fix: reduce false positives by hashicorp (#6)

### Description: To add this rule I took examples from the official Hashicorp documentation, but now I used this rule and it find too generic cases such as `const TagPassword = "password"`. Using the `Entropy` field is a balance between true/false positives, since with `3.5` it will ignore almost all passwords less then 10 characters length. ### Checklist: * [x] Does your PR pass tests? * [x] Have you written new tests for your changes? * [x] Have you lint your code locally prior to submission? Original: gitleaks#1358
Checkmarx · Mar 28, 2024 · aea43c0 · aea43c0
1 parent b4c1a00
commit aea43c0
Show file tree

Hide file tree

Showing 4 changed files with 1,498 additions and 8 deletions.
diff --git a/.gitignore b/.gitignore
@@ -21,3 +21,6 @@ testdata/expected/report/*.got.*
 *.out
 
 dist/
+
+#IDE
+.vscode/settings.json
diff --git a/cmd/generate/config/rules/hashicorp.go b/cmd/generate/config/rules/hashicorp.go
@@ -30,20 +30,28 @@ func HashicorpField() *config.Rule {
 	r := config.Rule{
 		Description: "Identified a HashiCorp Terraform password field, risking unauthorized infrastructure configuration and security breaches.",
 		RuleID:      "hashicorp-tf-password",
-		Regex:       generateSemiGenericRegex(keywords, fmt.Sprintf(`"(%s)"`, alphaNumericExtended("8,20")), true),
+		Regex:       generateSemiGenericRegex(keywords, fmt.Sprintf(`"%s"`, alphaNumericExtendedLong("8,20")), true),
 		Keywords:    keywords,
-		SecretGroup: 2,
+		SecretGroup: 1,
+		Entropy:     3.5,
+		Allowlist: config.Allowlist{
+			StopWords: DefaultStopWords,
+		},
 	}
 
 	tps := []string{
 		// Example from: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server.html
-		"administrator_login_password = " + `"thisIsDog11"`,
+		`administrator_login_password = "dgu6ju90k71r"`, // gitleaks:allow
 		// https://registry.terraform.io/providers/petoju/mysql/latest/docs
-		"password       = " + `"rootpasswd"`,
+		`password       = "gcerq4bcholjoh\s"`, // gitleaks:allow
 	}
 	fps := []string{
+		`administrator_login_password = "thisIsDog11"`, // entropy too low
+		`password       = "rootpasswd"`,                // entropy too low
 		"administrator_login_password = var.db_password",
 		`password = "${aws_db_instance.default.password}"`,
+		`update_password: "on_create"`,
+		// `const TagPassword = "dgu6ju90k71r"`, indeed it is a password, but it is not a terraform password field
 	}
 	return validate(r, tps, fps)
 }
diff --git a/cmd/generate/config/rules/rule.go b/cmd/generate/config/rules/rule.go
@@ -134,7 +134,7 @@ func alphaNumericExtended(size string) string {
 }
 
 func alphaNumericExtendedLong(size string) string {
-	return fmt.Sprintf(`[a-z0-9\/=_\+\-]{%s}`, size)
+	return fmt.Sprintf(`[a-z0-9\/=_\+\-\\]{%s}`, size)
 }
 
 func hex8_4_4_4_12() string {
-Original file line number
+Diff line change
@@ Expand Up / @@ -21,3 +21,6 @@ testdata/expected/report/*.got.* @@
     *.out
     dist/
+    #IDE
+    .vscode/settings.json