mcp-server-semgrep

MCP Server for Semgrep Integration - static code analysis with AI

```yaml
rules:
- id: github-refresh-token
  message: A gitleaks github-refresh-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
  languages:
    - regex
  severity: INFO
  metadata:
    likelihood: LOW
    impact: MEDIUM
    confidence: LOW
    category: security
    cwe:
      - "CWE-798: Use of Hard-coded Credentials"
    cwe2021-top25: true
    cwe2022-top25: true
    owasp:
      - A07:2021 - Identification and Authentication Failures
    references:
      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
    source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
    subcategory:
      - vuln
    technology:
      - gitleaks
  patterns:
    - pattern-regex: ghr_[0-9a-zA-Z]{36}
```
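As an added illustration (not part of mcp-server-semgrep or the gitleaks rule set), the following Python script applies the rule's `pattern-regex` to a constructed source snippet the way semgrep's regex mode would, and reports each hit with the token redacted so the finding itself does not re-leak the secret. The sample token value and the `scan_source` helper are made up for this example.

```python
import re
from dataclasses import dataclass

# The exact pattern from the github-refresh-token rule above.
# Note: no anchors or word boundaries, so a longer alphanumeric run
# starting with "ghr_" still matches on its first 36 characters.
GITHUB_REFRESH_TOKEN_RE = re.compile(r"ghr_[0-9a-zA-Z]{36}")


@dataclass
class Finding:
    line_no: int
    redacted: str  # prefix and last 4 chars only, safe to put in a report


def scan_source(text: str) -> list[Finding]:
    """Run the rule's regex line by line and collect redacted findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in GITHUB_REFRESH_TOKEN_RE.finditer(line):
            token = m.group(0)
            findings.append(Finding(line_no, f"{token[:4]}...{token[-4:]}"))
    return findings


# Constructed sample source. The token is a fabricated 36-char value,
# not a real credential.
SAMPLE = """\
import os
REFRESH = "ghr_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"  # hard-coded literal: rule fires
short = "ghr_notlongenough"                          # wrong length: no match
ok = os.environ["GITHUB_REFRESH_TOKEN"]              # read from environment: no match
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line_no}: github-refresh-token (INFO, CWE-798) {f.redacted}")
```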