Align GitLab token regexes with TruffleHog and add source provenance (#566)

* Add built-in rules for GitLab token types to detect them regardless of TruffleHog verification

Author: Copilot

pkg/scanner/engine/engine_test.go

@@ -2,6 +2,7 @@ package engine
 
 import (
 	"fmt"
+	"strings"
 	"testing"
 	"time"
 
@@ -249,3 +250,76 @@ func TestDeduplicateFindingsWithState_TrimsAtLimit(t *testing.T) {
 		t.Fatalf("expected state len 500 after trim, got %d", len(newState))
 	}
 }
+
+func TestDetectHits_GitLabTokenDetection(t *testing.T) {
+	// GitLab tokens should be detected by built-in rules regardless of TruffleHog
+	// verification status (which only verifies against gitlab.com).
+	tests := []struct {
+		name  string
+		text  []byte
+		token string
+	}{
+		{
+			name:  "personal access token v2",
+			text:  []byte("export GITLAB_TOKEN=glpat-abcdefghij1234567890"),
+			token: "glpat-",
+		},
+		{
+			name:  "personal access token v2 max length",
+			text:  []byte("export GITLAB_TOKEN=glpat-abcdefghij12345678901x"),
+			token: "glpat-",
+		},
+		{
+			name:  "personal access token v3",
+			text:  []byte("export GITLAB_TOKEN=glpat-abcDEFghij1234567890_-=xyzABC0ab.ab.abc012345"),
+			token: "glpat-",
+		},
+		{
+			name:  "pipeline trigger token",
+			text:  []byte("TRIGGER_TOKEN=glptt-abcdefghij1234567890"),
+			token: "glptt-",
+		},
+		{
+			name:  "deploy token",
+			text:  []byte("DEPLOY_TOKEN=gldt-abcdefghij1234567890xx"),
+			token: "gldt-",
+		},
+		{
+			name:  "runner authentication token",
+			text:  []byte("RUNNER_TOKEN=glrt-abcdefghij1234567890xx"),
+			token: "glrt-",
+		},
+		{
+			name:  "runner registration token",
+			text:  []byte("RUNNER_TOKEN=glrtr-abcdefghij1234567890x"),
+			token: "glrtr-",
+		},
+		{
+			name:  "legacy runner token",
+			text:  []byte("TOKEN=GR1348941abcdefghij1234567890"),
+			token: "GR1348941",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Use verification=true to prove that the built-in rules catch
+			// GitLab tokens even when TruffleHog verification is active.
+			findings, err := DetectHits(tt.text, 1, true, 60*time.Second)
+			if err != nil {
+				t.Fatalf("DetectHits() error = %v", err)
+			}
+
+			foundByBuiltinRule := false
+			for _, f := range findings {
+				if strings.Contains(f.Text, tt.token) && f.Pattern.Pattern.Confidence == "high" {
+					foundByBuiltinRule = true
+					break
+				}
+			}
+			if !foundByBuiltinRule {
+				t.Errorf("Expected GitLab token %q to be detected by built-in rule, findings: %v", tt.token, findings)
+			}
+		})
+	}
+}

pkg/scanner/rules/rules.go

@@ -104,6 +104,41 @@ func InitRules(confidenceFilter []string) {
 func AppendPipeleekRules(rules []types.PatternElement) []types.PatternElement {
 	customRules := []types.PatternElement{}
 	customRules = append(customRules, types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - Predefined Environment Variable", Regex: `(GITLAB_USER_ID|KUBECONFIG|CI_SERVER_TLS_KEY_FILE|CI_REPOSITORY_URL|CI_REGISTRY_PASSWORD|DOCKER_AUTH_CONFIG)=.*`, Confidence: "medium"}})
+
+	// Built-in rules for GitLab token types to ensure detection regardless of
+	// TruffleHog verification (which only verifies against gitlab.com and
+	// therefore misses tokens for self-hosted GitLab instances).
+	customRules = append(customRules,
+		// https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/gitlab/v2/gitlab_v2.go
+		types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - Personal Access Token v2", Regex: `glpat-[a-zA-Z0-9\-=_]{20,22}`, Confidence: "high"}},
+		// https://github.com/trufflesecurity/trufflehog/blob/afd5336caad0f61da51750ffe39869974b27b0db/pkg/detectors/gitlab/v3/gitlab_v3.go#L34
+		types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - Personal Access Token v3", Regex: `\b(glpat-[a-zA-Z0-9\-=_]{27,300}.[0-9a-z]{2}.[a-z0-9]{9})\b`, Confidence: "high"}},
+		// https://github.com/gitlabhq/gitlabhq/blob/master/app/models/ci/trigger.rb
+		types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - Pipeline Trigger Token", Regex: `glptt-[a-zA-Z0-9\-=_]{20,}`, Confidence: "high"}},
+		// https://github.com/gitlabhq/gitlabhq/blob/master/app/models/ci/runner.rb (CREATED_RUNNER_TOKEN_PREFIX)
+		types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - Runner Authentication Token", Regex: `glrt-[a-zA-Z0-9\-=_]{20,}`, Confidence: "high"}},
+		// https://github.com/gitlabhq/gitlabhq/blob/master/app/models/ci/runner.rb (REGISTRATION_RUNNER_TOKEN_PREFIX)
+		types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - Runner Registration Token", Regex: `glrtr-[a-zA-Z0-9\-=_]{20,}`, Confidence: "high"}},
+		// https://github.com/gitlabhq/gitlabhq/blob/master/app/models/deploy_token.rb
+		types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - Deploy Token", Regex: `gldt-[a-zA-Z0-9\-=_]{20,}`, Confidence: "high"}},
+		// https://github.com/gitlabhq/gitlabhq/blob/master/app/models/ci/build.rb
+		types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - CI Build Token", Regex: `glcbt-[a-zA-Z0-9\-=_]{20,}`, Confidence: "high"}},
+		// https://github.com/gitlabhq/gitlabhq/blob/master/spec/lib/authn/tokens/oauth_application_secret_spec.rb
+		types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - OAuth Application Secret", Regex: `gloas-[a-zA-Z0-9\-=_]{20,}`, Confidence: "high"}},
+		// https://docs.gitlab.com/security/token_overview/
+		types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - SCIM/OAuth Access Token", Regex: `glsoat-[a-zA-Z0-9\-=_]{20,}`, Confidence: "high"}},
+		// https://docs.gitlab.com/security/token_overview/
+		types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - Feed Token", Regex: `glft-[a-zA-Z0-9\-=_]{20,}`, Confidence: "high"}},
+		// https://docs.gitlab.com/security/token_overview/
+		types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - Incoming Mail Token", Regex: `glimt-[a-zA-Z0-9\-=_]{20,}`, Confidence: "high"}},
+		// https://docs.gitlab.com/security/token_overview/
+		types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - Feature Flags Client Token", Regex: `glffct-[a-zA-Z0-9\-=_]{20,}`, Confidence: "high"}},
+		// https://docs.gitlab.com/security/token_overview/
+		types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - Agent for Kubernetes Token", Regex: `glagent-[a-zA-Z0-9\-=_]{20,}`, Confidence: "high"}},
+		// https://github.com/gitlabhq/gitlabhq/blob/master/app/models/concerns/runners_token_prefixable.rb
+		types.PatternElement{Pattern: types.PatternPattern{Name: "Gitlab - Runner Token (Legacy)", Regex: `GR1348941[a-zA-Z0-9\-=_]{20,}`, Confidence: "high"}},
+	)
+
 	return slices.Concat(rules, customRules)
 }
 

pkg/scanner/rules/rules_test.go

@@ -22,14 +22,14 @@ func TestAppendPipeleekRules(t *testing.T) {
 		{
 			name:          "empty rules",
 			inputRules:    []types.PatternElement{},
-			expectedCount: 1,
+			expectedCount: 15,
 		},
 		{
 			name: "with existing rules",
 			inputRules: []types.PatternElement{
 				{Pattern: types.PatternPattern{Name: "Test Rule", Regex: "test", Confidence: "high"}},
 			},
-			expectedCount: 2,
+			expectedCount: 16,
 		},
 	}
 
@@ -318,3 +318,36 @@ func TestDownloadFile_BadOutputPath(t *testing.T) {
 	err := downloadFile(srv.URL, "/nonexistent-dir/rules.yml", client)
 	assert.Error(t, err)
 }
+
+func TestAppendPipeleekRules_GitLabTokenRules(t *testing.T) {
+	result := AppendPipeleekRules([]types.PatternElement{})
+
+	expectedTokenRules := []string{
+		"Gitlab - Personal Access Token v2",
+		"Gitlab - Personal Access Token v3",
+		"Gitlab - Pipeline Trigger Token",
+		"Gitlab - Runner Authentication Token",
+		"Gitlab - Runner Registration Token",
+		"Gitlab - Deploy Token",
+		"Gitlab - CI Build Token",
+		"Gitlab - OAuth Application Secret",
+		"Gitlab - SCIM/OAuth Access Token",
+		"Gitlab - Feed Token",
+		"Gitlab - Incoming Mail Token",
+		"Gitlab - Feature Flags Client Token",
+		"Gitlab - Agent for Kubernetes Token",
+		"Gitlab - Runner Token (Legacy)",
+	}
+
+	for _, expectedName := range expectedTokenRules {
+		found := false
+		for _, rule := range result {
+			if rule.Pattern.Name == expectedName {
+				found = true
+				assert.Equal(t, "high", rule.Pattern.Confidence, "GitLab token rule %q should have high confidence", expectedName)
+				break
+			}
+		}
+		assert.True(t, found, "Expected GitLab token rule %q to be present", expectedName)
+	}
+}