  apikey: bsaruceobkoraebisroaecbu89
- text: |
    token := buaroeuboesanubo234reacubrch
  apikey: buaroeuboesanubo234reacubrch
- text: |
    something_token := buaroeuboesanubo234reacubrch
  apikey: buaroeuboesanubo234reacubrch
- text: |
    set_apikey(buaroeuboesanubo234reacubrch)
  apikey: buaroeuboesanubo234reacubrch

Examples that WILL NOT be caught

  • The high entropy string is too short:

    - text: |
        api_key = hj65_klhz/trlu

  • The entropy of the string is not high enough:

    - text: |
        secret = xob1xob1xob1xob1xob1xob1xob1

  • The assigned variable is not considered sensitive:

    - text: |
        object_id = hj65_klhz/trlupok76

  • The high entropy string is not part of an assignment:

    - text: |
        my high entropy api_key    hj65_klhz/trlupok76
    - text: |
        secret = aes.hj65_klhz/trlupok76

Details for Generic high entropy secret

  • High Recall: False

  • Validity Check: False

  • Minimum Number of Matches: 1

  • Occurrences found for one million commits: 10577

  • Prefixed: False

  • PreValidators:
    Here is a list of the validation steps the document must pass before being analyzed.

    - type: FilenameBanlistPreValidator
      banlist_extensions: []
      banlist_filenames:
        - hash
        - list/k.txt$
        - list/plex.txt$
      check_binaries: false
    - type: ContentWhitelistPreValidator
      patterns:
        - (secret|token|api[_.-]?key|credential|auth)
  • PostValidators:
    Here is a list of the validation steps the matched string must pass after being caught.
    post_validators:
      - type: MinimumDigitsPostValidator
        digits: 2
      - type: EntropyPostValidator
        entropy: 3
      - type: ValueBanlistPostValidator
        patterns:
          - ^id[_.-]
          - ^mid[_.-]
          - ^mnp[_.-]
          - ^auth[_.-]
          - ^trnsl[_.-]
          - ^oqs_kem[_.-]
          - ^pos[_.-]
          - ^new[_.-]
          - ^aes[_.-]
          - ^wpa[_.-]
          - ^ec[_.-]
          - ^sec[_.-]
          - ^zte[_.-]
          - ^com\.
          - parentkey
          - auto
          - enrich
          - frontend
          - options
          - layout
          - group
          - field
          - gatsby
          - transform
          - random
          - ^tls[_.-]
          - "12345"
          - "4321"
          - abcd
          - _size$
          - ^pub[_.-]
          - test
          - country
          - "[_.-]length$"
          - template
          - \.get
          - get[_.-]
          - preview
          - alpha
          - beta
          - fake
          - ^-
          - keyring
          - web[_.-]?app
          - ^ds[_.-[token[_.-]
          - ^pk[_.-]
          - ^aizasy
      - type: ContextWindowBanlistPostValidator
        window_width: 25
        patterns:
          - public[_.-]?key
          - hash[_.-]?key
          - token_?address
          - key[_.-]?user
          - key[_.-]?id
          - token[_.-]?id
          - credential[_.-]?id
          - publishable_?key
          - author
          - keyword
          - document_?key
          - sha
          - registry
          - propert(y|ies)
          - client[_.-]?id # alone, this is not a secret
          - secret[_.-]?id # alone, this is not a secret
          - foreign
          - pubkey
          - licensekey
          - \.jpe?g
          - \.png
          - theme
          - playlist
          - hash
          - sha
          - localhost
          - 127\.0\.0.\.1
          - dev
          - test
          - xsrf
          - csrf
          - secret_key_base
          - authenticity_token
      - type: HeuristicPostValidator
        filters:
          - url
          - date
          - file_name
          - number
      - type: DictFilterPostValidator
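The rules from the Specifications section and the post validators above, implemented as an added Python example (not GitGuardian's own code) and run over constructed sample lines taken from the examples on this page. The case-insensitive variable match, the window handling and the small subset of banlist patterns are assumptions.

```python
import math
import re
from collections import Counter

# Added illustration of the detector rules described on this page; not
# GitGuardian's implementation. Only a few of the page's banlist patterns are
# included, and case-insensitive matching of the variable name is an assumption.
SENSITIVE_VAR = re.compile(r"secret|token|api[_.-]?key|credential|auth", re.I)
ASSIGNMENT = re.compile(
    r"""["']?(?P<var>[A-Za-z_][\w.]*)["']?\s*"""
    r"""(?P<op>:=|=>|<-|[:=,>(])\s*["']?"""
    r"(?P<value>[a-zA-Z0-9_.+/-][a-zA-Z0-9_.+/=-]{15,1023})"
)
VALUE_BANLIST = [re.compile(p) for p in (r"^aes[_.-]", r"^id[_.-]", "test", "12345")]
CONTEXT_BANLIST = [re.compile(p) for p in (r"public[_.-]?key", r"token[_.-]?id", "localhost")]
WINDOW = 25  # window_width of the ContextWindowBanlistPostValidator

def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_generic_secret(line: str):
    """Return the first value in `line` that passes every rule, else None."""
    for m in ASSIGNMENT.finditer(line):
        value = m.group("value")
        if not SENSITIVE_VAR.search(m.group("var")):
            continue  # assigned variable is not sensitive
        if shannon_entropy(value) < 3:
            continue  # EntropyPostValidator
        if sum(ch.isdigit() for ch in value) < 2:
            continue  # MinimumDigitsPostValidator
        if any(p.search(value) for p in VALUE_BANLIST):
            continue  # ValueBanlistPostValidator
        start, end = m.start("value"), m.end("value")
        context = line[max(0, start - WINDOW):start] + line[end:end + WINDOW]
        if any(p.search(context) for p in CONTEXT_BANLIST):
            continue  # ContextWindowBanlistPostValidator
        return value
    return None

if __name__ == "__main__":
    # Constructed sample lines: the page's examples plus one context-banlist case.
    for line in (
        "api_key = hj65_klhz/trlupok76",
        'o.set("auth", "bsaruceobkoraebisroaecbu89")',
        "secret = xob1xob1xob1xob1xob1xob1xob1",
        "secret = aes.hj65_klhz/trlupok76",
        "secret = hj65_klhz/trlupok76  # public_key",
    ):
        print(f"{line!r:50} -> {find_generic_secret(line)}")
```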