From cc44c8f8bee92250bdcd69bf9fbaffabf0eb442a Mon Sep 17 00:00:00 2001
From: Miguel Neiva
Date: Thu, 29 May 2025 15:26:51 +0100
Subject: [PATCH 1/3] fix: Fix Clojar rule not being correctly caught

---
 engine/rules/clojars.go | 26 ++++++++++++++++++++++++++
 engine/rules/rules.go | 2 +-
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 engine/rules/clojars.go

diff --git a/engine/rules/clojars.go b/engine/rules/clojars.go
new file mode 100644
index 00000000..6a8ed8d8
--- /dev/null
+++ b/engine/rules/clojars.go
@@ -0,0 +1,26 @@
+package rules
+
+import (
+ "fmt"
+ "regexp"
+
+ "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
+ "github.com/zricethezav/gitleaks/v8/config"
+)
+
+func Clojars() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Uncovered a possible Clojars API token, risking unauthorized access to Clojure libraries and potential code manipulation.",
+ RuleID: "clojars-api-token",
+ Regex: regexp.MustCompile(`(?i)(CLOJARS_)([a-z0-9]{60})`),
+ Keywords: []string{"clojars"},
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("clojars", "CLOJARS_"+secrets.NewSecret(alphaNumeric("60"))),
+ }
+ fmt.Println("Sample:", tps[0])
+ return validate(r, tps, nil)
+}
diff --git a/engine/rules/rules.go b/engine/rules/rules.go
index f53ac610..c83d8d6c 100644
--- a/engine/rules/rules.go
+++ b/engine/rules/rules.go
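Review bot: `Clojars()` is exported but has no doc comment, and nothing in the new file records why it shadows the upstream `rules.Clojars()` that rules.go loaded until this patch; the description, RuleID and regex read like a copy, so whoever next bumps gitleaks cannot tell whether this fork is still needed. Add a comment above the function such as `// Clojars is a local copy of the gitleaks Clojars rule, kept here because <reason the upstream rule was not matching>; revisit on the next gitleaks upgrade.` The `fmt.Println("Sample:", tps[0])` line writes the generated sample token to stdout every time the rule list is built; the next patch in this series deletes it, so squashing the two commits would keep the debug print out of history altogether. I assume `generateSampleSecret`, `alphaNumeric` and `validate` are defined elsewhere in this package, since they are not part of the diff.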
@@ -92,7 +92,7 @@ func getDefaultRules() *[]Rule {
 {Rule: *rules.Beamer(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryNewsAndMedia, RuleType: 4}},
 {Rule: *rules.CodecovAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySecurity, RuleType: 4}},
 {Rule: *rules.CoinbaseAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCryptocurrencyExchange, RuleType: 4}},
- {Rule: *rules.Clojars(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryPackageManagement, RuleType: 4}},
+ {Rule: *Clojars(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryPackageManagement, RuleType: 4}},
 {Rule: *rules.ConfluentAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}},
 {Rule: *rules.ConfluentSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}},
 {Rule: *rules.Contentful(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryContentManagementSystem, RuleType: 4}},
From cc843ecf637e74589df380207ac303461b7bfc72 Mon Sep 17 00:00:00 2001
From: Miguel Neiva
Date: Thu, 29 May 2025 15:48:54 +0100
Subject: [PATCH 2/3] fix: github app token not being caught

---
 engine/rules/clojars.go | 2 -
 engine/rules/github.go | 89 +++++++++++++++++++++++++++++++++++++++++
 engine/rules/rules.go | 2 +-
 3 files changed, 90 insertions(+), 3 deletions(-)
 create mode 100644 engine/rules/github.go

diff --git a/engine/rules/clojars.go b/engine/rules/clojars.go
index 6a8ed8d8..dde57ef1 100644
--- a/engine/rules/clojars.go
+++ b/engine/rules/clojars.go
@@ -1,7 +1,6 @@
 package rules
 
 import (
- "fmt"
 "regexp"
 
 "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
@@ -21,6 +20,5 @@ func Clojars() *config.Rule {
 tps := []string{
 generateSampleSecret("clojars", "CLOJARS_"+secrets.NewSecret(alphaNumeric("60"))),
 }
- fmt.Println("Sample:", tps[0])
 return validate(r, tps, nil)
 }
diff --git a/engine/rules/github.go b/engine/rules/github.go
new file mode 100644
index 00000000..d408d996
--- /dev/null
+++ b/engine/rules/github.go
@@ -0,0 +1,89 @@
+package rules
+
+import (
+ "regexp"
+
+ "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
+ "github.com/zricethezav/gitleaks/v8/config"
+)
+
+func GitHubPat() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.",
+ RuleID: "github-pat",
+ Regex: regexp.MustCompile(`ghp_[0-9a-zA-Z]{36}`),
+ Keywords: []string{"ghp_"},
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("github", "ghp_"+secrets.NewSecret(alphaNumeric("36"))),
+ }
+ return validate(r, tps, nil)
+}
+
+func GitHubFineGrainedPat() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Found a GitHub Fine-Grained Personal Access Token, risking unauthorized repository access and code manipulation.",
+ RuleID: "github-fine-grained-pat",
+ Regex: regexp.MustCompile(`github_pat_[0-9a-zA-Z_]{82}`),
+ Keywords: []string{"github_pat_"},
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("github", "github_pat_"+secrets.NewSecret(alphaNumeric("82"))),
+ }
+ return validate(r, tps, nil)
+}
+
+func GitHubOauth() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Discovered a GitHub OAuth Access Token, posing a risk of compromised GitHub account integrations and data leaks.",
+ RuleID: "github-oauth",
+ Regex: regexp.MustCompile(`gho_[0-9a-zA-Z]{36}`),
+ Keywords: []string{"gho_"},
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("github", "gho_"+secrets.NewSecret(alphaNumeric("36"))),
+ }
+ return validate(r, tps, nil)
+}
+
+func GitHubApp() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Identified a GitHub App Token, which may compromise GitHub application integrations and source code security.",
+ RuleID: "github-app-token",
+ Regex: regexp.MustCompile(`ghu_[0-9a-zA-Z]{36}|ghs_[0-9a-zA-Z]{36}`),
+ Keywords: []string{"ghu_", "ghs_"},
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("github", "ghu_"+secrets.NewSecret(alphaNumeric("36"))),
+ generateSampleSecret("github", "ghs_"+secrets.NewSecret(alphaNumeric("36"))),
+ }
+ return validate(r, tps, nil)
+}
+
+func GitHubRefresh() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Detected a GitHub Refresh Token, which could allow prolonged unauthorized access to GitHub services.",
+ RuleID: "github-refresh-token",
+ Regex: regexp.MustCompile(`ghr_[0-9a-zA-Z]{36}`),
+ Keywords: []string{"ghr_"},
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("github", "ghr_"+secrets.NewSecret(alphaNumeric("36"))),
+ }
+ return validate(r, tps, nil)
+}
diff --git a/engine/rules/rules.go b/engine/rules/rules.go
index c83d8d6c..c2eb08ee 100644
--- a/engine/rules/rules.go
+++ b/engine/rules/rules.go
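Review bot: Only `GitHubApp()` is wired into `getDefaultRules()` (the rules.go hunk that follows swaps just that one entry), so `GitHubPat`, `GitHubFineGrainedPat`, `GitHubOauth` and `GitHubRefresh` defined in this file appear to be unreferenced duplicates of the upstream `rules.*` constructors rules.go still loads, and they will drift from the versions actually in use. Either drop the four unused functions or switch their rules.go entries to the local copies as well, in the same commit. The subject says the app token was not being caught, but nothing in the file states what differs from upstream `rules.GitHubApp()`; a doc comment pinning that down would stop the next gitleaks upgrade from silently reverting the fix, e.g. `// GitHubApp is a local copy of the gitleaks github-app-token rule; the upstream rule was not matching because <fill in the divergence>.` The helpers `generateSampleSecret`, `alphaNumeric` and `validate` are not part of the diff, so I assume they already exist in this package.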
@@ -131,7 +131,7 @@ func getDefaultRules() *[]Rule {
 {Rule: *rules.GitHubPat(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryDevelopmentPlatform, RuleType: 4}},
 {Rule: *rules.GitHubFineGrainedPat(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}},
 {Rule: *rules.GitHubOauth(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}},
- {Rule: *rules.GitHubApp(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}},
+ {Rule: *GitHubApp(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}},
 {Rule: *rules.GitHubRefresh(), Tags: []string{TagRefreshToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}},
 {Rule: *rules.GitlabPat(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySourceCodeManagement, RuleType: 4}},
 {Rule: *rules.GitlabPipelineTriggerToken(), Tags: []string{TagTriggerToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}},
From 8ef5abcc0ad9634402246893db7baf9e0d50d13d Mon Sep 17 00:00:00 2001
From: Miguel Neiva
Date: Thu, 29 May 2025 15:55:21 +0100
Subject: [PATCH 3/3] chore: ignore true positive in 2ms workflow scan

---
 .2ms.yml | 3 ++-
 WebGoat | 1 +
 kubernetes | 1 +
 trivy | 1 +
 youtube-dl | 1 +
 5 files changed, 6 insertions(+), 1 deletion(-)
 create mode 160000 WebGoat
 create mode 160000 kubernetes
 create mode 160000 trivy
 create mode 160000 youtube-dl

diff --git a/.2ms.yml b/.2ms.yml
index 7d346dc3..d643fc01 100644
--- a/.2ms.yml
+++ b/.2ms.yml
@@ -88,4 +88,5 @@ ignore-result:
 - f9e5e0b35a39914c67ee1660191a356d3c7ab1db # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10
 - 777f3d460d69a70e2ce760ca757b18f2aa984392 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10
 - e392318c730d4cd0a04340f1e3d41d4c61f6eb20 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10
- - 8f0e0442b01c18b02cfb8e59555103f8233fc7bf # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10
\ No newline at end of file
+ - 8f0e0442b01c18b02cfb8e59555103f8233fc7bf # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10
+ - 353627158f2e7fa5bb60271cee17da80e5fbba17 # value used as true positive, found at https://github.com/Checkmarx/2ms/pull/292/commits/cc44c8f8bee92250bdcd69bf9fbaffabf0eb442a
\ No newline at end of file
diff --git a/WebGoat b/WebGoat
new file mode 160000
index 00000000..06c0be25
--- /dev/null
+++ b/WebGoat
@@ -0,0 +1 @@
+Subproject commit 06c0be257f3ec5b02521368b030018816ac94090
diff --git a/kubernetes b/kubernetes
new file mode 160000
index 00000000..d348426e
--- /dev/null
+++ b/kubernetes
@@ -0,0 +1 @@
+Subproject commit d348426eab1b2bedcc98b4d6a162ff7e7b1411d0
diff --git a/trivy b/trivy
new file mode 160000
index 00000000..93e6680b
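Review bot: The new `ignore-result` entry is annotated "value used as true positive", but `ignore-result` suppresses a finding, so a later reader will assume a real credential was deliberately silenced; the linked commit is patch 1 of this series, which only adds rule source, so the suppressed match is presumably the generated sample or rule text in engine/rules/clojars.go rather than a live token. If that is the case, reword the trailing comment to say what is being suppressed and why it is harmless, e.g. `# match inside the Clojars rule source in engine/rules/clojars.go, not a real credential; see pull/292 commit cc44c8f8`. Fingerprint-keyed ignores also go stale when the file or line moves, so naming the file in the comment makes the entry easier to prune. The file still lacks a trailing newline on both sides, which is worth fixing while the last line is being touched.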
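Review bot: This hunk, together with the kubernetes, trivy and youtube-dl hunks that follow, adds four gitlinks in mode 160000 with no `.gitmodules` change in the commit (the diffstat lists only .2ms.yml and the four entries), so a fresh clone cannot resolve them and `git submodule` operations will fail on them. Nothing in the subject ("ignore true positive in 2ms workflow scan") accounts for them, so they look like locally cloned repositories, perhaps scan targets, that were staged by accident. Drop them from the commit with `git rm --cached WebGoat kubernetes trivy youtube-dl` and, if they are scratch checkouts, add those directories to `.gitignore`; if they are intended as submodules, they need `.gitmodules` entries with URLs and a commit message that says so.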
--- /dev/null
+++ b/trivy
@@ -0,0 +1 @@
+Subproject commit 93e6680b1c6bbb590157f521c667c0f611775143
diff --git a/youtube-dl b/youtube-dl
new file mode 160000
index 00000000..a084c80f
--- /dev/null
+++ b/youtube-dl
@@ -0,0 +1 @@
+Subproject commit a084c80f7bac9ae343075a97cc0fb2c1c96ade89