semgrep · semgrep-dev-pr-bot · Sep 16, 2025 · Sep 16, 2025
diff --git a/ahamedjobayer57_personal_org/detected-jwt-token-copy b/ahamedjobayer57_personal_org/detected-jwt-token-copy
@@ -0,0 +1,23 @@
+# 0) valid jwt
+# ruleid: detected-jwt-token
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
+
+# 1) valid jwt - but header contains CR/LF-s
+# ruleid: detected-jwt-token
+eyJ0eXAiOiJKV1QiLA0KImFsZyI6IkhTMjU2In0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
+
+# 2) valid jwt - but claims contain bunch of LF newlines
+# ruleid: detected-jwt-token
+eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiSm9lIiwKInN0YXR1cyI6ImVtcGxveWVlIgp9
+
+# 3) valid jwt - claims contain strings with unicode accents
+# ruleid: detected-jwt-token
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IsWww6HFkcOtIMOWxZHDqcOoIiwiaWF0IjoxNTE2MjM5MDIyfQ.k5HibI_uLn_RTuPcaCNkaVaQH2y5q6GvJg8GPpGMRwQ
+
+# 4) no signature - but still valid
+# ruleid: detected-jwt-token
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
+
+# 5) Not a JWT token, but was matching against an earlier rule
+# ok: detected-jwt-token
+foreignKeyJsonObject.get(
diff --git a/ahamedjobayer57_personal_org/detected-jwt-token-copy.yaml b/ahamedjobayer57_personal_org/detected-jwt-token-copy.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: detected-jwt-token-copy
+  languages:
+  - regex
+  severity: ERROR
+  message: JWT token detected
+  pattern-regex: eyJ[A-Za-z0-9-_=]{14,}\.[A-Za-z0-9-_=]{13,}\.?[A-Za-z0-9-_.+/=]*?
+  metadata:
+    source-rule-url: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/jwt.py
+    category: security
+    technology:
+    - secrets
+    - jwt
+    confidence: LOW
+    references:
+    - https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
+    cwe:
+    - 'CWE-321: Use of Hard-coded Cryptographic Key'
+    owasp:
+    - A02:2021 - Cryptographic Failures
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: MEDIUM
+    license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
+    vulnerability_class:
+    - Cryptographic Issues