Merge pull request #1 from alejolagosm/main

Add secrets files to test new sniffs scanner

Author: dsalaza4

.github/workflows/dev.yml

@@ -0,0 +1,12 @@
+# Test workflow for machine
+name: Standalone CLI
+on: [push, pull_request]
+jobs:
+   machineStandalone:
+      runs-on: ubuntu-latest
+      steps:
+         - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
+         - uses: docker://docker.io/fluidattacks/sast:latest
+           name: machineStandalone
+           with:
+             args: sast scan .

environment/.env

@@ -0,0 +1,43 @@
+# -------------------------------------------------------
+# Example .env file with intentionally hardcoded secrets
+# FOR TESTING SECRET SCANNERS ONLY (dummy values)
+# -------------------------------------------------------
+
+# AWS credentials
+AWS_ACCESS_KEY_ID=AKIA9ZQWERTYUIOPASDF
+AWS_SECRET_ACCESS_KEY=U8sdf78sdf78sdf87sdf78sdf87sdf78sdf87sdf78sdf
+AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjEOr//////////wEaCXVzLWVhc3QtMSJGMEQCIGdummySESSIONtokenExample0987654321abcdefghijklmnop
+
+# Database credentials
+DB_HOST=prod-db.internal.example.com
+DB_PORT=5432
+DB_USERNAME=prod_admin
+DB_PASSWORD=Str0ngP@ssw0rd!A9f3KlmPq8Xz2Tn4Yw6Rb0Cj1H
+
+# Generic API keys
+API_KEY=sk_live_51QwErTyUiOpAsDfGhJkLzXcVbNm1234567890abcdef
+API_TOKEN=ghp_ZYXWVUTSRQPONMLKJIHGFEDCBAabcdef123456
+
+# JWT / authentication secrets
+JWT_SECRET=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.dummyPayloadSignatureExampleABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
+SESSION_SECRET=super-session-secret-4f9d8f7s9df87s9df87s9df87s9df87s9df
+
+# Encryption keys
+ENCRYPTION_KEY=base64:QWxhZGRpbjpPcGVuU2VzYW1lMTIzNDU2Nzg5MGFiY2RlZg==
+PRIVATE_TOKEN=tok_9f8e7d6c5b4a39281716151413121110abcdefabcdef
+
+# Cloud provider examples
+AZURE_STORAGE_KEY=DefaultEndpointsProtocol=https;AccountName=dummystorageacct;AccountKey=QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdef==
+GOOGLE_API_KEY=AIzaSyDummyExampleKey1234567890abcdefghijklmnop
+
+# Application secrets
+DJANGO_SECRET_KEY=django-insecure-5z8x7c6v5b4n3m2a1s0d9f8g7h6j5k4l3p2o1i
+FLASK_SECRET_KEY=flask-secret-key-0987654321abcdefghijklmnopqrstuvwxyz
+
+# OAuth secrets
+OAUTH_CLIENT_ID=123456789012-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com
+OAUTH_CLIENT_SECRET=GOCSPX-dummyOAuthSecretKeyExample1234567890
+
+# Misc high entropy values
+REDIS_PASSWORD=redispass-9sd8f7s9df87s9df87s9df87s9df87s9df
+SIGNING_KEY=MIICXAIBAAKBgQDZdummySigningKeyExample1234567890abcdefghijklmno

environment/.npmrc

@@ -0,0 +1,19 @@
+# -------------------------------------------------------
+# npm configuration with dummy secrets
+# -------------------------------------------------------
+
+registry=https://registry.npmjs.org/
+
+# npm authentication token
+//registry.npmjs.org/:_authToken=npm_abcdefghijklmnopqrstuvwxyz1234567890
+
+# GitHub Packages token
+//npm.pkg.github.com/:_authToken=ghp_ZYXWVUTSRQPONMLKJIHGFEDCBA123456789
+
+# Sonar private registry example
+//sonar.internal.example.com/:_authToken=squ_abcdef1234567890abcdef1234567890abcdef12
+
+# Internal registry credentials
+_auth=dXNlcm5hbWU6cGFzc3dvcmQtMTIzNDU2Nzg5MGFiY2RlZg==
+email=devops@example.com
+always-auth=true

environment/Dockerfile

@@ -0,0 +1,49 @@
+# -------------------------------------------------------
+# Example Dockerfile with intentionally hardcoded secrets
+# FOR TESTING SECRET SCANNERS ONLY (dummy values)
+# -------------------------------------------------------
+
+FROM ubuntu:22.04
+
+LABEL maintainer="security-test@example.com"
+ENV DEBIAN_FRONTEND=noninteractive
+
+# ---- Hardcoded AWS credentials ----
+ENV AWS_ACCESS_KEY_ID=AKIA7QWERTYUIOPZXCV
+ENV AWS_SECRET_ACCESS_KEY=K9sdf8s7df98s7df9s8df7s9df87s9df87s9df87s9df
+ENV AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjEJr//////////wEaCXVzLWVhc3QtMSJIMEYCIQDdummyhighentropyTOKENEXAMPLE1234567890abcdEfGhIjKlMnOpQrStUvWxYz0987654321
+
+# ---- Hardcoded database credentials ----
+ENV DB_USERNAME=admin_user
+ENV DB_PASSWORD=P@55w0rd!X9vTq3LmZr8YkN2wB6DfHsJpQ1cE7uA4iR0oM
+
+# ---- Hardcoded generic API token ----
+ENV API_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0KLMNOPQRSTUVWXYZabcd
+
+# ---- Hardcoded private key (dummy but realistic format) ----
+RUN mkdir -p /root/.ssh && \
+    echo "-----BEGIN OPENSSH PRIVATE KEY-----" > /root/.ssh/id_rsa && \
+    echo "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAlwAAAAdzc2gtcn" >> /root/.ssh/id_rsa && \
+    echo "NhAAAAAwEAAQAAAIEA0dummyHIGHENTROPYSTRINGkjsdhf9823y4r9823y4r9823y4r98" >> /root/.ssh/id_rsa && \
+    echo "asdf987asdf987asdf987asdf987asdf987asdf987asdf987asdf987asdf987asdf98" >> /root/.ssh/id_rsa && \
+    echo "-----END OPENSSH PRIVATE KEY-----" >> /root/.ssh/id_rsa && \
+    chmod 600 /root/.ssh/id_rsa
+
+# ---- Hardcoded SSH public key ----
+RUN echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7dummyHIGHENTROPYKEYSTRING1234567890abcdefghijklmnopqrstuvwxyz user@example.com" \
+    > /root/.ssh/authorized_keys
+
+# ---- Hardcoded .env file ----
+RUN echo "SECRET_KEY=django-insecure-4f9d8f7s9df87s9df87s9df87s9df87s9df87s9df87s9df" > /app.env && \
+    echo "JWT_SECRET=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.dummyPayloadSignatureExample0987654321" >> /app.env
+
+# ---- Hardcoded config file with credentials ----
+RUN mkdir -p /opt/app && \
+    echo '{ \
+      "username": "service_account", \
+      "password": "Sup3rS3cr3tP@ssw0rd!0987654321asdfghjkl", \
+      "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", \
+      "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" \
+    }' > /opt/app/config.json
+
+CMD ["bash"]

environment/backend/settings.py

@@ -0,0 +1,115 @@
+"""
+Django settings.py (dummy secrets for scanner benchmarking)
+DO NOT USE IN PRODUCTION
+"""
+
+from pathlib import Path
+
+BASE_DIR = Path(__file__).resolve().parent.parent
+
+# -------------------------------------------------------
+# Core Django secrets
+# -------------------------------------------------------
+
+SECRET_KEY = "django-insecure-5z8x7c6v5b4n3m2a1s0d9f8g7h6j5k4l3p2o1i9u8y7t6r"
+
+DEBUG = False
+
+ALLOWED_HOSTS = ["example.com", "api.example.com"]
+
+# -------------------------------------------------------
+# Database configuration
+# -------------------------------------------------------
+
+DATABASES = {
+    "default": {
+        "ENGINE": "django.db.backends.postgresql",
+        "NAME": "production_db",
+        "USER": "prod_admin",
+        "PASSWORD": "Pr0dDBP@ssw0rd!A9f3KlmPq8Xz2Tn4Yw6Rb0Cj",
+        "HOST": "prod-db.internal.example.com",
+        "PORT": "5432",
+    }
+}
+
+# -------------------------------------------------------
+# AWS configuration
+# -------------------------------------------------------
+
+AWS_ACCESS_KEY_ID = "AKIA7EXAMPLEQWERTYUI"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYdummyExampleKey123"
+AWS_STORAGE_BUCKET_NAME = "production-bucket"
+AWS_S3_REGION_NAME = "us-east-1"
+
+# -------------------------------------------------------
+# OpenAI configuration
+# -------------------------------------------------------
+
+OPENAI_API_KEY = "sk-proj-AbCdEfGhIjKlMnOpQrStUvWxYz1234567890abcdef"
+
+# -------------------------------------------------------
+# Cloudflare configuration
+# -------------------------------------------------------
+
+CLOUDFLARE_API_TOKEN = "CFAT-abcdefghijklmnopqrstuvwxyz1234567890"
+CLOUDFLARE_ZONE_ID = "1a2b3c4d5e6f7890abcdef1234567890"
+
+# -------------------------------------------------------
+# SonarQube configuration
+# -------------------------------------------------------
+
+SONAR_HOST_URL = "https://sonar.internal.example.com"
+SONAR_TOKEN = "squ_abcdef1234567890abcdef1234567890abcdef12"
+
+# -------------------------------------------------------
+# Stripe configuration
+# -------------------------------------------------------
+
+STRIPE_SECRET_KEY = "sk_live_abcdefghijklmnopqrstuvwxyz123456"
+STRIPE_PUBLIC_KEY = "pk_live_abcdefghijklmnopqrstuvwxyz123456"
+
+# -------------------------------------------------------
+# GitHub integration
+# -------------------------------------------------------
+
+GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz1234567890ABCD"
+
+# -------------------------------------------------------
+# Email configuration
+# -------------------------------------------------------
+
+EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
+EMAIL_HOST = "smtp.mailgun.org"
+EMAIL_PORT = 587
+EMAIL_HOST_USER = "postmaster@example.com"
+EMAIL_HOST_PASSWORD = "MailgunP@ssw0rdExample0987654321"
+EMAIL_USE_TLS = True
+
+# -------------------------------------------------------
+# Redis / cache
+# -------------------------------------------------------
+
+REDIS_HOST = "redis.internal.example.com"
+REDIS_PORT = 6379
+REDIS_PASSWORD = "redis-secret-9sd8f7s9df87s9df87s9df87s9df87s9df"
+
+# -------------------------------------------------------
+# JWT configuration
+# -------------------------------------------------------
+
+JWT_SECRET_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.dummyPayloadSignatureABCDEFGHIJKLMNOPQRSTUVWXYZ123456"
+
+# -------------------------------------------------------
+# Third-party API keys
+# -------------------------------------------------------
+
+SLACK_BOT_TOKEN = "xoxb-123456789012-abcdefghijklmnopqrstuvwxyz1234"
+TWILIO_ACCOUNT_SID = "ACabcdef1234567890abcdef1234567890"
+TWILIO_AUTH_TOKEN = "abcdef1234567890abcdef1234567890"
+
+# -------------------------------------------------------
+# Internal service secrets
+# -------------------------------------------------------
+
+INTERNAL_API_KEY = "internal-api-key-abcdefghijklmnopqrstuvwxyz123456"
+SIGNING_KEY = "MIICXAIBAAKBgQCdummySigningKeyExample0987654321abcdefghijklmnop"

environment/config.json

@@ -0,0 +1,21 @@
+{
+  "environment": "production",
+  "openai": {
+    "api_key": "sk-proj-1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef"
+  },
+  "cloudflare": {
+    "api_token": "CFAT-0987654321abcdefghijklmnopqrstuvwxyz",
+    "zone_id": "1a2b3c4d5e6f7890abcdef1234567890"
+  },
+  "sonarqube": {
+    "token": "squ_abcdef1234567890abcdef1234567890abcdef12",
+    "url": "https://sonar.internal.example.com"
+  },
+  "aws": {
+    "access_key_id": "AKIAIOSFODNN7EXAMPLE",
+    "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+  },
+  "npm": {
+    "token": "npm_abcdefghijklmnopqrstuvwxyz1234567890"
+  }
+}

environment/dummy-workflow.yml

@@ -0,0 +1,33 @@
+# -------------------------------------------------------
+# GitHub Actions workflow with dummy secrets
+# -------------------------------------------------------
+name: Deploy Application
+
+on:
+  push:
+    branches: [ "main" ]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    env:
+      OPENAI_API_KEY: sk-proj-AbCdEfGhIjKlMnOpQrStUvWxYz1234567890
+      CLOUDFLARE_API_TOKEN: CFAT-ZYXWVUTSRQPONMLKJIHGFEDCBA123456
+      SONAR_TOKEN: squ_abcdefabcdefabcdefabcdefabcdefabcdef
+      DOCKERHUB_TOKEN: dckr_pat_abcdefghijklmnopqrstuvwxyz1234
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run SonarQube Scan
+        run: |
+          sonar-scanner \
+            -Dsonar.login=${SONAR_TOKEN}
+
+      - name: Deploy to Cloudflare
+        run: |
+          curl -X POST \
+            -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
+            https://api.cloudflare.com/client/v4/zones

environment/infra/terraform.tfvars

@@ -0,0 +1,34 @@
+# -------------------------------------------------------
+# Terraform variables (dummy secrets for benchmarking)
+# -------------------------------------------------------
+
+# AWS credentials
+aws_access_key = "AKIA5EXAMPLEZXCVBNMQWER"
+aws_secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYdummyTerraformKey123"
+aws_session_token = "IQoJb3JpZ2luX2VjEO///////////wEaCXVzLWVhc3QtMSJGMEQCIDummySessionTokenExample1234567890"
+
+# Database credentials
+db_username = "terraform_admin"
+db_password = "TfPr0dDBP@ssw0rd0987654321abcdefghijklmnopqrstuvwxyz"
+
+# Cloudflare
+cloudflare_api_token = "CFAT-abcdefghijklmnopqrstuvwxyz1234567890"
+cloudflare_zone_id   = "1a2b3c4d5e6f7890abcdef1234567890"
+
+# OpenAI
+openai_api_key = "sk-proj-ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdef"
+
+# SonarQube
+sonar_token = "squ_abcdefabcdefabcdefabcdefabcdefabcdef"
+
+# GitHub
+github_token = "ghp_abcdefghijklmnopqrstuvwxyz1234567890ABCD"
+
+# Stripe
+stripe_secret_key = "sk_live_abcdefghijklmnopqrstuvwxyz123456"
+
+# Generic encryption key
+encryption_key = "base64:VGhpc0lzQVRlcnJhZm9ybUVuY3J5cHRpb25LZXkxMjM0NTY3OA=="
+
+# Kubernetes
+kubeconfig_token = "eyJhbGciOiJSUzI1NiIsImtpZCI6ImR1bW15S1ViZVRva2VuMTIzNDU2"

environment/java.properties

@@ -0,0 +1,45 @@
+# -------------------------------------------------------
+# Example Java application.properties with dummy secrets
+# FOR TESTING SECRET SCANNERS ONLY
+# -------------------------------------------------------
+
+# Database configuration
+spring.datasource.url=jdbc:postgresql://prod-db.internal.example.com:5432/customerdb
+spring.datasource.username=prod_admin
+spring.datasource.password=Sup3rStr0ngP@ssw0rd!9f8e7d6c5b4a39281716
+
+# AWS credentials
+aws.accessKeyId=AKIA4ZXCVBNMASDFQWER
+aws.secretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYdummyEXAMPLEKEY123
+aws.sessionToken=IQoJb3JpZ2luX2VjEOr//////////wEaCXVzLWVhc3QtMSJHMEUCIQdummySESSIONExample0987654321abcdefghijklmnop
+
+# API tokens
+api.token=ghp_qwertyuiopasdfghjklzxcvbnm1234567890ABCDE
+api.key=sk_live_51DummyExampleKeyAbCdEfGhIjKlMnOpQrStUvWxYz
+
+# JWT secrets
+security.jwt.secret=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.dummyPayloadSignatureExampleABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
+security.jwt.refreshSecret=refresh-secret-0987654321abcdefghijklmnopqrstuvwxyz
+
+# Encryption keys
+security.encryption.key=base64:VGhpc0lzQUR1bW15RW5jcnlwdGlvbktleTEyMzQ1Njc4OTA=
+security.signing.key=MIICXAIBAAKBgQCdummySigningKeyExample0987654321abcdefghijklmnop
+
+# OAuth configuration
+oauth.client.id=123456789012-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com
+oauth.client.secret=GOCSPX-dummyOAuthSecretKeyExample1234567890
+
+# Third-party integrations
+stripe.secret.key=sk_live_dummyStripeSecretKeyExample1234567890abcdef
+slack.bot.token=xoxb-123456789012-abcdefghijklmnopqrstuvwxyz1234
+twilio.auth.token=abcdef1234567890abcdef1234567890
+
+# Redis
+redis.password=redis-secret-9sd8f7s9df87s9df87s9df87s9df87s9df
+
+# Admin credentials
+admin.username=administrator
+admin.password=Adm1nP@ssw0rd!DummyHighEntropy0987654321
+
+# Generic high entropy secret
+internal.service.secret=7f3a9c2e8d4b6f1a0c9e5d3b2a8f7c6e5d4c3b2a1f0e9d8c7b6a5