kingfisher/crates/kingfisher-rules/data/rules/gitlab.yml

rules:
  - name: GitLab Private Token
    id: kingfisher.gitlab.1
    pattern: |
      (?x)
      \b 
      (
        glpat-
        [0-9A-Za-z_-]{20}
      )
      \b
    pattern_requirements:
      min_digits: 2
    min_entropy: 3.5
    confidence: medium
    examples:
      - glpat-kSaPeOD_-T0JxMi3p28B
      - |
        docker build -t tweedledee \
        -f Dockerfile \
        --build-arg 'GO_REPO_TOKEN=glpat-tFrjFXD7soVU2fqxuDMh' \
    references:
      - https://github.com/diffblue/gitlab/blob/39c63ee83369bf5353256a6b95f3116728edd102/doc/api/personal_access_tokens.md
      - https://docs.gitlab.com/api/personal_access_tokens/
    validation:
      type: Http
      content:
        request:
          headers:
            PRIVATE-TOKEN: '{{ TOKEN }}'
          method: GET
          response_matcher:
            - report_response: true
            - type: WordMatch
              words:
                - '"id"'
          url: https://gitlab.com/api/v4/personal_access_tokens/self
    revocation:
      type: Http
      content:
        request:
          headers:
            PRIVATE-TOKEN: '{{ TOKEN }}'
          method: DELETE
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [204]
          url: https://gitlab.com/api/v4/personal_access_tokens/self

  - name: GitLab Runner Registration Token
    id: kingfisher.gitlab.2
    pattern: |
      (?x)
      \b
      (
        GR1348941[0-9A-Za-z_-]{20}
      )
      \b
    pattern_requirements:
      min_digits: 2
    examples:
      - |
        sudo gitlab-runner register \
        --non-interactive \
        --url "https://gitlab.com/" \
        --registration-token "GR1348941_iAgdMy7a3NhZaa5oNoH" \
        --executor "docker" \
        --docker-image ubuntu:latest \
        --description "docker-runner" \
        --tag-list "docker, CICD, App" \
        --run-untagged="true" \
        --locked="false" \
        --access-level="not_protected"
    references:
      - https://docs.gitlab.com/api/runners/
    validation:
      type: Http
      content:
        request:
          method: POST
          headers:
            Content-Type: application/x-www-form-urlencoded
            Accept: application/json
          body: token={{ TOKEN }}
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: 200
            - type: WordMatch
              words:
                - '"token is missing"'
                - '"403 Forbidden"'
              negative: true
          url: https://gitlab.com/api/v4/runners/verify

  - name: GitLab Pipeline Trigger Token
    id: kingfisher.gitlab.3
    pattern: |
      (?x)
      \b
      (
        glptt-[0-9a-fA-F]{40}
      )
    pattern_requirements:
      min_digits: 2
    examples:
      - |
        curl    \
        -X POST \
        --fail  \
        --no-progress-meter \
        -F token=glptt-0d66598d696a02da33fb65e2a041f607c68ea50d \
        -F ref=main
    references:
      - https://docs.gitlab.com/api/pipeline_triggers/
    validation:
      type: Http
      content:
        request:
          headers:
            PRIVATE-TOKEN: '{{ TOKEN }}'
          method: GET
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: 
                - 200
            - type: WordMatch
              words:
                - '"token is missing"'
                - '"403 Forbidden"'
              negative: true
          url: https://gitlab.com/api/v4/ci/pipeline_triggers/{{ TOKEN }}
  - name: GitLab Private Token - Routable Format
    id: kingfisher.gitlab.4
    pattern: |
      (?x)
      \b
      (
        glpat-
        (?<base64_payload>[0-9A-Za-z_-]{27,300})
        \.
        (?<version>01)
        \.
        (?<base36_payload_length>[0-9a-zA-Z]{2})
        (?<crc32>[0-9a-z]{7})
      )
      \b
    pattern_requirements:
      min_digits: 2
      # GitLab's RoutableTokenGenerator renders the CRC32 digest as lowercase
      # base36 with a fixed width of 7 characters. The regex and checksum
      # expectation mirror that encoding so we only report matches that carry a
      # valid GitLab-style checksum.
      checksum:
        actual:
          template: "{{ crc32 }}"
          requires_capture: crc32
        expected: "{{ \"glpat-\" | append: base64_payload | append: \".01.\" | append: base36_payload_length | crc32 | base36: 7 }}"
        skip_if_missing: true
    min_entropy: 3.5
    confidence: medium
    examples:
      - glpat-vSY1cyL948aAB440qB6L4zlu9OzsUmEV.01.0w0sfevch
    references:
      - https://github.com/diffblue/gitlab/blob/39c63ee83369bf5353256a6b95f3116728edd102/doc/api/personal_access_tokens.md
      - https://docs.gitlab.com/api/personal_access_tokens/
    validation:
      type: Http
      content:
        request:
          headers:
            PRIVATE-TOKEN: '{{ TOKEN }}'
          method: GET
          response_matcher:
            - report_response: true
            - type: WordMatch
              words:
                - '"id"'
          url: https://gitlab.com/api/v4/personal_access_tokens/self
    revocation:
      type: Http
      content:
        request:
          headers:
            PRIVATE-TOKEN: '{{ TOKEN }}'
          method: DELETE
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [204]
          url: https://gitlab.com/api/v4/personal_access_tokens/self