From 2e253e136cfa3dd39c473eabfc9b1516e0a31f2b Mon Sep 17 00:00:00 2001
From: Luca Sangalli
Date: Mon, 2 Sep 2024 14:58:51 +0200
Subject: [PATCH] Added Onfido API token detection to recognize this type of secrets
---
.../detected-onfido-live-api-token.txt | 8 ++++++++
.../detected-onfido-live-api-token.yaml | 20 +++++++++++++++++++
2 files changed, 28 insertions(+)
create mode 100644 generic/secrets/security/detected-onfido-live-api-token.txt
create mode 100644 generic/secrets/security/detected-onfido-live-api-token.yaml
diff --git a/generic/secrets/security/detected-onfido-live-api-token.txt b/generic/secrets/security/detected-onfido-live-api-token.txt
new file mode 100644
index 0000000000..e5df356ef3
--- /dev/null
+++ b/generic/secrets/security/detected-onfido-live-api-token.txt
@@ -0,0 +1,8 @@
+# ruleid: detected-onfido-live-api-token
+api_live.abc123ABC-_.abc123ABC-_abc123ABC-_abc123ABC-
+
+# ruleid: detected-onfido-live-api-token
+api_live_ca.abc123ABC-_.abc123ABC-_abc123ABC-_abc123ABC-
+
+# ruleid: detected-onfido-live-api-token
+api_live_us.abc123ABC-_.abc123ABC-_abc123ABC-_abc123ABC-
diff --git a/generic/secrets/security/detected-onfido-live-api-token.yaml b/generic/secrets/security/detected-onfido-live-api-token.yaml
new file mode 100644
index 0000000000..be579fa82c
--- /dev/null
+++ b/generic/secrets/security/detected-onfido-live-api-token.yaml
@@ -0,0 +1,20 @@
+rules:
+- id: detected-onfido-live-api-token
+ pattern-regex: (?:api_live(?:_[a-zA-Z]{2})?\.[a-zA-Z0-9-_]{11}\.[-_a-zA-Z0-9]{32})
+ languages: [regex]
+ message: Onfido live API Token detected
+ severity: ERROR
+ metadata:
+ cwe:
+ - 'CWE-798: Use of Hard-coded Credentials'
+ category: security
+ technology:
+ - secrets
+ - onfido
+ confidence: HIGH
+ references:
+ - https://documentation.onfido.com/api/latest/#api-tokens
+ subcategory:
+ - audit
+ likelihood: HIGH
+ impact: HIGH
\ No newline at end of file
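Review bot: The fixture holds only `# ruleid:` cases, so nothing stops the rule from over-matching if the regex is later loosened. Negative cases would pin its boundaries, for example `# ok: detected-onfido-live-api-token` followed by `api_sandbox.abc123ABC-_.abc123ABC-_abc123ABC-_abc123ABC-` (constructed sample with a non-live prefix). A second `# ok:` case whose final segment is shorter than 32 characters would cover the length quantifier as well.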
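Review bot: The first character class in `pattern-regex`, `[a-zA-Z0-9-_]{11}`, puts the hyphen between `0-9` and `_`, where reading it as a literal depends on the regex engine. The second class already uses the unambiguous form, so I would write `\.[-_a-zA-Z0-9]{11}\.` to match it. The pattern also has no leading boundary, so it fires inside any longer identifier that happens to end in `api_live`; that may be acceptable, but it is worth a deliberate decision on a rule marked `confidence: HIGH`. Finally, `message` only states the detection; a remediation hint helps whoever triages the finding, e.g. `message: Onfido live API token detected. Revoke and rotate it, and load the replacement from a secret store rather than committing it.`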