Checkmarx · baruchiro · Aug 23, 2023 · Aug 11, 2023 · Aug 11, 2023 · Aug 11, 2023
@@ -0,0 +1,20 @@
+package secrets
+
+import (
+	"regexp"
+
+	"github.com/zricethezav/gitleaks/v8/config"
+)
+
+func AuthenticatedURL() *config.Rule {
+	regex, _ := regexp.Compile(":\\/\\/(.+:.+)?@")
+	rule := config.Rule{
+		Description: "Identify username:password inside URLS",
+		RuleID:      "username-password-secret",
+		Regex:       regex,
+		Keywords:    []string{},
+		SecretGroup: 1,
+	}
+
+	return &rule
+}
@@ -11,6 +11,7 @@ import (
 
 	"github.com/checkmarx/2ms/plugins"
 	"github.com/checkmarx/2ms/reporting"
+	secrets "github.com/checkmarx/2ms/secrets/rules"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"github.com/zricethezav/gitleaks/v8/cmd/generate/config/rules"
@@ -368,6 +369,7 @@ func loadAllRules() ([]Rule, error) {
 	allRules = append(allRules, Rule{Rule: *rules.YandexAWSAccessToken(), Tags: []string{TagAccessToken}})
 	allRules = append(allRules, Rule{Rule: *rules.YandexAccessToken(), Tags: []string{TagAccessToken}})
 	allRules = append(allRules, Rule{Rule: *rules.ZendeskSecretKey(), Tags: []string{TagSecretKey}})
+	allRules = append(allRules, Rule{Rule: *secrets.AuthenticatedURL(), Tags: []string{TagPassword}})
 
 	return allRules, nil
 }

@@ -2,11 +2,86 @@ package secrets
 
 import (
 	"fmt"
+	"sync"
 	"testing"
 
+	"github.com/checkmarx/2ms/plugins"
+	"github.com/checkmarx/2ms/reporting"
 	"github.com/zricethezav/gitleaks/v8/config"
 )
 
+func TestSecrets(t *testing.T) {
+	secrets := []struct {
+		Content    string
+		Name       string
+		ShouldFind bool
+	}{
+		{
+			Content:    "",
+			Name:       "empty",
+			ShouldFind: false,
+		},
+		{
+			Content:    "mongodb+srv://radar:mytoken@io.dbb.mongodb.net/?retryWrites=true&w=majority",
+			Name:       "Authenticated URL",
+			ShouldFind: true,
+		},
+		{
+			Content:    "--output=https://elastic:bF21iC0bfTVXo3qhpJqTGs78@c22f5bc9787c4c268d3b069ad866bdc2.eu-central-1.aws.cloud.es.io:9243/tfs",
+			Name:       "Authenticated URL",
+			ShouldFind: true,
+		},
+		{
+			Content:    "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",
+			Name:       "GitHub Personal Access Token",
+			ShouldFind: true,
+		},
+		{
+			Content:    "AKCp8jRRiQSAbghbuZmHKZcaKGEqbAASGH2SAb3rxXJQsSq9dGga8gFXe6aHpcRmzuHxN6oaT",
+			Name:       "JFROG Secret without keyword",
+			ShouldFind: false,
+		},
+		{
+			Content:    "--set imagePullSecretJfrog.password=AKCp8kqqfQbYifrbyvqusjyk6N3QKprXTv9B8HTitLbJzXT1kW7dDticXTsJpCrbqtizAwK4D \\",
+			Name:       "JFROG Secret with keyword (real example)",
+			ShouldFind: true,
+		},
+		{
+			Content:    "--docker-password=AKCp8kqX8yeKBTqgm2XExHsp8yVdJn6SAgQmS1nJMfMDmzxEqX74rUGhedaWu7Eovid3VsMwb",
+			Name:       "JFROG Secret as kubectl argument",
+			ShouldFind: true,
+		},
+	}
+
+	detector, err := Init([]string{}, []string{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, secret := range secrets {
+		name := secret.Name
+		if name == "" {
+			name = secret.Content
+		}
+		t.Run(name, func(t *testing.T) {
+			fmt.Printf("Start test %s", name)
+			secretsChan := make(chan reporting.Secret, 1)
+			wg := &sync.WaitGroup{}
+			wg.Add(1)
+			detector.Detect(plugins.Item{Content: secret.Content}, secretsChan, wg, nil)
+			close(secretsChan)
+
+			s := <-secretsChan
+			if s.Value == "" && secret.ShouldFind {
+				t.Errorf("secret \"%s\" not found", secret.Name)
+			}
+			if s.Value != "" && !secret.ShouldFind {
+				t.Errorf("should not find")
+			}
+		})
+	}
+
+}
 func TestLoadAllRules(t *testing.T) {
 	rules, _ := loadAllRules()