docs 📝: Add new rule to detect Sidekiq secret in README.md #23
@@ -30,7 +30,7 @@ jobs:
--redact=50 \
--verbose \
--exit-code 1
--exclude-files "README.md"
# --exclude-files "README.md"
lint_test:
name: lint tests
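Review bot: `--exit-code 1` carries no trailing `\` while the lines above it do, so if the removed `--exclude-files "README.md"` line was meant to belong to the same invocation it was being executed as a separate shell command rather than as a flag; either way README.md was likely never excluded in practice, and the behaviour of this step should be verified from a workflow run rather than assumed. Commenting the flag out (`# --exclude-files "README.md"`) leaves dead configuration that invites someone to re-enable it later; delete the line outright and state in the commit message that README.md is intentionally in scope for the secret scan.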
@@ -28,3 +28,13 @@ id = "sidekiq-secret"
description = "Sidekiq Secret"
regex = "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=\\S+"
entropy = 2.5
gitea-actions
commented
[Lines 26-30] [Score: 2] This rule is for detecting Sidekiq secrets (regex pattern provided) that may be hardcoded or leaked in the source code. It's a good practice to have rules like this in place to ensure sensitive data isn't accidentally exposed.
# ==========================
# File-specific entropy overrides
# ==========================
[[rules]]
id = "generic-api-key-docs"
description = "Ignore placeholder secrets in README.md"
regex = "(?i)(api[_-]?key|secret|token)=\\S+"
filepath = "README.md"
gitea-actions
commented
[Lines 38-39] [Score: 4] The regular expression for generic API keys catches any string containing "api", "key", "secret", or "token" followed by one or more non-space characters. While this is a good starting point, it might catch too many false positives if the project uses these terms in non-sensitive contexts. Consider refining the regular expression to better match actual API keys.
entropy = 10.0 # very high threshold, placeholders won't trigger
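Review bot: the `generic-api-key-docs` block is a detection rule (`[[rules]]` with a `regex`) whose description says it ignores placeholders, and with `entropy = 10.0` it can never fire, because Shannon entropy per character cannot exceed 8 bits; the result is a no-op, not a suppression. If the intent is to keep README.md placeholders from alerting, express that as a path allowlist (in gitleaks, a global `[allowlist]` with `paths`, or a per-rule `[rules.allowlist]`) rather than an unreachable threshold, so a real secret pasted into the README is still caught by the other rules. Also confirm that `filepath` is a key the scanner reads; gitleaks rule definitions use `path`, and an unrecognized key would be silently ignored, leaving this rule unscoped. Note that the `sidekiq-secret` lines appear here only as unchanged context, so this hunk adds just the new generic rule.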
gitea-actions
commented
[Lines 35-40] [Score: 2] This rule is similar to the initial allowlist rule for ignoring placeholder secrets within the README.md file, but with a higher entropy threshold (10.0) to reduce false negatives. It's good to have this rule in place to prevent alerts on known placeholders and maintain proper scan results.
gitea-actions
commented
[Score: 4] The high entropy value (5.0) set for the generic API keys in README.md might overlook actual secrets. Consider reducing the entropy threshold to ensure sensitive information is detected.
[Score: 2] Potential security risk if sensitive information is present in the README file and it's being excluded from Gitleaks checks. Consider removing the exclusion if not necessary.