Merge pull request #8 from owasp-noir:patterns/add-new-patterns

hahwul · web-flow · commit 36978fbbab22 · 2025-03-27T00:58:46.000+09:00
Add detection rules for GitHub, GitLab, Discord, and Slack tokens/webhooks
diff --git a/secrets/aws-s3-key.yaml b/secrets/aws-s3-key.yaml
@@ -2,7 +2,7 @@ id: s3-access-key
 info:
   name: Detect S3_ACCESS_KEY
   author: [hahwul]
-  severity: critical
+  severity: high
   description: Detects the presence of S3 Access Keys in the code
   reference: ['']
 matchers-condition: or
diff --git a/secrets/github-token.yaml b/secrets/github-token.yaml
@@ -0,0 +1,23 @@
+id: github-token
+info:
+  name: Detect GITHUB_TOKEN
+  author: [hahwul]
+  severity: critical
+  description: Detects the presence of GitHub tokens in the code
+  reference: ['']
+matchers-condition: or
+matchers:
+  - type: word
+    patterns: ['GITHUB_TOKEN', 'GH_TOKEN', 'github_pat_']
+    condition: or
+  - type: regex
+    patterns:
+      - 'github_pat_[A-Za-z0-9_]{22}_[A-Za-z0-9]{59}'
+      - 'ghp_[A-Za-z0-9]{36}'
+      - 'gho_[A-Za-z0-9]{36}'
+      - 'ghu_[A-Za-z0-9]{36}'
+      - 'ghs_[A-Za-z0-9]{36}'
+      - 'ghr_[A-Za-z0-9]{36}'
+    condition: or
+category: secret
+techs: ['*']
diff --git a/secrets/gitlab-token.yaml b/secrets/gitlab-token.yaml
@@ -0,0 +1,19 @@
+id: gitlab-token
+info:
+  name: Detect GITLAB_TOKEN
+  author: [hahwul]
+  severity: critical
+  description: Detects the presence of GitLab tokens in the code
+  reference: ['']
+matchers-condition: or
+matchers:
+  - type: word
+    patterns: ['GITLAB_TOKEN', 'GITLAB_API_TOKEN', 'GITLAB_API_PRIVATE_TOKEN']
+    condition: or
+  - type: regex
+    patterns:
+      - 'glpat-[A-Za-z0-9_-]{20}'
+      - 'glptt-[A-Za-z0-9_-]{20}'
+    condition: or
+category: secret
+techs: ['*']
diff --git a/secrets/webhook-discord.yaml b/secrets/webhook-discord.yaml
@@ -0,0 +1,18 @@
+id: webhook-discord
+info:
+  name: Detect DISCORD_WEBHOOK
+  author: [hahwul]
+  severity: low
+  description: Detects the presence of Discord webhook URLs in the code
+  reference: ['']
+matchers-condition: or
+matchers:
+  - type: word
+    patterns: ['https://discord.com/api/webhooks/', 'https://discordapp.com/api/webhooks/']
+    condition: or
+  - type: regex
+    patterns:
+      - 'https://discord(?:app)?\.com/api/webhooks/[0-9]{17,19}/[A-Za-z0-9_-]{60,68}'
+    condition: or
+category: secret
+techs: ['*']
diff --git a/secrets/webhook-slack.yaml b/secrets/webhook-slack.yaml
@@ -0,0 +1,18 @@
+id: webhook-slack
+info:
+  name: Detect SLACK_WEBHOOK
+  author: [hahwul]
+  severity: low
+  description: Detects the presence of Slack webhook URLs in the code
+  reference: ['']
+matchers-condition: or
+matchers:
+  - type: word
+    patterns: ['https://hooks.slack.com/services/']
+    condition: or
+  - type: regex
+    patterns:
+      - 'https://hooks\.slack\.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'
+    condition: or
+category: secret
+techs: ['*']
