Two more allow rules plus updated negative sample

Author: cx-andre-pereira

assets/queries/common/passwords_and_secrets/regex_rules.json

@@ -87,6 +87,10 @@
         {
           "description": "Allow secrets retrieved from Bicep getSecret built in function",
           "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"
+        },
+        {
+          "description": "Avoiding Proto File fields",
+          "regex": "(?i)secret[_]?(key|value)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
         }
       ],
       "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*"
@@ -267,7 +271,13 @@
     {
       "id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
       "name": "Generic Access Key",
-      "regex": "(?i)^\\s*['\"]?(access)[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
+      "regex": "(?i)^\\s*['\"]?access[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
+      "allowRules": [
+        {
+          "description": "Avoiding Proto File fields",
+          "regex": "(?i)access[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+        }
+      ],
       "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*"
     },
     {

assets/queries/common/passwords_and_secrets/test/negative60.proto

@@ -7,7 +7,15 @@ package com.example.security_test.v1;
 
 import "google/protobuf/wrappers.proto";
 
-message ResultsThatFlag {
+message SampleMessageNegative {
+  string the_secret = 15;                                      //Generic Secret
+  string another_secret_ = 16;                                 //Generic Secret
+  string the_secret_key = 17;                                  //Generic Secret
+  string a_secret_value = 18;                                  //Generic Secret
+  string another_secretvalue = 19;                             //Generic Secret
+  string another_secretkey = 31;                               //Generic Secret
+  double accesskey = 1212;                                     //Generic Access Key
+  string access_key = 1313;                                    //Generic Access Key
   google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911."  - Generic Token
   google.protobuf.StringValue access_token= 1;                                    // Generic Token
   google.protobuf.StringValue id_token = 3;                                        // Generic Token
@@ -18,12 +26,6 @@ message ResultsThatFlag {
   google.protobuf.StringValue sas_token = 12;                                      // Generic Token
   google.protobuf.StringValue auth_token = 13;                                     // Generic Token
   google.protobuf.StringValue bot_token = 14;                                      // Generic Token
-  google.protobuf.StringValue verification_token=15;                               // Generic Token
-  google.protobuf.StringValue oauth_access_token = 16;                             // Generic Token
-  google.protobuf.StringValue app_token = 17;                                      // Generic Token
-  google.protobuf.StringValue personal_access_token = 18;                          // Generic Token
-  google.protobuf.StringValue service_account_token = 29;                          // Generic Token
-  google.protobuf.StringValue webhook_verification_token = 31;                     // Generic Token
   google.protobuf.StringValue callback_token = 32;                                 // Generic Token
   google.protobuf.StringValue k8s_service_account_token = 33;                      // Generic Token
   google.protobuf.StringValue registry_token = 34;                                 // Generic Token