@rgmz rgmz commented Jun 16, 2023

Description:

This PR adds a detection for Azure Active Directory client secrets.

Outdated issue; I've removed the allowlist

Warning
For some reason the generator does not apply the Allowlist to the generated config.
I think the config template logic needs to be updated.

Input

"Q~",
},
Allowlist: config.Allowlist{
Regexes: []*regexp.Regexp{
regexp.MustCompile(`^~+$`),
},
},

Output

[[rules]]
description = "Azure AD Client Secret"
id = "azure-ad-client-secret"
regex = '''(?:^|[\\'"` >=:])([a-zA-Z0-9_~.]{3}\dQ~[a-zA-Z0-9_~.-]{31,34})(?:$|[\\'"` <])'''
secretGroup = 1
keywords = [
"q~",
]

Checklist:

  • Does your PR pass tests?
  • Have you written new tests for your changes?
  • Have you linted your code locally prior to submission? (go vet, right?)
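
Added example, not part of the PR or gitleaks' own code: a Go program that compiles the regex from the generated rule above and runs it over constructed sample lines, showing which delimiters and tail lengths the rule accepts. The line-by-line scan and the substring keyword check are simplifying assumptions, and every sample value is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Regex copied from the generated rule in the PR description.
var azureADRegex = regexp.MustCompile(
	"(?:^|[\\\\'\"` >=:])([a-zA-Z0-9_~.]{3}\\dQ~[a-zA-Z0-9_~.-]{31,34})(?:$|[\\\\'\"` <])")

// hasKeyword stands in for the rule's keyword ("q~") prefilter:
// a case-insensitive substring test (assumption).
func hasKeyword(line string) bool {
	return strings.Contains(strings.ToLower(line), "q~")
}

// findAzureADSecrets scans line by line (a simplification) and returns
// capture group 1 (the rule's secretGroup) of each match.
func findAzureADSecrets(text string) []string {
	var found []string
	for _, line := range strings.Split(text, "\n") {
		if !hasKeyword(line) {
			continue // cheap rejection before the regex runs
		}
		for _, m := range azureADRegex.FindAllStringSubmatch(line, -1) {
			found = append(found, m[1])
		}
	}
	return found
}

// sampleInput returns constructed, non-functional values shaped like the pattern.
func sampleInput() string {
	fake := func(n int) string { return "abc1Q~" + strings.Repeat("x", n) }
	return strings.Join([]string{
		`client_secret = "` + fake(34) + `"`, // quoted, 34-char tail: match
		"AZURE_CLIENT_SECRET=" + fake(31),    // 31-char tail at end of line: match
		`client_secret = "` + fake(30) + `"`, // tail one char short: no match
		"id=zz" + fake(34),                   // no delimiter before the value: no match
		"See the FAQ~ section",               // keyword hit, regex miss
	}, "\n")
}

func main() {
	for _, s := range findAzureADSecrets(sampleInput()) {
		fmt.Println(s)
	}
}
```
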

@rgmz rgmz mentioned this pull request Jun 16, 2023
@rgmz rgmz force-pushed the feat/azure-ad-secret branch 3 times, most recently from 9a25ec4 to ce5a5ca Compare June 20, 2023 16:36
@NsovoBaloyi

The Generic API key rule should be able to pick up Azure secrets after this pull request is merged #1130

The current rule won't pick up secrets if that secret has special characters in it

@rgmz

rgmz commented Jun 22, 2023

> The Generic API key rule should be able to pick up Azure secrets after this pull request is merged #1130

Eh, given that Azure AD client secrets (appear to) have a known well-defined pattern, I'd rather have a separate pattern to detect them with high confidence than assume they'll be picked up by the generic rule. The generic rule is a balancing act between false and true positives, per #1165 (comment).

@rgmz rgmz force-pushed the feat/azure-ad-secret branch 4 times, most recently from df43a03 to 6c002a7 Compare August 20, 2023 00:24
@rgmz rgmz force-pushed the feat/azure-ad-secret branch 3 times, most recently from c89da25 to 7fb6957 Compare October 8, 2024 23:00
@rgmz rgmz force-pushed the feat/azure-ad-secret branch from 7fb6957 to 1dee4e2 Compare October 8, 2024 23:05
@zricethezav zricethezav merged commit 8fb39ba into gitleaks:master Oct 9, 2024
1 check passed
@rgmz rgmz deleted the feat/azure-ad-secret branch October 9, 2024 11:47
alayne222 pushed a commit to alayne222/gitleaks that referenced this pull request May 28, 2025