org.openrewrite.java.security.secrets.FindArtifactorySecrets
Locates Artifactory secrets stored in plain text in code.
- security
GitHub, Issue Tracker, Maven Central
- groupId: org.openrewrite.recipe
- artifactId: rewrite-java-security
- version: 2.0.1
{% tabs %} {% tab title="Test.java" %}
{% code title="Test.java" %}
class Test {
String[] artifactoryStrings = {
"AP6xxxxxxxxxx",
"AP2xxxxxxxxxx",
"AP3xxxxxxxxxx",
"AP5xxxxxxxxxx",
"APAxxxxxxxxxx",
"APBxxxxxxxxxx",
"AKCxxxxxxxxxx",
" AP6xxxxxxxxxx",
" AKCxxxxxxxxxx",
"=AP6xxxxxxxxxx",
"=AKCxxxxxxxxxx",
"\"AP6xxxxxxxxxx\"",
"\"AKCxxxxxxxxxx\"",
"artif-key:AP6xxxxxxxxxx",
"artif-key:AKCxxxxxxxxxx",
"X-JFrog-Art-Api: AKCxxxxxxxxxx",
"X-JFrog-Art-Api: AP6xxxxxxxxxx",
"artifactoryx:_password=AKCxxxxxxxxxx",
"artifactoryx:_password=AP6xxxxxxxxxx",
"testAKCwithinsomeirrelevantstring",
"testAP6withinsomeirrelevantstring",
"X-JFrog-Art-Api: $API_KEY",
"X-JFrog-Art-Api: $PASSWORD",
"artifactory:_password=AP6xxxxxx",
"artifactory:_password=AKCxxxxxxxx"};
}{% endcode %}
{% code title="Test.java" %}
class Test {
String[] artifactoryStrings = {
/*~~(Artifactory)~~>*/"AP6xxxxxxxxxx",
/*~~(Artifactory)~~>*/"AP2xxxxxxxxxx",
/*~~(Artifactory)~~>*/"AP3xxxxxxxxxx",
/*~~(Artifactory)~~>*/"AP5xxxxxxxxxx",
/*~~(Artifactory)~~>*/"APAxxxxxxxxxx",
/*~~(Artifactory)~~>*/"APBxxxxxxxxxx",
/*~~(Artifactory)~~>*/"AKCxxxxxxxxxx",
/*~~(Artifactory)~~>*/" AP6xxxxxxxxxx",
/*~~(Artifactory)~~>*/" AKCxxxxxxxxxx",
/*~~(Artifactory)~~>*/"=AP6xxxxxxxxxx",
/*~~(Artifactory)~~>*/"=AKCxxxxxxxxxx",
/*~~(Artifactory)~~>*/"\"AP6xxxxxxxxxx\"",
/*~~(Artifactory)~~>*/"\"AKCxxxxxxxxxx\"",
/*~~(Artifactory)~~>*/"artif-key:AP6xxxxxxxxxx",
/*~~(Artifactory)~~>*/"artif-key:AKCxxxxxxxxxx",
/*~~(Artifactory)~~>*/"X-JFrog-Art-Api: AKCxxxxxxxxxx",
/*~~(Artifactory)~~>*/"X-JFrog-Art-Api: AP6xxxxxxxxxx",
/*~~(Artifactory)~~>*/"artifactoryx:_password=AKCxxxxxxxxxx",
/*~~(Artifactory)~~>*/"artifactoryx:_password=AP6xxxxxxxxxx",
"testAKCwithinsomeirrelevantstring",
"testAP6withinsomeirrelevantstring",
"X-JFrog-Art-Api: $API_KEY",
"X-JFrog-Art-Api: $PASSWORD",
"artifactory:_password=AP6xxxxxx",
"artifactory:_password=AKCxxxxxxxx"};
}{% endcode %}
{% endtab %} {% tab title="Diff" %} {% code %}
--- Test.java
+++ Test.java
@@ -3,19 +3,19 @@
class Test {
String[] artifactoryStrings = {
- "AP6xxxxxxxxxx",
- "AP2xxxxxxxxxx",
- "AP3xxxxxxxxxx",
- "AP5xxxxxxxxxx",
- "APAxxxxxxxxxx",
- "APBxxxxxxxxxx",
- "AKCxxxxxxxxxx",
- " AP6xxxxxxxxxx",
- " AKCxxxxxxxxxx",
- "=AP6xxxxxxxxxx",
- "=AKCxxxxxxxxxx",
- "\"AP6xxxxxxxxxx\"",
- "\"AKCxxxxxxxxxx\"",
- "artif-key:AP6xxxxxxxxxx",
- "artif-key:AKCxxxxxxxxxx",
- "X-JFrog-Art-Api: AKCxxxxxxxxxx",
- "X-JFrog-Art-Api: AP6xxxxxxxxxx",
- "artifactoryx:_password=AKCxxxxxxxxxx",
- "artifactoryx:_password=AP6xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"AP6xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"AP2xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"AP3xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"AP5xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"APAxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"APBxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"AKCxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/" AP6xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/" AKCxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"=AP6xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"=AKCxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"\"AP6xxxxxxxxxx\"",
+ /*~~(Artifactory)~~>*/"\"AKCxxxxxxxxxx\"",
+ /*~~(Artifactory)~~>*/"artif-key:AP6xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"artif-key:AKCxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"X-JFrog-Art-Api: AKCxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"X-JFrog-Art-Api: AP6xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"artifactoryx:_password=AKCxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"artifactoryx:_password=AP6xxxxxxxxxx",
"testAKCwithinsomeirrelevantstring",{% endcode %} {% endtab %} {% endtabs %}
{% tabs %} {% tab title="Test.java" %}
{% code title="Test.java" %}
class Test {
String[] artifactoryStrings = {
"AP6xxxxxxxxxx",
"AP2xxxxxxxxxx",
"AP3xxxxxxxxxx",
"AP5xxxxxxxxxx",
"APAxxxxxxxxxx",
"APBxxxxxxxxxx",
"AKCxxxxxxxxxx",
" AP6xxxxxxxxxx",
" AKCxxxxxxxxxx",
"=AP6xxxxxxxxxx",
"=AKCxxxxxxxxxx",
"\"AP6xxxxxxxxxx\"",
"\"AKCxxxxxxxxxx\"",
"artif-key:AP6xxxxxxxxxx",
"artif-key:AKCxxxxxxxxxx",
"X-JFrog-Art-Api: AKCxxxxxxxxxx",
"X-JFrog-Art-Api: AP6xxxxxxxxxx",
"artifactoryx:_password=AKCxxxxxxxxxx",
"artifactoryx:_password=AP6xxxxxxxxxx",
"testAKCwithinsomeirrelevantstring",
"testAP6withinsomeirrelevantstring",
"X-JFrog-Art-Api: $API_KEY",
"X-JFrog-Art-Api: $PASSWORD",
"artifactory:_password=AP6xxxxxx",
"artifactory:_password=AKCxxxxxxxx"};
}{% endcode %}
{% code title="Test.java" %}
class Test {
String[] artifactoryStrings = {
/*~~(Artifactory)~~>*/"AP6xxxxxxxxxx",
/*~~(Artifactory)~~>*/"AP2xxxxxxxxxx",
/*~~(Artifactory)~~>*/"AP3xxxxxxxxxx",
/*~~(Artifactory)~~>*/"AP5xxxxxxxxxx",
/*~~(Artifactory)~~>*/"APAxxxxxxxxxx",
/*~~(Artifactory)~~>*/"APBxxxxxxxxxx",
/*~~(Artifactory)~~>*/"AKCxxxxxxxxxx",
/*~~(Artifactory)~~>*/" AP6xxxxxxxxxx",
/*~~(Artifactory)~~>*/" AKCxxxxxxxxxx",
/*~~(Artifactory)~~>*/"=AP6xxxxxxxxxx",
/*~~(Artifactory)~~>*/"=AKCxxxxxxxxxx",
/*~~(Artifactory)~~>*/"\"AP6xxxxxxxxxx\"",
/*~~(Artifactory)~~>*/"\"AKCxxxxxxxxxx\"",
/*~~(Artifactory)~~>*/"artif-key:AP6xxxxxxxxxx",
/*~~(Artifactory)~~>*/"artif-key:AKCxxxxxxxxxx",
/*~~(Artifactory)~~>*/"X-JFrog-Art-Api: AKCxxxxxxxxxx",
/*~~(Artifactory)~~>*/"X-JFrog-Art-Api: AP6xxxxxxxxxx",
/*~~(Artifactory)~~>*/"artifactoryx:_password=AKCxxxxxxxxxx",
/*~~(Artifactory)~~>*/"artifactoryx:_password=AP6xxxxxxxxxx",
"testAKCwithinsomeirrelevantstring",
"testAP6withinsomeirrelevantstring",
"X-JFrog-Art-Api: $API_KEY",
"X-JFrog-Art-Api: $PASSWORD",
"artifactory:_password=AP6xxxxxx",
"artifactory:_password=AKCxxxxxxxx"};
}{% endcode %}
{% endtab %} {% tab title="Diff" %} {% code %}
--- Test.java
+++ Test.java
@@ -3,19 +3,19 @@
class Test {
String[] artifactoryStrings = {
- "AP6xxxxxxxxxx",
- "AP2xxxxxxxxxx",
- "AP3xxxxxxxxxx",
- "AP5xxxxxxxxxx",
- "APAxxxxxxxxxx",
- "APBxxxxxxxxxx",
- "AKCxxxxxxxxxx",
- " AP6xxxxxxxxxx",
- " AKCxxxxxxxxxx",
- "=AP6xxxxxxxxxx",
- "=AKCxxxxxxxxxx",
- "\"AP6xxxxxxxxxx\"",
- "\"AKCxxxxxxxxxx\"",
- "artif-key:AP6xxxxxxxxxx",
- "artif-key:AKCxxxxxxxxxx",
- "X-JFrog-Art-Api: AKCxxxxxxxxxx",
- "X-JFrog-Art-Api: AP6xxxxxxxxxx",
- "artifactoryx:_password=AKCxxxxxxxxxx",
- "artifactoryx:_password=AP6xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"AP6xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"AP2xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"AP3xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"AP5xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"APAxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"APBxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"AKCxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/" AP6xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/" AKCxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"=AP6xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"=AKCxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"\"AP6xxxxxxxxxx\"",
+ /*~~(Artifactory)~~>*/"\"AKCxxxxxxxxxx\"",
+ /*~~(Artifactory)~~>*/"artif-key:AP6xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"artif-key:AKCxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"X-JFrog-Art-Api: AKCxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"X-JFrog-Art-Api: AP6xxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"artifactoryx:_password=AKCxxxxxxxxxx",
+ /*~~(Artifactory)~~>*/"artifactoryx:_password=AP6xxxxxxxxxx",
"testAKCwithinsomeirrelevantstring",{% endcode %} {% endtab %} {% endtabs %}
This recipe has no required configuration options. It can be activated by adding a dependency on org.openrewrite.recipe:rewrite-java-security:2.0.1 in your build file or by running a shell command (in which case no build changes are needed):
{% tabs %}
{% tab title="Gradle" %}
{% code title="build.gradle" %}
plugins {
id("org.openrewrite.rewrite") version("6.1.4")
}
rewrite {
activeRecipe("org.openrewrite.java.security.secrets.FindArtifactorySecrets")
}
repositories {
mavenCentral()
}
dependencies {
rewrite("org.openrewrite.recipe:rewrite-java-security:2.0.1")
}{% endcode %} {% endtab %} {% tab title="Maven POM" %} {% code title="pom.xml" %}
<project>
<build>
<plugins>
<plugin>
<groupId>org.openrewrite.maven</groupId>
<artifactId>rewrite-maven-plugin</artifactId>
<version>5.2.4</version>
<configuration>
<activeRecipes>
<recipe>org.openrewrite.java.security.secrets.FindArtifactorySecrets</recipe>
</activeRecipes>
</configuration>
<dependencies>
<dependency>
<groupId>org.openrewrite.recipe</groupId>
<artifactId>rewrite-java-security</artifactId>
<version>2.0.1</version>
</dependency>
</dependencies>
</plugin>
</plugins>
</build>
</project>
{% endcode %} {% endtab %}
{% tab title="Maven Command Line" %} {% code title="shell" %} You will need to have Maven installed on your machine before you can run the following command.
mvn -U org.openrewrite.maven:rewrite-maven-plugin:run \
-Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-java-security:RELEASE \
-Drewrite.activeRecipes=org.openrewrite.java.security.secrets.FindArtifactorySecrets{% endcode %} {% endtab %} {% endtabs %}
{% tabs %} {% tab title="Recipe List" %}
- Find secrets with regular expressions
- secretName:
Artifactory - valuePattern:
(?:\s|=|:|"|^)AP[\dABCDEF][a-zA-Z0-9]{8,}(?:\s|"|$)
- secretName:
- Find secrets with regular expressions
- secretName:
Artifactory - valuePattern:
(?:\s|=|:|"|^)AKC[a-zA-Z0-9]{10,}(?:\s|"|$)
- secretName:
{% endtab %}
{% tab title="Yaml Recipe List" %}
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.java.security.secrets.FindArtifactorySecrets
displayName: Find Artifactory secrets
description: Locates Artifactory secrets stored in plain text in code.
tags:
- security
recipeList:
- org.openrewrite.java.security.secrets.FindSecretsByPattern:
secretName: Artifactory
valuePattern: (?:\s|=|:|"|^)AP[\dABCDEF][a-zA-Z0-9]{8,}(?:\s|"|$)
- org.openrewrite.java.security.secrets.FindSecretsByPattern:
secretName: Artifactory
valuePattern: (?:\s|=|:|"|^)AKC[a-zA-Z0-9]{10,}(?:\s|"|$)
{% endtab %} {% endtabs %}
The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.
Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.