generic.secrets.gitleaks.jwt.jwt

profile photo of semgrepsemgrep
Author
unknown
Download Count*

A gitleaks jwt was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).

Run Locally

Run in CI

Defintion

rules:
  - id: jwt
    message: A gitleaks jwt was detected which attempts to identify hard-coded
      credentials. It is not recommended to store credentials in source-code, as
      this risks secrets being leaked and used by either an internal or external
      malicious adversary. It is recommended to use environment variables to
      securely provide credentials or retrieve credentials from a secure vault
      or HSM (Hardware Security Module).
    languages:
      - regex
    severity: INFO
    metadata:
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      category: security
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      cwe2021-top25: true
      cwe2022-top25: true
      owasp:
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
      source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
      subcategory:
        - vuln
      technology:
        - gitleaks
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Hard-coded Secrets
    patterns:
      - pattern-regex: \b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/\\_-]{17,}\.(?:[a-zA-Z0-9\/\\_-]{10,}={0,2})?)(?:['|\"|\n|\r|\s|\x60|;]|$)

Examples

jwt.go

// ruleid: jwt
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c