Merge pull request #4444 from BerriAI/litellm_better_Secret_redact

[Feat] Improve secret detection call hook - catch more cases

enterprise/enterprise_hooks/secrets_plugins/adafruit.py

@@ -0,0 +1,23 @@
+"""
+This plugin searches for Adafruit keys
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class AdafruitKeyDetector(RegexBasedDetector):
+    """Scans for Adafruit keys."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Adafruit API Key"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            re.compile(
+                r"""(?i)(?:adafruit)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            )
+        ]

enterprise/enterprise_hooks/secrets_plugins/adobe.py

@@ -0,0 +1,26 @@
+"""
+This plugin searches for Adobe keys
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class AdobeSecretDetector(RegexBasedDetector):
+    """Scans for Adobe client keys."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Adobe Client Keys"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            # Adobe Client ID (OAuth Web)
+            re.compile(
+                r"""(?i)(?:adobe)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            ),
+            # Adobe Client Secret
+            re.compile(r"(?i)\b((p8e-)[a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)"),
+        ]

enterprise/enterprise_hooks/secrets_plugins/age_secret_key.py

@@ -0,0 +1,21 @@
+"""
+This plugin searches for Age secret keys
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class AgeSecretKeyDetector(RegexBasedDetector):
+    """Scans for Age secret keys."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Age Secret Key"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            re.compile(r"""AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}"""),
+        ]

enterprise/enterprise_hooks/secrets_plugins/airtable_api_key.py

@@ -0,0 +1,23 @@
+"""
+This plugin searches for Airtable API keys
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class AirtableApiKeyDetector(RegexBasedDetector):
+    """Scans for Airtable API keys."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Airtable API Key"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            re.compile(
+                r"""(?i)(?:airtable)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{17})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            ),
+        ]

enterprise/enterprise_hooks/secrets_plugins/algolia_api_key.py

@@ -0,0 +1,21 @@
+"""
+This plugin searches for Algolia API keys
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class AlgoliaApiKeyDetector(RegexBasedDetector):
+    """Scans for Algolia API keys."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Algolia API Key"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            re.compile(r"""(?i)\b((LTAI)[a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)"""),
+        ]

enterprise/enterprise_hooks/secrets_plugins/alibaba.py

@@ -0,0 +1,26 @@
+"""
+This plugin searches for Alibaba secrets
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class AlibabaSecretDetector(RegexBasedDetector):
+    """Scans for Alibaba AccessKey IDs and Secret Keys."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Alibaba Secrets"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            # For Alibaba AccessKey ID
+            re.compile(r"""(?i)\b((LTAI)[a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)"""),
+            # For Alibaba Secret Key
+            re.compile(
+                r"""(?i)(?:alibaba)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            ),
+        ]

enterprise/enterprise_hooks/secrets_plugins/asana.py

@@ -0,0 +1,28 @@
+"""
+This plugin searches for Asana secrets
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class AsanaSecretDetector(RegexBasedDetector):
+    """Scans for Asana Client IDs and Client Secrets."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Asana Secrets"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            # For Asana Client ID
+            re.compile(
+                r"""(?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            ),
+            # For Asana Client Secret
+            re.compile(
+                r"""(?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            ),
+        ]

enterprise/enterprise_hooks/secrets_plugins/atlassian_api_token.py

@@ -0,0 +1,24 @@
+"""
+This plugin searches for Atlassian API tokens
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class AtlassianApiTokenDetector(RegexBasedDetector):
+    """Scans for Atlassian API tokens."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Atlassian API token"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            # For Atlassian API token
+            re.compile(
+                r"""(?i)(?:atlassian|confluence|jira)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            ),
+        ]

enterprise/enterprise_hooks/secrets_plugins/authress_access_key.py

@@ -0,0 +1,24 @@
+"""
+This plugin searches for Authress Service Client Access Keys
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class AuthressAccessKeyDetector(RegexBasedDetector):
+    """Scans for Authress Service Client Access Keys."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Authress Service Client Access Key"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            # For Authress Service Client Access Key
+            re.compile(
+                r"""(?i)\b((?:sc|ext|scauth|authress)_[a-z0-9]{5,30}\.[a-z0-9]{4,6}\.acc[_-][a-z0-9-]{10,32}\.[a-z0-9+/_=-]{30,120})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            ),
+        ]

enterprise/enterprise_hooks/secrets_plugins/beamer_api_token.py

@@ -0,0 +1,24 @@
+"""
+This plugin searches for Beamer API tokens
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class BeamerApiTokenDetector(RegexBasedDetector):
+    """Scans for Beamer API tokens."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Beamer API token"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            # For Beamer API token
+            re.compile(
+                r"""(?i)(?:beamer)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(b_[a-z0-9=_\-]{44})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            ),
+        ]

enterprise/enterprise_hooks/secrets_plugins/bitbucket.py

@@ -0,0 +1,28 @@
+"""
+This plugin searches for Bitbucket Client ID and Client Secret
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class BitbucketDetector(RegexBasedDetector):
+    """Scans for Bitbucket Client ID and Client Secret."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Bitbucket Secrets"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            # For Bitbucket Client ID
+            re.compile(
+                r"""(?i)(?:bitbucket)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            ),
+            # For Bitbucket Client Secret
+            re.compile(
+                r"""(?i)(?:bitbucket)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            ),
+        ]

enterprise/enterprise_hooks/secrets_plugins/bittrex.py

@@ -0,0 +1,28 @@
+"""
+This plugin searches for Bittrex Access Key and Secret Key
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class BittrexDetector(RegexBasedDetector):
+    """Scans for Bittrex Access Key and Secret Key."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Bittrex Secrets"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            # For Bittrex Access Key
+            re.compile(
+                r"""(?i)(?:bittrex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            ),
+            # For Bittrex Secret Key
+            re.compile(
+                r"""(?i)(?:bittrex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            ),
+        ]

enterprise/enterprise_hooks/secrets_plugins/clojars_api_token.py

@@ -0,0 +1,22 @@
+"""
+This plugin searches for Clojars API tokens
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class ClojarsApiTokenDetector(RegexBasedDetector):
+    """Scans for Clojars API tokens."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Clojars API token"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            # For Clojars API token
+            re.compile(r"(?i)(CLOJARS_)[a-z0-9]{60}"),
+        ]

enterprise/enterprise_hooks/secrets_plugins/codecov_access_token.py

@@ -0,0 +1,24 @@
+"""
+This plugin searches for Codecov Access Token
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class CodecovAccessTokenDetector(RegexBasedDetector):
+    """Scans for Codecov Access Token."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Codecov Access Token"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            # For Codecov Access Token
+            re.compile(
+                r"""(?i)(?:codecov)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            ),
+        ]

enterprise/enterprise_hooks/secrets_plugins/coinbase_access_token.py

@@ -0,0 +1,24 @@
+"""
+This plugin searches for Coinbase Access Token
+"""
+
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class CoinbaseAccessTokenDetector(RegexBasedDetector):
+    """Scans for Coinbase Access Token."""
+
+    @property
+    def secret_type(self) -> str:
+        return "Coinbase Access Token"
+
+    @property
+    def denylist(self) -> list[re.Pattern]:
+        return [
+            # For Coinbase Access Token
+            re.compile(
+                r"""(?i)(?:coinbase)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)"""
+            ),
+        ]