diff --git a/ee/tables/secretscan/config.toml b/ee/tables/secretscan/config.toml
index c51a344a3..de71724ba 100644
--- a/ee/tables/secretscan/config.toml
+++ b/ee/tables/secretscan/config.toml
@@ -28,3 +28,15 @@ condition = "AND"
 # for the same reason.
 regexes = ['''^\s*[a-z\d][a-z\d_-]{0,35}=$''']
 paths = ['''.*\.env(\..+)?$''']
+[[rules.allowlists]]
+description = "Ignore key algorithms supported by AWS Certificate Manager (https://github.com/gitleaks/gitleaks/issues/1053)"
+condition = "AND"
+# Values retrieved from https://docs.aws.amazon.com/acm/latest/APIReference/API_CertificateDetail.html
+stopwords = ["RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096", "EC_prime256v1", "EC_secp384r1", "EC_secp521r1"]
+
+[[rules]]
+id = "private-key"
+[[rules.allowlists]]
+description = "Ignore Cosign encrypted private keys (https://github.com/gitleaks/gitleaks/issues/1034)"
+condition = "AND"
+stopwords = ["BEGIN ENCRYPTED COSIGN PRIVATE KEY", "BEGIN ENCRYPTED SIGSTORE PRIVATE KEY"]
diff --git a/ee/tables/secretscan/table_test.go b/ee/tables/secretscan/table_test.go
index fb924a028..7e79466b6 100644
--- a/ee/tables/secretscan/table_test.go
+++ b/ee/tables/secretscan/table_test.go
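Review bot: The new `[[rules]]` stanza with `id = "private-key"` carries no `regexes` or `paths`, so it only works if the scanner merges this allowlist into a base rule of the same id (presumably the default gitleaks ruleset pulled in elsewhere in this file); if that merge does not happen the rule either fails config validation or silently matches nothing, and nothing in the hunk records that dependency. A comment above the stanza would make it explicit, e.g. `# Extends the base "private-key" rule by id; keep the id in sync with the upstream ruleset.` The first allowlist block attaches to whichever rule precedes line 28, which is outside the hunk, so a reader cannot tell from this context which rule now ignores the ACM algorithm names; a one-line comment naming that rule above `[[rules.allowlists]]` would help. Both allowlists use `condition = "AND"` with a single `stopwords` criterion, where AND and OR are equivalent; that is harmless but worth a short note so it is not mistaken for a deliberate restriction.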
@@ -513,6 +513,68 @@ spec:
 `,
 expectedFinding: true,
 },
+ {
+ testCaseName: "key algorithm",
+ rawData: `key_algorithm = "EC_secp384r1"`,
+ expectedFinding: false,
+ },
+ {
+ testCaseName: "key algorithm (true positive)",
+ rawData: `key_algorithm = "52b22b1e-2178-4a1e-bbba-50d0160ffab3"`,
+ expectedFinding: true,
+ },
+ {
+ testCaseName: "encrypted private key (COSIGN labeled RSA key)",
+ rawData: `-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
+OCwicCI6MX0sInNhbHQiOiJ4WWdoc09JTUxUWGNOT0RsclNIOUNKc1FlOVFnZmN1
+cmUrMXlLdHh1TlkwPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiI0cS9PSlVmaXJkSUkrUjZ0ajZBMmcyQ0JqL25xdFNicCJ9LCJj
+aXBoZXJ0ZXh0IjoiKzB4Q3NzcFN0WStBczdKanJpOWtsbHBWd2JhcUI4ZWJNdWto
+eS9aVE1MSXRsL3B1YS9jWVJvbytLRGxMWWdmOW1kSjk4K1FnQW9oTktoYnJPMTcw
+MHdBY1JTMjFDOE4zQUNJRUVZaWpOMllBNnMraGJSbkhjUnd4eGhDMDFtb2FvL0dO
+Y1pmbEJheXZMV3pXblo4d2NDZ2ZpT1o1VXlRTEFJMHh0dnR6dEh3cTdDV1Vhd3V4
+RlhlNDZzck9TUE9SNHN6bytabWErUGovSFE9PSJ9
+-----END ENCRYPTED COSIGN PRIVATE KEY-----`,
+ expectedFinding: false,
+ },
+ {
+ testCaseName: "encrypted private key (COSIGN labeled EC key)",
+ rawData: `-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6
+OCwicCI6MX0sInNhbHQiOiJHK3F5WTYrNzhNS0JzMXNGTGs1ajYwcS9kS3Z1czBW
+VkhlSHZybC9POTF3PSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiJRc2JGdG13WDRDK2ttV3ZCcVRaMEFGOUFYdk1jRmg1SCJ9LCJj
+aXBoZXJ0ZXh0IjoiREM5T28zeldiYVQzSXYwdFVnWEdycjUxYW1samwwNlQ5MTNP
+VkxPbWpuMWhnK2o2WXRUbWg3SGhZSlY1N2J5eGE0Q281bE9YYmRqbTJ3aklubEd1
+Um5aZCt5OExnekpSNzFSeEhKVzgrWmRlcFJmYWJMTjdHbDgrSFZEcERVQ3NxQnRh
+VngyblpGbFEwWUl1anZwbFphblNGaUVvdERLVGkxZ3VhUXIwUHNzYU01NXZxbTRY
+WS9rPSJ9
+-----END ENCRYPTED COSIGN PRIVATE KEY-----`,
+ expectedFinding: false,
+ },
+ {
+ testCaseName: "encrypted private key (SIGSTORE labeled key)",
+ rawData: `-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
+OCwicCI6MX0sInNhbHQiOiI3T3VGd2VsbWZZNXVId2NoaURSc210anNwZ2ZlZjFG
+Mk5lOGFDTjVLYVpZPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiJQNHk4OGhCb3ZTa09MbXN0bFVBaGJwdDJ0K2xTNUxQSCJ9LCJj
+aXBoZXJ0ZXh0IjoiMnB1QzdyZldJOWh3bnJlQ2s4aUZDRlVwQlRrSzRJNlIvbFBF
+cnBDekpXUGpJWXl4eGVIL1A2VW52cFJHdVhla1NNb3JMdGhLamdoQ1JlNy82NDVH
+QWtoVm1LRC92eEF0S2EvbE1abENSQ3FlekJGUFd1dzNpeFRtZ2xhb2J1ZFVSbUVs
+bmNGOGlZbzBTMVl6Y1ZOMVFwY2J2c0dNcUlYRzVlbmdteGp5dCtBcXlyZTF0Q0Y0
+V01tU1BlaEljNlBqd2h1Q2xHaVpJUWRvTGc9PSJ9
+-----END ENCRYPTED SIGSTORE PRIVATE KEY-----`,
+ expectedFinding: false,
+ },
+ {
+ testCaseName: "encrypted private key (true positive, key is not encrypted)",
+ rawData: `-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIALEbo1EFnWFqBK/wC+hhypG/8hXEerwdNetAoFoFVdv
+-----END PRIVATE KEY-----`,
+ expectedFinding: true,
+ },
 } {
 t.Run(tt.testCaseName, func(t *testing.T) {
 t.Parallel()
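Review bot: The last added case, "encrypted private key (true positive, key is not encrypted)", embeds what looks like a complete, syntactically valid unencrypted PKCS#8 private key as its fixture, and nothing in the hunk marks it as a throwaway value; other secret scanners that run over this repository (pre-commit hooks, push protection, or this very scanner pointed at its own source tree) will flag the test file itself, and a reviewer cannot tell from the diff whether the key was ever used anywhere. A comment on the case such as `// Throwaway key generated solely for this test; never used outside it.` would document that, and if the repository scans itself with gitleaks the line can additionally carry its inline `gitleaks:allow` marker. The three encrypted fixtures would benefit from the same one-line provenance note, since the reader otherwise has to trust that the ciphertext blobs are not real Cosign keys. The table literal and the enclosing test function both begin before the hunk and the function continues after it.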