org.sonar.plugins.secrets.configuration.docker-hub.yaml Maven / Gradle / Ivy
provider:
metadata:
name: Docker Hub
category: Container Repository
message: Make sure this Docker Hub token gets revoked, changed, and removed from the code.
rules:
- id: docker-hub-personal-access-token
rspecKey: S6782
metadata:
name: Docker Hub tokens should not be disclosed
message: Make sure this Docker Hub personal access token gets revoked, changed, and removed from the code.
detection:
pre:
include:
content:
- dckr_pat_
matching:
pattern: "\\b(dckr_pat_[\\w-]{27})\\b"
post:
statisticalFilter:
threshold: 4.22
patternNot:
- "(?i)(?:s|ex)ample|foo|bar|test|abcd|redacted|123456"
# Example from https://docs.docker.com/scout/integrations/registry/artifactory/
- dckr_pat__dsaCAs_xL3kNyupAa7dwO1alwg
examples:
- text: |
steps:
- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: mobythewhale
password: dckr_pat_cq7wQZcv9xZkVlxMhDTcTV00CDo # Noncompliant
containsSecret: true
match: dckr_pat_cq7wQZcv9xZkVlxMhDTcTV00CDo
- text: |
steps:
- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.dockerUsername }}
password: ${{ secrets.dockerAccessToken }}
containsSecret: false
- text: |
{
"agent_id": "acme-prod-agent",
"docker": {
"organization_name": "acme",
"username": "mobythewhale",
"pat": "dckr_pat__dsaCAs_xL3kNyupAa7dwO1alwg"
}
}
containsSecret: false
© 2015 - 2025 Weber Informatics LLC | Privacy Policy