generic password detector aims at catching any strings being assigned to a password variable.
This statement is pretty wide, therefore to avoid raising many false alerts, GitGuardian has come up with a range of validation steps and specifications to refine the perimeter we are looking at.
First, the detector starts by identifying documents that contains the strings
pwd and for which the filename is not indicating that the document is a test file or package file (see the prevalidator hereunder). Then the detector uses common detection techniques and applies post validation steps.
More precisely, we refer to an assignment as any statement of the form
assigned_variable assignment_token value, like for instance :
my_password = "password123".
- Must contain the
passwordto be considered sensitive and therefore valid.
- Should not be in one of Gitguardian's common password or value banlist (see banlist hereunder).
- Should not contain to a certain extent words from GitGuardian's dictionary banlist (see banlist hereunder).
- Should not be a word from a specific banlist, usually to avoid placeholder for when password are checked such as
Password is invalidin multiple languages or encrypted passwords.
- Should not contain specific words around the value found such as
Revoke the secret
This detector catches generic passwords, hence GitGuardian cannot infer the concerned service. To properly revoke the password :
- Understand what service is impacted.
- Refer to the corresponding documentation to know how to revoke and rotate the secret.
Examples that WILL be catched
Examples that WILL NOT be catched
- password is encrypted
- A banlisted word is present in the context
High Recall: False
Validity Check: False
Minimum Number of Matches: 1
Occurrences found for one million commits: 14535