
Commit 107a418

authored
Add support for GitLab Runner Tokens (Routable) (gitleaks#1820)
This commit adds support for GitLab's routable runner tokens. For the specification see: https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/cells/routable_tokens/#proposal Issue: gitleaks#1819 Co-authored-by: Nicholas Wittstruck <[email protected]>
1 parent 7fac002 commit 107a418

3 files changed

+25
-0
lines changed


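--- a/cmd/generate/config/main.go
+++ b/cmd/generate/config/main.go
@@ -111,6 +111,7 @@ func main() {
 rules.GitlabPipelineTriggerToken(),
 rules.GitlabRunnerRegistrationToken(),
 rules.GitlabRunnerAuthenticationToken(),
+rules.GitlabRunnerAuthenticationTokenRoutable(),
 rules.GitlabScimToken(),
 rules.GitlabSessionCookie(),
 rules.GitterAccessToken(),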

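--- a/cmd/generate/config/rules/gitlab.go
+++ b/cmd/generate/config/rules/gitlab.go
@@ -177,6 +177,23 @@ func GitlabRunnerAuthenticationToken() *config.Rule {
 return utils.Validate(r, tps, nil)
 }
 
+func GitlabRunnerAuthenticationTokenRoutable() *config.Rule {
+r := config.Rule{
+RuleID: "gitlab-runner-authentication-token-routable",
+Description: "Discovered a GitLab Runner Authentication Token (Routable), posing a risk to CI/CD pipeline integrity and unauthorized access.",
+Regex: regexp.MustCompile(`\bglrt-t\d_[0-9a-zA-Z_\-]{27,300}\.[0-9a-z]{2}[0-9a-z]{7}\b`),
+Entropy: 4,
+Keywords: []string{"glrt-"},
+}
+
+tps := utils.GenerateSampleSecrets("gitlab", "glrt-t"+secrets.NewSecret(utils.Numeric("1"))+"_"+secrets.NewSecret(utils.AlphaNumeric("27"))+"."+secrets.NewSecret(utils.AlphaNumeric("2"))+secrets.NewSecret(utils.AlphaNumeric("7")))
+fps := []string{
+"glrt-tx_xxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxx",
+}
+
+return utils.Validate(r, tps, fps)
+}
+
 func GitlabScimToken() *config.Rule {
 r := config.Rule{
 RuleID: "gitlab-scim-token",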
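Review bot: The only entry in `fps` is rejected by the regex itself, because `t\d` needs a digit and the sample has `tx`, so the test never exercises the `Entropy: 4` threshold on a string that has the real token shape. Adding a second sample that is the same string with `tx` changed to `t1` would pin that a pattern-matching but low-entropy placeholder is not reported, assuming `utils.Validate` applies the rule's entropy check. Separately, the older pattern `glrt-[0-9a-zA-Z_\-]{20}` shown in the config/gitleaks.toml section also matches the first 20 characters after `glrt-` of a routable token, so one leaked token is likely to be reported under both rule IDs, once with a truncated secret. It would help triage to state in a doc comment on `GitlabRunnerAuthenticationTokenRoutable` whether that double report is intended, for example `// Routable tokens also match gitlab-runner-authentication-token; findings from both rules refer to the same secret.`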

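--- a/config/gitleaks.toml
+++ b/config/gitleaks.toml
@@ -2220,6 +2220,13 @@ regex = '''glrt-[0-9a-zA-Z_\-]{20}'''
 entropy = 3
 keywords = ["glrt-"]
 
+[[rules]]
+id = "gitlab-runner-authentication-token-routable"
+description = "Discovered a GitLab Runner Authentication Token (Routable), posing a risk to CI/CD pipeline integrity and unauthorized access."
+regex = '''\bglrt-t\d_[0-9a-zA-Z_\-]{27,300}\.[0-9a-z]{2}[0-9a-z]{7}\b'''
+entropy = 4
+keywords = ["glrt-"]
+
 [[rules]]
 id = "gitlab-scim-token"
 description = "Discovered a GitLab SCIM Token, posing a risk to unauthorized access for a organization or instance."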
