
Commit 7707270

Update security.md (#143)
1 parent 0cd7c86 commit 7707270

File tree

1 file changed

+0
-24
lines changed

practices/security.md

Lines changed: 0 additions & 24 deletions
@@ -68,30 +68,6 @@ The remainder of this page gives more detailed and specific recommendations to b
6868
- Be careful not to **leak information**, e.g. error messages, stack traces, headers
6969
- **Don't trust** yourself or others!
7070
- Code must be automatically scanned for secrets or other sensitive data:
71-
- It is recommended to use RegEx expressions to catch any potential issues in your code.
72-
73-
<details><summary>Base set of recommended RegEx expressions for scanning (click to expand)</summary>
74-
75-
``` yml
76-
Banned:
77-
78-
'[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}' # IPv6
79-
'[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' # IPv4
80-
'[a-z]{2}-[a-z-]*-[1,2,3]\.rds\.amazonaws\.com' # AWS RDS (Aurora) endpoint
81-
'rds\.[a-z]{2}-[a-z-]*-[1,2,3]\.amazonaws\.com' # AWS RDS endpoint
82-
'dynamodb\.[a-z]{2}-[a-z-]*-[1,2,3]\.amazonaws\.com' # AWS DynamoDB endpoint
83-
'[a-z]{2}-[a-z-]*-[1,2,3]\.es\.amazonaws\.com' # AWS Elasticsearch endpoint
84-
'[a-z]*[1-3]\.cache\.amazonaws\.com' # AWS ElastiCache endpoint
85-
'hooks\.slack\.com/services/T[a-zA-Z0-9]*/B[a-zA-Z0-9]*/[a-zA-Z0-9]*' # Slack webhook URL
86-
'-----BEGIN[[:blank:]]CERTIFICATE-----' # SSL PEM certificate
87-
'-----BEGIN[[:blank:]]PRIVATE[[:blank:]]KEY-----' # SSL PEM key
88-
89-
Allowed:
90-
91-
'(000000000000|123456789012)' # AWS mock account numbers
92-
'(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3}|0\.0\.0\.0|8\.8\.8\.8|8\.8\.4\.4|208\.67\.222\.222|208\.67\.220\.220)' # IPv4 exceptions
93-
```
94-
</details>
9571
- To catch any issues early and to minimise potential exposure, scan code on developer machines *before* code is committed to the code repository. Recommended solution options:
9672
- [awslabs git-secrets](https://github.com/awslabs/git-secrets)
9773
- [GitLeaks](https://github.com/zricethezav/gitleaks)
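Review bot: with the regex recommendation and the expanded pattern set removed (old lines 71-94), the parent bullet "Code must be automatically scanned for secrets or other sensitive data:" no longer says what the scan should look for, and the commit message "Update security.md (#143)" gives no reason for dropping the list. If the motivation is that the patterns were unreliable, say so in the message, because the deleted block does have defects worth recording: `[1,2,3]` in the AWS endpoint patterns is a character class that also matches a literal comma; the unanchored `[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}` matches any dotted version string; and the 172.16/12 exception `172\.(1[6-9|2[0-9]|3[0-1])` has an unbalanced bracket, so the class swallows `|2[0-9` and 172.20.x.x through 172.29.x.x are still reported as banned while 172.10.x.x through 172.15.x.x are wrongly exempted. If instead the intent is to rely on the tools' built-in rule sets, consider a sentence under the remaining bullet ("To catch any issues early...") noting that git-secrets and GitLeaks ship default patterns and that organisation-specific hostnames or endpoints belong in those tools' configuration rather than in this page.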
