Skip to main content
Semgrep Secrets uses proprietary validators to determine if a secret is actively being used. Validators are included in the rules that Semgrep Secrets uses. This article walks you through the syntax required to write your own custom validators.
NOTE
  • The syntax for Semgrep Secrets validators is experimental and subject to change.
  • Semgrep currently supports validation using HTTP and HTTPS.

Sample validator

Syntax

validator

type

NOTESemgrep only supports web services with HTTP(S).

request

Subkeys for headers

The following keys are for use with headers:

Example

response

The response key is used to determine the validation state. It accepts a list of objects with the Subkeys match and result.

Subkeys for match

Match accepts a list of objects. No specific key is required, but at least one key must be present.

Subkeys for result

Use severity in the result to set finding severity based on validation status. For example, if the secret is invalid, the severity may be MEDIUM or LOW.

Subkeys for content

Example

Sample rules with validators

Base64 encoding

You can use Base64 encoding by leveraging the __semgrep_internal_encode_64(...) utility. Base64 encoding can be applied to the following fields:
  • url
  • body
  • header values
NOTEThe Base64 encoding of fields is experimental and can change at any time.