feat(secret): Support for detecting Hugging Face Access Tokens (aquasecurity#6236)

chrisking · DmitriyLewen · web-flow · commit 66399116627a · 2024-03-07T14:00:52.000Z
Co-authored-by: DmitriyLewen &lt;dmitriy.lewen@smartforce.io&gt;
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
@@ -69,6 +69,7 @@ var (
 	CategoryTwitch               = types.SecretRuleCategory("Twitch")
 	CategoryTypeform             = types.SecretRuleCategory("Typeform")
 	CategoryDocker               = types.SecretRuleCategory("Docker")
+	CategoryHuggingFace          = types.SecretRuleCategory("HuggingFace")
 )
 
 // Reusable regex patterns
@@ -158,6 +159,15 @@ var builtinRules = []Rule{
 		Regex:    MustCompile(`glpat-[0-9a-zA-Z\-\_]{20}`),
 		Keywords: []string{"glpat-"},
 	},
+	{
+		// cf. https://huggingface.co/docs/hub/en/security-tokens
+		ID:       "hugging-face-access-token",
+		Category: CategoryHuggingFace,
+		Severity: "CRITICAL",
+		Title:    "Hugging Face Access Token",
+		Regex:    MustCompile(`hf_[A-Za-z0-9]{39}`),
+		Keywords: []string{"hf_"},
+	},
 	{
 		ID:              "private-key",
 		Category:        CategoryAsymmetricPrivateKey,
diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
@@ -609,6 +609,28 @@ func TestSecretScanner(t *testing.T) {
 			},
 		},
 	}
+	wantFindingHuggingFace := types.SecretFinding{
+		RuleID:    "hugging-face-access-token",
+		Category:  secret.CategoryHuggingFace,
+		Title:     "Hugging Face Access Token",
+		Severity:  "CRITICAL",
+		StartLine: 1,
+		EndLine:   1,
+		Match:     "HF_example_token: ******************************************",
+		Code: types.Code{
+			Lines: []types.Line{
+				{
+					Number:      1,
+					Content:     "HF_example_token: ******************************************",
+					Highlighted: "HF_example_token: ******************************************",
+					IsCause:     true,
+					FirstCause:  true,
+					LastCause:   true,
+				},
+			},
+		},
+	}
+
 	wantMultiLine := types.SecretFinding{
 		RuleID:    "multi-line-secret",
 		Category:  "general",
@@ -701,6 +723,15 @@ func TestSecretScanner(t *testing.T) {
 				Findings: []types.SecretFinding{wantFindingDockerKey1, wantFindingDockerKey2},
 			},
 		},
+		{
+			name:          "find Hugging face secret",
+			configPath:    filepath.Join("testdata", "config.yaml"),
+			inputFilePath: filepath.Join("testdata", "hugging-face-secret.txt"),
+			want: types.Secret{
+				FilePath: filepath.Join("testdata", "hugging-face-secret.txt"),
+				Findings: []types.SecretFinding{wantFindingHuggingFace},
+			},
+		},
 		{
 			name:          "include when keyword found",
 			configPath:    filepath.Join("testdata", "config-happy-keywords.yaml"),
diff --git a/pkg/fanal/secret/testdata/hugging-face-secret.txt b/pkg/fanal/secret/testdata/hugging-face-secret.txt
@@ -0,0 +1 @@
+HF_example_token: hf_Testpoiqazwsxedcrfvtgbyhn12345ujmik6789

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+HF_example_token: hf_Testpoiqazwsxedcrfvtgbyhn12345ujmik6789`