Checkmarx · baruchiro · Aug 23, 2023 · Aug 11, 2023 · Aug 11, 2023 · Aug 11, 2023
diff --git a/secrets/custom_rules.go b/secrets/custom_rules.go
@@ -0,0 +1,19 @@
+package secrets
+
+type CustomRuleConfiguration struct {
+	Description  string
+	RegexPattern string
+	RuleID       string
+	Tags         []string
+	SecretGroup  int
+}
+
+var customRules = []CustomRuleConfiguration{
+	{
+		Description:  "Identify username:password inside URLS",
+		RuleID:       "username-password-secret",
+		RegexPattern: ":\\/\\/(.+:.+)?@",
+		Tags:         []string{TagPassword},
+		SecretGroup:  1,
+	},
+}
@@ -128,6 +128,30 @@ func (s *Secrets) AddRegexRules(patterns []string) error {
 	return nil
 }
 
+func addCustomRules(rules []CustomRuleConfiguration) ([]Rule, error) {
+	var customRules []Rule
+	customRules = make([]Rule, len(rules))
+	for idx, rule := range rules {
+		regex, err := regexp.Compile(rule.RegexPattern)
+		if err != nil {
+			return nil, fmt.Errorf("failed to compile custom regex rule %s: %w", rule.RuleID, err)
+		}
+		customRules[idx] = Rule{
+			Rule: config.Rule{
+				Description: rule.Description,
+				RuleID:      rule.RuleID,
+				Regex:       regex,
+				Keywords:    []string{},
+			},
+			Tags: rule.Tags,
+		}
+		if rule.SecretGroup != 0 {
+			customRules[idx].Rule.SecretGroup = rule.SecretGroup
+		}
+	}
+	return customRules, nil
+}
+
 func getFindingId(item plugins.Item, finding report.Finding) string {
 	idParts := []string{item.ID, finding.RuleID, finding.Secret}
 	sha := sha1.Sum([]byte(strings.Join(idParts, "-")))
@@ -369,6 +393,12 @@ func loadAllRules() ([]Rule, error) {
 	allRules = append(allRules, Rule{Rule: *rules.YandexAccessToken(), Tags: []string{TagAccessToken}})
 	allRules = append(allRules, Rule{Rule: *rules.ZendeskSecretKey(), Tags: []string{TagSecretKey}})
 
+	builtCustomRules, err := addCustomRules(customRules)
+	if err != nil {
+		return nil, err
+	}
+	allRules = append(allRules, builtCustomRules...)
+
 	return allRules, nil
 }
 

@@ -31,6 +31,24 @@ func TestLoadAllRules_DuplicateRuleID(t *testing.T) {
 	}
 }
 
+func TestLoadAllRules_CustomRulesLoaded(t *testing.T) {
+	allRules, err := loadAllRules()
+	ruleIDMap := make(map[string]bool)
+	if err != nil {
+		t.Error(err)
+	}
+
+	for _, rule := range allRules {
+		ruleIDMap[rule.Rule.RuleID] = true
+	}
+	for _, customRule := range customRules {
+		_, ok := ruleIDMap[customRule.RuleID]
+		if !ok {
+			t.Errorf("custom rule not found: %s", customRule.RuleID)
+		}
+	}
+}
+
 func TestIsAllFilter_AllFilterNotPresent(t *testing.T) {
 	filters := []string{"token", "key"}