init
This commit is contained in:
77
.opencode/skills/security-scan/references/secret-patterns.md
Normal file
77
.opencode/skills/security-scan/references/secret-patterns.md
Normal file
@@ -0,0 +1,77 @@
|
||||
# Secret Detection Patterns
|
||||
|
||||
Grep patterns for detecting hardcoded secrets. Use with Grep tool, exclude test/example files.
|
||||
|
||||
## High Confidence (Structured format, low false positive)
|
||||
|
||||
### AWS
|
||||
```
|
||||
AKIA[0-9A-Z]{16}
|
||||
```
|
||||
|
||||
### GitHub (Classic + Fine-grained)
|
||||
```
|
||||
gh[pousr]_[A-Za-z0-9_]{36,255}
|
||||
github_pat_[A-Za-z0-9_]{22,}
|
||||
```
|
||||
|
||||
### Stripe
|
||||
```
|
||||
sk_live_[0-9a-zA-Z]{24,}
|
||||
rk_live_[0-9a-zA-Z]{24,}
|
||||
```
|
||||
|
||||
### Slack
|
||||
```
|
||||
xox[baprs]-[0-9a-zA-Z-]{10,}
|
||||
```
|
||||
|
||||
### Google Cloud
|
||||
```
|
||||
AIza[0-9A-Za-z_-]{35}
|
||||
```
|
||||
|
||||
### Anthropic
|
||||
```
|
||||
sk-ant-[A-Za-z0-9_-]{40,}
|
||||
```
|
||||
|
||||
### Private Keys
|
||||
```
|
||||
-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
|
||||
```
|
||||
|
||||
### JWT / Bearer Tokens (in code, not headers)
|
||||
```
|
||||
eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}
|
||||
```
|
||||
|
||||
## Medium Confidence (Need context verification)
|
||||
|
||||
### Generic API Keys
|
||||
```
|
||||
(?i)(api[_-]?key|apikey|api[_-]?secret)\s*[:=]\s*['"][A-Za-z0-9/+=]{16,}['"]
|
||||
```
|
||||
|
||||
### Database URLs
|
||||
```
|
||||
(?i)(postgres|mysql|mongodb|redis)://[^:]+:[^@]+@
|
||||
```
|
||||
|
||||
### Passwords in Code
|
||||
```
|
||||
(?i)(password|passwd|pwd)\s*[:=]\s*['"][^'"]{8,}['"]
|
||||
```
|
||||
|
||||
### Generic Secrets
|
||||
```
|
||||
(?i)(secret|token|credential)\s*[:=]\s*['"][A-Za-z0-9/+=]{16,}['"]
|
||||
```
|
||||
|
||||
## Exclusion Patterns
|
||||
|
||||
Skip matches in these contexts:
|
||||
- Files: `*.example`, `*.test.*`, `*.spec.*`, `*.md`, `*.txt`
|
||||
- Directories: `node_modules/`, `dist/`, `vendor/`, `__pycache__/`
|
||||
- Content: Lines containing `TODO`, `FIXME`, `YOUR_`, `REPLACE_`, `xxx`, `placeholder`
|
||||
- Content: Variable declarations without actual values (`= process.env.`, `= os.getenv(`)
|
||||
@@ -0,0 +1,105 @@
|
||||
# Vulnerability Code Patterns
|
||||
|
||||
Grep patterns for detecting common vulnerability patterns. Use with Grep tool.
|
||||
|
||||
## SQL Injection
|
||||
|
||||
### String concatenation in queries
|
||||
```
|
||||
(?i)(query|sql|execute)\s*\(.*\+.*\)
|
||||
(?i)(SELECT|INSERT|UPDATE|DELETE|DROP).*['"].*\+
|
||||
```
|
||||
|
||||
### Template literals in queries (JS/TS)
|
||||
```
|
||||
(?i)(query|sql|execute)\s*\(`.*\$\{
|
||||
```
|
||||
|
||||
## XSS (Cross-Site Scripting)
|
||||
|
||||
### Dangerous DOM manipulation
|
||||
```
|
||||
\.innerHTML\s*=
|
||||
dangerouslySetInnerHTML
|
||||
document\.write\(
|
||||
```
|
||||
|
||||
### Unescaped output (template engines)
|
||||
```
|
||||
\{\{\{ # Handlebars unescaped (triple braces)
|
||||
<%-\s* # EJS unescaped (vs <%= escaped)
|
||||
\|safe\b # Jinja2/Django unescaped
|
||||
v-html= # Vue unescaped
|
||||
```
|
||||
|
||||
## Command Injection
|
||||
|
||||
### Unsanitized exec/spawn
|
||||
```
|
||||
(?i)(exec|execSync|spawn|spawnSync)\s*\(.*\+
|
||||
(?i)(exec|execSync|spawn|spawnSync)\s*\(`.*\$\{
|
||||
(?i)child_process.*\(.*\$\{
|
||||
os\.system\(.*\+
|
||||
subprocess\.(call|run|Popen)\(.*\+
|
||||
```
|
||||
|
||||
## Path Traversal
|
||||
|
||||
### User input in file paths
|
||||
```
|
||||
(?i)(readFile|writeFile|createReadStream|open)\s*\(.*req\.(params|query|body)
|
||||
(?i)(readFile|writeFile)\s*\(.*\+.*\)
|
||||
```
|
||||
|
||||
## Insecure Randomness
|
||||
|
||||
### Math.random for security
|
||||
```
|
||||
Math\.random\(\).*(?i)(token|key|secret|password|session|nonce|salt)
|
||||
```
|
||||
|
||||
## Dangerous Functions
|
||||
|
||||
### eval and equivalents
|
||||
```
|
||||
\beval\s*\(
|
||||
new\s+Function\s*\(
|
||||
setTimeout\s*\(\s*['"]
|
||||
setInterval\s*\(\s*['"]
|
||||
```
|
||||
|
||||
### Deserialization
|
||||
```
|
||||
(?i)(pickle\.loads|yaml\.load\(|unserialize\()
|
||||
JSON\.parse\(.*req\.(params|query|body)
|
||||
```
|
||||
|
||||
## Authentication / Authorization
|
||||
|
||||
### Hardcoded credentials
|
||||
```
|
||||
(?i)(admin|root|password)\s*[:=]\s*['"][^'"]{4,}['"]
|
||||
```
|
||||
|
||||
### Disabled security
|
||||
```
|
||||
(?i)(verify|ssl|tls|certificate)\s*[:=]\s*(false|False|0)
|
||||
(?i)rejectUnauthorized\s*:\s*false
|
||||
NODE_TLS_REJECT_UNAUTHORIZED.*0
|
||||
```
|
||||
|
||||
## Information Disclosure
|
||||
|
||||
### Debug/verbose in production
|
||||
```
|
||||
(?i)console\.(log|debug|trace)\s*\(.*(?:password|secret|token|key|credential)
|
||||
(?i)(DEBUG|VERBOSE)\s*[:=]\s*(true|True|1)
|
||||
```
|
||||
|
||||
## False Positive Indicators
|
||||
|
||||
Skip matches containing:
|
||||
- `test`, `spec`, `mock`, `fixture`, `example`, `sample`, `demo`
|
||||
- `TODO`, `FIXME`, `HACK`
|
||||
- Variable declarations reading from env: `process.env.`, `os.getenv(`
|
||||
- Comments (lines starting with `//`, `#`, `/*`)
|
||||
Reference in New Issue
Block a user