Class: Rules::HardcodedSecrets

Inherits:

Base

• Object
• Base
• Rules::HardcodedSecrets

Defined in:

lib/rules/hardcoded_secrets.rb

Constant Summary

PATTERNS =

{
    "AWS access key" => /AKIA[0-9A-Z]{16}/,
    "GitHub personal access token" => /ghp_[A-Za-z0-9]{36}/,
    "GitHub fine-grained PAT" => /github_pat_[A-Za-z0-9_]{82}/,
    "GitHub OAuth token" => /gho_[A-Za-z0-9]{36}/,
    "GitHub server token" => /ghs_[A-Za-z0-9]{36}/,
    "Private key" => /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
    "Slack webhook" => /hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/,
    "Generic API key" => /(?:api[_-]?key|apikey|secret[_-]?key|auth[_-]?token)\s*[:=]\s*['"][A-Za-z0-9]{30,}['"]/i,
}.freeze

PASSWORD_PATTERN =

/password:\s*[^\s${\#]+/i

SAFE_VALUE_PATTERN =

/\$\{\{.*\}\}|\$[A-Z_]+|\A[A-Z][A-Z0-9_]+\z/

SAFE_PASSWORDS =

%w[postgres password test example changeme admin root dummy placeholder true false].freeze

ENV_NAME_SLOTS =

Actions whose ‘with:` slots accept env-var names (not values). When the value looks like an UPPER_SNAKE_CASE identifier it is an env-var name reference, not a hardcoded credential.

{
    /actions\/setup-java/ => %w[server-username server-password gpg-passphrase gpg-private-key keystore-password],
}.freeze

ENV_VAR_NAME_PATTERN =

/\A[A-Z][A-Z0-9_]*\z/

Instance Method Summary

• #check(workflow) ⇒ Object
• #description ⇒ Object
• #name ⇒ Object
• #severity ⇒ Object

Instance Method Details

#check(workflow) ⇒ Object

# File 'lib/rules/hardcoded_secrets.rb', line 31

def check(workflow)
    findings = []
    allowlisted_lines = build_env_name_slot_lines(workflow)

    workflow.raw_lines.each_with_index do |line, idx|
        line_num = idx + 1
        stripped = line.strip

        # Skip comment lines
        next if stripped.start_with?("#")

        PATTERNS.each do |label, pattern|
            if line.match?(pattern)
                findings << finding(workflow,
                    line: line_num,
                    code: stripped,
                    message: "#{label} found hardcoded in workflow",
                    fix: "Move to GitHub Actions secrets: ${{ secrets.SECRET_NAME }}"
                )
            end
        end

        # Check for hardcoded passwords (skip safe references and common test values)
        if line.match?(PASSWORD_PATTERN)
            # Extract the value after password:
            value = line[/password:\s*(.+)/i, 1]&.strip
            if value && !value.match?(SAFE_VALUE_PATTERN) && !value.start_with?("#")
                next if SAFE_PASSWORDS.include?(value.strip.downcase)
                next if allowlisted_lines.include?(line_num)
                findings << finding(workflow,
                    line: line_num,
                    code: stripped,
                    message: "Hardcoded password found in workflow",
                    fix: "Move to GitHub Actions secrets: ${{ secrets.SECRET_NAME }}"
                )
            end
        end
    end

    findings
end

#description ⇒ Object

# File 'lib/rules/hardcoded_secrets.rb', line 4

def description = "Hardcoded secret, token, or key in workflow"

#name ⇒ Object

# File 'lib/rules/hardcoded_secrets.rb', line 3

def name = "hardcoded-secrets"

#severity ⇒ Object

# File 'lib/rules/hardcoded_secrets.rb', line 5

def severity = :critical