feat(secret): Add built-in secrets rules for Private Packagist #7826
Conversation
| Category: CategoryPrivatePackagist, | ||
| Title: "Private Packagist user token", | ||
| Severity: "HIGH", | ||
| // https://packagist.com/docs/composer-authentication#token-format |
There was a problem hiding this comment.
I don't see any other comments referring to the documentation of the token format, but I thought it would be useful.
Let me know if I should remove it.
|
The Private Packagist token actually contains a checksum which can be calculated based on the prefix and random string, but as far as I'm aware Trivy doesn't support this, so I haven't implemented such a check. |
| ID: "private-packagist-user-token", | ||
| Category: CategoryPrivatePackagist, | ||
| Title: "Private Packagist user token", | ||
| Severity: "HIGH", |
There was a problem hiding this comment.
I couldn't find any documentation on how to choose a severity level for secrets.
How should I determine the level?
There was a problem hiding this comment.
it's hard to say what seriousness to choose for a particular secret.
Unfortunately, there is no documentation or rules for this
but I think HIGH is perfect for this secret
There was a problem hiding this comment.
hello @nicwortel
Thanks for contribution!
left small comments, take a look, please
pkg/fanal/secret/builtin-rules.go
Outdated
| Keywords: []string{"packagist_uut_"}, | ||
| }, | ||
| { | ||
| ID: "private-packagist-organization-token", |
There was a problem hiding this comment.
Tokens differ only in prefixes.
what if we combine them into one secret (private-packagist-token)?
pkg/fanal/secret/builtin-rules.go
Outdated
| Title: "Private Packagist user token", | ||
| Severity: "HIGH", | ||
| // https://packagist.com/docs/composer-authentication#token-format | ||
| Regex: MustCompile(`packagist_uut_(?i)[a-z0-9]{68}`), |
There was a problem hiding this comment.
a prefix, a 60 hexadecimal character long random part, and an eight hexadecimal character long checksum
IIUC we can use a-f0-9.
There was a problem hiding this comment.
Good point, not sure why I didn't think of that myself 🙈
| @@ -0,0 +1,3 @@ | |||
| ORG_READ_TOKEN=packagist_ort_6675e11a686c692f3f2e3b6ce528c3d122d22d912ea69a20713cdf51714ba710ad74 | |||
There was a problem hiding this comment.
nit:
can you add a capital letter to one of the lines?
nicwortel
force-pushed
the
secret-rules-packagist
branch
2 times, most recently
from
9038224 to
5920049
Compare
|
@nicwortel I don't have access to edit this PR |
Private Packagist (Packagist.com) is a package repository for Composer, the dependency manager for PHP. Private Packagist generates user and organization tokens for authentication. All tokens are generated with a prefix and a checksum to help with automated secret scanning. See https://packagist.com/docs/composer-authentication#token-format.
nicwortel
force-pushed
the
secret-rules-packagist
branch
from
5920049 to
6b30b8f
Compare
Done 👍 |
Description
Private Packagist is a package repository for Composer, the dependency manager for PHP. It allows businesses to publish private packages for consumption within their organization, mirror open-source packages, receive vulnerability alerts, etc.
Private Packagist generates user and organization tokens for authentication.
All tokens are generated with a prefix and a checksum to help with automated secret scanning.
See https://packagist.com/docs/composer-authentication#token-format.
This pull requests adds built-in rules for the tokens generated by Private Packagist so Trivy can detect them.
Related issues
None.
Checklist