diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
deleted file mode 100644
index c9e8d9176..000000000
--- a/.github/FUNDING.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-# These are supported funding model platforms
-
-github: [zricethezav]
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
deleted file mode 100644
index da8fe85b5..000000000
--- a/.github/workflows/gitleaks.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: gitleaks
-on: [push, workflow_dispatch]
-jobs:
- scan:
- name: gitleaks
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- with:
- fetch-depth: 0
- - uses: gitleaks/gitleaks-action@v2
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 432c070b1..000000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-name: Create and publish a Docker image
-
-on:
- release:
- types: [published]
-
-env:
- REGISTRY: ghcr.io
- IMAGE_NAME: ${{ github.repository }}
-
-jobs:
- build-and-push-image:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v2
-
- - name: Set up QEMU
- uses: docker/setup-qemu-action@8b122486cedac8393e77aa9734c3528886e4a1a8
-
- - name: Set up Docker Buildx
- id: buildx
- uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6
-
- - name: Log in to Docker Hub
- uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b
- with:
- username: ${{ github.actor }}
- password: ${{ secrets.DOCKER_PASSWORD }}
-
- - name: Log in to the Container registry
- uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Extract metadata (tags, labels) for Docker
- id: meta
- uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
- with:
- images: |
- zricethezav/gitleaks
- ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
- - name: Build and push Docker image
- uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8
- with:
- platforms: linux/amd64,linux/arm64
- context: .
- push: true
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 07dc79d8a..931488a3a 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,9 +1,6 @@
name: Test
on:
- push:
- branches:
- - "*"
pull_request:
branches:
- "*"
diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go
index 5d5b6ac91..6fd1c31fa 100644
--- a/cmd/generate/config/main.go
+++ b/cmd/generate/config/main.go
@@ -36,7 +36,8 @@ func main() {
rules.AsanaClientSecret(),
rules.Atlassian(),
rules.Authress(),
- rules.AWS(),
+ rules.AWSAccessKey(),
+ rules.AWSSecretKey(),
rules.BitBucketClientID(),
rules.BitBucketClientSecret(),
rules.BittrexAccessKey(),
@@ -70,7 +71,9 @@ func main() {
rules.EasyPost(),
rules.EasyPostTestAPI(),
rules.EtsyAccessToken(),
- rules.Facebook(),
+ rules.FacebookSecret(),
+ rules.FacebookAccessToken(),
+ rules.FacebookPageAccessToken(),
rules.FastlyAPIToken(),
rules.FinicityClientSecret(),
rules.FinicityAPIToken(),
diff --git a/cmd/generate/config/rules/adobe.go b/cmd/generate/config/rules/adobe.go
index d0aab619a..a4e633b14 100644
--- a/cmd/generate/config/rules/adobe.go
+++ b/cmd/generate/config/rules/adobe.go
@@ -28,6 +28,7 @@ func AdobeClientSecret() *config.Rule {
RuleID: "adobe-client-secret",
Regex: generateUniqueTokenRegex(`(p8e-)(?i)[a-z0-9]{32}`, true),
Keywords: []string{"p8e-"},
+ SecretGroup: 1,
}
// validate
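Review bot: `SecretGroup: 1` is a bare index here, and it is only needed because the pattern has an inner capture group, `(p8e-)`, inside the group that generateUniqueTokenRegex wraps around the whole token (the generated form in gitleaks.toml is `\b((p8e-)(?i)[a-z0-9]{32})`). Either make the prefix non-capturing, `(?:p8e-)`, or add a comment such as `// group 1 = full token, group 2 = "p8e-" prefix` so a reader can check the index against the regex. The same applies to `(LTAI)` in alibaba.go and `(EAAA|sq0atp-)` in square.go. AdobeClientSecret starts and ends outside the hunk.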
diff --git a/cmd/generate/config/rules/alibaba.go b/cmd/generate/config/rules/alibaba.go
index 1c90fb6e3..bc1f91670 100644
--- a/cmd/generate/config/rules/alibaba.go
+++ b/cmd/generate/config/rules/alibaba.go
@@ -12,6 +12,7 @@ func AlibabaAccessKey() *config.Rule {
RuleID: "alibaba-access-key-id",
Regex: generateUniqueTokenRegex(`(LTAI)(?i)[a-z0-9]{20}`, true),
Keywords: []string{"LTAI"},
+ SecretGroup: 1,
}
// validate
diff --git a/cmd/generate/config/rules/aws.go b/cmd/generate/config/rules/aws.go
index 1536861df..2beb102ac 100644
--- a/cmd/generate/config/rules/aws.go
+++ b/cmd/generate/config/rules/aws.go
@@ -1,18 +1,22 @@
package rules
import (
- "regexp"
-
+ "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
"github.com/zricethezav/gitleaks/v8/config"
)
-func AWS() *config.Rule {
+// https://summitroute.com/blog/2018/06/20/aws_security_credential_formats/
+
+var credFileAccessKey = "aws_access_key_id=AKIALALEMEL33243OLIB" // gitleaks:allow
+var credFileSecretKey = "aws_secret_access_key=" + secrets.NewSecret(hex("40"))
+var credFileSessionToken = "aws_session_token=" + secrets.NewSecret(hex("928"))
+
+func AWSAccessKey() *config.Rule {
// define rule
r := config.Rule{
Description: "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms.",
- RuleID: "aws-access-token",
- Regex: regexp.MustCompile(
- "(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}"),
+ RuleID: "aws-access-key",
+ Regex: generateUniqueTokenRegex("(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16}", false),
Keywords: []string{
"AKIA",
"ASIA",
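Review bot: Wrapping the access-key pattern in generateUniqueTokenRegex narrows detection, because a key is now reported only when it is followed by one of the `secretSuffix` terminators (quote, backslash, whitespace, backtick, `;`, `<`) or end of input. An ID followed by `,`, `)` or `&`, which the old bare regex matched, is no longer flagged; a sample for that context in `tps` or `fps` would record whether this is intended. The RuleID also changes from `aws-access-token` to `aws-access-key` (and `facebook` becomes `facebook-secret` in facebook.go), which presumably orphans existing allowlist, baseline or ignore entries keyed on the old IDs, so the rename deserves a changelog line. The Keywords list continues outside the hunk.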
@@ -22,6 +26,34 @@ func AWS() *config.Rule {
}
// validate
- tps := []string{generateSampleSecret("AWS", "AKIALALEMEL33243OLIB")} // gitleaks:allow
- return validate(r, tps, nil)
+ tps := []string{
+ generateSampleSecret("AWS", "AKIALALEMEL33243OLIB"), // gitleaks:allow
+ credFileAccessKey,
+ }
+ fps := []string{
+ generateSampleSecret("AWS", "AKIALALEMEL33243O000"), // includes 0 which can't be result of base32 encoding
+ `"RoleId": "AROAWORVRXQ5NC76T7223"`,
+ credFileSecretKey,
+ credFileSessionToken,
+ }
+ return validate(r, tps, fps)
+}
+
+func AWSSecretKey() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms.",
+ RuleID: "aws-secret-key",
+ Regex: generateUniqueTokenRegex("[0-9A-Z+\\/]{40}", true),
+ }
+
+ // validate
+ tps := []string{
+ credFileSecretKey,
+ }
+ fps := []string{
+ credFileAccessKey,
+ credFileSessionToken,
+ }
+ return validate(r, tps, fps)
}
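Review bot: AWSSecretKey has no `Keywords` and its regex is `[0-9A-Z+\/]{40}` compiled case-insensitively, so any 40-character alphanumeric run between a word boundary and a terminator qualifies, including every hex SHA-1 such as a Git commit ID. The only true positive, `credFileSecretKey`, is itself built from `hex("40")`, so the samples never exercise uppercase, `+` or `/` and cannot tell a secret key from a hash. Consider tying the rule to context with the existing helper, e.g. `Regex: generateSemiGenericRegex([]string{"aws_secret_access_key"}, "[0-9A-Za-z+/]{40}", true),` plus a matching `Keywords` entry, and add a bare 40-hex string to `fps`. Note also that the leading `\b` cannot match before a key that starts with `+` or `/` when the preceding character is `=` or a quote.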
diff --git a/cmd/generate/config/rules/facebook.go b/cmd/generate/config/rules/facebook.go
index 1ddff73be..25bb38b97 100644
--- a/cmd/generate/config/rules/facebook.go
+++ b/cmd/generate/config/rules/facebook.go
@@ -5,11 +5,13 @@ import (
"github.com/zricethezav/gitleaks/v8/config"
)
-func Facebook() *config.Rule {
+// This rule includes both App Secret and Client Access Token
+// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/
+func FacebookSecret() *config.Rule {
// define rule
r := config.Rule{
- Description: "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.",
- RuleID: "facebook",
+ Description: "Discovered a Facebook Application secret, posing a risk of unauthorized access to Facebook accounts and personal data exposure.",
+ RuleID: "facebook-secret",
Regex: generateSemiGenericRegex([]string{"facebook"}, hex("32"), true),
Keywords: []string{"facebook"},
@@ -18,6 +20,46 @@ func Facebook() *config.Rule {
// validate
tps := []string{
generateSampleSecret("facebook", secrets.NewSecret(hex("32"))),
+ `facebook_app_secret = "6dca6432e45d933e13650d1882bd5e69"`, // gitleaks:allow
+ `facebook_client_access_token: 26f5fd13099f2c1331aafb86f6489692`, // gitleaks:allow
+ }
+ return validate(r, tps, nil)
+}
+
+// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/#apptokens
+func FacebookAccessToken() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.",
+ RuleID: "facebook-access-token",
+ Regex: generateUniqueTokenRegex(`\d{15,16}\|[0-9a-z\-_]{27}`, true),
+ }
+
+ // validate
+ tps := []string{
+ `{"access_token":"911602140448729|AY-lRJZq9BoDLobvAiP25L7RcMg","token_type":"bearer"}`, // gitleaks:allow
+ `1308742762612587|rhoK1cbv0DOU_RTX_87O4MkX7AI`, // gitleaks:allow
+ `1477036645700765|wRPf2v3mt2JfMqCLK8n7oltrEmc`, // gitleaks:allow
+ }
+ return validate(r, tps, nil)
+}
+
+// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/#pagetokens
+func FacebookPageAccessToken() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Discovered a Facebook Page Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.",
+ RuleID: "facebook-page-access-token",
+ Regex: generateUniqueTokenRegex("EAA[MC]"+alphaNumeric("20,"), true),
+ Keywords: []string{"EAAM", "EAAC"},
+ }
+
+ // validate
+ tps := []string{
+ `EAAM9GOnCB9kBO2frzOAWGN2zMnZClQshlWydZCrBNdodesbwimx1mfVJgqZBP5RSpMfUzWhtjTTXHG5I1UlvlwRZCgjm3ZBVGeTYiqAAoxyED6HaUdhpGVNoPUwAuAWWFsi9OvyYBQt22DGLqMIgD7VktuCTTZCWKasz81Q822FPhMTB9VFFyClNzQ0NLZClt9zxpsMMrUZCo1VU1rL3CKavir5QTfBjfCEzHNlWAUDUV2YZD`, // gitleaks:allow
+ `EAAM9GOnCB9kBO2zXpAtRBmCrsPPjdA3KeBl4tqsEpcYd09cpjm9MZCBIklZBjIQBKGIJgFwm8IE17G5pipsfRBRBEHMWxvJsL7iHLUouiprxKRQfAagw8BEEDucceqxTiDhVW2IZAQNNbf0d1JhcapAGntx5S1Csm4j0GgZB3DuUfI2HJ9aViTtdfH2vjBy0wtpXm2iamevohGfoF4NgyRHusDLjqy91uYMkfrkc`, // gitleaks:allow
+ `- name: FACEBOOK_TOKEN
+ value: "EAACEdEose0cBA1bad3afsf2aew"`, // gitleaks:allow
}
return validate(r, tps, nil)
}
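Review bot: None of the three new Facebook rules supplies false-positive samples (`validate(r, tps, nil)`), and FacebookAccessToken also declares no `Keywords`, so nothing bounds what `\d{15,16}\|[0-9a-z\-_]{27}` or the case-insensitive `EAA[MC]` plus 20-or-more alphanumerics may match. Because both patterns are compiled with `true`, a long lowercase identifier that merely begins with `eaac` or `eaam` satisfies the page-token rule; an `fps` entry of that shape would show whether the rule is too loose. The comment on FacebookSecret says the rule covers the Client Access Token as well, while its Description names only the Application secret; aligning the two would help whoever triages a finding.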
diff --git a/cmd/generate/config/rules/generic.go b/cmd/generate/config/rules/generic.go
index e5b7ebe10..590b0561f 100644
--- a/cmd/generate/config/rules/generic.go
+++ b/cmd/generate/config/rules/generic.go
@@ -43,12 +43,28 @@ func GenericCredential() *config.Rule {
generateSampleSecret("generic", "Zf3D0LXCM3EIMbgJpUNnkRtOfOueHznB"),
`"client_id" : "0afae57f3ccfd9d7f5767067bc48b30f719e271ba470488056e37ab35d4b6506"`,
`"client_secret" : "6da89121079f83b2eb6acccf8219ea982c3d79bccc3e9c6a85856480661f8fde",`,
+ `"password: 'edf8f16608465858a6c9e3cccb97d3c2'"`,
+ "edf8f16608465858a6c9e3cccb97d3c2",
+ ``,
+ "M_DB_PASSWORD= edf8f16608465858a6c9e3cccb97d3c2",
+ `{ "access-key": "6da89121079f83b2eb6acccf8219ea982c3d79bccc", }`,
+ `"{ \"access-key\": \"6da89121079f83b2eb6acccf8219ea982c3d79bccc\", }"`,
}
fps := []string{
`client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id`,
`password combination.
-R5: Regulatory--21`,
+ R5: Regulatory--21`,
+
+ `"client_id" : "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"`,
+ `"client_secret" : "4v7b9n2k5h",`, // entropy: 3.32
+ `"password: 'comp123!'"`,
+ "MyComp9876", // entropy: 3.32
+ ``,
+ "M_DB_PASSWORD= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+ "GITHUB_TOKEN: ${GITHUB_TOKEN}",
+ "password = 'your_password_here'",
+ "https://google.com?user=abc&password=123",
}
return validate(r, tps, fps)
}
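Review bot: An empty raw string is listed in both `tps` and `fps`; it cannot be a true positive and a false positive at once, and an empty true positive gives the regex nothing to match. The sample text may have been lost (possibly in how this diff was rendered), and it should be restored or the entries removed. The `// entropy: 3.32` comments explain two of the new false positives, and the others would benefit from the same treatment, e.g. `// placeholder value` on `password = 'your_password_here'` and `// variable reference, not a literal` on `GITHUB_TOKEN: ${GITHUB_TOKEN}`. GenericCredential starts outside the hunk.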
diff --git a/cmd/generate/config/rules/hashicorp.go b/cmd/generate/config/rules/hashicorp.go
index 62ce7f5b5..d1aa7324c 100644
--- a/cmd/generate/config/rules/hashicorp.go
+++ b/cmd/generate/config/rules/hashicorp.go
@@ -30,8 +30,9 @@ func HashicorpField() *config.Rule {
r := config.Rule{
Description: "Identified a HashiCorp Terraform password field, risking unauthorized infrastructure configuration and security breaches.",
RuleID: "hashicorp-tf-password",
- Regex: generateSemiGenericRegex(keywords, fmt.Sprintf(`"%s"`, alphaNumericExtended("8,20")), true),
+ Regex: generateSemiGenericRegex(keywords, fmt.Sprintf(`"(%s)"`, alphaNumericExtended("8,20")), true),
Keywords: keywords,
+ SecretGroup: 2,
}
tps := []string{
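Review bot: `SecretGroup: 2` depends on how many capture groups generateSemiGenericRegex emits ahead of the secret, and nothing at this call site says so. Judging by `secretPrefix` ending in `(`, group 1 is the quoted value and the new inner `(%s)` is group 2. A comment such as `// group 1 includes the surrounding quotes; group 2 is the bare password` would keep the index from going stale if the helper's wrapping changes. HashicorpField starts and ends outside the hunk.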
diff --git a/cmd/generate/config/rules/lob.go b/cmd/generate/config/rules/lob.go
index db0b13c1b..b2fff396e 100644
--- a/cmd/generate/config/rules/lob.go
+++ b/cmd/generate/config/rules/lob.go
@@ -17,6 +17,7 @@ func LobPubAPIToken() *config.Rule {
"live_pub",
"_pub",
},
+ SecretGroup: 1,
}
// validate
@@ -36,6 +37,7 @@ func LobAPIToken() *config.Rule {
"test_",
"live_",
},
+ SecretGroup: 1,
}
// validate
diff --git a/cmd/generate/config/rules/mailchimp.go b/cmd/generate/config/rules/mailchimp.go
index fe2f8a8dd..6dca25792 100644
--- a/cmd/generate/config/rules/mailchimp.go
+++ b/cmd/generate/config/rules/mailchimp.go
@@ -10,7 +10,7 @@ func MailChimp() *config.Rule {
r := config.Rule{
RuleID: "mailchimp-api-key",
Description: "Identified a Mailchimp API key, potentially compromising email marketing campaigns and subscriber data.",
- Regex: generateSemiGenericRegex([]string{"mailchimp"}, `[a-f0-9]{32}-us20`, true),
+ Regex: generateSemiGenericRegex([]string{"MailchimpSDK.initialize", "mailchimp"}, hex("32")+`-us\d\d`, true),
Keywords: []string{
"mailchimp",
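Review bot: `-us\d\d` requires exactly two digits after `us`, so a key whose data-centre suffix has a single digit (suffixes such as `us6` exist) is missed; `-us\d{1,2}` covers both. The added identifier `MailchimpSDK.initialize` appears to contribute nothing: it already contains `mailchimp`, the match is case-insensitive, and its `.` is a regex wildcard unless generateSemiGenericRegex escapes identifiers, which is not visible here. Dropping it, or escaping it and explaining what it is meant to catch, would make the rule easier to reason about. The Keywords list continues outside the hunk.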
@@ -20,6 +20,12 @@ func MailChimp() *config.Rule {
// validate
tps := []string{
generateSampleSecret("mailchimp", secrets.NewSecret(hex("32"))+"-us20"),
+ `mailchimp_api_key: cefa780880ba5f5696192a34f6292c35-us18`, // gitleaks:allow
+ `MAILCHIMPE_KEY = "b5b9f8e50c640da28993e8b6a48e3e53-us18"`, // gitleaks:allow
}
- return validate(r, tps, nil)
+ fps := []string{
+ // False Negative
+ `MailchimpSDK.initialize(token: 3012a5754bbd716926f99c028f7ea428-us18)`, // gitleaks:allow
+ }
+ return validate(r, tps, fps)
}
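Review bot: The `MailchimpSDK.initialize(token: …)` sample is a key the rule should catch, yet it sits in `fps` under `// False Negative`, so validate now asserts the miss and will fail on the day the rule is improved. The miss is consistent with the visible constants: `(` is not in the identifier-suffix class and `)` is not in `secretSuffix`. Reword the comment to something like `// TODO: known false negative, key inside a call expression is not matched; move to tps once fixed` so the next maintainer does not read it as a desired non-match.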
diff --git a/cmd/generate/config/rules/rule.go b/cmd/generate/config/rules/rule.go
index b868bc8f3..bb2220b78 100644
--- a/cmd/generate/config/rules/rule.go
+++ b/cmd/generate/config/rules/rule.go
@@ -18,7 +18,7 @@ const (
identifierCaseInsensitivePrefix = `(?i:`
identifierCaseInsensitiveSuffix = `)`
identifierPrefix = `(?:`
- identifierSuffix = `)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}`
+ identifierSuffix = `)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}`
// commonly used assignment operators or function call
operator = `(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)`
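Review bot: Rewriting `(?:[\s|']|[\s|"]){0,3}` as `(?:[\s'"\\]){0,3}` silently drops `|` from the accepted characters, because inside a character class the old `|` was a literal pipe rather than alternation. The same happens to `secretSuffix` in the next hunk, whose old class `['|\"|\n|\r|\s|\x60|;]` also contained a literal pipe. That is probably the intent, but a secret immediately followed by `|` used to satisfy the terminator and no longer does. One sample in a rule test, plus a sentence in the commit message, would make the behaviour change explicit. The const block starts and ends outside the hunk.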
@@ -26,8 +26,8 @@ const (
// boundaries for the secret
// \x60 = `
secretPrefixUnique = `\b(`
- secretPrefix = `(?:'|\"|\s|=|\x60){0,5}(`
- secretSuffix = `)(?:['|\"|\n|\r|\s|\x60|;]|$)`
+ secretPrefix = `(?:['\"\\\s=\x60]){0,5}(`
+ secretSuffix = `)(?:['\"\\\n\r\s\x60;<]|$)`
)
func generateSemiGenericRegex(identifiers []string, secretRegex string, isCaseInsensitive bool) *regexp.Regexp {
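Review bot: The two new terminators in `secretSuffix`, backslash and `<`, are unexplained; only `\x60` has a comment. Something like `// \\ = escaped quote when the assignment sits inside a string, < = start of a closing markup tag` next to the existing `\x60` line would help, with the `<` rationale confirmed by the author since it is inferred here. These constants feed every rule built by the generator, so the comment is also the place to say which characters are deliberately not terminators (for example `,` and `)`). generateSemiGenericRegex continues outside the hunk.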
diff --git a/cmd/generate/config/rules/scalingo.go b/cmd/generate/config/rules/scalingo.go
index 945e061a1..bcc5f79f6 100644
--- a/cmd/generate/config/rules/scalingo.go
+++ b/cmd/generate/config/rules/scalingo.go
@@ -1,8 +1,6 @@
package rules
import (
- "regexp"
-
"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
"github.com/zricethezav/gitleaks/v8/config"
)
@@ -12,13 +10,14 @@ func ScalingoAPIToken() *config.Rule {
r := config.Rule{
Description: "Found a Scalingo API token, posing a risk to cloud platform services and application deployment security.",
RuleID: "scalingo-api-token",
- Regex: regexp.MustCompile(`\btk-us-[a-zA-Z0-9-_]{48}\b`),
+ Regex: generateUniqueTokenRegex(`tk-us-[a-zA-Z0-9-_]{48}`, false),
Keywords: []string{"tk-us-"},
}
// validate
tps := []string{
generateSampleSecret("scalingo", "tk-us-"+secrets.NewSecret(alphaNumericExtendedShort("48"))),
+ `scalingo_api_token = "tk-us-loys7ib9yrxcys_ta2sq85mjar6lgcsspkd9x61s7h5epf_-"`, // gitleaks:allow
}
return validate(r, tps, nil)
}
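Review bot: In `[a-zA-Z0-9-_]` the hyphen sits between `9` and `_`, which reads like a range even though the engine takes it as a literal; `[a-zA-Z0-9_-]`, or `\-` as square.go writes it, says the same thing unambiguously. The new sample ending in `_-` is a good regression case for the dropped trailing `\b`. A short comment such as `// token may end in '-' or '_', so a trailing \b would reject it` would record why the helper is used here.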
diff --git a/cmd/generate/config/rules/shippo.go b/cmd/generate/config/rules/shippo.go
index 608c26a0d..13bb78af5 100644
--- a/cmd/generate/config/rules/shippo.go
+++ b/cmd/generate/config/rules/shippo.go
@@ -15,6 +15,7 @@ func ShippoAPIToken() *config.Rule {
Keywords: []string{
"shippo_",
},
+ SecretGroup: 1,
}
// validate
diff --git a/cmd/generate/config/rules/square.go b/cmd/generate/config/rules/square.go
index 84cc8dda4..889312e18 100644
--- a/cmd/generate/config/rules/square.go
+++ b/cmd/generate/config/rules/square.go
@@ -10,13 +10,16 @@ func SquareAccessToken() *config.Rule {
r := config.Rule{
RuleID: "square-access-token",
Description: "Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure.",
- Regex: generateUniqueTokenRegex(`sq0atp-[0-9A-Za-z\-_]{22}`, true),
- Keywords: []string{"sq0atp-"},
+ Regex: generateUniqueTokenRegex(`(EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60}`, true),
+ Keywords: []string{"sq0atp-", "EAAA"},
+ SecretGroup: 1,
}
// validate
tps := []string{
generateSampleSecret("square", secrets.NewSecret(`sq0atp-[0-9A-Za-z\-_]{22}`)),
+ "ARG token=sq0atp-812erere3wewew45678901", // gitleaks:allow
+ "ARG token=EAAAlsBxkkVgvmr7FasTFbM6VUGZ31EJ4jZKTJZySgElBDJ_wyafHuBFquFexY7E", // gitleaks:allow",
}
return validate(r, tps, nil)
}
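Review bot: The widened pattern is compiled with `isCaseInsensitive` set to `true` and has no `fps` list, so any `eaaa`-prefixed run of 22 to 60 characters from `[0-9A-Za-z\-_]` now counts as a Square token. At least one negative sample would bound that, and if Square's `EAAA` prefix is always upper-case a case-sensitive variant is worth considering. The existing generated sample still only exercises `sq0atp-` with exactly 22 characters; the hand-written EAAA sample covers the 60-character upper bound but nothing in between. The trailing `",` after `// gitleaks:allow` on the EAAA line is a stray paste inside the comment.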
@@ -33,6 +36,7 @@ func SquareSecret() *config.Rule {
// validate
tps := []string{
generateSampleSecret("square", secrets.NewSecret(`sq0csp-[0-9A-Za-z\\-_]{43}`)),
+ `value: "sq0csp-0p9h7g6f4s3s3s3-4a3ardgwa6ADRDJDDKUFYDYDYDY"`, // gitleaks:allow
}
return validate(r, tps, nil)
}
diff --git a/cmd/generate/config/rules/stripe.go b/cmd/generate/config/rules/stripe.go
index b1a2713ff..e14d716fe 100644
--- a/cmd/generate/config/rules/stripe.go
+++ b/cmd/generate/config/rules/stripe.go
@@ -15,6 +15,7 @@ func StripeAccessToken() *config.Rule {
"sk_test",
"sk_live",
},
+ SecretGroup: 1,
}
// validate
diff --git a/config/allowlist.go b/config/allowlist.go
index 6716be56f..e72db8377 100644
--- a/config/allowlist.go
+++ b/config/allowlist.go
@@ -14,7 +14,13 @@ type Allowlist struct {
// Regexes is slice of content regular expressions that are allowed to be ignored.
Regexes []*regexp.Regexp
- // RegexTarget
+ // Can be `match` or `line`.
+ //
+ // If `match` the _Regexes_ will be tested against the match of the _Rule.Regex_.
+ //
+ // If `line` the _Regexes_ will be tested against the entire line.
+ //
+ // If RegexTarget is empty, it will be tested against the found secret.
RegexTarget string
// Paths is a slice of path regular expressions that are allowed to be ignored.
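Review bot: The new comment no longer starts with the field name, and it leaves open what happens for a value other than `match`, `line` or empty. Suggested opening: `// RegexTarget selects what Regexes are tested against: "match" (the Rule.Regex match), "line" (the whole line), or empty (the extracted secret).` If an unrecognised value silently falls back to the secret, say so, since a typo here would quietly change what the allowlist suppresses. The Allowlist struct starts and ends outside the hunk.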
diff --git a/config/config.go b/config/config.go
index a7980ecec..e3706e01a 100644
--- a/config/config.go
+++ b/config/config.go
@@ -4,6 +4,7 @@ import (
_ "embed"
"fmt"
"regexp"
+ "sort"
"strings"
"github.com/rs/zerolog/log"
@@ -62,7 +63,7 @@ type Config struct {
Keywords []string
// used to keep sarif results consistent
- orderedRules []string
+ OrderedRules []string
}
// Extend is a struct that allows users to define how they want their
@@ -158,7 +159,7 @@ func (vc *ViperConfig) Translate() (Config, error) {
StopWords: vc.Allowlist.StopWords,
},
Keywords: keywords,
- orderedRules: orderedRules,
+ OrderedRules: orderedRules,
}
if maxExtendDepth != extendDepth {
@@ -177,9 +178,9 @@ func (vc *ViperConfig) Translate() (Config, error) {
return c, nil
}
-func (c *Config) OrderedRules() []Rule {
+func (c *Config) GetOrderedRules() []Rule {
var orderedRules []Rule
- for _, id := range c.orderedRules {
+ for _, id := range c.OrderedRules {
if _, ok := c.Rules[id]; ok {
orderedRules = append(orderedRules, c.Rules[id])
}
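Review bot: Renaming the method to `GetOrderedRules` so that the field can be exported as `OrderedRules` breaks every caller of `Config.OrderedRules()` and goes against the Go convention of getters without a `Get` prefix. If no external package needs to write the slice, keeping the field unexported and the method name unchanged avoids both problems. If it must be exported, the field needs a doc comment stating that it may list IDs absent from `Rules`, which this loop skips. The loop also looks up `c.Rules[id]` twice; `if r, ok := c.Rules[id]; ok { orderedRules = append(orderedRules, r) }` does it once. The function continues outside the hunk.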
@@ -240,6 +241,7 @@ func (c *Config) extend(extensionConfig Config) {
log.Trace().Msgf("adding %s to base config", ruleID)
c.Rules[ruleID] = rule
c.Keywords = append(c.Keywords, rule.Keywords...)
+ c.OrderedRules = append(c.OrderedRules, ruleID)
}
}
@@ -250,4 +252,7 @@ func (c *Config) extend(extensionConfig Config) {
extensionConfig.Allowlist.Paths...)
c.Allowlist.Regexes = append(c.Allowlist.Regexes,
extensionConfig.Allowlist.Regexes...)
+
+ // sort to keep extended rules in order
+ sort.Strings(c.OrderedRules)
}
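Review bot: `sort.Strings(c.OrderedRules)` sorts the whole slice, not just the IDs appended by this call, so `// sort to keep extended rules in order` understates what happens. Base-config rules are reordered too if Translate stored them in file order, which is not visible here. Suggested wording, assuming the append above runs while ranging over a map: `// rule IDs were appended in map-iteration order; sort the full list so report order is deterministic`. The function starts outside the hunk.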
diff --git a/config/gitleaks.toml b/config/gitleaks.toml
index e5bd7d28f..99d0330f9 100644
--- a/config/gitleaks.toml
+++ b/config/gitleaks.toml
@@ -28,7 +28,7 @@ paths = [
[[rules]]
id = "adafruit-api-key"
description = "Identified a potential Adafruit API Key, which could lead to unauthorized access to Adafruit services and sensitive data exposure."
-regex = '''(?i)(?:adafruit)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:adafruit)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9_-]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"adafruit",
]
@@ -36,7 +36,7 @@ keywords = [
[[rules]]
id = "adobe-client-id"
description = "Detected a pattern that resembles an Adobe OAuth Web Client ID, posing a risk of compromised Adobe integrations and data breaches."
-regex = '''(?i)(?:adobe)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:adobe)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-f0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"adobe",
]
@@ -44,7 +44,8 @@ keywords = [
[[rules]]
id = "adobe-client-secret"
description = "Discovered a potential Adobe Client Secret, which, if exposed, could allow unauthorized Adobe service access and data manipulation."
-regex = '''(?i)\b((p8e-)(?i)[a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b((p8e-)(?i)[a-z0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
+secretGroup = 1
keywords = [
"p8e-",
]
@@ -60,7 +61,7 @@ keywords = [
[[rules]]
id = "airtable-api-key"
description = "Uncovered a possible Airtable API Key, potentially compromising database access and leading to data leakage or alteration."
-regex = '''(?i)(?:airtable)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{17})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:airtable)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{17})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"airtable",
]
@@ -68,7 +69,7 @@ keywords = [
[[rules]]
id = "algolia-api-key"
description = "Identified an Algolia API Key, which could result in unauthorized search operations and data exposure on Algolia-managed platforms."
-regex = '''(?i)(?:algolia)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:algolia)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"algolia",
]
@@ -76,7 +77,8 @@ keywords = [
[[rules]]
id = "alibaba-access-key-id"
description = "Detected an Alibaba Cloud AccessKey ID, posing a risk of unauthorized cloud resource access and potential data compromise."
-regex = '''(?i)\b((LTAI)(?i)[a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b((LTAI)(?i)[a-z0-9]{20})(?:['\"\\\n\r\s\x60;<]|$)'''
+secretGroup = 1
keywords = [
"ltai",
]
@@ -84,7 +86,7 @@ keywords = [
[[rules]]
id = "alibaba-secret-key"
description = "Discovered a potential Alibaba Cloud Secret Key, potentially allowing unauthorized operations and data access within Alibaba Cloud."
-regex = '''(?i)(?:alibaba)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:alibaba)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{30})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"alibaba",
]
@@ -92,7 +94,7 @@ keywords = [
[[rules]]
id = "asana-client-id"
description = "Discovered a potential Asana Client ID, risking unauthorized access to Asana projects and sensitive task information."
-regex = '''(?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([0-9]{16})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"asana",
]
@@ -100,7 +102,7 @@ keywords = [
[[rules]]
id = "asana-client-secret"
description = "Identified an Asana Client Secret, which could lead to compromised project management integrity and unauthorized access."
-regex = '''(?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"asana",
]
@@ -108,7 +110,7 @@ keywords = [
[[rules]]
id = "atlassian-api-token"
description = "Detected an Atlassian API token, posing a threat to project management and collaboration tool security and data confidentiality."
-regex = '''(?i)(?:atlassian|confluence|jira)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:atlassian|confluence|jira)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{24})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"atlassian","confluence","jira",
]
@@ -116,23 +118,28 @@ keywords = [
[[rules]]
id = "authress-service-client-access-key"
description = "Uncovered a possible Authress Service Client Access Key, which may compromise access control services and sensitive data."
-regex = '''(?i)\b((?:sc|ext|scauth|authress)_[a-z0-9]{5,30}\.[a-z0-9]{4,6}\.acc[_-][a-z0-9-]{10,32}\.[a-z0-9+/_=-]{30,120})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b((?:sc|ext|scauth|authress)_[a-z0-9]{5,30}\.[a-z0-9]{4,6}\.acc[_-][a-z0-9-]{10,32}\.[a-z0-9+/_=-]{30,120})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"sc_","ext_","scauth_","authress_",
]
[[rules]]
-id = "aws-access-token"
+id = "aws-access-key"
description = "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."
-regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
+regex = '''\b((?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"akia","asia","abia","acca",
]
+[[rules]]
+id = "aws-secret-key"
+description = "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."
+regex = '''(?i)\b([0-9A-Z+\/]{40})(?:['\"\\\n\r\s\x60;<]|$)'''
+
[[rules]]
id = "beamer-api-token"
description = "Detected a Beamer API token, potentially compromising content management and exposing sensitive notifications and updates."
-regex = '''(?i)(?:beamer)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(b_[a-z0-9=_\-]{44})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:beamer)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(b_[a-z0-9=_\-]{44})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"beamer",
]
@@ -140,7 +147,7 @@ keywords = [
[[rules]]
id = "bitbucket-client-id"
description = "Discovered a potential Bitbucket Client ID, risking unauthorized repository access and potential codebase exposure."
-regex = '''(?i)(?:bitbucket)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:bitbucket)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"bitbucket",
]
@@ -148,7 +155,7 @@ keywords = [
[[rules]]
id = "bitbucket-client-secret"
description = "Discovered a potential Bitbucket Client Secret, posing a risk of compromised code repositories and unauthorized access."
-regex = '''(?i)(?:bitbucket)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:bitbucket)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9=_\-]{64})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"bitbucket",
]
@@ -156,7 +163,7 @@ keywords = [
[[rules]]
id = "bittrex-access-key"
description = "Identified a Bittrex Access Key, which could lead to unauthorized access to cryptocurrency trading accounts and financial loss."
-regex = '''(?i)(?:bittrex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:bittrex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"bittrex",
]
@@ -164,7 +171,7 @@ keywords = [
[[rules]]
id = "bittrex-secret-key"
description = "Detected a Bittrex Secret Key, potentially compromising cryptocurrency transactions and financial security."
-regex = '''(?i)(?:bittrex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:bittrex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"bittrex",
]
@@ -204,7 +211,7 @@ keywords = [
[[rules]]
id = "codecov-access-token"
description = "Found a pattern resembling a Codecov Access Token, posing a risk of unauthorized access to code coverage reports and sensitive data."
-regex = '''(?i)(?:codecov)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:codecov)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"codecov",
]
@@ -212,7 +219,7 @@ keywords = [
[[rules]]
id = "coinbase-access-token"
description = "Detected a Coinbase Access Token, posing a risk of unauthorized access to cryptocurrency accounts and financial transactions."
-regex = '''(?i)(?:coinbase)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:coinbase)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9_-]{64})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"coinbase",
]
@@ -220,7 +227,7 @@ keywords = [
[[rules]]
id = "confluent-access-token"
description = "Identified a Confluent Access Token, which could compromise access to streaming data platforms and sensitive data flow."
-regex = '''(?i)(?:confluent)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:confluent)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{16})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"confluent",
]
@@ -228,7 +235,7 @@ keywords = [
[[rules]]
id = "confluent-secret-key"
description = "Found a Confluent Secret Key, potentially risking unauthorized operations and data access within Confluent services."
-regex = '''(?i)(?:confluent)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:confluent)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{64})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"confluent",
]
@@ -236,7 +243,7 @@ keywords = [
[[rules]]
id = "contentful-delivery-api-token"
description = "Discovered a Contentful delivery API token, posing a risk to content management systems and data integrity."
-regex = '''(?i)(?:contentful)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{43})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:contentful)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9=_\-]{43})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"contentful",
]
@@ -244,7 +251,7 @@ keywords = [
[[rules]]
id = "databricks-api-token"
description = "Uncovered a Databricks API token, which may compromise big data analytics platforms and sensitive data processing."
-regex = '''(?i)\b(dapi[a-h0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(dapi[a-h0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"dapi",
]
@@ -252,7 +259,7 @@ keywords = [
[[rules]]
id = "datadog-access-token"
description = "Detected a Datadog Access Token, potentially risking monitoring and analytics data exposure and manipulation."
-regex = '''(?i)(?:datadog)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:datadog)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{40})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"datadog",
]
@@ -260,7 +267,7 @@ keywords = [
[[rules]]
id = "defined-networking-api-token"
description = "Identified a Defined Networking API token, which could lead to unauthorized network operations and data breaches."
-regex = '''(?i)(?:dnkey)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:dnkey)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"dnkey",
]
@@ -268,7 +275,7 @@ keywords = [
[[rules]]
id = "digitalocean-access-token"
description = "Found a DigitalOcean OAuth Access Token, risking unauthorized cloud resource access and data compromise."
-regex = '''(?i)\b(doo_v1_[a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(doo_v1_[a-f0-9]{64})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"doo_v1_",
]
@@ -276,7 +283,7 @@ keywords = [
[[rules]]
id = "digitalocean-pat"
description = "Discovered a DigitalOcean Personal Access Token, posing a threat to cloud infrastructure security and data privacy."
-regex = '''(?i)\b(dop_v1_[a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(dop_v1_[a-f0-9]{64})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"dop_v1_",
]
@@ -284,7 +291,7 @@ keywords = [
[[rules]]
id = "digitalocean-refresh-token"
description = "Uncovered a DigitalOcean OAuth Refresh Token, which could allow prolonged unauthorized access and resource manipulation."
-regex = '''(?i)\b(dor_v1_[a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(dor_v1_[a-f0-9]{64})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"dor_v1_",
]
@@ -292,7 +299,7 @@ keywords = [
[[rules]]
id = "discord-api-token"
description = "Detected a Discord API key, potentially compromising communication channels and user data privacy on Discord."
-regex = '''(?i)(?:discord)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:discord)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-f0-9]{64})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"discord",
]
@@ -300,7 +307,7 @@ keywords = [
[[rules]]
id = "discord-client-id"
description = "Identified a Discord client ID, which may lead to unauthorized integrations and data exposure in Discord applications."
-regex = '''(?i)(?:discord)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9]{18})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:discord)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([0-9]{18})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"discord",
]
@@ -308,7 +315,7 @@ keywords = [
[[rules]]
id = "discord-client-secret"
description = "Discovered a potential Discord client secret, risking compromised Discord bot integrations and data leaks."
-regex = '''(?i)(?:discord)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:discord)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9=_\-]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"discord",
]
@@ -324,7 +331,7 @@ keywords = [
[[rules]]
id = "droneci-access-token"
description = "Detected a Droneci Access Token, potentially compromising continuous integration and deployment workflows."
-regex = '''(?i)(?:droneci)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:droneci)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"droneci",
]
@@ -332,7 +339,7 @@ keywords = [
[[rules]]
id = "dropbox-api-token"
description = "Identified a Dropbox API secret, which could lead to unauthorized file access and data breaches in Dropbox storage."
-regex = '''(?i)(?:dropbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{15})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:dropbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{15})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"dropbox",
]
@@ -340,7 +347,7 @@ keywords = [
[[rules]]
id = "dropbox-long-lived-api-token"
description = "Found a Dropbox long-lived API token, risking prolonged unauthorized access to cloud storage and sensitive data."
-regex = '''(?i)(?:dropbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{11}(AAAAAAAAAA)[a-z0-9\-_=]{43})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:dropbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{11}(AAAAAAAAAA)[a-z0-9\-_=]{43})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"dropbox",
]
@@ -348,7 +355,7 @@ keywords = [
[[rules]]
id = "dropbox-short-lived-api-token"
description = "Discovered a Dropbox short-lived API token, posing a risk of temporary but potentially harmful data access and manipulation."
-regex = '''(?i)(?:dropbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(sl\.[a-z0-9\-=_]{135})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:dropbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(sl\.[a-z0-9\-=_]{135})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"dropbox",
]
@@ -388,15 +395,28 @@ keywords = [
[[rules]]
id = "etsy-access-token"
description = "Found an Etsy Access Token, potentially compromising Etsy shop management and customer data."
-regex = '''(?i)(?:etsy)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:etsy)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{24})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"etsy",
]
[[rules]]
-id = "facebook"
+id = "facebook-access-token"
description = "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure."
-regex = '''(?i)(?:facebook)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(\d{15,16}\|[0-9a-z\-_]{27})(?:['\"\\\n\r\s\x60;<]|$)'''
+
+[[rules]]
+id = "facebook-page-access-token"
+description = "Discovered a Facebook Page Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure."
+regex = '''(?i)\b(EAA[MC][a-z0-9]{20,})(?:['\"\\\n\r\s\x60;<]|$)'''
+keywords = [
+ "eaam","eaac",
+]
+
+[[rules]]
+id = "facebook-secret"
+description = "Discovered a Facebook Application secret, posing a risk of unauthorized access to Facebook accounts and personal data exposure."
+regex = '''(?i)(?:facebook)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-f0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"facebook",
]
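Review bot: The rule id `facebook` is renamed to `facebook-access-token` and given a different regex, while the old keyword-plus-32-hex pattern moves to the new id `facebook-secret`. Existing allowlists, baselines or ignore entries that reference the id `facebook` would stop matching after this change. A comment above the rule such as `# renamed from "facebook"; the former pattern is now "facebook-secret"` and a changelog entry would make the break visible. The new `facebook-access-token` rule also has no `keywords` array, so, if the scanner prefilters on keywords, this regex is evaluated on every fragment; that cost looks accepted here but is worth stating in a comment.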
@@ -404,7 +424,7 @@ keywords = [
[[rules]]
id = "fastly-api-token"
description = "Uncovered a Fastly API key, which may compromise CDN and edge cloud services, leading to content delivery and security issues."
-regex = '''(?i)(?:fastly)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:fastly)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9=_\-]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"fastly",
]
@@ -412,7 +432,7 @@ keywords = [
[[rules]]
id = "finicity-api-token"
description = "Detected a Finicity API token, potentially risking financial data access and unauthorized financial operations."
-regex = '''(?i)(?:finicity)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:finicity)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-f0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"finicity",
]
@@ -420,7 +440,7 @@ keywords = [
[[rules]]
id = "finicity-client-secret"
description = "Identified a Finicity Client Secret, which could lead to compromised financial service integrations and data breaches."
-regex = '''(?i)(?:finicity)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:finicity)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{20})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"finicity",
]
@@ -428,7 +448,7 @@ keywords = [
[[rules]]
id = "finnhub-access-token"
description = "Found a Finnhub Access Token, risking unauthorized access to financial market data and analytics."
-regex = '''(?i)(?:finnhub)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:finnhub)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{20})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"finnhub",
]
@@ -436,7 +456,7 @@ keywords = [
[[rules]]
id = "flickr-access-token"
description = "Discovered a Flickr Access Token, posing a risk of unauthorized photo management and potential data leakage."
-regex = '''(?i)(?:flickr)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:flickr)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"flickr",
]
@@ -476,7 +496,7 @@ keywords = [
[[rules]]
id = "freshbooks-access-token"
description = "Discovered a Freshbooks Access Token, posing a risk to accounting software access and sensitive financial data exposure."
-regex = '''(?i)(?:freshbooks)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:freshbooks)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{64})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"freshbooks",
]
@@ -484,7 +504,7 @@ keywords = [
[[rules]]
id = "gcp-api-key"
description = "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."
-regex = '''(?i)\b(AIza[0-9A-Za-z\\-_]{35})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(AIza[0-9A-Za-z\\-_]{35})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"aiza",
]
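Review bot: In `AIza[0-9A-Za-z\\-_]{35}` the sequence `\\-_` inside the class is a literal backslash followed by a range up to `_`, so the class accepts `\`, `]`, `^` and `_` but not `-`. A key containing a hyphen would therefore be missed, and this commit rewrites only the terminator on that line. Making the hyphen literal, `(?i)\b(AIza[0-9A-Za-z_\-]{35})(?:['\"\\\n\r\s\x60;<]|$)`, closes the gap; if this file is generated, the fix belongs in the generator.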
@@ -492,7 +512,7 @@ keywords = [
[[rules]]
id = "generic-api-key"
description = "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."
-regex = '''(?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-z\-_.=]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([0-9a-z\-_.=]{10,150})(?:['\"\\\n\r\s\x60;<]|$)'''
entropy = 3.5
keywords = [
"key","api","token","secret","client","passwd","password","auth","access",
@@ -2043,7 +2063,7 @@ keywords = [
[[rules]]
id = "gitter-access-token"
description = "Uncovered a Gitter Access Token, which may lead to unauthorized access to chat and communication services."
-regex = '''(?i)(?:gitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:gitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9_-]{40})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"gitter",
]
@@ -2051,7 +2071,7 @@ keywords = [
[[rules]]
id = "gocardless-api-token"
description = "Detected a GoCardless API token, potentially risking unauthorized direct debit payment operations and financial data exposure."
-regex = '''(?i)(?:gocardless)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(live_(?i)[a-z0-9\-_=]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:gocardless)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(live_(?i)[a-z0-9\-_=]{40})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"live_","gocardless",
]
@@ -2059,7 +2079,7 @@ keywords = [
[[rules]]
id = "grafana-api-key"
description = "Identified a Grafana API key, which could compromise monitoring dashboards and sensitive data analytics."
-regex = '''(?i)\b(eyJrIjoi[A-Za-z0-9]{70,400}={0,2})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(eyJrIjoi[A-Za-z0-9]{70,400}={0,2})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"eyjrijoi",
]
@@ -2067,7 +2087,7 @@ keywords = [
[[rules]]
id = "grafana-cloud-api-token"
description = "Found a Grafana cloud API token, risking unauthorized access to cloud-based monitoring services and data exposure."
-regex = '''(?i)\b(glc_[A-Za-z0-9+/]{32,400}={0,2})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(glc_[A-Za-z0-9+/]{32,400}={0,2})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"glc_",
]
@@ -2075,7 +2095,7 @@ keywords = [
[[rules]]
id = "grafana-service-account-token"
description = "Discovered a Grafana service account token, posing a risk of compromised monitoring services and data integrity."
-regex = '''(?i)\b(glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"glsa_",
]
@@ -2091,7 +2111,8 @@ keywords = [
[[rules]]
id = "hashicorp-tf-password"
description = "Identified a HashiCorp Terraform password field, risking unauthorized infrastructure configuration and security breaches."
-regex = '''(?i)(?:administrator_login_password|password)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}("[a-z0-9=_\-]{8,20}")(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:administrator_login_password|password)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}("([a-z0-9=_\-]{8,20})")(?:['\"\\\n\r\s\x60;<]|$)'''
+secretGroup = 2
keywords = [
"administrator_login_password","password",
]
@@ -2099,7 +2120,7 @@ keywords = [
[[rules]]
id = "heroku-api-key"
description = "Detected a Heroku API Key, potentially compromising cloud application deployments and operational security."
-regex = '''(?i)(?:heroku)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:heroku)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"heroku",
]
@@ -2107,7 +2128,7 @@ keywords = [
[[rules]]
id = "hubspot-api-key"
description = "Found a HubSpot API Token, posing a risk to CRM data integrity and unauthorized marketing operations."
-regex = '''(?i)(?:hubspot)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:hubspot)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"hubspot",
]
@@ -2133,7 +2154,7 @@ keywords = [
[[rules]]
id = "infracost-api-token"
description = "Detected an Infracost API Token, risking unauthorized access to cloud cost estimation tools and financial data."
-regex = '''(?i)\b(ico-[a-zA-Z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(ico-[a-zA-Z0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"ico-",
]
@@ -2141,7 +2162,7 @@ keywords = [
[[rules]]
id = "intercom-api-key"
description = "Identified an Intercom API Token, which could compromise customer communication channels and data privacy."
-regex = '''(?i)(?:intercom)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{60})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:intercom)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9=_\-]{60})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"intercom",
]
@@ -2149,7 +2170,7 @@ keywords = [
[[rules]]
id = "jfrog-api-key"
description = "Found a JFrog API Key, posing a risk of unauthorized access to software artifact repositories and build pipelines."
-regex = '''(?i)(?:jfrog|artifactory|bintray|xray)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{73})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:jfrog|artifactory|bintray|xray)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{73})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"jfrog","artifactory","bintray","xray",
]
@@ -2157,7 +2178,7 @@ keywords = [
[[rules]]
id = "jfrog-identity-token"
description = "Discovered a JFrog Identity Token, potentially compromising access to JFrog services and sensitive software artifacts."
-regex = '''(?i)(?:jfrog|artifactory|bintray|xray)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:jfrog|artifactory|bintray|xray)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{64})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"jfrog","artifactory","bintray","xray",
]
@@ -2165,7 +2186,7 @@ keywords = [
[[rules]]
id = "jwt"
description = "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."
-regex = '''\b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/\\_-]{17,}\.(?:[a-zA-Z0-9\/\\_-]{10,}={0,2})?)(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''\b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/\\_-]{17,}\.(?:[a-zA-Z0-9\/\\_-]{10,}={0,2})?)(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"ey",
]
@@ -2181,7 +2202,7 @@ keywords = [
[[rules]]
id = "kraken-access-token"
description = "Identified a Kraken Access Token, potentially compromising cryptocurrency trading accounts and financial security."
-regex = '''(?i)(?:kraken)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9\/=_\+\-]{80,90})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:kraken)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9\/=_\+\-]{80,90})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"kraken",
]
@@ -2189,7 +2210,7 @@ keywords = [
[[rules]]
id = "kucoin-access-token"
description = "Found a Kucoin Access Token, risking unauthorized access to cryptocurrency exchange services and transactions."
-regex = '''(?i)(?:kucoin)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:kucoin)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-f0-9]{24})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"kucoin",
]
@@ -2197,7 +2218,7 @@ keywords = [
[[rules]]
id = "kucoin-secret-key"
description = "Discovered a Kucoin Secret Key, which could lead to compromised cryptocurrency operations and financial data breaches."
-regex = '''(?i)(?:kucoin)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:kucoin)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"kucoin",
]
@@ -2205,7 +2226,7 @@ keywords = [
[[rules]]
id = "launchdarkly-access-token"
description = "Uncovered a Launchdarkly Access Token, potentially compromising feature flag management and application functionality."
-regex = '''(?i)(?:launchdarkly)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:launchdarkly)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9=_\-]{40})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"launchdarkly",
]
@@ -2221,7 +2242,7 @@ keywords = [
[[rules]]
id = "linear-client-secret"
description = "Identified a Linear Client Secret, which may compromise secure integrations and sensitive project management data."
-regex = '''(?i)(?:linear)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:linear)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-f0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"linear",
]
@@ -2229,7 +2250,7 @@ keywords = [
[[rules]]
id = "linkedin-client-id"
description = "Found a LinkedIn Client ID, risking unauthorized access to LinkedIn integrations and professional data exposure."
-regex = '''(?i)(?:linkedin|linked-in)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{14})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:linkedin|linked-in)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{14})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"linkedin","linked-in",
]
@@ -2237,7 +2258,7 @@ keywords = [
[[rules]]
id = "linkedin-client-secret"
description = "Discovered a LinkedIn Client secret, potentially compromising LinkedIn application integrations and user data."
-regex = '''(?i)(?:linkedin|linked-in)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:linkedin|linked-in)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{16})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"linkedin","linked-in",
]
@@ -2245,7 +2266,8 @@ keywords = [
[[rules]]
id = "lob-api-key"
description = "Uncovered a Lob API Key, which could lead to unauthorized access to mailing and address verification services."
-regex = '''(?i)(?:lob)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}((live|test)_[a-f0-9]{35})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:lob)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}((live|test)_[a-f0-9]{35})(?:['\"\\\n\r\s\x60;<]|$)'''
+secretGroup = 1
keywords = [
"test_","live_",
]
@@ -2253,7 +2275,8 @@ keywords = [
[[rules]]
id = "lob-pub-api-key"
description = "Detected a Lob Publishable API Key, posing a risk of exposing mail and print service integrations."
-regex = '''(?i)(?:lob)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}((test|live)_pub_[a-f0-9]{31})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:lob)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}((test|live)_pub_[a-f0-9]{31})(?:['\"\\\n\r\s\x60;<]|$)'''
+secretGroup = 1
keywords = [
"test_pub","live_pub","_pub",
]
@@ -2261,7 +2284,7 @@ keywords = [
[[rules]]
id = "mailchimp-api-key"
description = "Identified a Mailchimp API key, potentially compromising email marketing campaigns and subscriber data."
-regex = '''(?i)(?:mailchimp)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32}-us20)(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:MailchimpSDK.initialize|mailchimp)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-f0-9]{32}-us\d\d)(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"mailchimp",
]
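Review bot: The new suffix `-us\d\d` requires exactly two digits, so a key whose data-centre suffix has a single digit (for example `-us6`, assuming such suffixes are still issued) is not detected; `-us\d{1,2}` covers both forms. The `.` in the added alternative `MailchimpSDK.initialize` is unescaped and matches any character, where `MailchimpSDK\.initialize` is the literal form. The `keywords` list still holds only `mailchimp`, which is sufficient because both alternatives contain it.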
@@ -2269,7 +2292,7 @@ keywords = [
[[rules]]
id = "mailgun-private-api-token"
description = "Found a Mailgun private API token, risking unauthorized email service operations and data breaches."
-regex = '''(?i)(?:mailgun)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(key-[a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:mailgun)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(key-[a-f0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"mailgun",
]
@@ -2277,7 +2300,7 @@ keywords = [
[[rules]]
id = "mailgun-pub-key"
description = "Discovered a Mailgun public validation key, which could expose email verification processes and associated data."
-regex = '''(?i)(?:mailgun)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(pubkey-[a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:mailgun)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(pubkey-[a-f0-9]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"mailgun",
]
@@ -2285,7 +2308,7 @@ keywords = [
[[rules]]
id = "mailgun-signing-key"
description = "Uncovered a Mailgun webhook signing key, potentially compromising email automation and data integrity."
-regex = '''(?i)(?:mailgun)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:mailgun)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"mailgun",
]
@@ -2293,7 +2316,7 @@ keywords = [
[[rules]]
id = "mapbox-api-token"
description = "Detected a MapBox API token, posing a risk to geospatial services and sensitive location data exposure."
-regex = '''(?i)(?:mapbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(pk\.[a-z0-9]{60}\.[a-z0-9]{22})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:mapbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(pk\.[a-z0-9]{60}\.[a-z0-9]{22})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"mapbox",
]
@@ -2301,7 +2324,7 @@ keywords = [
[[rules]]
id = "mattermost-access-token"
description = "Identified a Mattermost Access Token, which may compromise team communication channels and data privacy."
-regex = '''(?i)(?:mattermost)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{26})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:mattermost)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{26})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"mattermost",
]
@@ -2309,7 +2332,7 @@ keywords = [
[[rules]]
id = "messagebird-api-token"
description = "Found a MessageBird API token, risking unauthorized access to communication platforms and message data."
-regex = '''(?i)(?:messagebird|message-bird|message_bird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{25})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:messagebird|message-bird|message_bird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{25})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"messagebird","message-bird","message_bird",
]
@@ -2317,7 +2340,7 @@ keywords = [
[[rules]]
id = "messagebird-client-id"
description = "Discovered a MessageBird client ID, potentially compromising API integrations and sensitive communication data."
-regex = '''(?i)(?:messagebird|message-bird|message_bird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:messagebird|message-bird|message_bird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"messagebird","message-bird","message_bird",
]
@@ -2333,7 +2356,7 @@ keywords = [
[[rules]]
id = "netlify-access-token"
description = "Detected a Netlify Access Token, potentially compromising web hosting services and site management."
-regex = '''(?i)(?:netlify)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{40,46})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:netlify)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9=_\-]{40,46})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"netlify",
]
@@ -2341,7 +2364,7 @@ keywords = [
[[rules]]
id = "new-relic-browser-api-token"
description = "Identified a New Relic ingest browser API token, risking unauthorized access to application performance data and analytics."
-regex = '''(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(NRJS-[a-f0-9]{19})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(NRJS-[a-f0-9]{19})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"nrjs-",
]
@@ -2349,7 +2372,7 @@ keywords = [
[[rules]]
id = "new-relic-user-api-id"
description = "Found a New Relic user API ID, posing a risk to application monitoring services and data integrity."
-regex = '''(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{64})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"new-relic","newrelic","new_relic",
]
@@ -2357,7 +2380,7 @@ keywords = [
[[rules]]
id = "new-relic-user-api-key"
description = "Discovered a New Relic user API Key, which could lead to compromised application insights and performance monitoring."
-regex = '''(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(NRAK-[a-z0-9]{27})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(NRAK-[a-z0-9]{27})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"nrak",
]
@@ -2365,7 +2388,7 @@ keywords = [
[[rules]]
id = "npm-access-token"
description = "Uncovered an npm access token, potentially compromising package management and code repository access."
-regex = '''(?i)\b(npm_[a-z0-9]{36})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(npm_[a-z0-9]{36})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"npm_",
]
@@ -2373,7 +2396,7 @@ keywords = [
[[rules]]
id = "nytimes-access-token"
description = "Detected a Nytimes Access Token, risking unauthorized access to New York Times APIs and content services."
-regex = '''(?i)(?:nytimes|new-york-times,|newyorktimes)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:nytimes|new-york-times,|newyorktimes)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9=_\-]{32})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"nytimes","new-york-times","newyorktimes",
]
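Review bot: The rewritten nytimes-access-token regex still carries the literal comma in its second alternative, `new-york-times,`, so an identifier such as `new-york-times_key = ...` only matches if a comma directly follows the name. The `keywords` entry just below is `new-york-times` without the comma, so the keyword prefilter passes fragments that the regex then rejects. The alternation should read `(?:nytimes|new-york-times|newyorktimes)`. If this TOML is generated, the fix belongs in the generator source rather than here.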
@@ -2381,7 +2404,7 @@ keywords = [
[[rules]]
id = "okta-access-token"
description = "Identified an Okta Access Token, which may compromise identity management services and user authentication data."
-regex = '''(?i)(?:okta)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{42})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:okta)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9=_\-]{42})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"okta",
]
@@ -2389,7 +2412,7 @@ keywords = [
[[rules]]
id = "openai-api-key"
description = "Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation."
-regex = '''(?i)\b(sk-[a-zA-Z0-9]{20}T3BlbkFJ[a-zA-Z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(sk-[a-zA-Z0-9]{20}T3BlbkFJ[a-zA-Z0-9]{20})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"t3blbkfj",
]
@@ -2397,7 +2420,7 @@ keywords = [
[[rules]]
id = "plaid-api-token"
description = "Discovered a Plaid API Token, potentially compromising financial data aggregation and banking services."
-regex = '''(?i)(?:plaid)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(access-(?:sandbox|development|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:plaid)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(access-(?:sandbox|development|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"plaid",
]
@@ -2405,7 +2428,7 @@ keywords = [
[[rules]]
id = "plaid-client-id"
description = "Uncovered a Plaid Client ID, which could lead to unauthorized financial service integrations and data breaches."
-regex = '''(?i)(?:plaid)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:plaid)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{24})(?:['\"\\\n\r\s\x60;<]|$)'''
entropy = 3.5
keywords = [
"plaid",
@@ -2414,7 +2437,7 @@ keywords = [
[[rules]]
id = "plaid-secret-key"
description = "Detected a Plaid Secret key, risking unauthorized access to financial accounts and sensitive transaction data."
-regex = '''(?i)(?:plaid)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:plaid)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{30})(?:['\"\\\n\r\s\x60;<]|$)'''
entropy = 3.5
keywords = [
"plaid",
@@ -2423,7 +2446,7 @@ keywords = [
[[rules]]
id = "planetscale-api-token"
description = "Identified a PlanetScale API token, potentially compromising database management and operations."
-regex = '''(?i)\b(pscale_tkn_(?i)[a-z0-9=\-_\.]{32,64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(pscale_tkn_(?i)[a-z0-9=\-_\.]{32,64})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"pscale_tkn_",
]
@@ -2431,7 +2454,7 @@ keywords = [
[[rules]]
id = "planetscale-oauth-token"
description = "Found a PlanetScale OAuth token, posing a risk to database access control and sensitive data integrity."
-regex = '''(?i)\b(pscale_oauth_(?i)[a-z0-9=\-_\.]{32,64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(pscale_oauth_(?i)[a-z0-9=\-_\.]{32,64})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"pscale_oauth_",
]
@@ -2439,7 +2462,7 @@ keywords = [
[[rules]]
id = "planetscale-password"
description = "Discovered a PlanetScale password, which could lead to unauthorized database operations and data breaches."
-regex = '''(?i)\b(pscale_pw_(?i)[a-z0-9=\-_\.]{32,64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(pscale_pw_(?i)[a-z0-9=\-_\.]{32,64})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"pscale_pw_",
]
@@ -2447,7 +2470,7 @@ keywords = [
[[rules]]
id = "postman-api-token"
description = "Uncovered a Postman API token, potentially compromising API testing and development workflows."
-regex = '''(?i)\b(PMAK-(?i)[a-f0-9]{24}\-[a-f0-9]{34})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(PMAK-(?i)[a-f0-9]{24}\-[a-f0-9]{34})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"pmak-",
]
@@ -2455,7 +2478,7 @@ keywords = [
[[rules]]
id = "prefect-api-token"
description = "Detected a Prefect API token, risking unauthorized access to workflow management and automation services."
-regex = '''(?i)\b(pnu_[a-z0-9]{36})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(pnu_[a-z0-9]{36})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"pnu_",
]
@@ -2471,7 +2494,7 @@ keywords = [
[[rules]]
id = "pulumi-api-token"
description = "Found a Pulumi API token, posing a risk to infrastructure as code services and cloud resource management."
-regex = '''(?i)\b(pul-[a-f0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(pul-[a-f0-9]{40})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"pul-",
]
@@ -2487,7 +2510,7 @@ keywords = [
[[rules]]
id = "rapidapi-access-token"
description = "Uncovered a RapidAPI Access Token, which could lead to unauthorized access to various APIs and data services."
-regex = '''(?i)(?:rapidapi)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{50})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:rapidapi)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9_-]{50})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"rapidapi",
]
@@ -2495,7 +2518,7 @@ keywords = [
[[rules]]
id = "readme-api-token"
description = "Detected a Readme API token, risking unauthorized documentation management and content exposure."
-regex = '''(?i)\b(rdme_[a-z0-9]{70})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(rdme_[a-z0-9]{70})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"rdme_",
]
@@ -2503,7 +2526,7 @@ keywords = [
[[rules]]
id = "rubygems-api-token"
description = "Identified a Rubygem API token, potentially compromising Ruby library distribution and package management."
-regex = '''(?i)\b(rubygems_[a-f0-9]{48})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(rubygems_[a-f0-9]{48})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"rubygems_",
]
@@ -2511,7 +2534,7 @@ keywords = [
[[rules]]
id = "scalingo-api-token"
description = "Found a Scalingo API token, posing a risk to cloud platform services and application deployment security."
-regex = '''\btk-us-[a-zA-Z0-9-_]{48}\b'''
+regex = '''\b(tk-us-[a-zA-Z0-9-_]{48})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"tk-us-",
]
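Review bot: The scalingo-api-token rule is the one place where the trailing `\b` is replaced by the shared terminator group `(?:['\"\\\n\r\s\x60;<]|$)`, which narrows what may follow the token. A token followed by `,`, `)`, `]`, `}` or `&` matched the old pattern and no longer matches the new one, so a token in a list, a function call or a URL query can now be missed. If the narrowing is intended to align with the other rules, a test fixture for this rule would document it. Otherwise the terminator class needs those characters, or the rule should keep `\b` after the capture group.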
@@ -2519,7 +2542,7 @@ keywords = [
[[rules]]
id = "sendbird-access-id"
description = "Discovered a Sendbird Access ID, which could compromise chat and messaging platform integrations."
-regex = '''(?i)(?:sendbird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:sendbird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"sendbird",
]
@@ -2527,7 +2550,7 @@ keywords = [
[[rules]]
id = "sendbird-access-token"
description = "Uncovered a Sendbird Access Token, potentially risking unauthorized access to communication services and user data."
-regex = '''(?i)(?:sendbird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:sendbird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-f0-9]{40})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"sendbird",
]
@@ -2535,7 +2558,7 @@ keywords = [
[[rules]]
id = "sendgrid-api-token"
description = "Detected a SendGrid API token, posing a risk of unauthorized email service operations and data exposure."
-regex = '''(?i)\b(SG\.(?i)[a-z0-9=_\-\.]{66})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(SG\.(?i)[a-z0-9=_\-\.]{66})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"sg.",
]
@@ -2543,7 +2566,7 @@ keywords = [
[[rules]]
id = "sendinblue-api-token"
description = "Identified a Sendinblue API token, which may compromise email marketing services and subscriber data privacy."
-regex = '''(?i)\b(xkeysib-[a-f0-9]{64}\-(?i)[a-z0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(xkeysib-[a-f0-9]{64}\-(?i)[a-z0-9]{16})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"xkeysib-",
]
@@ -2551,7 +2574,7 @@ keywords = [
[[rules]]
id = "sentry-access-token"
description = "Found a Sentry Access Token, risking unauthorized access to error tracking services and sensitive application data."
-regex = '''(?i)(?:sentry)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:sentry)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-f0-9]{64})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"sentry",
]
@@ -2559,7 +2582,8 @@ keywords = [
[[rules]]
id = "shippo-api-token"
description = "Discovered a Shippo API token, potentially compromising shipping services and customer order data."
-regex = '''(?i)\b(shippo_(live|test)_[a-f0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(shippo_(live|test)_[a-f0-9]{40})(?:['\"\\\n\r\s\x60;<]|$)'''
+secretGroup = 1
keywords = [
"shippo_",
]
@@ -2599,7 +2623,7 @@ keywords = [
[[rules]]
id = "sidekiq-secret"
description = "Discovered a Sidekiq Secret, which could lead to compromised background job processing and application data breaches."
-regex = '''(?i)(?:BUNDLE_ENTERPRISE__CONTRIBSYS__COM|BUNDLE_GEMS__CONTRIBSYS__COM)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{8}:[a-f0-9]{8})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:BUNDLE_ENTERPRISE__CONTRIBSYS__COM|BUNDLE_GEMS__CONTRIBSYS__COM)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-f0-9]{8}:[a-f0-9]{8})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"bundle_enterprise__contribsys__com","bundle_gems__contribsys__com",
]
@@ -2688,7 +2712,7 @@ keywords = [
[[rules]]
id = "snyk-api-token"
description = "Uncovered a Snyk API token, potentially compromising software vulnerability scanning and code security."
-regex = '''(?i)(?:snyk_token|snyk_key|snyk_api_token|snyk_api_key|snyk_oauth_token)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:snyk_token|snyk_key|snyk_api_token|snyk_api_key|snyk_oauth_token)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"snyk_token","snyk_key","snyk_api_token","snyk_api_key","snyk_oauth_token",
]
@@ -2696,15 +2720,16 @@ keywords = [
[[rules]]
id = "square-access-token"
description = "Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure."
-regex = '''(?i)\b(sq0atp-[0-9A-Za-z\-_]{22})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b((EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60})(?:['\"\\\n\r\s\x60;<]|$)'''
+secretGroup = 1
keywords = [
- "sq0atp-",
+ "sq0atp-","eaaa",
]
[[rules]]
id = "squarespace-access-token"
description = "Identified a Squarespace Access Token, which may compromise website management and content control on Squarespace."
-regex = '''(?i)(?:squarespace)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:squarespace)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"squarespace",
]
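Review bot: The widened square-access-token pattern on the `+regex` line accepts any word-boundary run that begins with `eaaa` in any letter case, followed by 22 to 60 characters from `[0-9A-Za-z\-_]`, and the rule sets no `entropy` floor the way the plaid rules in this file do. Long identifiers or encoded blobs that happen to start with those four letters will be reported as Square tokens, and noisy rules tend to get allowlisted wholesale. The character class already lists both cases, so the leading `(?i)` only loosens the prefix. Either drop it or add an `entropy` threshold to the rule. The inner group can be non-capturing, `(?:EAAA|sq0atp-)`, so that the token is the only capture.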
@@ -2712,7 +2737,8 @@ keywords = [
[[rules]]
id = "stripe-access-token"
description = "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."
-regex = '''(?i)\b((sk)_(test|live)_[0-9a-z]{10,32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b((sk)_(test|live)_[0-9a-z]{10,32})(?:['\"\\\n\r\s\x60;<]|$)'''
+secretGroup = 1
keywords = [
"sk_test","sk_live",
]
@@ -2720,7 +2746,7 @@ keywords = [
[[rules]]
id = "sumologic-access-id"
description = "Discovered a SumoLogic Access ID, potentially compromising log management services and data analytics integrity."
-regex = '''(?i:(?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3})(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(su[a-zA-Z0-9]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i:(?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3})(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(su[a-zA-Z0-9]{12})(?:['\"\\\n\r\s\x60;<]|$)'''
entropy = 3
keywords = [
"sumo",
@@ -2736,7 +2762,7 @@ regexes = [
[[rules]]
id = "sumologic-access-token"
description = "Uncovered a SumoLogic Access Token, which could lead to unauthorized access to log data and analytics insights."
-regex = '''(?i)(?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{64})(?:['\"\\\n\r\s\x60;<]|$)'''
entropy = 3
keywords = [
"sumo",
@@ -2753,7 +2779,7 @@ keywords = [
[[rules]]
id = "travisci-access-token"
description = "Identified a Travis CI Access Token, potentially compromising continuous integration services and codebase security."
-regex = '''(?i)(?:travis)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{22})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:travis)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{22})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"travis",
]
@@ -2769,7 +2795,7 @@ keywords = [
[[rules]]
id = "twitch-api-token"
description = "Discovered a Twitch API token, which could compromise streaming services and account integrations."
-regex = '''(?i)(?:twitch)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:twitch)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{30})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"twitch",
]
@@ -2777,7 +2803,7 @@ keywords = [
[[rules]]
id = "twitter-access-secret"
description = "Uncovered a Twitter Access Secret, potentially risking unauthorized Twitter integrations and data breaches."
-regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{45})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{45})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"twitter",
]
@@ -2785,7 +2811,7 @@ keywords = [
[[rules]]
id = "twitter-access-token"
description = "Detected a Twitter Access Token, posing a risk of unauthorized account operations and social media data exposure."
-regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9]{15,25}-[a-zA-Z0-9]{20,40})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([0-9]{15,25}-[a-zA-Z0-9]{20,40})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"twitter",
]
@@ -2793,7 +2819,7 @@ keywords = [
[[rules]]
id = "twitter-api-key"
description = "Identified a Twitter API Key, which may compromise Twitter application integrations and user data security."
-regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{25})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{25})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"twitter",
]
@@ -2801,7 +2827,7 @@ keywords = [
[[rules]]
id = "twitter-api-secret"
description = "Found a Twitter API Secret, risking the security of Twitter app integrations and sensitive data access."
-regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{50})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{50})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"twitter",
]
@@ -2809,7 +2835,7 @@ keywords = [
[[rules]]
id = "twitter-bearer-token"
description = "Discovered a Twitter Bearer Token, potentially compromising API access and data retrieval from Twitter."
-regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(A{22}[a-zA-Z0-9%]{80,100})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(A{22}[a-zA-Z0-9%]{80,100})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"twitter",
]
@@ -2817,7 +2843,7 @@ keywords = [
[[rules]]
id = "typeform-api-token"
description = "Uncovered a Typeform API token, which could lead to unauthorized survey management and data collection."
-regex = '''(?i)(?:typeform)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(tfp_[a-z0-9\-_\.=]{59})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:typeform)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(tfp_[a-z0-9\-_\.=]{59})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"tfp_",
]
@@ -2825,7 +2851,7 @@ keywords = [
[[rules]]
id = "vault-batch-token"
description = "Detected a Vault Batch Token, risking unauthorized access to secret management services and sensitive data."
-regex = '''(?i)\b(hvb\.[a-z0-9_-]{138,212})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(hvb\.[a-z0-9_-]{138,212})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"hvb",
]
@@ -2833,7 +2859,7 @@ keywords = [
[[rules]]
id = "vault-service-token"
description = "Identified a Vault Service Token, potentially compromising infrastructure security and access to sensitive credentials."
-regex = '''(?i)\b(hvs\.[a-z0-9_-]{90,100})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b(hvs\.[a-z0-9_-]{90,100})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"hvs",
]
@@ -2841,7 +2867,7 @@ keywords = [
[[rules]]
id = "yandex-access-token"
description = "Found a Yandex Access Token, posing a risk to Yandex service integrations and user data privacy."
-regex = '''(?i)(?:yandex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:yandex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"yandex",
]
@@ -2849,7 +2875,7 @@ keywords = [
[[rules]]
id = "yandex-api-key"
description = "Discovered a Yandex API Key, which could lead to unauthorized access to Yandex services and data manipulation."
-regex = '''(?i)(?:yandex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(AQVN[A-Za-z0-9_\-]{35,38})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:yandex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(AQVN[A-Za-z0-9_\-]{35,38})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"yandex",
]
@@ -2857,7 +2883,7 @@ keywords = [
[[rules]]
id = "yandex-aws-access-token"
description = "Uncovered a Yandex AWS Access Token, potentially compromising cloud resource access and data security on Yandex Cloud."
-regex = '''(?i)(?:yandex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(YC[a-zA-Z0-9_\-]{38})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:yandex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}(YC[a-zA-Z0-9_\-]{38})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"yandex",
]
@@ -2865,7 +2891,7 @@ keywords = [
[[rules]]
id = "zendesk-secret-key"
description = "Detected a Zendesk Secret Key, risking unauthorized access to customer support services and sensitive ticketing data."
-regex = '''(?i)(?:zendesk)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:zendesk)(?:[0-9a-z\-_\t .]{0,20})(?:[\s'"\\]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:['\"\\\s=\x60]){0,5}([a-z0-9]{40})(?:['\"\\\n\r\s\x60;<]|$)'''
keywords = [
"zendesk",
]
diff --git a/detect/detect.go b/detect/detect.go
index 0f0e0c23f..cbc8dfe85 100644
--- a/detect/detect.go
+++ b/detect/detect.go
@@ -310,6 +310,13 @@ func (d *Detector) detectRule(fragment Fragment, rule config.Rule) []report.Find
secret = groups[rule.SecretGroup]
finding.Secret = secret
}
+ if strings.HasSuffix(finding.Secret, `"`) {
+ log.Debug().
+ Str("rule", rule.RuleID).
+ Strs("groups", groups).
+ Int("group", rule.SecretGroup).
+ Msg("secret ends with quote")
+ }
// check if the regexTarget is defined in the allowlist "regexes" entry
allowlistTarget := finding.Secret
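Review bot: The added debug branch passes the regex submatches to `Strs("groups", groups)`, and those submatches contain the matched secret itself, so running with debug logging on writes credentials into the log stream (CI output, shared log storage). The rule id and group index are enough to diagnose a mis-set secretGroup; replace the groups field with a count, `Int("groupCount", len(groups))`. The branch also checks only for a trailing `"`, while the rule terminators changed in this commit accept `'` and a backtick as well. detectRule starts and ends outside this hunk, so where `groups` is declared cannot be confirmed from here.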
diff --git a/detect/detect_test.go b/detect/detect_test.go
index 201829f95..3a4c65514 100644
--- a/detect/detect_test.go
+++ b/detect/detect_test.go
@@ -330,6 +330,29 @@ func TestDetect(t *testing.T) {
},
expectedFindings: []report.Finding{},
},
+ {
+ cfgName: "with_quotas",
+ fragment: Fragment{
+ Raw: `alibabaKey := "LTAIe7322523fb86ed64c836"`,
+ FilePath: "tmp.py",
+ },
+ expectedFindings: []report.Finding{
+ {
+ Description: "Detected an Alibaba Cloud AccessKey ID, posing a risk of unauthorized cloud resource access and potential data compromise.",
+ Match: `LTAIe7322523fb86ed64c836"`,
+ Secret: `LTAIe7322523fb86ed64c836`,
+ Line: `alibabaKey := "LTAIe7322523fb86ed64c836"`,
+ File: "tmp.py",
+ RuleID: "alibaba-access-key-id",
+ Tags: []string{},
+ Entropy: 3.8239348,
+ StartLine: 0,
+ EndLine: 0,
+ StartColumn: 16,
+ EndColumn: 40,
+ },
+ },
+ },
}
for _, tt := range tests {
diff --git a/report/sarif.go b/report/sarif.go
index 732e0463d..c6b1af1fa 100644
--- a/report/sarif.go
+++ b/report/sarif.go
@@ -55,7 +55,7 @@ func hasEmptyRules(tool Tool) bool {
func getRules(cfg config.Config) []Rules {
// TODO for _, rule := range cfg.Rules {
var rules []Rules
- for _, rule := range cfg.OrderedRules() {
+ for _, rule := range cfg.GetOrderedRules() {
shortDescription := ShortDescription{
Text: rule.Description,
}
diff --git a/testdata/config/with_quotas.toml b/testdata/config/with_quotas.toml
new file mode 100644
index 000000000..5c623806c
--- /dev/null
+++ b/testdata/config/with_quotas.toml
@@ -0,0 +1,11 @@
+title = "gitleaks config"
+
+[[rules]]
+id = "alibaba-access-key-id"
+description = "Detected an Alibaba Cloud AccessKey ID, posing a risk of unauthorized cloud resource access and potential data compromise."
+regex = '''(?i)\b((LTAI)(?i)[a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+secretGroup = 1
+keywords = [
+ "ltai",
+]
+
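Review bot: This fixture's regex ends in the pre-change terminator `(?:['|\"|\n|\r|\s|\x60|;]|$)`, not the `(?:['\"\\\n\r\s\x60;<]|$)` form that the commit introduces across the rule set, so the new test case does not exercise the new class. The added `\\` and `<` terminators have no coverage here. The fixture should use the new terminator, `regex = '''(?i)\b((LTAI)(?i)[a-z0-9]{20})(?:['\"\\\n\r\s\x60;<]|$)'''`, with a second test fragment whose secret is followed by an escaped quote. The file name `with_quotas` also looks like a misspelling of `with_quotes`.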