generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token

Author: semgrep
Downloads: 37,965

NPM registry authentication token detected


Definition

rules:
  - id: detected-npm-registry-auth-token
    patterns:
      - pattern: $AUTHTOKEN = $VALUE
      - metavariable-regex:
          metavariable: $AUTHTOKEN
          regex: _(authToken|auth|password)
      - pattern-not: $AUTHTOKEN = ${...}
    languages:
      - generic
    message: NPM registry authentication token detected
    paths:
      include:
        - "*npmrc*"
    severity: ERROR
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      category: security
      technology:
        - secrets
        - npm
      confidence: LOW
      owasp:
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Hard-coded Secrets

Examples

detected-npm-registry-auth-token.npmrc

registry="https://registry.npmjs.org/"
always-auth=true
package-lock=false
@myorg:registry=https://somewhere-else.com/myorg
@another:registry=https://somewhere-else.com/another
@acme:registry=https://acme.npm/releases
# Informative
email=test@example.com
# Risk
# ruleid: detected-npm-registry-auth-token
_auth = stvtaW46YWRtaW4=
# ruleid: detected-npm-registry-auth-token
//registry.npmjs.org/:_authToken=27dfe8d8-889b-4380-92ff-9c3c6ea5d478
# ruleid: detected-npm-registry-auth-token
//somewhere-else.com/another:_auth=CorrectHorseBatteryStaple
# ruleid: detected-npm-registry-auth-token
//acme.npm/releases:_password=CorrectHorseBatteryStaple
# ok: detected-npm-registry-auth-token
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
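To show what the rule's three clauses amount to when run over the fixture above, here is an added Python check (not Semgrep's engine and not part of the rule) that mirrors them: a key matching the unanchored regex `_(authToken|auth|password)`, an `=` with a value, and an exclusion for `${...}` environment references. The sample `.npmrc` content is constructed from the page's example; note that because the regex is unanchored, `_auth` also covers `_authToken` and any key ending in one of the three suffixes, which is why the rule carries LOW confidence.

```python
import re
from typing import List, Tuple

# Constructed sample .npmrc content mirroring the page's test fixture.
SAMPLE_NPMRC = """\
registry="https://registry.npmjs.org/"
always-auth=true
@acme:registry=https://acme.npm/releases
email=test@example.com
_auth = stvtaW46YWRtaW4=
//registry.npmjs.org/:_authToken=27dfe8d8-889b-4380-92ff-9c3c6ea5d478
//somewhere-else.com/another:_auth=CorrectHorseBatteryStaple
//acme.npm/releases:_password=CorrectHorseBatteryStaple
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
"""

# Key must contain _authToken, _auth or _password (same unanchored regex as the rule's
# metavariable-regex), followed by '=' with optional whitespace and a non-empty value.
KEY_VALUE = re.compile(r"^(?P<key>[^=\s]*_(?:authToken|auth|password))\s*=\s*(?P<value>\S.*)$")
# The rule's pattern-not: a value that is an environment-variable reference like ${NPM_TOKEN}.
ENV_REF = re.compile(r"^\$\{[^}]*\}\s*$")


def find_hardcoded_npm_credentials(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, key) for every .npmrc line that would trigger the rule."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue  # comments and blank lines carry no credential
        m = KEY_VALUE.match(stripped)
        if m is None:
            continue  # key is not one of the credential keys
        if ENV_REF.match(m.group("value")):
            continue  # ${VAR} is resolved at runtime, so it is not a hard-coded secret
        findings.append((lineno, m.group("key")))
    return findings


if __name__ == "__main__":
    for lineno, key in find_hardcoded_npm_credentials(SAMPLE_NPMRC):
        print(f"line {lineno}: hard-coded credential in key {key!r}")
```

The four `ruleid` lines of the fixture are reported and the `${NPM_TOKEN}` line is not, matching the rule's annotations.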