1

I want to identify the AWS basic auth from the files in a repository. For this I want to add a pattern for git-secret to scan the value for basic auth value in the repository.

I have tried with the below pattern:

git secrets --add '^\bBasic [A-Za-z0-9[!@#$%^&*(),.?":{}|<>=]{60}$'

patterns =  (\"|')?(Basic )[A-Za-z0-9\\+=]{60}(\"|')$

The script is as follows:

git secrets --add '^\bBasic [A-Za-z0-9[!@#$%^&*(),.?":{}|<>=]{60}$'
git secrets --add 'Basic [A-Za-z0-9!@#$%^&*(),.?":{}|<>=]{60}'

I expect the pattern to add for git-secret to identify the AWS basic auth value from the repository.

Here is an example of a basic auth value:

Basic aW5mQExampleauthvalueGlCeGUzeXk4UmMyT29HeFJOVFVEXAMPLEKEYS==

'Basic' + + <60 characters> then we should flag it. If it has less than 60, or more than 60, then it's not a valid string.

Secespitus
  • 710
  • 2
  • 14
  • 22
Rapid
  • 111
  • 2
  • 13

2 Answers2

0

Your pattern worked fine for me, you just missed one thing:

^(\"|')?Basic [A-Za-z0-9\\+=]{60}(\"|')?$

You forgot the last "?" for the second optional single or double quote.

Npok
  • 11
  • 1
  • Thank you for your answer, but this pattern work only for some scenario, if the string is below format it will not identify {"value" : "Basic aW5mQExampleauthvalueGlCeGUzeXk4UmMyT29HeFJOVFVEXAMPLEKEYS=="} – Rapid Jul 02 '19 at 08:09
  • If you have other characters before or after the key, you must either: take them into account in your regex, or remove "^ ... $" – Npok Jul 03 '19 at 08:20
0

for git-secret

Actually, that regex, as proposed by Npok's answer, won't need git-secret much longer.

(Plus: Secret scanning’s push protection is available on public repositories, for free (May. 2023))

As of June 2021:

Secret scanning now supports user defined patterns on private repositories:

GitHub Advanced Security customers can now specify custom patterns for use in private repo secret scanning.

secret scanning -- https://docs.github.com/assets/images/help/repository/secret-scanning-create-custom-pattern.png

When a new pattern is specified, secret scanning searches a repository's entire git history for it, as well as any new commits.

User defined patterns are in beta on cloud and will be available on GHES next quarter.
They can be defined at the repository and organization level.

See:

And:

Secret scanning now push protects custom patterns (Dec. 2022)

Previously, GitHub Advanced Security customers could enable push protection for all patterns supported by default.

Now, admins can also enable push protection for any custom pattern defined at the repository or organization level.
Push protection for enterprise-level custom patterns will come in January.

https://i0.wp.com/user-images.githubusercontent.com/81782111/207498360-10037928-bd7b-4379-83db-16e234db4880.png?w=960&ssl=1 -- blocked custom pattern

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250