feat: expand secret prefixes (#6319)

Author: aitchiss

packages/build/src/plugins_core/secrets_scanning/secret_prefixes.ts

@@ -0,0 +1,37 @@
+/**
+ * Likely secret prefixes used for enhanced secret scanning.
+ * Note: string comparison is case-insensitive so we use all lowercase here.
+ */
+
+const AWS_PREFIXES = ['aws_', 'asia', 'akia', 'aida', 'ar0a', 'apka', 'abia', 'asca']
+const SLACK_PREFIXES = ['xoxb-', 'xwfp-', 'xoxb-', 'xoxp-', 'xapp-']
+const GCP_PREFIXES = ['aiza', 'ya29']
+const NETLIFY_PREFIXES = ['nf_']
+const GITHUB_PREFIXES = ['ghp_', 'gho_', 'ghu_', 'ghs_', 'ghr_', 'github_pat_']
+const SHOPIFY_PREFIXES = ['shpss_', 'shpat_', 'shpca_', 'shppa_']
+const SQUARE_PREFIXES = ['sq0atp-']
+const OTHER_COMMON_PREFIXES = [
+  'pk_',
+  'sk_',
+  'pat_',
+  'sk-',
+  'db_',
+  'api_',
+  'secret_',
+  'auth_',
+  'access_',
+  'twilio_',
+  '-----begin',
+  'ls0t',
+]
+
+export const LIKELY_SECRET_PREFIXES = [
+  ...AWS_PREFIXES,
+  ...SLACK_PREFIXES,
+  ...GCP_PREFIXES,
+  ...NETLIFY_PREFIXES,
+  ...GITHUB_PREFIXES,
+  ...SHOPIFY_PREFIXES,
+  ...SQUARE_PREFIXES,
+  ...OTHER_COMMON_PREFIXES,
+]

packages/build/src/plugins_core/secrets_scanning/utils.ts

@@ -5,6 +5,8 @@ import { createInterface } from 'node:readline'
 import { fdir } from 'fdir'
 import { minimatch } from 'minimatch'
 
+import { LIKELY_SECRET_PREFIXES } from './secret_prefixes.js'
+
 export interface ScanResults {
   matches: MatchResult[]
   scannedFilesCount: number
@@ -119,9 +121,6 @@ export function getNonSecretKeysToScanFor(env: Record<string, unknown>, secretKe
   return nonSecretKeysToScanFor
 }
 
-const AWS_PREFIXES = ['aws_', 'asia']
-const SLACK_PREFIXES = ['xoxb-', 'xwfp-', 'xoxb-', 'xoxp-', 'xapp-']
-const LIKELY_SECRET_PREFIXES = ['pk_', 'sk_', 'pat_', 'db_', 'github_pat_', ...AWS_PREFIXES, ...SLACK_PREFIXES]
 const LIKELY_SECRET_MIN_LENGTH = 16
 
 /**