Commit f732bc5

openai-hardcoded-secret-python
1 parent 2f95a8e commit f732bc5

3 files changed

+46
-0
lines changed
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
id: openai-hardcoded-secret-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798]: Use of Hard-coded Credentials
12+
[OWASP A07:2021]: Identification and Authentication Failures
13+
[REFERENCES]
14+
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
15+
utils:
16+
match_api_key:
17+
kind: string_content
18+
regex: \b(sk-[[:alnum:]]{20}T3BlbkFJ[[:alnum:]]{20})\b
19+
inside:
20+
stopBy: end
21+
kind: string
22+
rule:
23+
all:
24+
- matches: match_api_key
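Review bot: the `rule: all:` block wraps a single `matches: match_api_key` clause, so the `all` is redundant; `rule:` followed by `matches: match_api_key` expresses the same thing and is simpler to extend later. Separately, the `match_api_key` regex pins both alphanumeric segments to exactly 20 characters on either side of `T3BlbkFJ`, so a key with any other layout is silently not reported; it is worth stating in `note` (or in the rule id) that the rule targets only this one key shape, so that a clean scan is not read as proof that no credential is hard-coded. The `\b` anchors and the `inside: kind: string` constraint are good: they keep the pattern from firing on a longer token that merely contains the marker or on a match outside a string literal.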
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
id: openai-hardcoded-secret-python
2+
snapshots:
3+
? |
4+
api_key="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"
5+
f = "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"
6+
: labels:
7+
- source: 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
8+
style: primary
9+
start: 9
10+
end: 60
11+
- source: '"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"'
12+
style: secondary
13+
start: 8
14+
end: 61
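Review bot: the `labels` list covers only the first occurrence; the primary span `start: 9` / `end: 60` and the secondary span `start: 8` / `end: 61` line up with the key inside `api_key="..."` on the first line of the source, while the second key on the `f = "..."` line has no label. Confirm this is the intended snapshot shape for a source that contains two matches rather than a truncated snapshot; otherwise a regression that stops the second occurrence from matching would not be caught by this file.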
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
id: openai-hardcoded-secret-python
2+
valid:
3+
- |
4+
openai.api_key="sk-ExamplexT3BlbkFJp6xpvsfpkEsmAJawIm0V"
5+
invalid:
6+
- |
7+
api_key="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"
8+
f = "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"
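Review bot: the `invalid` fixture (and the snapshot that mirrors it) uses a value shaped exactly like a real key, while the `valid` case uses the visibly synthetic `sk-ExamplexT3BlbkFJ...`; prefer a visibly fake value padded to the 20/20 layout the regex expects, so that the repository itself does not trip other secret scanners and reviewers never have to ask whether the value was ever live. The single `valid` case also differs from the `invalid` ones only in the length of the first segment; adding a `valid` case that reads the key from the environment, for example `openai.api_key = os.environ["OPENAI_API_KEY"]`, would exercise the remediation the `message` recommends and document that the rule stays quiet on it.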