Added Onfido API token detection to recognize this type of secrets (#…

…3463)
semgrep · Sep 3, 2024 · c2c65f6 · c2c65f6
1 parent e2df3ce
commit c2c65f6
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/generic/secrets/security/detected-onfido-live-api-token.txt b/generic/secrets/security/detected-onfido-live-api-token.txt
@@ -0,0 +1,8 @@
+# ruleid: detected-onfido-live-api-token
+api_live.abc123ABC-_.abc123ABC-_abc123ABC-_abc123ABC-
+
+# ruleid: detected-onfido-live-api-token
+api_live_ca.abc123ABC-_.abc123ABC-_abc123ABC-_abc123ABC-
+
+# ruleid: detected-onfido-live-api-token
+api_live_us.abc123ABC-_.abc123ABC-_abc123ABC-_abc123ABC-
diff --git a/generic/secrets/security/detected-onfido-live-api-token.yaml b/generic/secrets/security/detected-onfido-live-api-token.yaml
@@ -0,0 +1,20 @@
+rules:
+- id: detected-onfido-live-api-token
+  pattern-regex: (?:api_live(?:_[a-zA-Z]{2})?\.[a-zA-Z0-9-_]{11}\.[-_a-zA-Z0-9]{32})
+  languages: [regex]
+  message: Onfido live API Token detected
+  severity: ERROR
+  metadata:
+    cwe:
+    - 'CWE-798: Use of Hard-coded Credentials'
+    category: security
+    technology:
+    - secrets
+    - onfido
+    confidence: HIGH
+    references:
+    - https://documentation.onfido.com/api/latest/#api-tokens
+    subcategory:
+    - audit
+    likelihood: HIGH
+    impact: HIGH