docs: add list of all supported secrets (#208)

.ci/update-readme.sh

@@ -1,19 +1,30 @@
+update_readme() {
+  output_file=$1
+  placeholder_name=$2
+  target_file=$3
+
+  sed -i "/<!-- $placeholder_name:start -->/,/<!-- $placeholder_name:end -->/{
+            /<!-- $placeholder_name:start -->/{
+              p
+              r $output_file
+            }
+            /<!-- $placeholder_name:end -->/!d
+          }" $target_file
+}
+
+# Update the README with the help message
 help_message=$(go run .)
 
 echo "" >output.txt
 echo '```' >>output.txt
 echo "$help_message" >>output.txt
 echo '```' >>output.txt
 echo "" >>output.txt
+update_readme "output.txt" "command-line" "README.md"
+rm output.txt
 
-sed -i '/<!-- command-line:start -->/,/<!-- command-line:end -->/{
-            /<!-- command-line:start -->/{
-              p
-              r output.txt
-            }
-            /<!-- command-line:end -->/!d
-          }' README.md
-
+go run . rules | awk 'BEGIN{FS = "   *"}{print "| " $1 " | " $2 " | " $3 " | " $4 " |";}' >output.txt
+update_readme "output.txt" "table" "./docs/list-of-rules.md"
 rm output.txt
 
-git --no-pager diff README.md
+git --no-pager diff README.md ./docs/list-of-rules.md

README.md

@@ -7,6 +7,8 @@
 
 **Too many secrets (`2ms`)** is a command line tool written in Go language and built over [gitleaks](https://github.com/gitleaks/gitleaks). `2ms` is capable of finding secrets such as login credentials, API keys, SSH keys and more hidden in code, content systems, chat applications and more.
 
+You can see the list of rules that `2ms` uses to detect secrets in [docs/list-of-rules.md](docs/list-of-rules.md)
+
 # Installation
 
 ### Download Precompiled Binaries
@@ -165,6 +167,8 @@ From the help message: `--validate    trigger additional validation to check if
 
 The `--validate` flag will check the validity of the secrets found. For example, if it is a Github token, it will check if the token is valid by making a request to the Github API. We will use the less intrusive method to check the validity of the secret.
 
+The list of services that support the Validity Check feature can be found in the [List of Rules](docs/list-of-rules.md) document.
+
 The result of the validation can be:
 
 - `valid` - The secret is valid

docs/list-of-rules.md

@@ -0,0 +1,169 @@
+# Rules
+
+Here is a complete list of all the rules that are currently implemented.
+
+<!-- table:start -->
+| Name | Description | Tags | Validity Check |
+| ---- | ---- | ---- | ---- |
+| adafruit-api-key | Adafruit API Key | api-key |  |
+| adobe-client-id | Adobe Client ID (OAuth Web) | client-id |  |
+| adobe-client-secret | Adobe Client Secret | client-secret |  |
+| age secret key | Age secret key | secret-key |  |
+| airtable-api-key | Airtable API Key | api-key |  |
+| algolia-api-key | Algolia API Key | api-key |  |
+| alibaba-access-key-id | Alibaba AccessKey ID | access-key,access-id |  |
+| alibaba-secret-key | Alibaba Secret Key | secret-key |  |
+| asana-client-id | Asana Client ID | client-id |  |
+| asana-client-secret | Asana Client Secret | client-secret |  |
+| atlassian-api-token | Atlassian API token | api-token |  |
+| authress-service-client-access-key | Authress Service Client Access Key | access-token |  |
+| aws-access-token | AWS | access-token |  |
+| bitbucket-client-id | Bitbucket Client ID | client-id |  |
+| bitbucket-client-secret | Bitbucket Client Secret | client-secret |  |
+| bittrex-access-key | Bittrex Access Key | access-key |  |
+| bittrex-secret-key | Bittrex Secret Key | secret-key |  |
+| beamer-api-token | Beamer API token | api-token |  |
+| codecov-access-token | Codecov Access Token | access-token |  |
+| coinbase-access-token | Coinbase Access Token | access-token |  |
+| clojars-api-token | Clojars API token | api-token |  |
+| confluent-access-token | Confluent Access Token | access-token |  |
+| confluent-secret-key | Confluent Secret Key | secret-key |  |
+| contentful-delivery-api-token | Contentful delivery API token | api-token |  |
+| databricks-api-token | Databricks API token | api-token |  |
+| datadog-access-token | Datadog Access Token | access-token,client-id |  |
+| defined-networking-api-token | Defined Networking API token | api-token |  |
+| digitalocean-pat | DigitalOcean Personal Access Token | access-token |  |
+| digitalocean-access-token | DigitalOcean OAuth Access Token | access-token |  |
+| digitalocean-refresh-token | DigitalOcean OAuth Refresh Token | refresh-token |  |
+| discord-api-token | Discord API key | api-key,api-token |  |
+| discord-client-id | Discord client ID | client-id |  |
+| discord-client-secret | Discord client secret | client-secret |  |
+| doppler-api-token | Doppler API token | api-token |  |
+| dropbox-api-token | Dropbox API secret | api-token |  |
+| dropbox-short-lived-api-token | Dropbox short lived API token | api-token |  |
+| dropbox-long-lived-api-token | Dropbox long lived API token | api-token |  |
+| droneci-access-token | Droneci Access Token | access-token |  |
+| duffel-api-token | Duffel API token | api-token |  |
+| dynatrace-api-token | Dynatrace API token | api-token |  |
+| easypost-api-token | EasyPost API token | api-token |  |
+| easypost-test-api-token | EasyPost test API token | api-token |  |
+| etsy-access-token | Etsy Access Token | access-token |  |
+| facebook | Facebook Access Token | api-token |  |
+| fastly-api-token | Fastly API key | api-token,api-key |  |
+| finicity-client-secret | Finicity Client Secret | client-secret |  |
+| finicity-api-token | Finicity API token | api-token |  |
+| flickr-access-token | Flickr Access Token | access-token |  |
+| finnhub-access-token | Finnhub Access Token | access-token |  |
+| flutterwave-public-key | Finicity Public Key | public-key |  |
+| flutterwave-secret-key | Flutterwave Secret Key | secret-key |  |
+| flutterwave-encryption-key | Flutterwave Encryption Key | encryption-key |  |
+| frameio-api-token | Frame.io API token | api-token |  |
+| freshbooks-access-token | Freshbooks Access Token | access-token |  |
+| gcp-api-key | GCP API key | api-key |  |
+| generic-api-key | Generic API Key | api-key |  |
+| github-pat | GitHub Personal Access Token | access-token | V |
+| github-fine-grained-pat | GitHub Fine-Grained Personal Access Token | access-token | V |
+| github-oauth | GitHub OAuth Access Token | access-token |  |
+| github-app-token | GitHub App Token | access-token |  |
+| github-refresh-token | GitHub Refresh Token | refresh-token |  |
+| gitlab-pat | GitLab Personal Access Token | access-token |  |
+| gitlab-ptt | GitLab Pipeline Trigger Token | trigger-token |  |
+| gitlab-rrt | GitLab Runner Registration Token | registration-token |  |
+| gitter-access-token | Gitter Access Token | access-token |  |
+| gocardless-api-token | GoCardless API token | api-token |  |
+| grafana-api-key | Grafana api key (or Grafana cloud api key) | api-key |  |
+| grafana-cloud-api-token | Grafana cloud api token | api-token |  |
+| grafana-service-account-token | Grafana service account token | access-token |  |
+| hashicorp-tf-api-token | HashiCorp Terraform user/org API token | api-token |  |
+| heroku-api-key | Heroku API Key | api-key |  |
+| hubspot-api-key | HubSpot API Token | api-token,api-key |  |
+| intercom-api-key | Intercom API Token | api-token,api-key |  |
+| jfrog-api-key | JFrog API Key | api-key |  |
+| jfrog-identity-token | JFrog Identity Token | access-token |  |
+| jwt | JSON Web Token | access-token |  |
+| kraken-access-token | Kraken Access Token | access-token |  |
+| kucoin-access-token | Kucoin Access Token | access-token |  |
+| kucoin-secret-key | Kucoin Secret Key | secret-key |  |
+| launchdarkly-access-token | Launchdarkly Access Token | access-token |  |
+| linear-api-key | Linear API Token | api-token,api-key |  |
+| linear-client-secret | Linear Client Secret | client-secret |  |
+| linkedin-client-id | LinkedIn Client ID | client-id |  |
+| linkedin-client-secret | LinkedIn Client secret | client-secret |  |
+| lob-api-key | Lob API Key | api-key |  |
+| lob-pub-api-key | Lob Publishable API Key | api-key |  |
+| mailchimp-api-key | Mailchimp API key | api-key |  |
+| mailgun-pub-key | Mailgun public validation key | public-key |  |
+| mailgun-private-api-token | Mailgun private API token | private-key |  |
+| mailgun-signing-key | Mailgun webhook signing key | api-key |  |
+| mapbox-api-token | MapBox API token | api-token |  |
+| mattermost-access-token | Mattermost Access Token | access-token |  |
+| messagebird-api-token | MessageBird API token | api-token |  |
+| messagebird-client-id | MessageBird client ID | client-id |  |
+| netlify-access-token | Netlify Access Token | access-token |  |
+| new-relic-user-api-key | New Relic user API Key | api-key |  |
+| new-relic-user-api-id | New Relic user API ID | access-id |  |
+| new-relic-browser-api-token | New Relic ingest browser API token | api-token |  |
+| npm-access-token | npm access token | access-token |  |
+| nytimes-access-token | Nytimes Access Token | access-token |  |
+| okta-access-token | Okta Access Token | access-token |  |
+| openai-api-key | OpenAI API Key | api-key |  |
+| plaid-client-id | Plaid Client ID | client-id |  |
+| plaid-secret-key | Plaid Secret key | secret-key |  |
+| plaid-api-token | Plaid API Token | api-token |  |
+| planetscale-password | PlanetScale password | password |  |
+| planetscale-api-token | PlanetScale API token | api-token |  |
+| planetscale-oauth-token | PlanetScale OAuth token | access-token |  |
+| postman-api-token | Postman API token | api-token |  |
+| prefect-api-token | Prefect API token | api-token |  |
+| private-key | Private Key | private-key |  |
+| pulumi-api-token | Pulumi API token | api-token |  |
+| pypi-upload-token | PyPI upload token | upload-token |  |
+| rapidapi-access-token | RapidAPI Access Token | access-token |  |
+| readme-api-token | Readme API token | api-token |  |
+| rubygems-api-token | Rubygem API token | api-token |  |
+| sendbird-access-id | Sendbird Access ID | access-id |  |
+| sendbird-access-token | Sendbird Access Token | access-token |  |
+| sendgrid-api-token | SendGrid API token | api-token |  |
+| sendinblue-api-token | Sendinblue API token | api-token |  |
+| sentry-access-token | Sentry Access Token | access-token |  |
+| shippo-api-token | Shippo API token | api-token |  |
+| shopify-access-token | Shopify access token | access-token |  |
+| shopify-custom-access-token | Shopify custom access token | access-token |  |
+| shopify-private-app-access-token | Shopify private app access token | access-token |  |
+| shopify-shared-secret | Shopify shared secret | public-secret |  |
+| sidekiq-secret | Sidekiq Secret | secret-key |  |
+| sidekiq-sensitive-url | Sidekiq Sensitive URL | sensitive-url |  |
+| slack-bot-token | Slack Bot token | access-token |  |
+| slack-app-token | Slack App-level token | access-token |  |
+| slack-legacy-token | Slack Legacy token | access-token |  |
+| slack-user-token | Slack User | access-token |  |
+| slack-config-access-token | Slack Configuration access token | access-token |  |
+| slack-config-refresh-token | Slack Configuration refresh token | refresh-token |  |
+| slack-legacy-bot-token | Slack Legacy bot token | access-token |  |
+| slack-legacy-workspace-token | Slack Legacy Workspace token | access-token |  |
+| slack-webhook-url | Slack Webhook | webhook |  |
+| stripe-access-token | Stripe Access Token | access-token |  |
+| square-access-token | Square Access Token | access-token |  |
+| squarespace-access-token | Squarespace Access Token | access-token |  |
+| sumologic-access-id | SumoLogic Access ID | access-id |  |
+| sumologic-access-token | SumoLogic Access Token | access-token |  |
+| snyk-api-token | Snyk API token | api-key |  |
+| microsoft-teams-webhook | Microsoft Teams Webhook | webhook |  |
+| telegram-bot-api-token | Telegram Bot API Token | api-token |  |
+| travisci-access-token | Travis CI Access Token | access-token |  |
+| twilio-api-key | Twilio API Key | api-key |  |
+| twitch-api-token | Twitch API token | api-token |  |
+| twitter-api-key | Twitter API Key | api-key |  |
+| twitter-api-secret | Twitter API Secret | api-key |  |
+| twitter-access-token | Twitter Access Token | access-token |  |
+| twitter-access-secret | Twitter Access Secret | public-secret |  |
+| twitter-bearer-token | Twitter Bearer Token | api-token |  |
+| typeform-api-token | Typeform API token | api-token |  |
+| vault-batch-token | Vault Batch Token | api-token |  |
+| vault-service-token | Vault Service Token | api-token |  |
+| yandex-api-key | Yandex API Key | api-key |  |
+| yandex-aws-access-token | Yandex AWS Access Token | access-token |  |
+| yandex-access-token | Yandex Access Token | access-token |  |
+| zendesk-secret-key | Zendesk Secret Key | secret-key |  |
+| authenticated-url | Identify username:password inside URLS | sensitive-url |  |
+<!-- table:end -->

secrets/engine.go

@@ -116,6 +116,11 @@ func isSecretIgnored(secret *Secret, ignoredIds *[]string) bool {
 }
 
 func GetRulesCommand(secretsConfig *SecretsConfig) *cobra.Command {
+	canValidateDisplay := map[bool]string{
+		true:  "V",
+		false: "",
+	}
+
 	return &cobra.Command{
 		Use:   "rules",
 		Short: "List all rules",
@@ -126,10 +131,17 @@ func GetRulesCommand(secretsConfig *SecretsConfig) *cobra.Command {
 
 			tab := tabwriter.NewWriter(os.Stdout, 1, 2, 2, ' ', 0)
 
-			fmt.Fprintln(tab, "Name\tDescription\tTags")
-			fmt.Fprintln(tab, "----\t----\t----")
+			fmt.Fprintln(tab, "Name\tDescription\tTags\tValidity Check")
+			fmt.Fprintln(tab, "----\t----\t----\t----")
 			for _, rule := range *rules {
-				fmt.Fprintf(tab, "%s\t%s\t%s\n", rule.Rule.RuleID, rule.Rule.Description, strings.Join(rule.Tags, ","))
+				fmt.Fprintf(
+					tab,
+					"%s\t%s\t%s\t%s\n",
+					rule.Rule.RuleID,
+					rule.Rule.Description,
+					strings.Join(rule.Tags, ","),
+					canValidateDisplay[isCanValidateRule(rule.Rule.RuleID)],
+				)
 			}
 			if err := tab.Flush(); err != nil {
 				return err

secrets/secret.go

@@ -35,6 +35,11 @@ var ruleIDToFunction = map[string]validationFunc{
 	"github-pat":              validateGithub,
 }
 
+func isCanValidateRule(ruleID string) bool {
+	_, ok := ruleIDToFunction[ruleID]
+	return ok
+}
+
 func (s *Secret) Validate(wg *sync.WaitGroup) {
 	defer wg.Done()
 	if f, ok := ruleIDToFunction[s.RuleID]; ok {