Add new rule for Kubernetes Bootstrap Token

CHANGELOG.md

@@ -28,6 +28,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
   - `Credentials in .NET System.DirectoryServices.DirectoryEntry` ([#234](https://github.com/praetorian-inc/noseyparker/pull/234))
   - `Credentials in .NET System.Net.NetworkCredential` ([#234](https://github.com/praetorian-inc/noseyparker/pull/234))
+  - `Kubernetes Bootstrap Token` ([#235](https://github.com/praetorian-inc/noseyparker/pull/235))
 
 
 ## [v0.21.0](https://github.com/praetorian-inc/noseyparker/releases/v0.21.0) (2024-11-20)

README.md

@@ -6,7 +6,7 @@ Nosey Parker is a command-line tool that finds secrets and sensitive information
 
 **Key features:**
 - It natively scans files, directories, and Git repository history
-- It uses regular expression matching with a set of [157 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements
+- It uses regular expression matching with a set of [158 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements
 - It deduplicates its findings, grouping matches together that share the same secret, which in practice can reduce review burden by 100x or more compared to other tools
 - It is fast: it can scan at hundreds of megabytes per second on a single core, and is able to scan 100GB of Linux kernel source history in less than 2 minutes on an older MacBook Pro
 - It scales: it has scanned inputs as large as 20TiB during security engagements

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap

@@ -2,4 +2,4 @@
 source: crates/noseyparker-cli/tests/rules/mod.rs
 expression: stdout
 ---
-157 rules and 3 rulesets: no issues detected
+158 rules and 3 rulesets: no issues detected

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap

@@ -1982,6 +1982,32 @@ expression: stdout
         ]
       }
     },
+    {
+      "id": "np.kubernetes.1",
+      "structural_id": "22e2737b6122f2c9a606413dd423bbb02cce8ada",
+      "name": "Kubernetes Bootstrap Token",
+      "syntax": {
+        "name": "Kubernetes Bootstrap Token",
+        "id": "np.kubernetes.1",
+        "pattern": "(?x)\n(?: token | Token | TOKEN | bootstrap | BOOTSTRAP)\n.{0,8}\n\\b\n([a-z0-9]{6}\\.[a-z0-9]{16})\n\\b\n",
+        "examples": [
+          "BOOTSTRAP_TOKEN: \"be8dfd.da8a689a46edc282\"",
+          "--tls-bootstrap-token abcdef.1234567890abcdef"
+        ],
+        "negative_examples": [
+          "abcdef.0123456789abcdef"
+        ],
+        "references": [
+          "https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/#token-format",
+          "https://github.com/kubernetes/cluster-bootstrap/blob/e37c6240fdbd81679a5bcfdf4a265e4eafde7e8d/token/util/helpers.go"
+        ],
+        "categories": [
+          "api",
+          "secret",
+          "fuzzy"
+        ]
+      }
+    },
     {
       "id": "np.linkedin.1",
       "structural_id": "2fb4e1caf47a02501461f43476d779dc3c867f0f",
@@ -3802,7 +3828,7 @@ expression: stdout
     {
       "id": "default",
       "name": "Nosey Parker default rules",
-      "num_rules": 136
+      "num_rules": 137
     },
     {
       "id": "np.assets",

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap

@@ -87,6 +87,7 @@ expression: stdout
  np.jwt.2             JSON Web Token Secret                                         fuzzy, secret 
  np.jwt.3             JSON Web Token Secret                                         fuzzy, secret 
  np.krb5.asrep.23.1   Password Hash (Kerberos 5, etype 23, AS-REP)                  hashed, secret 
+ np.kubernetes.1      Kubernetes Bootstrap Token                                    api, fuzzy, secret 
  np.linkedin.1        LinkedIn Client ID                                            api, fuzzy, identifier 
  np.linkedin.2        LinkedIn Secret Key                                           api, fuzzy, secret 
  np.mailchimp.1       MailChimp API Key                                             api, fuzzy, secret 
@@ -164,6 +165,6 @@ expression: stdout
 
  Ruleset ID   Ruleset Name                         Rules 
 ─────────────────────────────────────────────────────────
- default      Nosey Parker default rules             136 
+ default      Nosey Parker default rules             137 
  np.assets    Nosey Parker asset detection rules      15 
  np.hashes    Nosey Parker password hash rules         6

crates/noseyparker/data/default/builtin/rules/kubernetes.yml

@@ -0,0 +1,30 @@
+rules:
+
+- name: Kubernetes Bootstrap Token
+  id: np.kubernetes.1
+
+  description: |
+    A Kubernetes Boostrap Token was found.
+    This is a bearer token that allows a node to connect to a cluster.
+    An attacker may be able to use this token to create valid signatures that could be used to compromise TLS trust within the cluster.
+
+  pattern: |
+    (?x)
+    (?: token | Token | TOKEN | bootstrap | BOOTSTRAP)
+    .{0,8}
+    \b
+    ([a-z0-9]{6}\.[a-z0-9]{16})
+    \b
+
+  categories: [api, secret, fuzzy]
+
+  examples:
+  - 'BOOTSTRAP_TOKEN: "be8dfd.da8a689a46edc282"'
+  - '--tls-bootstrap-token abcdef.1234567890abcdef'
+
+  negative_examples:
+  - abcdef.0123456789abcdef
+
+  references:
+  - https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/#token-format
+  - https://github.com/kubernetes/cluster-bootstrap/blob/e37c6240fdbd81679a5bcfdf4a265e4eafde7e8d/token/util/helpers.go

crates/noseyparker/data/default/builtin/rulesets/default.yml

@@ -86,6 +86,7 @@ rulesets:
   - np.jwt.1          # JSON Web Token (base64url-encoded)
   - np.jwt.2          # JSON Web Token Secret
   - np.jwt.3          # JSON Web Token Secret
+  - np.kubernetes.1   # Kubernetes Bootstrap Token
   - np.linkedin.2     # LinkedIn Secret Key
   - np.mailchimp.1    # MailChimp API Key
   - np.mailgun.1      # Mailgun API Key