From 979d2569af69de4124ae42d1f50a3bde3fc38377 Mon Sep 17 00:00:00 2001
From: cx-artur-ribeiro <153724638+cx-artur-ribeiro@users.noreply.github.com>
Date: Mon, 30 Mar 2026 09:31:09 +0100
Subject: [PATCH 1/4] fix: add support for xml generic token
---
engine/rules/ruledefine/generic_credential_test.go | 2 ++
engine/rules/ruledefine/utils.go | 11 ++++++++++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/engine/rules/ruledefine/generic_credential_test.go b/engine/rules/ruledefine/generic_credential_test.go
index 4449663e..d922f459 100644
--- a/engine/rules/ruledefine/generic_credential_test.go
+++ b/engine/rules/ruledefine/generic_credential_test.go
@@ -85,6 +85,8 @@ func TestGenericCredential(t *testing.T) {
" utils.GetEnvOrDefault(\"api_token\", \"dafa7817-e246-48f3-91a7-e87653d587b8\")",
// xml cases
"API_KEY\nAIzaSyATDL7Wz3Ze6BU31Yv3fVVth30Skyib29g",
+ ``,
+ ``,
},
falsePositives: []string{
"issuerKeyHash=npmXsmT2_C1iJZ-SD7RuL8exZ=6ucd",
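Review bot: The two truePositives entries added under `// xml cases` render here as empty raw strings (`` `` ``), which can never match the generic-credential regex and would make the assertion fail, so this most likely means the XML fixture text was dropped when the patch was rendered; please confirm the committed file holds the real XML lines. If they are real, a sibling entry in the `falsePositives` list just below that exercises the same XML shape with a non-secret value would pin the boundary of the new match rather than only its positive side. TestGenericCredential starts before this hunk.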
diff --git a/engine/rules/ruledefine/utils.go b/engine/rules/ruledefine/utils.go
index ec60d7de..d832c484 100644
--- a/engine/rules/ruledefine/utils.go
+++ b/engine/rules/ruledefine/utils.go
@@ -19,10 +19,18 @@ const (
identifierSuffix = `)(?:[ \t\w.-]{0,20})[\s'"]{0,3}`
identifierSuffixIncludingXml = `)(?:[0-9a-z\-_\t .]{0,20})(?:<\/key>\s{0,10} and similar patterns.
+ xmlAttributeValuePair = `(?:\s*value\s*=\s*["'])?`
+
// commonly used assignment operators or function call
// operator = `(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)`
operator = `(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)`
+ // optionalOperator allows YAML/JSON (operator required or absorbed by secretPrefix) and XML
+ // Parameter lines where xmlAttributeValuePair consumed value=" and the secret follows immediately.
+ optionalOperator = `(?:` + operator + `)?`
+
// boundaries for the secret
// \x60 = `
secretPrefixUnique = `\b(`
@@ -80,7 +88,8 @@ func generateSemiGenericRegexIncludingXml(identifiers []string, secretRegex stri
writeIdentifiersIncludingXml(&sb, identifiers)
sb.WriteString(identifierCaseInsensitiveSuffix)
}
- sb.WriteString(operator)
+ sb.WriteString(xmlAttributeValuePair)
+ sb.WriteString(optionalOperator)
sb.WriteString(secretPrefix)
sb.WriteString(secretRegex)
sb.WriteString(secretSuffixIncludingXml)
From aadd2d807fdcab95bf1103c88a439c02df69f266 Mon Sep 17 00:00:00 2001
From: cx-artur-ribeiro <153724638+cx-artur-ribeiro@users.noreply.github.com>
Date: Mon, 30 Mar 2026 09:45:04 +0100
Subject: [PATCH 2/4] update: kics-github-action version
---
.github/workflows/pr-validation.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index 34644dbf..b4b4f7ee 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -60,7 +60,7 @@ jobs:
- run: mkdir -p kics-results
- name: Run KICS scan
- uses: checkmarx/kics-github-action@03c9abe351b01c3e4dbe60fa00ff79ee07d73f44 # master
+ uses: checkmarx/kics-github-action@05aa5eb70eede1355220f4ca5238d96b397e30a6 # 2.1.20
with:
path: .
output_path: kics-results
From e837a9e1d0bc9a7f417baeb76105ffcf2d22a33c Mon Sep 17 00:00:00 2001
From: cx-artur-ribeiro <153724638+cx-artur-ribeiro@users.noreply.github.com>
Date: Mon, 30 Mar 2026 13:44:39 +0100
Subject: [PATCH 3/4] fix: operator for xml include
---
.2ms.yml | 4 +++-
engine/rules/ruledefine/generic_credential.go | 2 ++
engine/rules/ruledefine/utils.go | 13 ++++---------
3 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/.2ms.yml b/.2ms.yml
index ab55d19d..55c69746 100644
--- a/.2ms.yml
+++ b/.2ms.yml
@@ -1388,4 +1388,6 @@ ignore-result:
- 0ee50cf76ca12b4b03bfb8f233527d846965ae8a # unit test from generic_credential_test.go (remove later)
- 1ab798f14ecce9ea8a9229803c33f06e0093306a # unit test from generic_credential_test.go (remove later)
- 4154ccf54f5d43a54103495dcf0e228353dc02f4 # unit test from generic_credential_test.go (remove later)
-- 783d3aa8f0e14f6d1527879bbcb3ae6195134b33 # unit test from generic_credential_test.go (remove later)
\ No newline at end of file
+- 783d3aa8f0e14f6d1527879bbcb3ae6195134b33 # unit test from generic_credential_test.go (remove later)
+- 4b68fb6117b9245a27ff07671dbad3b7734ad9f3 # unit test from generic_credential_test.go
+- de0438bff48b729dad27525d63839271790dca00 # unit test from generic_credential_test.go
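Review bot: The two new ignore-result entries drop the `(remove later)` marker that every sibling hash on the surrounding lines carries, so it is unclear whether these fixture hashes are meant to stay allowlisted permanently or are temporary like the others. Either add the marker, `# unit test from generic_credential_test.go (remove later)`, or state why these two are permanent so the next cleanup pass does not have to guess. The trailing-newline fix on the previous entry is fine.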
diff --git a/engine/rules/ruledefine/generic_credential.go b/engine/rules/ruledefine/generic_credential.go
index 27513163..fa71dccc 100644
--- a/engine/rules/ruledefine/generic_credential.go
+++ b/engine/rules/ruledefine/generic_credential.go
@@ -107,6 +107,8 @@ func GenericCredential() *Rule {
regexp.MustCompile(`--mount=type=secret,`).String(),
// https://github.com/gitleaks/gitleaks/issues/1800
regexp.MustCompile(`import[ \t]+{[ \t\w,]+}[ \t]+from[ \t]+['"][^'"]+['"]`).String(),
+ // Rails CSRF: name="authenticity_token" value="..." (matched via value= bridge)
+ regexp.MustCompile(`(?i)name\s*=\s*["']authenticity_token["']`).String(),
},
},
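Review bot: Nothing in this series adds a falsePositives test for the new allowlist entry, so a later regex tweak could silently stop suppressing `name="authenticity_token" value="..."` lines; a fixture such as `<input type="hidden" name="authenticity_token" value="CONSTRUCTED_TOKEN_PLACEHOLDER">` in generic_credential_test.go would pin it. Whether the allowlist is evaluated against the whole line or only the matched fragment is not visible here; if it is the fragment, a tag that puts `value=` before `name=` would not be caught by this pattern, which is worth a comment either way. GenericCredential continues outside the hunk.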
{
diff --git a/engine/rules/ruledefine/utils.go b/engine/rules/ruledefine/utils.go
index d832c484..5e8b9a93 100644
--- a/engine/rules/ruledefine/utils.go
+++ b/engine/rules/ruledefine/utils.go
@@ -19,17 +19,13 @@ const (
identifierSuffix = `)(?:[ \t\w.-]{0,20})[\s'"]{0,3}`
identifierSuffixIncludingXml = `)(?:[0-9a-z\-_\t .]{0,20})(?:<\/key>\s{0,10} and similar patterns.
- xmlAttributeValuePair = `(?:\s*value\s*=\s*["'])?`
-
// commonly used assignment operators or function call
// operator = `(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)`
operator = `(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)`
- // optionalOperator allows YAML/JSON (operator required or absorbed by secretPrefix) and XML
- // Parameter lines where xmlAttributeValuePair consumed value=" and the secret follows immediately.
- optionalOperator = `(?:` + operator + `)?`
+ // operatorOrXmlValue requires either a normal assignment operator (YAML, JSON, plist `>` after
+ // , etc.) or XML attribute value="..." (e.g. ).
+ operatorOrXmlValue = `(?:(?:\s*value\s*=\s*["'])|(?:` + operator + `))`
// boundaries for the secret
// \x60 = `
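Review bot: `value` in the XML alternative of `operatorOrXmlValue` is matched case-sensitively unless the assembled expression is wrapped in `(?i)`, which is not visible in this hunk; the name `identifierCaseInsensitiveSuffix` suggests only the identifier group is case-insensitive, so `Value="..."` or `VALUE='...'` attributes would not be bridged. If that is intended it deserves a comment; otherwise `(?:\s*(?i:value)\s*=\s*["'])` keeps the case-insensitivity scoped to that one word. The example text inside the parentheses of the doc comment two lines above the constant reads as empty on this page, possibly an artifact of rendering angle-bracketed XML; worth checking that the committed comment still shows the plist and XML examples it refers to.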
@@ -88,8 +84,7 @@ func generateSemiGenericRegexIncludingXml(identifiers []string, secretRegex stri
writeIdentifiersIncludingXml(&sb, identifiers)
sb.WriteString(identifierCaseInsensitiveSuffix)
}
- sb.WriteString(xmlAttributeValuePair)
- sb.WriteString(optionalOperator)
+ sb.WriteString(operatorOrXmlValue)
sb.WriteString(secretPrefix)
sb.WriteString(secretRegex)
sb.WriteString(secretSuffixIncludingXml)
From f72be4f7a12825e637cd43a79959c28af66d5ed8 Mon Sep 17 00:00:00 2001
From: cx-artur-ribeiro <153724638+cx-artur-ribeiro@users.noreply.github.com>
Date: Mon, 30 Mar 2026 13:55:25 +0100
Subject: [PATCH 4/4] update: comments clarity
---
engine/rules/ruledefine/generic_credential.go | 2 +-
engine/rules/ruledefine/utils.go | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/engine/rules/ruledefine/generic_credential.go b/engine/rules/ruledefine/generic_credential.go
index fa71dccc..2bb3a29a 100644
--- a/engine/rules/ruledefine/generic_credential.go
+++ b/engine/rules/ruledefine/generic_credential.go
@@ -107,7 +107,7 @@ func GenericCredential() *Rule {
regexp.MustCompile(`--mount=type=secret,`).String(),
// https://github.com/gitleaks/gitleaks/issues/1800
regexp.MustCompile(`import[ \t]+{[ \t\w,]+}[ \t]+from[ \t]+['"][^'"]+['"]`).String(),
- // Rails CSRF: name="authenticity_token" value="..." (matched via value= bridge)
+ // Example case: name="authenticity_token" value="..."
regexp.MustCompile(`(?i)name\s*=\s*["']authenticity_token["']`).String(),
},
},
diff --git a/engine/rules/ruledefine/utils.go b/engine/rules/ruledefine/utils.go
index 5e8b9a93..4b96948e 100644
--- a/engine/rules/ruledefine/utils.go
+++ b/engine/rules/ruledefine/utils.go
@@ -24,7 +24,7 @@ const (
operator = `(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)`
// operatorOrXmlValue requires either a normal assignment operator (YAML, JSON, plist `>` after
- // , etc.) or XML attribute value="..." (e.g. ).
+ // ) or XML attribute value="..." ().
operatorOrXmlValue = `(?:(?:\s*value\s*=\s*["'])|(?:` + operator + `))`
// boundaries for the secret