
Exclude Slack webhook sample URL

Open dbarlett opened this issue 1 year ago • 5 comments

Is your feature request related to a problem? Please describe.
Semgrep returns a false positive for the Slack webhook sample URL https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX, which is used in Slack documentation.

Describe the solution you'd like
Modify the regex in generic.secrets.security.detected-slack-webhook.detected-slack-webhook to exclude the sample URL https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX.

Describe alternatives you've considered
Submit an upstream PR to update https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json#L33, but that repo hasn't been updated since 2021.

Use case
Documentation, such as the following, in repos scanned by Semgrep:

    Enter your Slack webhook URL, which is in the format https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX.

Additional context
None

dbarlett, Aug 27 '24 12:08
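The fix the issue asks for, worked through as an added example (this is not the semgrep-rules rule itself and not code from the issue author). The base pattern below is an approximation of the truffleHog "Slack Webhook" regex linked above; the exact upstream expression may differ, so treat it as an assumption. It shows two ways to drop the documentation placeholder: the narrow negative lookahead the issue proposes, which excludes only the exact sample URL, and a broader heuristic that treats any webhook whose team, channel and token segments are each a single repeated character as filler, which also catches variants like TXXXXXXXX/BXXXXXXXX/XXXX… that the exact exclusion misses. All sample URLs are constructed for this example; the "real-looking" one is not a working webhook.

```python
import re

# Assumption: approximation of the truffleHog "Slack Webhook" pattern that the
# Semgrep rule was derived from. The real rule's regex may differ in detail.
SLACK_WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/"
    r"T[A-Za-z0-9_]{8}/B[A-Za-z0-9_]{8}/[A-Za-z0-9_]{24}"
)

# Narrow fix, as proposed in the issue: a negative lookahead that rejects the
# exact sample URL from the Slack docs and nothing else.
SLACK_WEBHOOK_EXCLUDING_SAMPLE_RE = re.compile(
    r"https://hooks\.slack\.com/services/"
    r"(?!T00000000/B00000000/X{24}\b)"
    r"T[A-Za-z0-9_]{8}/B[A-Za-z0-9_]{8}/[A-Za-z0-9_]{24}"
)


def looks_like_placeholder(url: str) -> bool:
    """Broader heuristic: the three path segments of a documentation sample
    are usually one repeated character (00000000, XXXX...). A real webhook's
    IDs and token are not. Returns True when every segment (after the T/B
    prefix) is a single repeated character."""
    team, channel, token = url.rsplit("/", 3)[1:]
    segments = [team[1:], channel[1:], token]
    return all(len(set(seg)) == 1 for seg in segments)


def find_webhooks(text: str, exclude_placeholders: bool = True) -> list:
    """Scan text for Slack webhook URLs, optionally filtering out placeholders."""
    hits = SLACK_WEBHOOK_RE.findall(text)
    if exclude_placeholders:
        hits = [h for h in hits if not looks_like_placeholder(h)]
    return hits


# Constructed inputs: the Slack docs sample, a second common doc variant, and a
# made-up URL shaped like a real webhook (it is not a valid credential).
SAMPLE_URL = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
SAMPLE_URL_X = "https://hooks.slack.com/services/TXXXXXXXX/BXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXX"
REAL_LOOKING_URL = "https://hooks.slack.com/services/T1A2B3C4D/B9Z8Y7X6W/abcdefghijklmnopqrstuvwx"

SAMPLE_TEXT = "\n".join([
    "# Notifications",
    f"Enter your Slack webhook URL, which is in the format {SAMPLE_URL}.",
    f"Some READMEs use {SAMPLE_URL_X} instead.",
    f'SLACK_WEBHOOK = "{REAL_LOOKING_URL}"  # constructed, not a real secret',
])

if __name__ == "__main__":
    print("original rule:", SLACK_WEBHOOK_RE.findall(SAMPLE_TEXT))
    print("exact exclusion:", SLACK_WEBHOOK_EXCLUDING_SAMPLE_RE.findall(SAMPLE_TEXT))
    print("placeholder heuristic:", find_webhooks(SAMPLE_TEXT))
```

The lookahead version is the minimal change and is what a rule PR would most likely carry; the heuristic is worth keeping in mind because the exact-match exclusion still fires on the all-X variant that appears in other projects' READMEs.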

This is really about the rule rather than the engine, but I've flagged it to the secrets team!

ievans, Aug 27 '24 21:08

@dbarlett I've moved this to the correct repo -- we would welcome a PR to fix the rule here!

ievans, Aug 27 '24 21:08

(https://github.com/semgrep/semgrep-rules/blob/release/generic/secrets/security/detected-slack-webhook.yaml)

ievans, Aug 27 '24 21:08

Thanks @ievans. Is your CLA available for review before submitting a PR?

dbarlett, Aug 27 '24 21:08

Yes: https://cla-assistant.io/semgrep/semgrep-rules

ievans, Aug 27 '24 22:08