Add Defined Networking API Tokens (gitleaks#1096)

Adds detection support for Defined Networking tokens (https://docs.defined.net/guides/automating-host-creation/) I added a fixture in addition to the generator, I think I may be able to use the `generateUniqueToken` instead of the semi-generic option? Let me know if I should update accordingly. Remove testing fixture
AikidoSec · Mar 14, 2023 · 6b0c303 · 6b0c303
1 parent 1fb3a77
commit 6b0c303
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 0 deletions.
diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go
@@ -41,6 +41,7 @@ func main() {
 	configRules = append(configRules, rules.Contentful())
 	configRules = append(configRules, rules.Databricks())
 	configRules = append(configRules, rules.DatadogtokenAccessToken())
+	configRules = append(configRules, rules.DefinedNetworkingAPIToken())
 	configRules = append(configRules, rules.DigitalOceanPAT())
 	configRules = append(configRules, rules.DigitalOceanOAuthToken())
 	configRules = append(configRules, rules.DigitalOceanRefreshToken())

diff --git a/cmd/generate/config/rules/definednetworking.go b/cmd/generate/config/rules/definednetworking.go
@@ -0,0 +1,32 @@
+package rules
+
+import (
+	"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
+	"github.com/zricethezav/gitleaks/v8/config"
+)
+
+func DefinedNetworkingAPIToken() *config.Rule {
+	// Define Rule
+	r := config.Rule{
+		// Human redable description of the rule
+		Description: "Defined Networking API token",
+
+		// Unique ID for the rule
+		RuleID: "defined-networking-api-token",
+
+		// Regex capture group for the actual secret
+		SecretGroup: 1,
+
+		// Regex used for detecting secrets. See regex section below for more details
+		Regex: generateSemiGenericRegex([]string{"dnkey"}, `dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52}`),
+
+		// Keywords used for string matching on fragments (think of this as a prefilter)
+		Keywords: []string{"dnkey"},
+	}
+
+	// validate
+	tps := []string{
+		generateSampleSecret("dnkey", "dnkey-"+secrets.NewSecret(alphaNumericExtended("26"))+"-"+secrets.NewSecret(alphaNumericExtended("52"))),
+	}
+	return validate(r, tps, nil)
+}
diff --git a/config/gitleaks.toml b/config/gitleaks.toml
@@ -242,6 +242,15 @@ keywords = [
     "datadog",
 ]
 
+[[rules]]
+description = "Defined Networking API token"
+id = "defined-networking-api-token"
+regex = '''(?i)(?:dnkey)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+secretGroup = 1
+keywords = [
+    "dnkey",
+]
+
 [[rules]]
 description = "DigitalOcean OAuth Access Token"
 id = "digitalocean-access-token"