AllSecretMatchers returns the default list of SecretMatchers
()
| 89 | |
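| 90 | // AllSecretMatchers returns the default list of SecretMatchers. The inline REACT_APP_ object matcher and the generic "secret" pair matcher are still in the list but return nil on entry (disabled for false positives), so they report nothing. |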
| 91 | func AllSecretMatchers() []SecretMatcher { |
| 92 | |
| 93 | return []SecretMatcher{ |
| 94 | awsMatcher(), |
| 95 | gcpKeyMatcher(), |
| 96 | firebaseMatcher(), |
| 97 | githubKeyMatcher(), |
| 98 | |
| 99 | // REACT_APP_... containing objects |
| 100 | {"(object) @matches", func(n *Node) *Secret { |
| 101 | |
| 102 | // disabled due to high false positive rate |
| 103 | return nil |
| 104 | |
| 105 | o := n.AsObject() |
| 106 | |
| 107 | hasReactAppKeys := false |
| 108 | for _, k := range o.GetKeys() { |
| 109 | if strings.HasPrefix(k, "REACT_APP_") { |
| 110 | hasReactAppKeys = true |
| 111 | break |
| 112 | } |
| 113 | } |
| 114 | |
| 115 | if !hasReactAppKeys { |
| 116 | return nil |
| 117 | } |
| 118 | |
| 119 | return &Secret{ |
| 120 | Kind: "reactApp", |
| 121 | Data: o.AsMap(), |
| 122 | } |
| 123 | }}, |
| 124 | |
| 125 | // generic secrets |
| 126 | {"(pair) @matches", func(n *Node) *Secret { |
| 127 | |
| 128 | // disabled due to very high false positive rate |
| 129 | // but left easy to enable for research purposes |
| 130 | return nil |
| 131 | |
| 132 | key := n.ChildByFieldName("key") |
| 133 | if key == nil { |
| 134 | return nil |
| 135 | } |
| 136 | |
| 137 | keyStr := strings.ToLower(key.RawString()) |
| 138 | if !strings.Contains(keyStr, "secret") { |
| 139 | return nil |
| 140 | } |
| 141 | |
| 142 | value := n.ChildByFieldName("value") |
| 143 | if value == nil || value.Type() != "string" { |
| 144 | return nil |
| 145 | } |
| 146 | |
| 147 | data := map[string]string{ |
| 148 | "key": value.RawString(), |