Substantially improved and revamped credential pattern matching (See testing/regex_testing/test_cases.txt for a comprehensive set of examples for all pattern matching enhancements listed in this update)
- Added support for XML formatted passwords/secrets
- Added support for `Password: notquotedvalue` (we already supported password followed by an equal sign; this adds the colon form without quotes)
- Condensed regexes (easier to maintain and keep everything in sync)
- Increased our testing suite to over 1,100 test cases
- Enhanced environment variable detection, including increased language support (`${variable}`, `#{variable}`, `%%variable%%`, etc.)
- Password/secret/key values beginning with `$` will not be flagged unless an additional numeric or special character is included in the value: `myPwd = $uperStr0ng` will be flagged, but `myPwd = $password` will not be flagged as it is assumed to be a variable (known limitation: we do not yet process regexes based on file extension)
- Password/secret/key values wrapped in `${}`, `#{}`, or `{}` are assumed to be variables and will not be flagged even if they contain a numeric value, i.e. `apiKey = $S3_APIKEY` will be flagged, but `apiKey = ${S3_APIKEY}` will not be flagged
- XML formatted passwords/secrets/keys have an additional environment variable check to consider values wrapped in `%%` as environment variables, i.e. `<Password>%%variable%%</Password>` is considered a variable
- Updated keys regex to look for more characters (matches password chars now)
- A wider range of special characters will now be included to help identify more hard-coded credentials
- Overall reduction in false positives due to new credential character requirements
- To be flagged as a hard-coded password/secret/key the value must now include at least one special or numeric character
- Updated SEDATED® references from ℠ to ®
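The rules listed above (colon and equals assignments, XML tags, `$`-prefixed values, `${}`/`#{}`/`{}`/`%%` wrapping, and the numeric-or-special-character requirement) as one small scanner. This is an added example written for this page, not SEDATED's own code or regexes; the keyword list, the sample lines, and the choice to treat `_` as a plain identifier character are assumptions made here.

```python
import re

# Assumption: a short credential-ish keyword list for illustration; the
# project's own keyword coverage is broader and is not reproduced here.
KEYWORD = r"(?:password|passwd|pwd|secret|api[_-]?key|key|token)"

# name = value  /  name: value, value optionally wrapped in matching quotes.
KV_RE = re.compile(
    r"\b(?P<name>\w*" + KEYWORD + r"\w*)\s*[:=]\s*"
    r"(?P<q>['\"]?)(?P<value>[^'\"\s,;]+)(?P=q)",
    re.IGNORECASE,
)

# <Password>value</Password> style XML element.
XML_RE = re.compile(
    r"<(?P<name>\w*" + KEYWORD + r"\w*)>(?P<value>[^<]+)</(?P=name)>",
    re.IGNORECASE,
)

# Whole value is an interpolation: ${x}, #{x}, {x} or %%x%%.
WRAPPED_VAR_RE = re.compile(r"^(?:\$\{[^}]*\}|#\{[^}]*\}|\{[^}]*\}|%%[^%]+%%)$")


def has_digit_or_special(s):
    """True if s contains anything other than letters and underscores.
    Assumption: '_' is treated as an identifier character, not a special one."""
    return any(not (c.isalpha() or c == "_") for c in s)


def is_variable_reference(value):
    """Wrapped interpolations are variables even if they contain digits;
    a bare $name is a variable only when nothing after the $ is a digit/special."""
    if WRAPPED_VAR_RE.match(value):
        return True
    return value.startswith("$") and not has_digit_or_special(value[1:])


def classify_value(value):
    """FLAGGED = hard-coded credential; VARIABLE = assumed interpolation;
    PLAIN = matched a credential pattern but lacks a digit/special character."""
    if is_variable_reference(value):
        return "VARIABLE"
    if not has_digit_or_special(value):
        return "PLAIN"
    return "FLAGGED"


def find_credential(line):
    """Return (name, value) if the line assigns a credential-like value, else None."""
    m = XML_RE.search(line) or KV_RE.search(line)
    return (m.group("name"), m.group("value")) if m else None


def scan(lines):
    """Return (line_no, name, value, verdict) for every credential-like assignment."""
    results = []
    for n, line in enumerate(lines, 1):
        hit = find_credential(line)
        if hit:
            name, value = hit
            results.append((n, name, value, classify_value(value)))
    return results


# Constructed sample input for the example; not taken from the project's test suite.
SAMPLES = [
    'password = "s3cr3t!"',
    "Password: n0tquotedvalue",
    "Password: notquotedvalue",
    "myPwd = $uperStr0ng",
    "myPwd = $password",
    "apiKey = $S3_APIKEY",
    "apiKey = ${S3_APIKEY}",
    "secret = #{rails_secret}",
    "token = {TOKEN1}",
    "<Password>%%DB_PASS%%</Password>",
    "<Password>Tr0ub4dor&3</Password>",
    "username = admin",
]

if __name__ == "__main__":
    for n, name, value, verdict in scan(SAMPLES):
        print(f"{n:2}: {verdict:8} {name} -> {value}")
```

Note that `Password: notquotedvalue` is matched by the colon pattern but ends up `PLAIN`, not `FLAGGED`: the new character requirement applies after the pattern match, which is why the example keeps "matched" and "flagged" as separate outcomes.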