Skip to content

feat(rules): Add 1Password secret key detection #1834

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Apr 30, 2025
Merged

feat(rules): Add 1Password secret key detection #1834

merged 7 commits into from
Apr 30, 2025

Conversation

jrdnbradford
Copy link
Contributor

Description:

Closes #1813 by adding support for detecting 1Password secret keys.

Checklist:

  • Does your PR pass tests?
  • Have you written new tests for your changes?
  • Have you lint your code locally prior to submission?

rgmz
rgmz reviewed Apr 17, 2025
View reviewed changes
Copy link
Contributor

@rgmz rgmz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks pretty high confidence. :O

@jrdnbradford
Copy link
Contributor Author

jrdnbradford commented Apr 17, 2025
edited
Loading

Thanks for this feedback, @rgmz! I've made these changes. The tests failed due to GenerateSampleSecrets just happening to create a key that didn't match the minimum set Entropy of 4.

I ran

 for i in $(seq 100); do go generate ./... ; done

And it only generated a tps key with an Entropy < 4 once for this new rule that caused a validation failure (although there were a few other tpss that failed to validate for other rules, I presume due to a similar issue). I can lower Entropy a bit, or leave as is. Whichever you prefer.

@jrdnbradford
Copy link
Contributor Author

jrdnbradford commented Apr 17, 2025
edited
Loading

After running some simulations I found that GenerateSampleSecrets was creating more low entropy tpss for the 1Password keys than I thought. I've decreased the Entropy to a value that makes more sense.

@zricethezav
Copy link
Collaborator

ty @jrdnbradford @rgmz. This looks solid to me

@zricethezav zricethezav merged commit 23cb69f into gitleaks:master Apr 30, 2025
2 checks passed
@jrdnbradford jrdnbradford deleted the 1pw-secret-key branch April 30, 2025 15:18
alayne222 pushed a commit to alayne222/gitleaks that referenced this pull request May 28, 2025
@jrdnbradford @rgmz
feat(rules): Add 1Password secret key detection (gitleaks#1834)
b8589ac 
* Add `1password-secret-key` detection

* Document key details

* Update cmd/generate/config/rules/1password.go

Co-authored-by: Richard Gomez <32133502+rgmz@users.noreply.github.com>

* Generate new `.toml`

* Use `GenerateSampleSecrets` to test more scenarios

* Comment lowercase `fps`

* Decrease entropy

---------

Co-authored-by: Richard Gomez <32133502+rgmz@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@rgmz rgmz rgmz left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

1Password Secret Key Rule
3 participants
@jrdnbradford @zricethezav @rgmz