docs 📝: Add new rule to detect Sidekiq secret in README.md #23
@@ -37,7 +37,7 @@ id = "generic-api-key-docs"
description = "Ignore placeholder secrets in README.md"
regex = "(?i)(api[_-]?key|secret|token)=\\S+"
filepath = "README.md"
entropy = 10.0 # very high threshold, placeholders won't trigger
entropy = 5.0 # high threshold, placeholders won't trigger
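Review bot: the entropy change on the last two lines of this hunk does not achieve what the inline comments claim. If `entropy` is the minimum Shannon entropy a match must reach before the rule reports it (the usual meaning in secret-scanner rule files), then 10.0 is unreachable, since byte-level Shannon entropy caps at 8 bits per character, and 5.0 is still at or above what most 32-character base64 or hex secrets score, so at either value the rule would miss real keys, not only placeholders. Either lower the threshold to a value real secrets clear (generic API-key rules commonly sit around 3.5 to 4.0) and exclude the README placeholders through an allowlist of the literal placeholder strings, or, if `description = "Ignore placeholder secrets in README.md"` really means this entry is meant to suppress findings, move it into the scanner's allowlist section instead of a detection rule: a rule that can never fire silently removes coverage of README.md. The trailing comment `# high threshold, placeholders won't trigger` should then be rewritten to say what the number actually does.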
gitea-actions
commented
[Lines 35-40] [Score: 2] This rule is similar to the initial allowlist rule for ignoring placeholder secrets within the README.md file, but with a higher entropy threshold (10.0) to reduce false negatives. It's good to have this rule in place to prevent alerts on known placeholders and maintain proper scan results.
gitea-actions
commented
[Score: 4] The high entropy value (5.0) set for the generic API keys in README.md might overlook actual secrets. Consider reducing the entropy threshold to ensure sensitive information is detected.
[[rules]]
id = "sidekiq-secret"
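Review bot: the new `sidekiq-secret` rule is incomplete as shown: only `[[rules]]` and `id = "sidekiq-secret"` appear in this hunk, with no `description`, `regex`, `keywords` or `entropy`, so nothing here tells the scanner what a Sidekiq secret looks like and the rule cannot match anything as committed. If the remaining keys live elsewhere in the file, include them in this change so the rule can be reviewed as one unit; otherwise add a `description` and a `regex` anchored to the specific credential format, and pick an entropy floor for this rule deliberately rather than reusing the inflated value from the README rule above.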
[Lines 38-39] [Score: 4] The regular expression for generic API keys catches any string containing "api", "key", "secret", or "token" followed by one or more non-space characters. While this is a good starting point, it might catch too many false positives if the project uses these terms in non-sensitive contexts. Consider refining the regular expression to better match actual API keys.