@@ -22,7 +22,7 @@ provider:
22
22
containsSecret: true
23
23
match: django-insecure-r&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^
24
24
25
- - id : settings.py-secret-key
25
+ - id : settings.py-secret-key-string
26
26
rspecKey : S6687
27
27
metadata :
28
28
name : Django secret keys should not be disclosed
@@ -32,7 +32,8 @@ provider:
32
32
paths :
33
33
- " **/settings.py"
34
34
matching :
35
- pattern : " \\ bSECRET_KEY(?:_FALLBACKS)?\\ s*=\\ s*(?:os\\ .getenv\\ (\\ s*['\" ][^'\" ]+['\" ]\\ s*,\\ s*)?['\" ]([^'\" ]+)"
35
+ # Only detects secrets presented directly as a string.
36
+ pattern : " \\ bSECRET_KEY(?:_FALLBACKS)?\\ s*=\\ s*['\" ]([^'\"\\ r\\ n]+)"
36
37
context :
37
38
patternAround : " (?i)\\ bdjango"
38
39
post :
@@ -44,10 +45,10 @@ provider:
44
45
# noncompliant example
45
46
# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
46
47
# SECURITY WARNING: keep the secret key used in production secret!
47
- SECRET_KEY = 'r &lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9 ^'
48
+ SECRET_KEY = 's &lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos1_9 ^'
48
49
fileName: settings.py
49
50
containsSecret: true
50
- match: r &lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9 ^
51
+ match: s &lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos1_9 ^
51
52
- text : |
52
53
# compliant example
53
54
# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
@@ -60,7 +61,13 @@ provider:
60
61
# SECURITY WARNING: keep the secret key used in production secret!
61
62
SECRET_KEY = os.getenv("SECRET_KEY")
62
63
fileName: settings.py
63
- containsSecret: false
64
+ containsSecret: false
65
+ - text : |
66
+ # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
67
+ # SECURITY WARNING: keep the secret key used in production secret!
68
+ SECRET_KEY = os.getenv("SECRET_KEY", "s&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos2_9^")
69
+ fileName: settings.py
70
+ containsSecret: false
64
71
- text : |
65
72
# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
66
73
# SECURITY WARNING: keep the secret key used in production secret!
@@ -70,10 +77,76 @@ provider:
70
77
- text : |
71
78
# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
72
79
# SECURITY WARNING: keep the secret key used in production secret!
73
- SECRET_KEY = os.getenv("PASS","r&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^")
80
+ SECRET_KEY = env.str("SECRET_KEY", "s&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^")
81
+ fileName: settings.py
82
+ containsSecret: false
83
+
84
+ - id : settings.py-secret-key-env-default
85
+ rspecKey : S6687
86
+ metadata :
87
+ name : Django secret keys should not be disclosed
88
+ detection :
89
+ pre :
90
+ include :
91
+ paths :
92
+ - " **/settings.py"
93
+ matching :
94
+ # Only detects secrets presented as a default value to os.environ(), environs.Env() or environs.Env.str()
95
+ pattern : " \\ bSECRET_KEY(?:_FALLBACKS)?\\ s*=\\ s*(?:os\\ .getenv|env(?:\\ .str)?)\\ (\\ s*['\" ][^'\"\\ r\\ n]+['\" ]\\ s*,\\ s*(?:default\\ s*=\\ s*)?['\" ]([^'\"\\ r\\ n]+)"
96
+ context :
97
+ patternAround : " (?i)\\ bdjango"
98
+ post :
99
+ patternNot :
100
+ - " (\\ w)\\ 1{4,}"
101
+ - " (?i)(ex|s)ample"
102
+ examples :
103
+ - text : |
104
+ # noncompliant example
105
+ # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
106
+ # SECURITY WARNING: keep the secret key used in production secret!
107
+ SECRET_KEY = 'd&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos1_9^'
108
+ fileName: settings.py
109
+ containsSecret: false
110
+ - text : |
111
+ # compliant example
112
+ # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
113
+ # SECURITY WARNING: keep the secret key used in production secret!
114
+ SECRET_KEY = os.environ['SECRET_KEY']
115
+ fileName: settings.py
116
+ containsSecret: false
117
+ - text : |
118
+ # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
119
+ # SECURITY WARNING: keep the secret key used in production secret!
120
+ SECRET_KEY = os.getenv("SECRET_KEY")
121
+ fileName: settings.py
122
+ containsSecret: false
123
+ - text : |
124
+ # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
125
+ # SECURITY WARNING: keep the secret key used in production secret!
126
+ SECRET_KEY = os.getenv("SECRET_KEY", "d&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos2_9^")
74
127
fileName: settings.py
75
128
containsSecret: true
76
- match: r&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^
129
+ match: d&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos2_9^
130
+ - text : |
131
+ # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
132
+ # SECURITY WARNING: keep the secret key used in production secret!
133
+ SECRET_KEY = env("SECRET_KEY")
134
+ fileName: settings.py
135
+ containsSecret: false
136
+ - text : |
137
+ # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
138
+ # SECURITY WARNING: keep the secret key used in production secret!
139
+ SECRET_KEY = env("SECRET_KEY", default="d&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^")
140
+ fileName: settings.py
141
+ containsSecret: true
142
+ match: d&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^
143
+ - text : |
144
+ # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
145
+ # SECURITY WARNING: keep the secret key used in production secret!
146
+ SECRET_KEY = env.str("SECRET_KEY", "d&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos4_9^")
147
+ fileName: settings.py
148
+ containsSecret: true
149
+ match: d&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos4_9^
77
150
78
151
- id : env-secret-key
79
152
rspecKey : S6687
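Review bot: The `settings.py-secret-key-env-default` pattern only accepts `os\.getenv`, so the equally common `SECRET_KEY = os.environ.get("SECRET_KEY", "…")` form is not detected, and the comment above it ("os.environ(), environs.Env() or environs.Env.str()") does not describe what the regex actually matches. I would widen the first alternation to `(?:os\.(?:getenv|environ\.get)|env(?:\.str)?)` and reword the comment to `# Only detects secrets passed as the default of os.getenv()/os.environ.get(), environs.Env() or environs.Env.str()`, adding an `os.environ.get` example with `containsSecret: true` alongside the existing ones. The first example of this rule is labelled `# noncompliant example` but carries `containsSecret: false`; presumably that is intentional because the plain-string form is handled by `settings.py-secret-key-string`, so a comment such as `# covered by settings.py-secret-key-string, must not match here` would make the expectation clear. The `env-secret-key` rule that begins at the end of this hunk continues outside it.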