org.sonar.plugins.secrets.configuration.grafana.yaml Maven / Gradle / Ivy
provider:
metadata:
name: Grafana
category: Data Visualization Platform
message: Make sure this Grafana token gets revoked, changed, and removed from the code.
detection:
post:
patternNot:
- "(?i)(?:s|ex)ample|foo|bar|test|abcd|redacted"
rules:
- id: grafana-api-token # Note: deprecated
rspecKey: S6762
metadata:
name: Grafana API tokens should not be disclosed
detection:
pre:
include:
content:
# This secret pattern checks for the prefix "eyJrIjoi" which is `{"k":"` B64 encoded.
# The chance that this can be found in another secret or even normal data is
# still somewhat likely, so to be sure we filter for "grafana" here.
- grafana
matching:
pattern: "\\b(eyJrIjoi[a-zA-Z0-9+/]{48,}(?:={1,2}|\\b))"
examples:
- text: |
curl 'https://grafana.example.org/api/dashboards/home' -X 'Authorization: Bearer eyJrIjoiWWpNc1ZPS5RjdjdHTWlyVmtTcjI0Vk9xN1RkOGI1V3YiLCJuIjoieZl5b19vb30vb23iLCJpZCI6MX0='
containsSecret: true
match: eyJrIjoiWWpNc1ZPS5RjdjdHTWlyVmtTcjI0Vk9xN1RkOGI1V3YiLCJuIjoieZl5b19vb30vb23iLCJpZCI6MX0=
- text:
| # Some random text I found using GitHub search; decoded it is `{"k":"@LoadText", "v":"Loading..."}`.
curl 'https://not-a-dashboard.example.com' -d 'eyJrIjoiQExvYWRUZXh0IiwgInYiOiJMb2FkaW5nLi4uIn0='
containsSecret: false
- id: grafana-service-account-token
rspecKey: S6762
metadata:
name: Grafana service account tokens should not be disclosed
detection:
pre:
include:
content:
- glsa_
matching:
pattern: "\\b(glsa_[a-zA-Z0-9]{32}_[a-f0-9]{8})\\b"
post:
statisticalFilter:
threshold: 4.3
patternNot:
- "(?i)(?:s|ex)ample|foo|bar|test|abcd|redacted"
- glsa_yscW25imSKJIuav8zF37RZmnbiDvB05G_fcaaf58a
examples:
- text: |
import requests
token = 'glsa_geygSnIfuK5vBG0KgaflRCQfIb8mzaM7_b0999d91' # Noncompliant
response = requests.get('https://grafana.example.org/api/dashboards/home', headers={
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
})
containsSecret: true
match: glsa_geygSnIfuK5vBG0KgaflRCQfIb8mzaM7_b0999d91
- text: |
curl 'https://grafana.example.org/api/dashboards/home' -X 'Authorization: Bearer glsa_4ElrwSYvDrgV8GQmlyTYfsc245dMyPCE_f804430f'
containsSecret: true
match: glsa_4ElrwSYvDrgV8GQmlyTYfsc245dMyPCE_f804430f
- text: |
import requests
token = os.getenv('GRAFANA_SERVICE_ACCOUNT_TOKEN')
response = requests.get('https://grafana.example.org/api/dashboards/home', headers={
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
})
containsSecret: false
- id: grafana-cloud-access-token
rspecKey: S6762
metadata:
name: Grafana Cloud access tokens should not be disclosed
detection:
pre:
include:
content:
- glc_eyJ
matching:
pattern: "\\b(glc_eyJ[a-zA-Z0-9+/]{48,}(?:={1,2}|\\b))"
examples:
- text: |
import requests
token = 'glc_eyJvIjoiOTQzNzcyIiwibiI6ImJsYS10ZXN0MSIsImsiOiJyTjIyZ0gyZThDSTU0RVM1QTVWNnA2UXAiLCJtIjp7InIiOiJwcm9kLXVzLWVhc3QtMCJ9fQ==' # Noncompliant
response = requests.get('https://grafana.example.org/api/dashboards/home', headers={
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
})
containsSecret: true
match: glc_eyJvIjoiOTQzNzcyIiwibiI6ImJsYS10ZXN0MSIsImsiOiJyTjIyZ0gyZThDSTU0RVM1QTVWNnA2UXAiLCJtIjp7InIiOiJwcm9kLXVzLWVhc3QtMCJ9fQ==
- text: |
import requests
token = os.getenv('GRAFANA_CLOUD_ACCESS_TOKEN')
response = requests.get('https://grafana.example.org/api/dashboards/home', headers={
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
})
containsSecret: false
© 2015 - 2025 Weber Informatics LLC | Privacy Policy