feat(secret): add support of GitHub fine-grained tokens (#5740)

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
aquasecurity · Dec 7, 2023 · be1c554 · be1c554
1 parent a5342da
commit be1c554
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 0 deletions.
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
@@ -142,6 +142,14 @@ var builtinRules = []Rule{
 		Regex:    MustCompile(`ghr_[0-9a-zA-Z]{76}`),
 		Keywords: []string{"ghr_"},
 	},
+	{
+		ID:       "github-fine-grained-pat",
+		Category: CategoryGitHub,
+		Title:    "GitHub Fine-grained personal access tokens",
+		Severity: "CRITICAL",
+		Regex:    MustCompile(`github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}`),
+		Keywords: []string{"github_pat_"},
+	},
 	{
 		ID:       "gitlab-pat",
 		Category: CategoryGitLab,

diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
@@ -297,6 +297,27 @@ func TestSecretScanner(t *testing.T) {
 			},
 		},
 	}
+	wantFindingGitHubPAT := types.SecretFinding{
+		RuleID:    "github-fine-grained-pat",
+		Category:  secret.CategoryGitHub,
+		Title:     "GitHub Fine-grained personal access tokens",
+		Severity:  "CRITICAL",
+		StartLine: 1,
+		EndLine:   1,
+		Match:     "GITHUB_TOKEN=*********************************************************************************************",
+		Code: types.Code{
+			Lines: []types.Line{
+				{
+					Number:      1,
+					Content:     "GITHUB_TOKEN=*********************************************************************************************",
+					Highlighted: "GITHUB_TOKEN=*********************************************************************************************",
+					IsCause:     true,
+					FirstCause:  true,
+					LastCause:   true,
+				},
+			},
+		},
+	}
 	wantFindingGHButDisableAWS := types.SecretFinding{
 		RuleID:    "github-pat",
 		Category:  secret.CategoryGitHub,
@@ -721,6 +742,15 @@ func TestSecretScanner(t *testing.T) {
 				Findings: []types.SecretFinding{wantFinding5a, wantFinding6},
 			},
 		},
+		{
+			name:          "should find GitHub Personal Access Token (classic)",
+			configPath:    filepath.Join("testdata", "skip-test.yaml"),
+			inputFilePath: "testdata/github-token.txt",
+			want: types.Secret{
+				FilePath: "testdata/github-token.txt",
+				Findings: []types.SecretFinding{wantFindingGitHubPAT},
+			},
+		},
 		{
 			name:          "should enable github-pat builtin rule, but disable aws-access-key-id rule",
 			configPath:    filepath.Join("testdata", "config-enable-ghp.yaml"),

diff --git a/pkg/fanal/secret/testdata/github-token.txt b/pkg/fanal/secret/testdata/github-token.txt
@@ -0,0 +1 @@
+GITHUB_TOKEN=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