Generic CLI Secret
Description
General
The Generic CLI Option Secret detector aims at catching any secret that is embedded in a CLI command option. In some cases this type of secret is already caught by the specific database CLI detectors; in other cases the generic high entropy detector is not sufficient to catch it, because the space character is not considered a valid assignment character. That is to say, --secret mySup3rs3cret is not matched by the generic high entropy detector. The Generic CLI Option Secret detector handles this kind of secret.
Specifications
To avoid raising many false alerts, this detector focuses on a list of given options that are very likely to be followed by secrets. Here is the exhaustive list of concerned options (given as regular expressions):
- secret(-key)?
- token
- api[_-]?key
- cred(entials)?
- password
- pwd
Then the value specified for the option must respect the following rules:
- it must match this regex: [a-zA-Z0-9_\\.+/~-][a-zA-Z0-9_\\.+/=~-]{5,128}
- it cannot be a file name or a file path.
- values that are considered common example values for passwords or API keys are also discarded.
Revoke the secret
This detector catches generic credentials, hence GitGuardian cannot infer the concerned service. To properly revoke the credentials:
- Understand what service is impacted by looking at the command preceding the match.
- Refer to the corresponding documentation to know how to revoke and rotate the credentials.
Examples
Examples that WILL be caught
- text: >
    aws secretsmanager create-secret --name testing/secret --secret ImAsEcReTpAsSw0rD
  apikey: ImAsEcReTpAsSw0rD
Examples that WILL NOT be caught
- The option is not considered sensitive enough:
  - text: >
      another_command secretsmanager --secret-sauce=ketchup
    apikey: ketchup
- The password is not considered sensitive:
  - text: >
      another_command secretsmanager --secret=123456
    apikey: 123456
Details for Generic CLI Option Secret
High Recall: False
Validity Check: False
Minimum Number of Matches: 1
Occurrences found for one million commits: 50.1
Prefixed: False
- type: FilenameBanlistPreValidator
- type: ContentWhitelistPreValidator
  patterns:
    - '--(secret|token|api[_-]?key|cred|auth|password|pwd)'
- type: CommonPasswordBanlistPostValidator
- type: ValueBanlistPostValidator
  patterns:
    - '^(?-i:[A-Z_]+)$' # Uppercase words
    - '[a-z]*[_-][a-z]*'
    - ^--
    - option
    - parameter
    - argument
    - x{6}
    - y{6}
    - ^password$
    - token
    - abc$
    - test
    - ^sha256$
    - ^source=
    - ^id=
    - ^\./
    - ^~/
    - \.$
    - 'a0b1c2d3e4f5'
    - '123456'
    - \.psk$
    - \.keycp$
    - foobar
    - dbuser # considered not sensitive enough
    - consumerKey=$
    - string
    - multiple
    - something
    - without
    - individual
    - specify
    - usertype
    - console
- type: EntropyPostValidator
  entropy: 1
- type: HeuristicPostValidator
  filters:
    - file_path
    - file_name
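As an added example, not GitGuardian's own code, here is a compact Python model of the filter chain this page describes: the option-name and value regexes from the Specifications, a subset of the value banlist, the entropy threshold, and the file-path exclusion. The common-password list and the path heuristic are constructed stand-ins, not the detector's real lists.

```python
import math
import re
from collections import Counter

# Option names and value regex as stated on the page; the value must be
# separated from the option by a space or "=".
CLI_SECRET_RE = re.compile(
    r"--(?:secret(?:-key)?|token|api[_-]?key|cred(?:entials)?|password|pwd)"
    r"[ =]([a-zA-Z0-9_.+/~-][a-zA-Z0-9_.+/=~-]{5,128})"
)

# Subset of the page's ValueBanlistPostValidator patterns (case-insensitive search).
VALUE_BANLIST = [re.compile(p, re.IGNORECASE) for p in (
    r"^--", r"^\./", r"^~/", r"\.$", r"^password$", r"123456", r"foobar", r"test",
)]

# Constructed stand-in for the CommonPasswordBanlistPostValidator word list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Threshold from the page's EntropyPostValidator (Shannon entropy, bits/char).
MIN_ENTROPY = 1.0


def shannon_entropy(value: str) -> float:
    """Shannon entropy of the string in bits per character."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_like_path(value: str) -> bool:
    """Assumed heuristic for the file_path/file_name filters: a path prefix
    or a short trailing file extension marks the value as a file reference."""
    has_prefix = re.match(r"^(\./|~/|/|[A-Za-z]:\\)", value) is not None
    has_ext = re.search(r"\.[A-Za-z0-9]{1,5}$", value) is not None
    return has_prefix or has_ext


def find_cli_secrets(command: str) -> list:
    """Return option values in `command` that survive every post-validator."""
    found = []
    for match in CLI_SECRET_RE.finditer(command):
        value = match.group(1)
        if value.lower() in COMMON_PASSWORDS:
            continue
        if any(p.search(value) for p in VALUE_BANLIST):
            continue
        if looks_like_path(value):
            continue
        if shannon_entropy(value) <= MIN_ENTROPY:
            continue
        found.append(value)
    return found
```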