gitleaks / gitleaks

Protect and discover secrets using Gitleaks 🔑
https://gitleaks.io
MIT License

GitLeaks does not detect Discord Bot Tokens in source code #1447

Open vimfn opened 2 months ago

vimfn commented 2 months ago

During the use of gitleaks, it was found that it does not detect Discord Bot Tokens.

We found a rule that should check these key types, but it doesn't work:

[[rules]]
id = "discord-api-key"
description = "Discord API key"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-h0-9]{64})['\"]'''
secretGroup = 3
entropy = 3.5

For the test, we used this key: MTIwMTE0MDk0MDQ2Nzg3MTc1NA.GIA1aR.l4cyaDp557_lJ_AV_wFHanBKwFJlB1KOxfKG6I

This key in the source code wasn't detected. If you want me to look into it and make a PR with a fix let me know.
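As an added illustration of why the rule above misses the sample token (this is example code written for this page, not code from the issue or from gitleaks itself): the script below runs the rule's regex and its entropy threshold over a few constructed source lines, then does the same with a hypothetical three-segment pattern. The `CANDIDATE_RULE` pattern, the `scan` helper and the sample lines are assumptions made here to show the shape a dedicated rule would have to match; only `EXISTING_RULE` and the sample token come from the issue.

```python
import math
import re
from collections import Counter

# The rule quoted in the issue: keyword, separator, quoted 64-char hex secret in group 3.
EXISTING_RULE = re.compile(
    r'''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-h0-9]{64})['\"]'''
)

# Hypothetical pattern (assumption, not a gitleaks rule): same keyword anchoring,
# but the secret is three dot-separated base64url-style segments.
CANDIDATE_RULE = re.compile(
    r'''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]'''
    r'''([A-Za-z0-9_-]{20,40}\.[A-Za-z0-9_-]{5,8}\.[A-Za-z0-9_-]{25,45})['\"]'''
)

# Sample token exactly as posted in the issue.
SAMPLE_TOKEN = "MTIwMTE0MDk0MDQ2Nzg3MTc1NA.GIA1aR.l4cyaDp557_lJ_AV_wFHanBKwFJlB1KOxfKG6I"

# Constructed source lines standing in for a scanned repository (not from the issue).
SOURCE_LINES = [
    'DISCORD_BOT_TOKEN = "MTIwMTE0MDk0MDQ2Nzg3MTc1NA.GIA1aR.l4cyaDp557_lJ_AV_wFHanBKwFJlB1KOxfKG6I"',
    'discord_api_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"',
    "client.login(token)",
]


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character, the measure a rule's `entropy` field gates on."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(lines, rule, secret_group=3, min_entropy=3.5):
    """Report (line number, secret, entropy) for every match whose secret group clears the threshold."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in rule.finditer(line):
            secret = m.group(secret_group)
            ent = shannon_entropy(secret)
            if ent >= min_entropy:
                findings.append((lineno, secret, round(ent, 2)))
    return findings


if __name__ == "__main__":
    # The existing rule only sees the constructed 64-char hex value, never the bot token;
    # the candidate shape flags the bot token line and nothing else.
    print("existing rule :", scan(SOURCE_LINES, EXISTING_RULE))
    print("candidate rule:", scan(SOURCE_LINES, CANDIDATE_RULE))
    print("token entropy :", round(shannon_entropy(SAMPLE_TOKEN), 2))
```

The entropy check is not what blocks detection here: the sample token's entropy is well above 3.5, so the miss comes entirely from group 3 of the existing regex requiring exactly 64 characters from `[a-h0-9]`, which a dot-separated, mixed-case, underscore-containing value can never satisfy.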

rgmz commented 1 month ago

I'm not familiar with Discord tokens, however, it appears the existing GitLeaks rules only check for generic alpha/numeric patterns.

> For the test, we used this key: MTIwMTE0MDk0MDQ2Nzg3MTc1NA.GIA1aR.l4cyaDp557_lJ_AV_wFHanBKwFJlB1KOxfKG6I

I'm guessing that "bot tokens" are a distinct secret that would need to be added, and are not the same as "API keys".