add stricter secret detection

2024-06-27 15:12:13 -07:00 · 2024-06-27 15:12:13 -07:00 · 84ee37086c
commit 84ee37086c
parent 552bac586f
96 changed files with 2337 additions and 0 deletions
--- a/enterprise/enterprise_hooks/secrets_plugins/github_token.py
+++ b/enterprise/enterprise_hooks/secrets_plugins/github_token.py
@ -0,0 +1,26 @@
+"""
+This plugin searches for GitHub tokens
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class GitHubTokenCustomDetector(RegexBasedDetector):
+    """Scans for GitHub tokens."""
+
+    @property
+    def secret_type(self) -> str:
+        return "GitHub Token"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            # GitHub App/Personal Access/OAuth Access/Refresh Token
+            # ref. https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/
+            re.compile(r"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36}"),
+            # GitHub Fine-Grained Personal Access Token
+            re.compile(r"github_pat_[0-9a-zA-Z_]{82}"),
+            re.compile(r"gho_[0-9a-zA-Z]{36}"),
+        ]