sumyapp · March 14, 2019 13:32
diff --git a/goodcheck.yml b/goodcheck.yml
 rules:
  # Inspired by this rule: https://github.com/Skyscanner/sonar-secrets/blob/v1.3.0/java/src/main/java/org/sonar/skyscanner/java/checks/PrivateKeys.java
  - id: review.sider.general.security.private_keys.rsa
    pattern: 
      token: "-----BEGIN RSA PRIVATE KEY-----"
      case_sensitive: true
    message: Do not put private keys in this repository.
    fail:
      - "-----BEGIN RSA PRIVATE KEY-----"
    pass:
      - "PRIVATE KEY"
  - id: review.sider.general.security.private_keys.dsa
    pattern: 
      token: "-----BEGIN DSA PRIVATE KEY-----"
      case_sensitive: true
    message: Do not put private keys in this repository.
    fail:
      - "-----BEGIN DSA PRIVATE KEY-----"
    pass:
      - "PRIVATE KEY"
  - id: review.sider.general.security.private_keys.ec
    pattern: 
      token: "-----BEGIN EC PRIVATE KEY-----"
      case_sensitive: true
    message: Do not put private keys in this repository.
    fail:
      - "-----BEGIN EC PRIVATE KEY-----"
    pass:
      - "PRIVATE KEY"
  - id: review.sider.general.security.private_keys.openssh
    pattern: 
      token: "-----BEGIN OPENSSH PRIVATE KEY-----"
      case_sensitive: true
    message: Do not put private keys in this repository.
    fail:
      - "-----BEGIN OPENSSH PRIVATE KEY-----"
    pass:
      - "PRIVATE KEY"
  - id: review.sider.general.security.private_keys.privatekey
    pattern: 
      token: "-----BEGIN PRIVATE KEY-----"
      case_sensitive: true
    message: Do not put private keys in this repository.
    fail:
      - "-----BEGIN PRIVATE KEY-----"
    pass:
      - "PRIVATE KEY"

  # Inspired by this rule: https://github.com/Skyscanner/sonar-secrets/blob/v1.3.0/java/src/main/java/org/sonar/skyscanner/java/checks/Passwords.java
  - id: review.sider.general.security.passwords.hardcode
    pattern:
      regexp: .*(password|passwd|pwd)
      case_sensitive: false
      multiline: true
    message: Do not hard code password.
    justification:
      - If it is just a variable name
      - If not hard-coded
    fail:
      - "password = 'passw0rd'"
      - "passwd = 'passw0rd'"
      - "pwd = 'passw0rd'"
    pass:
      - "DigestUtils.sha256Hex(param)"

  # Inspired by this rule: https://github.com/Skyscanner/sonar-secrets/blob/v1.3.0/java/src/main/java/org/sonar/skyscanner/java/checks/AWSCredentials.java
  - id: review.sider.general.security.aws.access_key
    pattern:
      regexp: (?=.*[A-Z])(?=.*[0-9])[A-Z0-9]{20}
      case_sensitive: true
      multiline: false
    message: Do not put AWS screts in this repository.
    fail:
      - "AWS_ACCESS_KEY_ID = 'AKIAJ73UMGWBD4ODFECQ'"
      - "AKIAJ73UMGWBD4ODFECQ"
  - id: review.sider.general.security.aws.secret_access_token
    pattern:
      regexp: (?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])[A-Za-z0-9+/]{40}
      case_sensitive: true
      multiline: false
    message: Do not put AWS screts in this repository.
    fail:
      - "AWS_SECRET_ACCESS_KEY = 'ug9nHbCpATKVNWNgQc47IyNVn+/4YcoRC+BItPrP'"
      - "ug4nHbCpATKVNWNgQc47IyNVn+/9YcoRC+BItPrP"
  - id: review.sider.general.security.aws.session_token
    pattern:
      regexp: (?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9+/]{270,290}
      case_sensitive: true
      multiline: false
    message: Do not put AWS screts in this repository.
    fail:
      - "AWS_SESSION_TOKEN = 'AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'"
      - "AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  # Inspired by this rule: https://github.com/Skyscanner/sonar-secrets/blob/v1.3.0/java/src/main/java/org/sonar/skyscanner/java/checks/APIKeys.java
  - id: review.sider.general.security.apikeys.hardcode
    pattern:
      regexp: .*(api|gitlab|github|slack|google)_?(key|token|secret)$
      case_sensitive: false
      multiline: true
    message: Do not hard code API Keys.
    justification:
      - If it is just a variable name
      - If not hard-coded
    fail:
      - "api_key"
      - "gitlab_token"
      - "github_token"
      - "slack_secret"
      - "google_token"
	rules:
	# Inspired by this rule: https://github.com/Skyscanner/sonar-secrets/blob/v1.3.0/java/src/main/java/org/sonar/skyscanner/java/checks/PrivateKeys.java
	- id: review.sider.general.security.private_keys.rsa
	pattern:
	token: "-----BEGIN RSA PRIVATE KEY-----"
	case_sensitive: true
	message: Do not put private keys in this repository.
	fail:
	- "-----BEGIN RSA PRIVATE KEY-----"
	pass:
	- "PRIVATE KEY"
	- id: review.sider.general.security.private_keys.dsa
	pattern:
	token: "-----BEGIN DSA PRIVATE KEY-----"
	case_sensitive: true
	message: Do not put private keys in this repository.
	fail:
	- "-----BEGIN DSA PRIVATE KEY-----"
	pass:
	- "PRIVATE KEY"
	- id: review.sider.general.security.private_keys.ec
	pattern:
	token: "-----BEGIN EC PRIVATE KEY-----"
	case_sensitive: true
	message: Do not put private keys in this repository.
	fail:
	- "-----BEGIN EC PRIVATE KEY-----"
	pass:
	- "PRIVATE KEY"
	- id: review.sider.general.security.private_keys.openssh
	pattern:
	token: "-----BEGIN OPENSSH PRIVATE KEY-----"
	case_sensitive: true
	message: Do not put private keys in this repository.
	fail:
	- "-----BEGIN OPENSSH PRIVATE KEY-----"
	pass:
	- "PRIVATE KEY"
	- id: review.sider.general.security.private_keys.privatekey
	pattern:
	token: "-----BEGIN PRIVATE KEY-----"
	case_sensitive: true
	message: Do not put private keys in this repository.
	fail:
	- "-----BEGIN PRIVATE KEY-----"
	pass:
	- "PRIVATE KEY"

	# Inspired by this rule: https://github.com/Skyscanner/sonar-secrets/blob/v1.3.0/java/src/main/java/org/sonar/skyscanner/java/checks/Passwords.java
	- id: review.sider.general.security.passwords.hardcode
	pattern:
	regexp: .*(password\|passwd\|pwd)
	case_sensitive: false
	multiline: true
	message: Do not hard code password.
	justification:
	- If it is just a variable name
	- If not hard-coded
	fail:
	- "password = 'passw0rd'"
	- "passwd = 'passw0rd'"
	- "pwd = 'passw0rd'"
	pass:
	- "DigestUtils.sha256Hex(param)"

	# Inspired by this rule: https://github.com/Skyscanner/sonar-secrets/blob/v1.3.0/java/src/main/java/org/sonar/skyscanner/java/checks/AWSCredentials.java
	- id: review.sider.general.security.aws.access_key
	pattern:
	regexp: (?=.[A-Z])(?=.[0-9])[A-Z0-9]{20}
	case_sensitive: true
	multiline: false
	message: Do not put AWS screts in this repository.
	fail:
	- "AWS_ACCESS_KEY_ID = 'AKIAJ73UMGWBD4ODFECQ'"
	- "AKIAJ73UMGWBD4ODFECQ"
	- id: review.sider.general.security.aws.secret_access_token
	pattern:
	regexp: (?=.[A-Z])(?=.[a-z])(?=.*[0-9])[A-Za-z0-9+/]{40}
	case_sensitive: true
	multiline: false
	message: Do not put AWS screts in this repository.
	fail:
	- "AWS_SECRET_ACCESS_KEY = 'ug9nHbCpATKVNWNgQc47IyNVn+/4YcoRC+BItPrP'"
	- "ug4nHbCpATKVNWNgQc47IyNVn+/9YcoRC+BItPrP"
	- id: review.sider.general.security.aws.session_token
	pattern:
	regexp: (?=.[a-z])(?=.[A-Z])[A-Za-z0-9+/]{270,290}
	case_sensitive: true
	multiline: false
	message: Do not put AWS screts in this repository.
	fail:
	- "AWS_SESSION_TOKEN = 'AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'"
	- "AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
	# Inspired by this rule: https://github.com/Skyscanner/sonar-secrets/blob/v1.3.0/java/src/main/java/org/sonar/skyscanner/java/checks/APIKeys.java
	- id: review.sider.general.security.apikeys.hardcode
	pattern:
	regexp: .*(api\|gitlab\|github\|slack\|google)_?(key\|token\|secret)$
	case_sensitive: false
	multiline: true
	message: Do not hard code API Keys.
	justification:
	- If it is just a variable name
	- If not hard-coded
	fail:
	- "api_key"
	- "gitlab_token"
	- "github_token"
	- "slack_secret"
	- "google_token"