Generic password
Description
General
The generic password detector aims at catching any string being assigned to a password variable.
This definition is very broad, so to avoid raising many false alerts, GitGuardian has come up with a range of validation steps and specifications that narrow the perimeter the detector looks at.
Specifications
First, the detector identifies documents that contain the strings password, passwd or pwd and whose filename does not indicate that the document is a test file or a package file. Then the detector applies common detection techniques followed by post-validation steps.
More precisely, an assignment is any statement of the form assigned_variable assignment_token value, for instance: my_password = "password123".
assigned_variable
- Must contain pwd, passwd or password to be considered sensitive and therefore valid.
assignment_token
GitGuardian's secrets detection engine accepts a wide variety of assignment tokens that correspond to different types of assignments or different languages. Here is a non-exhaustive list of valid assignment tokens: :, =, ||, =>, :=, <-.
value
- Should not be in GitGuardian's common password banlist.
- Should not contain, beyond a certain extent, words from GitGuardian's dictionary banlist.
- Should not be a word from a specific banlist, usually to avoid placeholders used when passwords are checked, such as "Password is invalid" in multiple languages, or encrypted passwords.
- Should not have specific words around the value found, such as example or version.
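To make the pipeline above concrete, here is an added, deliberately simplified re-implementation of the same steps (keyword and filename pre-filter, assignment parsing with the listed tokens, then value post-validation). It is illustration code, not GitGuardian's engine: the banlists, the test/package filename pattern and the encrypted-value prefixes are tiny constructed stand-ins for GitGuardian's real, much larger lists.

```python
import re

# Constructed stand-ins for GitGuardian's banlists (assumption: real lists are far larger).
COMMON_PASSWORD_BANLIST = {"password", "password123", "123456", "admin"}
DICTIONARY_BANLIST = {"secret", "changeme", "default"}
PLACEHOLDER_BANLIST = {"password is invalid", "mot de passe invalide"}
CONTEXT_BANLIST = {"example", "version"}
ENCRYPTED_PREFIXES = ("AES", "ENC[", "{cipher}")  # assumed markers of an encrypted value

# Pre-filter: skip test/package files, require a password keyword somewhere in the document.
TEST_OR_PACKAGE_FILE = re.compile(r"(test|spec|package(-lock)?\.json|requirements\.txt)", re.I)
KEYWORDS = re.compile(r"pwd|passwd|password", re.I)
ASSIGNMENT_TOKEN = r"(?::=|=>|<-|\|\||=|:)"  # the tokens listed on this page
ASSIGNMENT = re.compile(
    r"(?P<variable>[A-Za-z_][\w.-]*)\s*" + ASSIGNMENT_TOKEN + r'\s*(?P<value>"[^"]*"|\'[^\']*\'|\S+)'
)


def value_is_valid(value: str, context: str) -> bool:
    """Post-validation steps applied to a captured value; context is the surrounding line."""
    bare = value.strip("\"'")
    lowered = bare.lower()
    if lowered in COMMON_PASSWORD_BANLIST:
        return False
    if any(word in lowered for word in DICTIONARY_BANLIST):
        return False
    if lowered in PLACEHOLDER_BANLIST:
        return False
    if bare.startswith(ENCRYPTED_PREFIXES):  # looks like ciphertext, not a raw password
        return False
    words_around = set(re.findall(r"[a-z]+", context.lower()))
    if words_around & CONTEXT_BANLIST:  # e.g. "example" next to the assignment
        return False
    return True


def detect_generic_passwords(filename: str, text: str) -> list[tuple[str, str]]:
    """Return (variable, value) pairs this simplified detector would report."""
    if TEST_OR_PACKAGE_FILE.search(filename) or not KEYWORDS.search(text):
        return []
    findings = []
    for line in text.splitlines():
        for m in ASSIGNMENT.finditer(line):
            if not KEYWORDS.search(m.group("variable")):
                continue  # assigned_variable must contain pwd/passwd/password
            if value_is_valid(m.group("value"), line):
                findings.append((m.group("variable"), m.group("value").strip("\"'")))
    return findings
```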
Revoke the secret
This detector catches generic passwords, so GitGuardian cannot infer which service is concerned. To properly revoke the password:
- Understand what service is impacted.
- Refer to the corresponding documentation to know how to revoke and rotate the secret.
Examples
Examples that WILL be caught
- text: |
    password = lol123ok!
    password: lol123ok!
- text: |
    pwd = lol123ok!
    password: lol123ok!
- text: |
    passwd : lol123ok!
    password: lol123ok!
Examples that WILL NOT be caught
- Password is encrypted
  - text: |
      password = AESlol123ok!
- A banlisted word is present in the context
  - text: |
      example pwd = lol123ok!
Details for Generic password
High Recall: False
Validity Check: False
Minimum Number of Matches: 1
Occurrences found for one million commits: 6204
Prefixed: False