Add a plugin for GitHub token detection

detect_secrets/plugins/github_token.py

@@ -0,0 +1,16 @@
+"""
+This plugin searches for GitHub tokens
+"""
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+
+class GitHubTokenDetector(RegexBasedDetector):
+    """Scans for GitHub tokens."""
+    secret_type = 'GitHub token'
+
+    denylist = [
+        # ref. https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/
+        re.compile(r'(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36}'),
+    ]

tests/plugins/github_token_test.py

@@ -0,0 +1,19 @@
+import pytest
+
+from detect_secrets.plugins.github_token import GitHubTokenDetector
+
+
+class TestGitHubTokenDetector:
+
+    @pytest.mark.parametrize(
+        'payload, should_flag',
+        [
+            ('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', True),
+            ('foo_wWPw5k4aXcaT4fNP0UcnZwJUVFk6LO0pINUx', False),
+            ('foo', False),
+        ],
+    )
+    def test_analyze(self, payload, should_flag):
+        logic = GitHubTokenDetector()
+        output = logic.analyze_line(filename='mock_filename', line=payload)
+        assert len(output) == int(should_flag)