From e13407e1534c0165fcc7ebab9fb124947801b82c Mon Sep 17 00:00:00 2001 From: "matt@temporal.io" Date: Fri, 3 Nov 2023 13:47:21 -0700 Subject: [PATCH 1/3] add temporal api key scanner --- README.md | 1 + vendors/README.md | 24 +++++++++++++++++++++++- vendors/patterns.yml | 35 ++++++++++++++++++++++++++++++++++- vendors/temporal.txt | 29 +++++++++++++++++++++++++++++ 4 files changed, 87 insertions(+), 2 deletions(-) create mode 100644 vendors/temporal.txt diff --git a/README.md b/README.md index 226ab656..74e9c290 100644 --- a/README.md +++ b/README.md @@ -77,3 +77,4 @@ Click on each header to find the patterns and additional information for that se - Okta token - DataDog API key - DataDog APP key +- Temporal API key diff --git a/vendors/README.md b/vendors/README.md index d42af553..edbe0c73 100644 --- a/vendors/README.md +++ b/vendors/README.md @@ -490,4 +490,26 @@ Add these additional matches to the [Secret Scanning Custom Pattern](https://doc - Not Match: `a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9`

- \ No newline at end of file + + +## Temporal API key + + + +*version: v0.1* + +**Comments / Notes:** + +- Temporal API Keys start with prefix tmprl_ + + +
+Pattern Format +

+ +```regex +tmprl_[a-zA-Z0-9]+_[a-zA-Z0-9]+ +``` + +

+
diff --git a/vendors/patterns.yml b/vendors/patterns.yml index fcc9265d..19e2a790 100644 --- a/vendors/patterns.yml +++ b/vendors/patterns.yml @@ -159,7 +159,7 @@ patterns: end: | (\z|[^0-9A-Za-z_+/=-]) additional_not_match: - # Avoid long runs of hexadecimal only + # Avoid long runs of hexadecimal only - "[0-9A-Fa-f-]{30}" # Avoid long runs of alphabetic and _ - only - "[a-zA-Z_-]{30}" @@ -259,3 +259,36 @@ patterns: comments: - "Looks for surrounding context to confirm this is a DataDog App key, not some other 40-byte hex string" + - name: Temporal API key + type: temporal_api_key + regex: + version: 0.1 + pattern: | + tmprl_[a-zA-Z0-9]+_[a-zA-Z0-9]+ + expected: + - name: temporal.txt + start_offset: 30 + end_offset: 132 + - name: temporal.txt + start_offset: 185 + end_offset: 287 + - name: temporal.txt + start_offset: 319 + end_offset: 421 + - name: temporal.txt + start_offset: 482 + end_offset: 584 + - name: temporal.txt + start_offset: 643 + end_offset: 745 + - name: temporal.txt + start_offset: 829 + end_offset: 931 + - name: temporal.txt + start_offset: 996 + end_offset: 1098 + - name: temporal.txt + start_offset: 1154 + end_offset: 1256 + comments: + - "Temporal API Keys start with prefix tmprl_" diff --git a/vendors/temporal.txt b/vendors/temporal.txt new file mode 100644 index 00000000..3c6cff13 --- /dev/null +++ b/vendors/temporal.txt 
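Review bot: The regex added under `+ pattern: |` is unbounded on both sides — `tmprl_[a-zA-Z0-9]+_[a-zA-Z0-9]+` accepts something as short as `tmprl_a_b` — and, unlike the existing pattern touched in the first hunk of this file, it has no `end` delimiter and no `additional_not_match`, so it will fire on prose, placeholders and docs that merely mention the prefix. The only fixture in the series uses a 32-character and a 64-character segment (the corrected offsets in the next patch span 103 characters), so if that is the real key layout `tmprl_[a-zA-Z0-9]{32}_[a-zA-Z0-9]{64}` would be far tighter; if lengths vary, set at least a floor such as `tmprl_[a-zA-Z0-9]{16,}_[a-zA-Z0-9]{32,}` and add `end: | (\z|[^0-9A-Za-z_])` to match the surrounding patterns. The `expected` offsets written here (30/132 and so on) do not line up with the fixture and are rewritten wholesale in the second patch, so the two commits should be squashed rather than landing one whose validation fails. I would also add a negative sample to the fixture (for example `tmprl_example_key` in a comment) so the validator demonstrates that the delimiter and length floors reject false positives, not only that the eight positives match.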
@@ -0,0 +1,29 @@ +# env vars +TEMPORAL_API_KEY=tmprl_LZDV3buJhgjdeiNMwvU9F3JQpOccnVP6_XQPtInroPz3ik8kDcba6IFpyzFLiMrGOtHYzg98iAjRg74RGQOMDezmE8Hlkrjrl + +# some other config format +TEMPORAL_API_KEY = "tmprl_LZDV3buJhgjdeiNMwvU9F3JQpOccnVP6_XQPtInroPz3ik8kDcba6IFpyzFLiMrGOtHYzg98iAjRg74RGQOMDezmE8Hlkrjrl" + +# YAML +temporal_api_key: tmprl_LZDV3buJhgjdeiNMwvU9F3JQpOccnVP6_XQPtInroPz3ik8kDcba6IFpyzFLiMrGOtHYzg98iAjRg74RGQOMDezmE8Hlkrjrl + +# Docker +env: + - name: TEMPORAL_API_KEY + value: "tmprl_LZDV3buJhgjdeiNMwvU9F3JQpOccnVP6_XQPtInroPz3ik8kDcba6IFpyzFLiMrGOtHYzg98iAjRg74RGQOMDezmE8Hlkrjrl" + +# Winston config +new TemporalWinston({ + apiKey:'tmprl_LZDV3buJhgjdeiNMwvU9F3JQpOccnVP6_XQPtInroPz3ik8kDcba6IFpyzFLiMrGOtHYzg98iAjRg74RGQOMDezmE8Hlkrjrl' +}); + +# shell script use of terraformer +terraformer import temporal --api-key=tmprl_LZDV3buJhgjdeiNMwvU9F3JQpOccnVP6_XQPtInroPz3ik8kDcba6IFpyzFLiMrGOtHYzg98iAjRg74RGQOMDezmE8Hlkrjrl + +# content of .tf file +provider "temporal" { + api_key = "tmprl_LZDV3buJhgjdeiNMwvU9F3JQpOccnVP6_XQPtInroPz3ik8kDcba6IFpyzFLiMrGOtHYzg98iAjRg74RGQOMDezmE8Hlkrjrl" +} + +# Capistrano, Capfile +set :temporal_api_key, "tmprl_LZDV3buJhgjdeiNMwvU9F3JQpOccnVP6_XQPtInroPz3ik8kDcba6IFpyzFLiMrGOtHYzg98iAjRg74RGQOMDezmE8Hlkrjrl" From a1b0a5925065647bca61c634fb25bf48d674d54f Mon Sep 17 00:00:00 2001 From: "matt@temporal.io" Date: Fri, 3 Nov 2023 14:13:03 -0700 Subject: [PATCH 2/3] update offsets --- .github/scripts/validate.py | 12 ++++++------ vendors/patterns.yml | 32 ++++++++++++++++---------------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/scripts/validate.py b/.github/scripts/validate.py index a36bd7a7..d4a35eaf 100644 --- a/.github/scripts/validate.py +++ b/.github/scripts/validate.py 
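Review bot: Every sample in this new fixture is the same 103-character token beginning `tmprl_LZDV3buJ`; please confirm it is synthetic or already revoked before it lands, since this corpus is public and the very scanner being added will flag it. A second token of a different length would exercise the pattern better than eight copies of one string, and it would catch a regex that only happens to fit this one key. As a small wording point, the `# Docker` heading sits above what looks like a Kubernetes-style `env:` list of `name`/`value` pairs rather than a Docker file, so `# Kubernetes manifest` would describe the sample more accurately.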
@@ -21,9 +21,9 @@ parser = argparse.ArgumentParser(description="Validate a directory of files.") parser.add_argument("--debug", action="store_true", help="Print debug messages") parser.add_argument("-p", "--path", default="./", help="Directory to scan") -parser.add_argument( - "--token", default=os.environ.get("GITHUB_TOKEN"), help="GitHub token to use" -) +# parser.add_argument( +# "--token", default=os.environ.get("GITHUB_TOKEN"), help="GitHub token to use" +# ) parser_modes = parser.add_argument_group("modes") parser_modes.add_argument("--validate", action="store_true", help="Validation Mode") @@ -219,9 +219,9 @@ def compareSnapshots(default: str, current: str) -> List[str]: logging.warning("No patterns found") sys.exit(0) - GitHub.init( - "advanced-security/secret-scanning-custom-patterns", token=arguments.token - ) + # GitHub.init( + # "mattkim/secret-scanning-custom-patterns", token=arguments.token + # ) secret_scanning = SecretScanning() # todo: caching diff --git a/vendors/patterns.yml b/vendors/patterns.yml index 19e2a790..bc69d687 100644 --- a/vendors/patterns.yml +++ b/vendors/patterns.yml 
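Review bot: Commenting out the `--token` argument at `+# parser.add_argument(` — and, in the companion hunk, pointing `GitHub.init` at a personal fork `mattkim/secret-scanning-custom-patterns` — is a local debugging change, and the third patch in this series reverts both byte for byte, so the net change to `validate.py` is empty. Drop this patch and its revert from the series (squash) instead of merging a commit that temporarily disables the validator's authentication; if running the script without a GitHub token is a real need, make it an explicit documented option rather than commented-out code. Both hunks sit in module-level script code whose surrounding lines are outside the hunk, so I cannot see whether anything else depends on `arguments.token` being defined.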
@@ -267,28 +267,28 @@ patterns: tmprl_[a-zA-Z0-9]+_[a-zA-Z0-9]+ expected: - name: temporal.txt - start_offset: 30 - end_offset: 132 + start_offset: 28 + end_offset: 131 - name: temporal.txt - start_offset: 185 - end_offset: 287 + start_offset: 180 + end_offset: 283 - name: temporal.txt - start_offset: 319 - end_offset: 421 + start_offset: 311 + end_offset: 414 - name: temporal.txt - start_offset: 482 - end_offset: 584 + start_offset: 469 + end_offset: 572 - name: temporal.txt - start_offset: 643 - end_offset: 745 + start_offset: 626 + end_offset: 729 - name: temporal.txt - start_offset: 829 - end_offset: 931 + start_offset: 808 + end_offset: 911 - name: temporal.txt - start_offset: 996 - end_offset: 1098 + start_offset: 969 + end_offset: 1072 - name: temporal.txt - start_offset: 1154 - end_offset: 1256 + start_offset: 1123 + end_offset: 1226 comments: - "Temporal API Keys start with prefix tmprl_" From a4b5f37551bc99ab195872f519c2412c202f698f Mon Sep 17 00:00:00 2001 From: "matt@temporal.io" Date: Fri, 3 Nov 2023 14:13:41 -0700 Subject: [PATCH 3/3] undo github script updates --- .github/scripts/validate.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/scripts/validate.py b/.github/scripts/validate.py index d4a35eaf..a36bd7a7 100644 --- a/.github/scripts/validate.py +++ b/.github/scripts/validate.py @@ -21,9 +21,9 @@ parser = argparse.ArgumentParser(description="Validate a directory of files.") parser.add_argument("--debug", action="store_true", help="Print debug messages") parser.add_argument("-p", "--path", default="./", help="Directory to scan") -# parser.add_argument( -# "--token", default=os.environ.get("GITHUB_TOKEN"), help="GitHub token to use" -# ) +parser.add_argument( + "--token", default=os.environ.get("GITHUB_TOKEN"), help="GitHub token to use" +) parser_modes = parser.add_argument_group("modes") parser_modes.add_argument("--validate", action="store_true", help="Validation Mode") 
@@ -219,9 +219,9 @@ def compareSnapshots(default: str, current: str) -> List[str]: logging.warning("No patterns found") sys.exit(0) - # GitHub.init( - # "mattkim/secret-scanning-custom-patterns", token=arguments.token - # ) + GitHub.init( + "advanced-security/secret-scanning-custom-patterns", token=arguments.token + ) secret_scanning = SecretScanning() # todo: caching