From dcdc7e4f996f27abe668e79d1cfbe05b60babfb5 Mon Sep 17 00:00:00 2001 From: Braxton Date: Tue, 24 Mar 2026 16:08:51 -0400 Subject: [PATCH 1/6] Add option as common stopword --- .../gitleaks/8.27.0/include/common_stopwords | 3 +- target/patterns/gitleaks/8.18.2 | 36 ++++++++++++------- target/patterns/gitleaks/8.27.0 | 36 ++++++++++++------- 3 files changed, 50 insertions(+), 25 deletions(-) diff --git a/patterns/gitleaks/8.27.0/include/common_stopwords b/patterns/gitleaks/8.27.0/include/common_stopwords index 423a79cc..b7a6199f 100644 --- a/patterns/gitleaks/8.27.0/include/common_stopwords +++ b/patterns/gitleaks/8.27.0/include/common_stopwords @@ -58,9 +58,10 @@ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', diff --git a/target/patterns/gitleaks/8.18.2 b/target/patterns/gitleaks/8.18.2 index 8f552c95..339456bf 100644 --- a/target/patterns/gitleaks/8.18.2 +++ b/target/patterns/gitleaks/8.18.2 @@ -126,9 +126,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -379,9 +380,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -533,9 +535,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -731,9 +734,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -1531,9 +1535,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -1638,9 +1643,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', 
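Review bot: The added `'option'` entry in `patterns/gitleaks/8.27.0/include/common_stopwords` is a short, ordinary word, and gitleaks drops a finding when the extracted secret contains a stopword as a substring. Any candidate value that happens to contain `option` is therefore suppressed by every rule that pulls in this list, which trades real detections for the one false positive being silenced. I would record the motivating case beside the entry, e.g. `# 'option': suppresses <placeholder: the false positive that prompted this>`, or scope the suppression to the rule that fired instead of the shared list. The `target/patterns/gitleaks/8.18.2` and `target/patterns/gitleaks/8.27.0` hunks appear to be generated copies of the same list and inherit the same effect.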
@@ -1782,9 +1788,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -2039,9 +2046,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -2217,9 +2225,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -2343,9 +2352,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -2453,9 +2463,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -2580,9 +2591,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', diff --git a/target/patterns/gitleaks/8.27.0 b/target/patterns/gitleaks/8.27.0 index 8f552c95..339456bf 100644 --- a/target/patterns/gitleaks/8.27.0 +++ b/target/patterns/gitleaks/8.27.0 @@ -126,9 +126,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -379,9 +380,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -533,9 +535,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -731,9 +734,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -1531,9 +1535,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', 
@@ -1638,9 +1643,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -1782,9 +1788,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -2039,9 +2046,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -2217,9 +2225,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -2343,9 +2352,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -2453,9 +2463,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', @@ -2580,9 +2591,10 @@ stopwords = [ 'notreal', 'oauth-basic', 'opens', +'option', +'pass123', 'passp', 'passw', -'pass123', 'path', 'pbench', 'place', From 195fd5c326a5e5edf4a5c57c4403dbe160c28b79 Mon Sep 17 00:00:00 2001 From: Alex Layne Date: Thu, 26 Mar 2026 17:19:46 -0400 Subject: [PATCH 2/6] Added three new rules into testing file --- patterns/gitleaks/8.27.0/98-general.toml | 27 ++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/patterns/gitleaks/8.27.0/98-general.toml b/patterns/gitleaks/8.27.0/98-general.toml index 0e97f661..455843e8 100644 --- a/patterns/gitleaks/8.27.0/98-general.toml +++ b/patterns/gitleaks/8.27.0/98-general.toml 
@@ -49,6 +49,16 @@
 '''(?i)(?:sample|example).{0,128}\b(?:A3T[A-Z0-9]|ACCA|ABIA|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)(?:[A-Z0-9]{16})\b''',
 ]
 
+[[rules]]
+ id = '9eKXOSk_IL5'
+ description = 'AWS API Gateway pattern'
+ regex = '''[0-9a-z]+.execute-api.[0-9a-z.-_]+.amazonaws.com'''
+ tags = ['type:secret', 'alert:repo-owner']
+ keywords = [
+ 'amazonaws',
+ 'execute-api'
+ ]
+
 [[rules]]
 id = 'QqS4RvI6Zmg'
 description = 'Authorization Header'
@@ -817,6 +827,23 @@
 'AIzaSyDr2UxVnv_U85AbhhY8XSHSIavUW0DC-sY',
 ]
 
+[[rules]]
+ id = '9lFJvq24U9i'
+ description = 'Google Cloud Platform OAuth'
+ regex = '''[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com'''
+ tags = ['type:secret', 'alert:repo-owner']
+ keywords = [
+ 'apps',
+ 'googleusercontent',
+ ]
+
+[[rules]]
+ id = '24HsNTZRb7o'
+ description = 'Google OAuth Access Token'
+ regex = '''ya29\.[0-9A-Za-z\-_]+'''
+ keywords = [
+ 'ya29'
+ ]
 [[rules]]
 id = 'F8ySDDFvEPA'
 description = 'Groq API Key'
From de12e8e38268b507c5589457f5b27f063905ecbf Mon Sep 17 00:00:00 2001
From: Alex Layne
Date: Mon, 30 Mar 2026 13:41:34 -0400
Subject: [PATCH 3/6] Move previous changes to correct testing file, add Docker Swarm Token pattern
---
 patterns/gitleaks/8.27.0/98-general.toml | 27 -----------------
 patterns/gitleaks/8.27.0/99-testing.toml | 37 ++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 27 deletions(-)
diff --git a/patterns/gitleaks/8.27.0/98-general.toml b/patterns/gitleaks/8.27.0/98-general.toml
index 455843e8..0e97f661 100644
--- a/patterns/gitleaks/8.27.0/98-general.toml
+++ b/patterns/gitleaks/8.27.0/98-general.toml
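Review bot: In rule `9eKXOSk_IL5` the regex `[0-9a-z]+.execute-api.[0-9a-z.-_]+.amazonaws.com` leaves every `.` outside the class unescaped, and inside the class `.-_` is a range from `.` to `_`, which also admits `/`, `:`, `=`, `@` and the upper-case letters. The rule therefore matches much more than an API Gateway hostname and can run past the end of the host into the rest of a URL. I would change the line to `regex = '''[0-9a-z]+\.execute-api\.[0-9a-z._-]+\.amazonaws\.com'''`. The same line is re-added unchanged to `99-testing.toml` in PATCH 3/6, so the fix is needed there as well.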
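Review bot: The `'apps'` keyword on rule `9lFJvq24U9i` does not narrow anything, because every string the regex can match already contains `googleusercontent`; keywords act as an any-of prefilter, so `'apps'` only makes the rule run on far more content. I would reduce the list to `keywords = ['googleusercontent']`. It would also help to say in a comment above the rule whether this value is meant to be treated as a credential or as an identifier that points at one, since the rule carries `type:secret`. The copy added to `99-testing.toml` in PATCH 3/6 has the same keyword list.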
@@ -49,16 +49,6 @@
 '''(?i)(?:sample|example).{0,128}\b(?:A3T[A-Z0-9]|ACCA|ABIA|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)(?:[A-Z0-9]{16})\b''',
 ]
 
-[[rules]]
- id = '9eKXOSk_IL5'
- description = 'AWS API Gateway pattern'
- regex = '''[0-9a-z]+.execute-api.[0-9a-z.-_]+.amazonaws.com'''
- tags = ['type:secret', 'alert:repo-owner']
- keywords = [
- 'amazonaws',
- 'execute-api'
- ]
-
 [[rules]]
 id = 'QqS4RvI6Zmg'
 description = 'Authorization Header'
@@ -827,23 +817,6 @@
 'AIzaSyDr2UxVnv_U85AbhhY8XSHSIavUW0DC-sY',
 ]
 
-[[rules]]
- id = '9lFJvq24U9i'
- description = 'Google Cloud Platform OAuth'
- regex = '''[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com'''
- tags = ['type:secret', 'alert:repo-owner']
- keywords = [
- 'apps',
- 'googleusercontent',
- ]
-
-[[rules]]
- id = '24HsNTZRb7o'
- description = 'Google OAuth Access Token'
- regex = '''ya29\.[0-9A-Za-z\-_]+'''
- keywords = [
- 'ya29'
- ]
 [[rules]]
 id = 'F8ySDDFvEPA'
 description = 'Groq API Key'
diff --git a/patterns/gitleaks/8.27.0/99-testing.toml b/patterns/gitleaks/8.27.0/99-testing.toml
index c4c77441..9bed4004 100644
--- a/patterns/gitleaks/8.27.0/99-testing.toml
+++ b/patterns/gitleaks/8.27.0/99-testing.toml
@@ -63,6 +63,16 @@
 'uyxv0adauy29tlyis',
 ]
 
+[[rules]]
+ id = '9eKXOSk_IL5'
+ description = 'AWS API Gateway pattern'
+ regex = '''[0-9a-z]+.execute-api.[0-9a-z.-_]+.amazonaws.com'''
+ tags = ['type:secret', 'group:leaktk-testing']
+ keywords = [
+ 'amazonaws',
+ 'execute-api'
+ ]
+
 [[rules]]
 id = 'qUN8svLm9sk'
 description = 'Dropbox Refresh Token'
@@ -90,6 +100,14 @@
 'sl.',
 ]
 
+[[rules]]
+ id = 'dX1904tMEXk'
+ description = 'Docker Swarm Token'
+ regex = '''SWMTKN-1-[a-z0-9]{50}-[a-z0-9]{25}'''
+ keywords = [
+ 'SWMTKN'
+ ]
+
 # This rule WAY WAY overmatches at the moment and can cause the scanner to
 # time out on large json files.
 #
@@ -119,6 +137,25 @@
 # '"universe_domain"',
 # ]
 
+[[rules]]
+ id = '9lFJvq24U9i'
+ description = 'Google Cloud Platform OAuth'
+ regex = '''[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com'''
+ tags = ['type:secret', 'group:leaktk-testing']
+ keywords = [
+ 'apps',
+ 'googleusercontent',
+ ]
+
+[[rules]]
+ id = '24HsNTZRb7o'
+ description = 'Google OAuth Access Token'
+ regex = '''ya29\.[0-9A-Za-z\-_]+'''
+ ['type:secret', 'group:leaktk-testing']
+ keywords = [
+ 'ya29'
+ ]
+
 [[rules]]
 id = 'JH9jBKr63QI'
 description = 'Label Studio API Key'
From b3dde54ce15454f17796c472569c689da38c2940 Mon Sep 17 00:00:00 2001
From: Alex Layne
Date: Mon, 30 Mar 2026 13:43:27 -0400
Subject: [PATCH 4/6] add correct tags to docker swarm token
---
 patterns/gitleaks/8.27.0/99-testing.toml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/patterns/gitleaks/8.27.0/99-testing.toml b/patterns/gitleaks/8.27.0/99-testing.toml
index 9bed4004..864cff45 100644
--- a/patterns/gitleaks/8.27.0/99-testing.toml
+++ b/patterns/gitleaks/8.27.0/99-testing.toml
@@ -104,6 +104,7 @@
 id = 'dX1904tMEXk'
 description = 'Docker Swarm Token'
 regex = '''SWMTKN-1-[a-z0-9]{50}-[a-z0-9]{25}'''
+ tags = ['type:secret', 'group:leaktk-testing']
 keywords = [
 'SWMTKN'
 ]
From 1f276332ace998d8742b9c4d34e2a0ab549f5c05 Mon Sep 17 00:00:00 2001
From: Alex Layne
Date: Mon, 30 Mar 2026 14:02:02 -0400
Subject: [PATCH 5/6] Firefox cookies pattern
---
 patterns/gitleaks/8.27.0/99-testing.toml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/patterns/gitleaks/8.27.0/99-testing.toml b/patterns/gitleaks/8.27.0/99-testing.toml
index 864cff45..94c461ff 100644
--- a/patterns/gitleaks/8.27.0/99-testing.toml
+++ b/patterns/gitleaks/8.27.0/99-testing.toml
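Review bot: In the `24HsNTZRb7o` block added to `99-testing.toml`, the line after `regex` is a bare array, `['type:secret', 'group:leaktk-testing']`, with no key in front of it. That is not valid TOML, since a line opening with `[` is read as a table header, so the file will not parse as written. Depending on how the loader handles the error, this could take every rule in the file out of scanning rather than only this one. The line should read `tags = ['type:secret', 'group:leaktk-testing']`, and a parse check of the pattern files before merge (for example `taplo lint`) would catch this class of mistake.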
@@ -109,6 +109,17 @@
 'SWMTKN'
 ]
 
+[[rules]]
+ id = 'SgR9ek_sCbS'
+ description = 'Firefox Login Cookies File"
+ regex = '''Firefox\/Profiles\/.*\/cookies\.sqlite'''
+ tags = ['type:secret', 'group:leaktk-testing']
+ keywords = [
+ 'Firefox',
+ 'cookies',
+ ]
+
+
 # This rule WAY WAY overmatches at the moment and can cause the scanner to
 # time out on large json files.
 #
From 3c3f712557623fa7f4a80783724c1ebca2a0550e Mon Sep 17 00:00:00 2001
From: Alex Layne
Date: Mon, 30 Mar 2026 14:10:26 -0400
Subject: [PATCH 6/6] Smartsheets and Sonar base patterns
---
 patterns/gitleaks/8.27.0/99-testing.toml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/patterns/gitleaks/8.27.0/99-testing.toml b/patterns/gitleaks/8.27.0/99-testing.toml
index 94c461ff..709d2de8 100644
--- a/patterns/gitleaks/8.27.0/99-testing.toml
+++ b/patterns/gitleaks/8.27.0/99-testing.toml
@@ -119,7 +119,6 @@
 'cookies',
 ]
 
-
 # This rule WAY WAY overmatches at the moment and can cause the scanner to
 # time out on large json files.
 #
@@ -177,6 +176,25 @@
 'label_studio_api_key',
 ]
 
+#Smartsheets and Sonar patterns result in a lot of FPs, need further tuning
+[[rules]]
+ id = 'GoeSKUlQf0Q'
+ description = 'Smartsheets Token"
+ regex = '''smartsheets.{0,40}\b([a-zA-Z0-9]{37})\b'''
+ tags = ['type:secret', 'group:leaktk-testing']
+ keywords = [
+ 'smartsheets'
+ ]
+
+[[rules]]
+ id = 'o1MeiRAJuCr'
+ description = 'Sonar Token"
+ regex = '''sonar.{0,40}\b([a-zA-Z0-9]{37})\b'''
+ tags = ['type:secret', 'group:leaktk-testing']
+ keywords = [
+ 'sonar'
+ ]
+
 [[rules]]
 id = 'X2X0u9K8QKY'
 description = 'SonarQube Token'
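Review bot: The `description` value in rule `SgR9ek_sCbS` opens with `'` and closes with `"` (`'Firefox Login Cookies File"`), so the TOML literal string is never terminated on its line and the file will not parse. The same mismatch appears in PATCH 6/6 on `'Smartsheets Token"` and `'Sonar Token"`. Each should close with a single quote, e.g. `description = 'Firefox Login Cookies File'`. Separately, the `.*` between `Profiles\/` and `\/cookies\.sqlite` is unbounded within a line; `[^\/]+` would keep the match to one profile directory name.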
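Review bot: Both new regexes (`GoeSKUlQf0Q`, `o1MeiRAJuCr`) are case-sensitive, and the Smartsheets one requires the plural literal `smartsheets` in both the keyword and the pattern. An assignment using an upper-case or singular name, such as `SMARTSHEET_ACCESS_TOKEN=…` or `SONAR_TOKEN=…` (constructed examples), would therefore not be reported, which is a coverage gap on top of the false positives the comment already mentions. If that is not intended, I would write `regex = '''(?i)smartsheets?.{0,40}\b([a-zA-Z0-9]{37})\b'''` with `'smartsheet'` as the keyword, and prefix the Sonar regex with `(?i)` as well. The comment above the rules could also state which tuning is still pending so the rules are not promoted out of the testing group as they stand.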