version: v0.5
Comments / Notes:
-
Likely to cause large numbers of false positives - use with caution
-
password,secret,key, or password like prefix (fuzzy) -
Delimiters like
=or:(with padding) -
String with a number of chars until a breaking char
-
Not matching variables, placeholders or common configuration constants such as 'read' and 'write'
Pattern Format
[a-zA-Z0-9!.,$%&*+?^_`{|}()[\]\\/~-][a-zA-Z0-9\t !.,$%&*+?^_`{|}()[\]\\/~-]*Start Pattern
(?:\A|[^a-zA-Z0-9])(?i)[a-z0-9_.-]*(?:api|auth[a-z]+|jwt|mysql|db)?[_.-]?(?:pass?(?:wo?r?d|code|phrase)|secret|key|token)([_-][a-z0-9]+){0,3}([ \t]+As[ \t]+String)?[\t ]*(={1,3}|:)[\t ]*(?:["']|b["'])?End Pattern
(\z|[\r\n'"])Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Not Match:
^(?i)_?\)?((a-zA-Z0-9._]+[_.])?(?:the )?(?:pass?(wo?r?d|code|phrase)|pass|pwd|secret|token|key|tok|pw)|redacted|placeholder|dummy|thephrase|write|read|on|off|true|false|none|value|null( \? )?|nil|undefined|eof|ignore|eol|git|yes|no|y|n|f[0-9]{1,2}|[a-zA-Z]),?\s*\){0,2}[\]>)]?(?:\)\s*\{)?\\?(( or | \|\| ).*)?$
-
Not Match:
^\s*(?:(?:typing\.)?(?:(?:[Tt]uple|[Ll]ist|[Dd]ict|Callable|Iterable|Sequence|Optional|Union)\[.*|(?:int|str|float|(?:typing.)?Any|None|bytes|bool|ReadableBuffer)\s*(?:[,|].*)?|(?:Int|Swift\.Int|Int32)\.*))\s*$
-
Not Match:
^\s*(?:\.\.\.|\\|\\n|\\0|\?|\$\(|[,()[\]{}`.]\\?|-[)(]|\\f21b|0x[A-Fa-f0-9]+|[0-9]{1,4}|(?:~|/tmp|\.\.|\.|(/[a-zA-Z0-9./_-]+/)?[a-zA-Z0-9]+(\.(pem|crt|key|cer|pub|der)|_rsa))|\\{1,2}w\+/g,( \\?)?|%[sr]|geheim\$parole|\([Oo]ptional\).*|\$?(?:\{\{?[^}]+\}\}?|\(\(?[^)]+\)\)?|\[\[?[^\]+]\]\]?)|(before|hover|focus)(,| \{))?,?\s*(?:\s*(?:/\*|#|//).*)?$
-
Not Match:
^(?:function\s*\([^)]*\)\s*{\s*.*|\([^)]*\)\s*=>\s*(?:{\s*|[^;)]+[;)])|(?:new |\([A-Za-z]+\)\s*)?[a-zA-Z0-9_.]+\s*\(.*|(?:public|private) [A-Za-z0-9_]+ \{|[A-Za-z0-9_.-]+\s*\) \{)$|\{\{[^}]+\}\}|\$\{\{|\{\}$|\[\]$|(0x)?%[0-9]+x|%[dusx]\.$
-
Not Match:
^\s*(?:(?:self|this)\.[a-zA-Z_][a-zA-Z0-9_.]+[,[]?|[a-zA-Z0-9_.]+\[(?:[a-zA-Z0-9_.]+)?\]?|\$(?:[1-9]|[A-Za-z0-9_]+)\{?|os\.environ\[[^\]]\]|process\.env\.[A-Z0-9_]+)\s*(?:,|\|\||&&)?\s*$|`(%s|\+)
version: v0.1
Comments / Notes:
-
Expect many false positives if run against vendored-in code, such as JS libraries - use with caution
-
password,secret,key,tokenetc. password-like prefix (fuzzy) -
Delimiters like
=or:(with padding) -
Matches fewer characters (A-Za-z0-9_/+.!-), and requires matching quotes around the string
-
Attempts to remove variables, placeholders, and common configuration constants such as 'read' and 'write'
Pattern Format
((?i)[a-z0-9_.-]*(api|auth[a-z]*|jwt|mysql|db)[_.-]?)?((?i)pass?(wo?r?d|code|phrase)|secret|token|key)([_-][A-Za-z0-9]+){0,4}_{0,2}(["'`]|[ \t]+As[ \t]+String)?[\t ]*(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)[\t ]*([br]?"[A-Za-z0-9_/+.!-]+"|[br]?'[A-Za-z0-9_/+.!-]+')Start Pattern
\A|[^0-9A-Za-z]End Pattern
\z|[^A-Za-z0-9]Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Not Match:
^[A-Za-z0-9_.-]*(key|KEY|[Tt]oken|TOKEN)(_[a-zA-Z]+)?['"]?\s*([:=]|=>)\s*["']([Ee]mploye[er]|[Ss]taff|([Ss]earch)?[Rr]esult|[a-z][a-zA-Z]+CSX[A-Z][A-Za-z]+|[A-Za-z]*[Bb]ase(64|32|58)|object|claret|assigns?|clean|contains|error|expand|generate|hoist|indent(ation)?|invert|jumps?|pairs?|param(eter)?s?|pop|rewrite|temp(orary)?|token(s|i[sz]e)?|type|((un)?(quote|shift|wrap|finished))|[a-z]{2,10}([A-Z][a-z]{1,15}){1,6}|(compile|is|has|make|add|each|check|close|cache|format|tag|get|set)([A-Z][A-Za-z]+)?|gadget|classic|(try_)?(base|mode|grade|model)|words|identifier|[a-z.-]+\.(jpe?g|(x|ht)ml|txt|docx?|xlsx?|pdf|png)|enabled|name\.invalidPattern|\.|\.data-api|expect|file|config|ansi|Default(Type)?|Cache-Control|((notD|d)eepE|e)qual|name|NAME|package|version|VERSION|start|end|step|async|Event|throws|ok|notOK|verbose|push(Result)?|slimAssertions|(p|notP)ropEqual|((notS|s)trict|not)Equal|value|prev|next|year|key[0-9]?|destroy|[a-z]+EventListeners|timeout|str(ing)?|hmac|uuid|update|find|true|false|val|VAL|REDACTED|redacted|nop|F[0-9]{1,2}|[A-Za-z0-9]|[Nn][ui]ll|[Nn]one|[a-z_]+\.((tf)?state|id|key)|(hibernate|ws|err|i18n|employee|bs|org|com|sun|java)(\.[a-zA-Z0-9_]+){1,4}|[A-Z_]+_KEY)["']$
-
Not Match:
(?i)(token|key)[_-](name|format|type|enabled|success|type|method)\b
-
Not Match:
^(?i)token(_[A-Z]+)?['"]?\s*[:=]\s*['"](barline|parenthesis|qualified|suport|symbol|statementEnd|singleLineTitle|character|pageBreak|operator|optionalTitle|option|zupfnoter|chordname|macro|error|escape|indent|term|titleUnderline|tag|link|literal|(other|table)Block|list|value|control|set|support|injections|array|doc|source|heading|tokens|storage|empty|newline|empty_line|keyword|(line)?comment|meta|[lr]?paren|class|punctuation|regexp?|constant|string|entity|invalid|support|variable|multiline|language|paren|markup|singleline|nospell|text|array|doc|source|heading|tokens)(\.{1,2}[A-Za-z0-9_-]+){0,6}[!.]?["']$
-
Not Match:
^KEY_[A-Z]+[0-9]{0,3}: 'k[a-zA-Z0-9]{1,6}'$
-
Not Match:
['"` ](/dev/u?random|(/[a-zA-Z0-9./_-]+/)?[a-zA-Z0-9_-]{5,}(\.(pem|crt|key|cer|pub|der)|_rsa)|https?://.*|file://.*)['"`]$
version: v0.1
Comments / Notes:
-
password,secret,key, or password like prefix (fuzzy) -
Delimiters like
=or:(with padding) -
Has to be a token-like value - a 32, 40 or 64 character hex string
Pattern Format
[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}Start Pattern
(?:\A|[^a-zA-Z0-9])(?i)[a-z0-9._-]*(?:api|auth[a-z]+|jwt|mysql|db)?[_.-]?(?:pass?(?:wo?r?d|code|phrase)|secret|key|token)([_-][a-z0-9]+){0,3}([ \t]+As[ \t]+String)?[\t ]*(={1,3}|:)[\t ]*(?:["']|b["'])?End Pattern
(\z|[\r\n'"])version: v0.1
Comments / Notes:
-
The Base64 must contain numbers, upper case and lower case and be at least 12 characters long
-
password,secret,key, or password like prefix (fuzzy) -
Delimiters like
=or:(with padding)
Pattern Format
(([A-Za-z0-9+/]){4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)Start Pattern
(?:\A|[^a-zA-Z0-9])(?i)[a-z0-9._-]*(?:api|auth[a-z]+|jwt|mysql|db)?[_.-]?(?:pass?(?:wo?r?d|code|phrase)|secret|key|token)([_-][a-z0-9]+){0,3}([ \t]+As[ \t]+String)?[\t ]*(={1,3}|:)[\t ]*(?:["']|b["'])?End Pattern
(\z|[\r\n'"])Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Match:
[0-9]
-
Match:
[A-Z]
-
Match:
[a-z]
-
Match:
^.{12,}$
version: v0.1
Comments / Notes:
-
The Base64 must contain numbers, upper case and lower case and be at least 12 characters long
-
password,secret,key, or password like prefix (fuzzy) -
Delimiters like
=or:(with padding) -
This matches _- instead of +/, for URI-safe Base64
Pattern Format
(([A-Za-z0-9_-]){4})*([A-Za-z0-9_-]{4}|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{2}==)Start Pattern
(?:\A|[^a-zA-Z0-9])(?i)[a-z0-9._-]*(?:api|auth[a-z]+|jwt|mysql|db)?[_.-]?(?:pass?(?:wo?r?d|code|phrase)|secret|key|token)([_-][a-z0-9]+){0,3}([ \t]+As[ \t]+String)?[\t ]*(={1,3}|:)[\t ]*(?:["']|b["'])?End Pattern
(\z|[\r\n'"])Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Match:
[0-9]
-
Match:
[A-Z]
-
Match:
[a-z]
-
Match:
^.{12,}$
version: v0.1
Pattern Format
(?i)[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}Start Pattern
\A|[^0-9A-Fa-f-]End Pattern
\z|[^0-9A-Fa-f-]Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Not Match:
^12345678-1234-5678-1234-567812345678$
-
Not Match:
^00000000-0000-0000-0000-000000000000$
-
Not Match:
^(?i)00010203-0405-0607-0809-0a0b0c0d0e0f$
-
Not Match:
^(?i)12345678-1234-1234-1234-123456789abc$
version: v0.2
Comments / Notes:
-
As used in an Authorization header
-
We try to remove common placeholders
-
Lower length limit of 12 to remove common false positives on "Token ", since most words are below 12 characters in length
Pattern Format
[a-zA-Z0-9_.=/+:-]{12,}Start Pattern
(Authorization: |['"])([Bb]earer |[Tt]oken (token=)?)End Pattern
\z|[\s'"]Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Not Match:
^(?:letmein|Oracle|SuperSecretString|foo|ababbdbbebbbebdbbe5538003023|XYZ_INVALID_ACCESTOKEN_XYZ|QQ==|Shizuku|mF_9.B5f-4.1JqM|h480djs93hd8|SlAV32hkKG|YmVlcDpib29w)$
-
Not Match:
^(?i)(?:dummy|fake|bearer|auth|invalid|your|my|the|undefined|github|oidc|database)(?:_api)?(?:_?token|key|secret)?$
-
Not Match:
^(?i)(?:[a-z0-9]|XYZ|ABC|123|.*_token)$
-
Not Match:
(^(?i)(x+|y+|z+|a+|\.+|.*\.\.\.)$|(?i)x{5})
version: v0.1
Pattern Format
(?i)client[_.-]?Id\s*([:=]|[=-]>|to|[!=]={1,2}|<>)\s*['"`]?[^\s'"`[\]{}()<>]+['"`]?\s*[,\r\n]\s*\bclient[_.-]?Secret\s*([:=]|[=-]>|to|[!=]={1,2}|<>)\s*['"`]?[^\s'"`[\]{}()<>]+['"`]?Start Pattern
\A|\bEnd Pattern
\z|\bAdditional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Not Match:
^(?i)client[_.-]?id\s*[:=]?\s*(string|str|None)\b|\.\.\.|\(string\)|(?i)Client(ID|Secret)[a-z]|^(?i)client[_.-]?id["'`]\)|"\$\{
-
Not Match:
^(?i)client[_.-]?id\s*[=:]\s*([a-z.]+(\[|\.get\())?["'`]?(\$\{|@)?[a-z0-9_.-]*((client|app)[_.-]?id|key)\b
-
Not Match:
(?i)client[_.-]?secret\s*[=:]\s*["'`]?(\$\{|@)?[a-z_.-]*(secret|token)\b
-
Not Match:
^(?i)client[_.-]?Id(:.,|:\s*client[_.-]?secret:)
-
Not Match:
xxxxx|\?\?\?\?\?|example|00000|123-?45|['"][^'"\s]{1,5}['"]|(?i)<client[_-]?id>