generic.secrets.security.detected-private-key.detected-private-key

Community Favorite
profile photo of semgrepsemgrep
Author
42,313
Download Count*
LGPL Commons Clause
License

Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: detected-private-key
    patterns:
      - pattern-either:
          - patterns:
              - pattern: -----BEGIN $TYPE PRIVATE KEY----- $KEY
              - metavariable-regex:
                  metavariable: $TYPE
                  regex: (?i)([dr]sa|ec|openssh|encrypted)?
          - patterns:
              - pattern: |
                  -----BEGIN PRIVATE KEY-----
                  $KEY
      - metavariable-analysis:
          metavariable: $KEY
          analyzer: entropy
    languages:
      - generic
    message: Private Key detected. This is a sensitive credential and should not be
      hardcoded here. Instead, store this in a separate, private file.
    severity: ERROR
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
      category: security
      technology:
        - secrets
      confidence: LOW
      owasp:
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Hard-coded Secrets

Examples

detected-private-key.txt

# ruleid: detected-private-key
-----BEGIN PRIVATE KEY-----
MIIEogIBAAKCAQEAjosMtDUqbE1/8zxZac1t8fkh2SxGuMXHk9yxniyM2m76donW

# ruleid: detected-private-key
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAjosMtDUqbE1/8zxZac1t8fkh2SxGuMXHk9yxniyM2m76donW

# ruleid: detected-private-key
-----BEGIN DSA PRIVATE KEY-----
MIIEogIBAAKCAQEAjosMtDUqbE1/8zxZac1t8fkh2SxGuMXHk9yxniyM2m76donW

# ruleid: detected-private-key
-----BEGIN OPENSSH PRIVATE KEY-----
MIIEogIBAAKCAQEAjosMtDUqbE1/8zxZac1t8fkh2SxGuMXHk9yxniyM2m76donW

# ruleid: detected-private-key
-----BEGIN EC PRIVATE KEY-----
MIIEogIBAAKCAQEAjosMtDUqbE1/8zxZac1t8fkh2SxGuMXHk9yxniyM2m76donW

# ruleid: detected-private-key
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIEogIBAAKCAQEAjosMtDUqbE1/8zxZac1t8fkh2SxGuMXHk9yxniyM2m76donW

# ok: detected-private-key
-----BEGIN ENCRYPTED PRIVATE KEY-----
abababababababababababababababab