Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(java): add hardcoded secret rule (CWE-798) #206

Merged
merged 1 commit into from
Jan 31, 2024
Merged

feat(java): add hardcoded secret rule (CWE-798) #206

merged 1 commit into from
Jan 31, 2024

Conversation

elsapet
Copy link
Collaborator

@elsapet elsapet commented Jan 30, 2024

Description

Add hardcoded secret rule for Java lang. Here we follow the existing PHP rule and catch on non-trivial strings (and char arrays) assigned to suspect variable names like PASSWORD or apiKey.

We do not check for usage as a leaked password in source code is bad practice, whether or not it is in use.

Relates to #197

Checklist

  • I've added a snapshot that shows my rule works as expected.
  • My rule has adequate metadata to explain its use.
  • PR title follows Conventional Commits format

@gitguardian GitGuardian
Copy link

gitguardian bot commented Jan 30, 2024
edited
Loading

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
8500090 Triggered Generic High Entropy Secret 4c5b963 tests/java/lang/hardcoded_secret/testdata/main.java View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

Our GitHub checks need improvements? Share your feedbacks!

@elsapet elsapet requested a review from cfabianski January 30, 2024 13:18
@elsapet
Copy link
Collaborator Author

elsapet commented Jan 30, 2024

GitGuardian warning is expected as we use realistic test data here

@elsapet elsapet force-pushed the feat/java/hardcoded-secrets-rule branch from 238ab7d to 385c688 Compare January 30, 2024 13:21
@elsapet elsapet force-pushed the feat/java/hardcoded-secrets-rule branch from 385c688 to 4c5b963 Compare January 31, 2024 11:05
@elsapet elsapet merged commit 1ef57db into main Jan 31, 2024
19 checks passed
@elsapet elsapet deleted the feat/java/hardcoded-secrets-rule branch January 31, 2024 13:11
@elsapet elsapet changed the title feat(java): add hardcoded secret rule feat(java): add hardcoded secret rule (CWE-798) Feb 2, 2024
@elsapet elsapet mentioned this pull request Feb 2, 2024
Closed
37 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cfabianski cfabianski cfabianski approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@elsapet @cfabianski