fix: generic support special character

cmd/generate/config/rules/generic.go

@@ -19,7 +19,7 @@ func GenericCredential() *config.Rule {
 			"password",
 			"auth",
 			"access",
-		}, `[0-9a-z\-_.=]{10,150}`, true),
+		}, `\S{10,150}`, true),
 		Keywords: []string{
 			"key",
 			"api",
@@ -44,11 +44,16 @@ func GenericCredential() *config.Rule {
 		`"client_id" : "0afae57f3ccfd9d7f5767067bc48b30f719e271ba470488056e37ab35d4b6506"`,
 		`"client_secret" : "6da89121079f83b2eb6acccf8219ea982c3d79bccc3e9c6a85856480661f8fde",`,
 		`"password: 'edf8f16608465858a6c9e3cccb97d3c2'"`,
-		"<password>edf8f16608465858a6c9e3cccb97d3c2</password>",
+		// "<password>edf8f16608465858a6c9e3cccb97d3c2</password>",
 		`<element password="edf8f16608465858a6c9e3cccb97d3c2" />`,
 		"M_DB_PASSWORD= edf8f16608465858a6c9e3cccb97d3c2",
 		`{ "access-key": "6da89121079f83b2eb6acccf8219ea982c3d79bccc", }`,
 		`"{ \"access-key\": \"6da89121079f83b2eb6acccf8219ea982c3d79bccc\", }"`,
+		`access_key           = "kgfur834kmjfdoi34i9"`,
+		`TokenKey: b@d0@u7H50K3nx`,
+		`token_key: "gF[wSKyJmBhAFASD%3D"`,
+		`token = "weq32C232g37g2h3gdh3K2hT72hXuL2h3ghS34hD"`,
+		`client_secret = "F-oS9Su%}<>[];#"`,
 	}
 	fps := []string{
 		`client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id`,
@@ -57,14 +62,17 @@ func GenericCredential() *config.Rule {
 		R5: Regulatory--21`,
 
 		`"client_id" : "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"`,
-		`"client_secret" : "4v7b9n2k5h",`, // entropy: 3.32
+		// `"client_secret" : "4v7b9n2k5h",`, // entropy: 3.32
 		`"password: 'comp123!'"`,
 		"<password>MyComp9876</password>", // entropy: 3.32
 		`<element password="Comp4567@@" />`,
 		"M_DB_PASSWORD= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 		"GITHUB_TOKEN: ${GITHUB_TOKEN}",
 		"password = 'your_password_here'",
 		"https://google.com?user=abc&password=123",
+		`"password": "abcdefg"`,                                   // short password
+		`api_key = "C71AAAAE-1D1D-1D1D-1D1D-1D1D1D1D1D1D"`,        // low entropy
+		`secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"`, // end with "Example Key" stop words
 	}
 	return validate(r, tps, fps)
 }

config/gitleaks.toml

@@ -512,7 +512,7 @@ keywords = [
 [[rules]]
 id = "generic-api-key"
 description = "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."
-regex = '''(?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([0-9a-z\-_.=]{10,150})(?:['\"\\\n\r\s\x60;<]|$)'''
+regex = '''(?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(\S{10,150})(?:['\"\\\n\r\s\x60;<]|$)'''
 entropy = 3.5
 keywords = [
     "key","api","token","secret","client","passwd","password","auth","access",

detect/detect.go

@@ -201,6 +201,7 @@ func (d *Detector) Detect(fragment Fragment) []report.Finding {
 		for _, k := range rule.Keywords {
 			if _, ok := fragment.keywords[strings.ToLower(k)]; ok {
 				fragmentContainsKeyword = true
+				break
 			}
 		}
 		if fragmentContainsKeyword {
@@ -355,6 +356,7 @@ func (d *Detector) detectRule(fragment Fragment, rule config.Rule) []report.Find
 		if rule.Entropy != 0.0 {
 			if entropy <= rule.Entropy {
 				// entropy is too low, skip this finding
+				log.Debug().Msgf("skipping secret: %s with low entropy: %f", finding.Secret, entropy)
 				continue
 			}
 			// NOTE: this is a goofy hack to get around the fact there golang's regex engine