Skip to content

Instantly share code, notes, and snippets.

@soutaro

soutaro/goodcheck.yml

Forked from sumyapp/goodcheck.yml
Last active March 14, 2019 23:11
Show Gist options
  • Save soutaro/8be3265b53d50355345ca067eb665561 to your computer and use it in GitHub Desktop.
Save soutaro/8be3265b53d50355345ca067eb665561 to your computer and use it in GitHub Desktop.
Download ZIP
Secret check Goodcheck.yml, Inspired by Skyscanner/sonar-secrets
Raw
goodcheck.yml
rules:
# Inspired by this rule: https://github.com/Skyscanner/sonar-secrets/blob/v1.3.0/java/src/main/java/org/sonar/skyscanner/java/checks/PrivateKeys.java
- id: review.sider.general.security.private_keys
pattern:
- "-----BEGIN RSA PRIVATE KEY-----"
- "-----BEGIN DSA PRIVATE KEY-----"
- "-----BEGIN EC PRIVATE KEY-----"
- "-----BEGIN OPENSSH PRIVATE KEY-----"
- "-----BEGIN PRIVATE KEY-----"
message: Do not put private keys in this repository.
# Inspired by this rule: https://github.com/Skyscanner/sonar-secrets/blob/v1.3.0/java/src/main/java/org/sonar/skyscanner/java/checks/Passwords.java
- id: review.sider.general.security.passwords.hardcode
pattern:
regexp: password|passwd|pwd
case_sensitive: false
message: Do not hard code password.
justification:
- When it is a variable name.
- When password is not hard-coded.
fail:
- "PASSWORD = 'passw0rd'"
- "passwd = 'passw0rd'"
- "pwd = 'passw0rd'"
# Inspired by this rule: https://github.com/Skyscanner/sonar-secrets/blob/v1.3.0/java/src/main/java/org/sonar/skyscanner/java/checks/AWSCredentials.java
- id: review.sider.general.security.aws.access_key
pattern:
regexp: (?=.*[A-Z])(?=.*[0-9])[A-Z0-9]{20}
case_sensitive: true
multiline: false
message: Do not put AWS screts in this repository.
fail:
- "AWS_ACCESS_KEY_ID = 'AKIAJ73UMGWBD4ODFECQ'"
- "AKIAJ73UMGWBD4ODFECQ"
- id: review.sider.general.security.aws.secret_access_token
pattern:
regexp: (?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])[A-Za-z0-9+/]{40}
case_sensitive: true
multiline: false
message: Do not put AWS screts in this repository.
fail:
- "AWS_SECRET_ACCESS_KEY = 'ug9nHbCpATKVNWNgQc47IyNVn+/4YcoRC+BItPrP'"
- "ug4nHbCpATKVNWNgQc47IyNVn+/9YcoRC+BItPrP"
- id: review.sider.general.security.aws.session_token
pattern:
regexp: (?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9+/]{270,290}
case_sensitive: true
multiline: false
message: Do not put AWS screts in this repository.
fail:
- "AWS_SESSION_TOKEN = 'AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'"
- "AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# Inspired by this rule: https://github.com/Skyscanner/sonar-secrets/blob/v1.3.0/java/src/main/java/org/sonar/skyscanner/java/checks/APIKeys.java
- id: review.sider.general.security.apikeys.hardcode
pattern:
regexp: .*(api|gitlab|github|slack|google)_?(key|token|secret)$
case_sensitive: false
multiline: true
message: Do not hard code API Keys.
justification:
- If it is just a variable name
- If not hard-coded
fail:
- "api_key"
- "gitlab_token"
- "github_token"
- "slack_secret"
- "google_token"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment