1- name: SECRET_PAIR
2 severity: medium
3 confidence: moderate
4 type: pattern
5 values:
6 - (?P<variable>[`'\"]?(?i:token|secret|key|키|암호|암호화|토큰)[`'\"]?)((\s)*[=:](\s)*)(?P<quote>[`'\"(])?(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){8,80}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))(?(quote)[)`'\"])
7 filter_type:
8 - ValueAllowlistCheck
9 - ValuePatternCheck
10 - ValueEntropyBase64Check
11 - ValueCoupleKeywordCheck
12 min_line_len: 16
13 required_substrings:
14 - token
15 - secret
16 - key
17 - ":"
18 - "/"
19 - "="
20 - 키
21 - 암호
22 - 암호화
23 - 토큰
24 target:
25 - doc
26
27- name: PASSWD_PAIR
28 severity: medium
29 confidence: moderate
30 type: pattern
31 values:
32 - (?P<variable>[`'\"]?(?i:(?<!id[ :/])pa[as]swo?r?ds?|pwd?|p/w|비밀번호|비번|패스워드|암호)[`'\"]?)((\s)*[=:](\s)*)(?P<quote>[`'\"(])?(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){8,31}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))(?(quote)[)`'\"])
33 filter_type:
34 - ValueAllowlistCheck
35 - ValuePatternCheck
36 - ValueDictionaryKeywordCheck
37 - LineGitBinaryCheck
38 - ValueFilePathCheck
39 - ValueHexNumberCheck
40 min_line_len: 10
41 required_substrings:
42 - pass
43 - sword
44 - ":"
45 - "/"
46 - "="
47 - 비밀번호
48 - 비번
49 - 패스워드
50 - 암호
51 target:
52 - doc
53
54- name: IP_ID_PASSWORD_TRIPLE
55 severity: medium
56 confidence: moderate
57 type: pattern
58 values:
59 - (^|\s|(?P<variable>(?i:\bip[\s/]+id[\s/]+pw[\s/:]*))|(?P<url>://))(?P<ip>[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2})((\s*\()?|(?(variable)[\s,/]+|(?(url)[,]|[,/])))\s*\w[\w.-]{3,80}[\s,/]+(?P<value>(?(url)(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9_+=~!@#$%^&*;?-])){7,31}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x)|(?-i:(?P<e>[A-Z])|(?P<f>[a-z])|(?P<g>[0-9/_+=~!@#$%^&*;?-])){7,31}(?(e)(?(f)(?(g)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x)))(?:\s|[^/]|$)
60 filter_type:
61 - ValueAllowlistCheck
62 - ValuePatternCheck
63 - ValueDictionaryKeywordCheck
64 min_line_len: 10
65 required_substrings:
66 - "."
67 target:
68 - doc
69
70- name: ID_PAIR_PASSWD_PAIR
71 severity: medium
72 confidence: moderate
73 type: pattern
74 values:
75 - (?P<ddash>--)?(?P<variable>\w*(?i:pa[as]swords?|passwd?|pwd|\bp/w|\bpw|비밀번호|비번|패스워드|암호))\s*?(?(ddash)[ =]|[:=/>-]{1,2})\s*(?P<quote>[`'\"]+)?(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){4,31}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))(?(quote)(?P=quote)|(\s|$))
76 - (?P<ddash>--)?(?P<variable>(?i:user\s*)?(?i:id|login|account|root|admin|user|name|wifi|role|host|default|계정|아이디))\s*?(?(ddash)[ =]|[ :=])\s*?(?P<value>\S+)
77 filter_type:
78 - ValueAllowlistCheck
79 - ValuePatternCheck
80 min_line_len: 10
81 required_substrings:
82 - pass
83 - sword
84 - p/w
85 - pw
86 - 비밀번호
87 - 비번
88 - 패스워드
89 - 암호
90 target:
91 - doc
92
93- name: ID_PASSWD_PAIR
94 severity: medium
95 confidence: moderate
96 type: pattern
97 values:
98 - (?P<variable>[\w.-]*(?i:(?P<id>\bid\b)|id\b|user|name|계정|아이디)[\w.-]*(?(id)[ :(/]+|[:(/]+)(?i:pa[as]swo?r?ds?|pwd?|비밀번호|비번|패스워드|암호))\)?(\s*->\s*|[ =:)(/]+|\s+is\s+|\s+are\s+|\s*는\s*|\s*은\s*|\s*설정은\s*)\(?(?P<id_value>[\w.-]{2,31})[ :\(/\"',]+(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){4,31}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))
99 filter_type:
100 - ValueAllowlistCheck
101 - ValuePatternCheck
102 - ValueDictionaryKeywordCheck
103 min_line_len: 10
104 required_substrings:
105 - pw
106 - pass
107 - sword
108 - 비밀번호
109 - 비번
110 - 패스워드
111 - 암호
112 target:
113 - doc
114
115- name: API
116 severity: medium
117 confidence: moderate
118 type: keyword
119 values:
120 - api(?!tal)
121 filter_type: GeneralKeyword
122 use_ml: true
123 min_line_len: 11
124 required_substrings:
125 - api
126 target:
127 - code
128
129- name: IPv4
130 severity: info
131 confidence: weak
132 type: pattern
133 values:
134 - (?<![.0-9a-zA-Z])(?P<value>[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2})(?![.0-9a-zA-Z$])
135 filter_type:
136 - ValueIPCheck
137 min_line_len: 10
138 required_substrings:
139 - "."
140 target:
141 - code
142
143- name: IPv6
144 severity: info
145 confidence: strong
146 type: pattern
147 values:
148 - (?<![:0-9a-zA-Z])(?P<value>[0-9A-Fa-f]{0,4}:(:?[0-9A-Fa-f]{1,4}:?){0,6}:[0-9A-Fa-f]{1,4})(?![:0-9a-zA-Z])
149 filter_type:
150 - ValueIPCheck
151 min_line_len: 10
152 required_substrings:
153 - ":"
154 target:
155 - code
156
157- name: AWS Client ID
158 severity: high
159 confidence: moderate
160 type: pattern
161 values:
162 - (?<![0-9A-Za-z_+-])(?P<value>(ABIA|ACCA|AGPA|AIDA|AIPA|AKIA|ANPA|ANVA|AROA|APKA|ASCA|ASIA)[0-9A-Z]{16,17})(?![=0-9A-Za-z_+-])
163 filter_type: GeneralPattern
164 required_substrings:
165 - A
166 min_line_len: 20
167 required_regex: "[a-zA-Z0-9_/+-]{15,80}"
168 target:
169 - code
170 - doc
171
172- name: AWS Multi
173 severity: high
174 confidence: moderate
175 type: multi
176 values:
177 - (?<![0-9A-Za-z_+-])(?P<value>(ABIA|ACCA|AGPA|AIDA|AIPA|AKIA|ANPA|ANVA|AROA|APKA|ASCA|ASIA)[0-9A-Z]{16,17})(?![=0-9A-Za-z_+-])
178 - (?<![0-9A-Za-z_/+-])(?P<value>[0-9A-Za-z/+]{40,80})(?![=0-9A-Za-z_/+-])
179 filter_type: GeneralPattern
180 required_substrings:
181 - A
182 min_line_len: 20
183 required_regex: "[a-zA-Z0-9_/+-]{15,80}"
184 target:
185 - code
186 - doc
187
188- name: AWS MWS Key
189 severity: high
190 confidence: strong
191 type: pattern
192 values:
193 - (?<![0-9A-Za-z_+-])(?P<value>amzn\.mws\.[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12})(?![=0-9A-Za-z_+-])
194 filter_type: GeneralPattern
195 required_substrings:
196 - amzn
197 min_line_len: 30
198 target:
199 - code
200 - doc
201
202- name: Credential
203 severity: medium
204 confidence: moderate
205 type: keyword
206 values:
207 - credential
208 filter_type: GeneralKeyword
209 use_ml: true
210 min_line_len: 18
211 required_substrings:
212 - credential
213 target:
214 - code
215
216- name: Dynatrace API Token
217 severity: high
218 confidence: moderate
219 type: pattern
220 values:
221 - (?<![0-9A-Za-z_+-])(?P<value>dt0[a-zA-Z]{1}[0-9]{2}\.[A-Z0-9]{24}\.[A-Z0-9]{64})(?![=0-9A-Za-z_+-])
222 filter_type: GeneralPattern
223 required_substrings:
224 - dt0
225 min_line_len: 90
226 target:
227 - code
228 - doc
229
230- name: Facebook Access Token
231 severity: high
232 confidence: moderate
233 type: pattern
234 values:
235 - (?<![0-9A-Za-z_+-])(?P<value>EAAC[0-9A-Za-z]{27,80})
236 filter_type: GeneralPattern
237 required_substrings:
238 - EAAC
239 min_line_len: 31
240 target:
241 - code
242 - doc
243
244- name: Github Old Token
245 severity: high
246 confidence: moderate
247 type: pattern
248 values:
249 - (?i)((git)[\w\-]*(token|key|api)[\w\-]*(\s)*(=|:|:=)(\s)*(["']?)(?P<value>[a-z|\d]{40})(["']?))
250 filter_type: GeneralPattern
251 use_ml: true
252 validations:
253 - GithubTokenValidation
254 required_substrings:
255 - git
256 min_line_len: 47
257 target:
258 - code
259 - doc
260
261- name: Google API Key
262 severity: high
263 confidence: moderate
264 type: pattern
265 values:
266 - (?<![0-9A-Za-z_+-])(?P<value>AIza[0-9A-Za-z_-]{35})(?![=0-9A-Za-z_+-])
267 filter_type: GeneralPattern
268 validations:
269 - GoogleApiKeyValidation
270 required_substrings:
271 - AIza
272 min_line_len: 39
273 target:
274 - code
275 - doc
276
277- name: Google Multi
278 severity: high
279 confidence: moderate
280 type: multi
281 values:
282 - (?P<value>[0-9]{3,80}-[0-9a-z_]{32}\.apps\.googleusercontent\.com)
283 - \b(?P<value>GOCSPX-[0-9A-Za-z_-]{28}|((?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9_-])){24,80}(?(a)(?(b)(?(c)\b|(?!x)x)|(?!x)x)|(?!x)x))
284 filter_type: GeneralPattern
285 validations:
286 - GoogleMultiValidation
287 required_substrings:
288 - .apps.googleusercontent.com
289 min_line_len: 40
290 target:
291 - code
292 - doc
293
294- name: Google OAuth Secret
295 severity: high
296 confidence: strong
297 type: pattern
298 values:
299 - (?<![0-9A-Za-z_-])(?P<value>GOCSPX-[0-9A-Za-z_-]{28})(?![=0-9A-Za-z_+-])
300 filter_type: GeneralPattern
301 required_substrings:
302 - GOCSPX-
303 min_line_len: 40
304 target:
305 - code
306 - doc
307
308- name: Google OAuth Access Token
309 severity: high
310 confidence: moderate
311 type: pattern
312 values:
313 - (?<![0-9A-Za-z_+-])(?P<value>ya29\.[0-9A-Za-z_-]{22,8000})
314 filter_type: GeneralPattern
315 required_substrings:
316 - ya29.
317 min_line_len: 27
318 target:
319 - code
320 - doc
321
322- name: Heroku API Key
323 severity: high
324 confidence: moderate
325 type: pattern
326 values:
327 - (?i)(?P<value>heroku(.{0,20})?[0-9a-f]{8}(-[0-9a-f]{4})+-[0-9a-f]{12})(?![=0-9A-Za-z_+-])
328 filter_type: GeneralPattern
329 required_substrings:
330 - heroku
331 min_line_len: 24
332 target:
333 - code
334 - doc
335
336- name: Instagram Access Token
337 severity: high
338 confidence: strong
339 type: pattern
340 values:
341 - (?<![0-9A-Za-z_+-])(?P<value>IGQVJ[\w]{100,8000})
342 filter_type: GeneralPattern
343 required_substrings:
344 - IGQVJ
345 min_line_len: 105
346 target:
347 - code
348 - doc
349
350- name: JSON Web Token
351 severity: medium
352 confidence: moderate
353 type: pattern
354 values:
355 - (?<![.0-9A-Za-z_+-])(?P<value>eyJ[0-9A-Za-z_=-]{15,8000}([.0-9A-Za-z_=-]{1,8000})?)
356 filter_type: GeneralPattern
357 use_ml: true
358 required_substrings:
359 - eyJ
360 min_line_len: 18
361 target:
362 - code
363
364- name: MailChimp API Key
365 severity: high
366 confidence: moderate
367 type: pattern
368 values:
369 - (?<![0-9A-Za-z_+-])(?P<value>[0-9a-zA-Z]{32}-us[0-9]{1,2})(?![=0-9A-Za-z_+-])
370 filter_type: GeneralPattern
371 validations:
372 - MailChimpKeyValidation
373 required_substrings:
374 - -us
375 min_line_len: 35
376 target:
377 - code
378 - doc
379
380- name: MailGun API Key
381 severity: high
382 confidence: moderate
383 type: pattern
384 values:
385 - (?<![0-9A-Za-z_+-])(?P<value>key-[0-9a-zA-Z]{32})(?![=0-9A-Za-z_+-])
386 filter_type: GeneralPattern
387 required_substrings:
388 - key-
389 min_line_len: 36
390 target:
391 - code
392 - doc
393
394- name: Password
395 severity: medium
396 confidence: moderate
397 type: keyword
398 values:
399 - (?<!by)pass(?!ed|ing|es|\s+[a-z]{3,80})|pw(d|\b)
400 filter_type: PasswordKeyword
401 use_ml: true
402 min_line_len: 10
403 required_substrings:
404 - pass
405 - pw
406 target:
407 - code
408
409- name: PayPal Braintree Access Token
410 severity: high
411 confidence: strong
412 type: pattern
413 values:
414 - (?P<value>access_token\$production\$[0-9a-z]{16}\$[0-9a-z]{32})(?![=0-9A-Za-z_+-])
415 filter_type: GeneralPattern
416 required_substrings:
417 - access_token$production$
418 min_line_len: 72
419 target:
420 - code
421 - doc
422
423- name: PEM Private Key
424 severity: high
425 confidence: strong
426 type: pem_key
427 values:
428 - (?P<value>-----BEGIN\s(?!ENCRYPTED)[^-]*PRIVATE[^-]*KEY[^-]{0,40}-----(.+-----END[^-]+KEY[^-]{0,40}-----)?)
429 min_line_len: 27
430 target:
431 - code
432 - doc
433
434- name: BASE64 encoded PEM Private Key
435 severity: high
436 confidence: strong
437 type: pattern
438 values:
439 - (?P<value>[0-9A-Za-z_/+-]*LS0t(LS1CRUdJTiB|LUJFR0lOI|QkVHSU4g)[0-9A-Za-z_/+-]{0,11}(UFJJVkFURSBLRVkt|QUklWQVRFIEtFWS0t|FBSSVZBVEUgS0VZ)[0-9A-Za-z_/+-]+LS0t[0-9A-Za-z_/+-]+)
440 filter_type:
441 - ValueBase64EncodedPem
442 min_line_len: 300
443 required_substrings:
444 - UFJJVkFURSBLRVkt
445 - QUklWQVRFIEtFWS0t
446 - FBSSVZBVEUgS0VZ
447 target:
448 - code
449 - doc
450
451- name: BASE64 Private Key
452 severity: high
453 confidence: strong
454 type: pattern
455 values:
456 - (?P<value>\bMII[A-Za-f][0-9A-Za-z/+]{8}(?s:[^!#$&()*\-.:;<=>?@\[\]^_{|}~]{8,8000}))
457 filter_type:
458 - ValueBase64KeyCheck
459 min_line_len: 160
460 required_substrings:
461 - MII
462 target:
463 - code
464 - doc
465
466- name: Picatic API Key
467 severity: high
468 confidence: strong
469 type: pattern
470 values:
471 - (?P<value>sk_live_[0-9a-z]{32})(?![=0-9A-Za-z_+-])
472 filter_type: GeneralPattern
473 required_substrings:
474 - sk_live_
475 min_line_len: 40
476 target:
477 - code
478 - doc
479
480- name: Secret
481 severity: medium
482 confidence: moderate
483 type: keyword
484 values:
485 - secret
486 filter_type: GeneralKeyword
487 use_ml: true
488 min_line_len: 14
489 required_substrings:
490 - secret
491 target:
492 - code
493
494- name: SendGrid API Key
495 severity: high
496 confidence: moderate
497 type: pattern
498 values:
499 - (?P<value>SG\.[\w_]{16,32}\.[\w_]{16,64})
500 filter_type: GeneralPattern
501 required_substrings:
502 - SG.
503 min_line_len: 34
504 target:
505 - code
506 - doc
507
508- name: Shopify Token
509 severity: high
510 confidence: strong
511 type: pattern
512 values:
513 - (?P<value>shp(at|ca|pa|ss)_[a-fA-F0-9]{32})(?![=0-9A-Za-z_+-])
514 filter_type: TokenPattern
515 required_substrings:
516 - shp
517 min_line_len: 38
518 target:
519 - code
520 - doc
521
522- name: Slack Token
523 severity: high
524 confidence: strong
525 type: pattern
526 values:
527 - (?<![0-9A-Za-z_+-])(?P<value>xox[aboprst]\-[-a-zA-Z0-9]{10,250})
528 filter_type: GeneralPattern
529 validations:
530 - SlackTokenValidation
531 required_substrings:
532 - xox
533 min_line_len: 15
534 target:
535 - code
536 - doc
537
538- name: Slack Webhook
539 severity: high
540 confidence: strong
541 type: pattern
542 values:
543 - (?P<value>hooks\.slack\.com/services/T[0-9A-Z]{8,16}/B[0-9A-Z]{8,16}/\w{24})
544 filter_type: GeneralPattern
545 required_substrings:
546 - hooks.slack.com/services/T
547 min_line_len: 61
548 target:
549 - code
550 - doc
551
552- name: Stripe Standard API Key
553 severity: high
554 confidence: strong
555 type: pattern
556 values:
557 - (?P<value>sk_live_[0-9a-zA-Z]{24})(?![=0-9A-Za-z_+-])
558 filter_type: GeneralPattern
559 validations:
560 - StripeApiKeyValidation
561 required_substrings:
562 - sk_live_
563 min_line_len: 32
564 target:
565 - code
566 - doc
567
568- name: Stripe Restricted API Key
569 severity: high
570 confidence: strong
571 type: pattern
572 values:
573 - (?P<value>rk_live_[0-9a-zA-Z]{24})(?![=0-9A-Za-z_+-])
574 filter_type: GeneralPattern
575 required_substrings:
576 - rk_live_
577 min_line_len: 32
578 target:
579 - code
580 - doc
581
582- name: Square Access Token
583 severity: high
584 confidence: moderate
585 type: pattern
586 values:
587 - (?<![0-9A-Za-z_+-])(?P<value>EAAA[0-9A-Za-z_-]{60})(?![=0-9A-Za-z_+-])
588 filter_type: GeneralPattern
589 validations:
590 - SquareAccessTokenValidation
591 required_substrings:
592 - EAAA
593 min_line_len: 64
594 target:
595 - code
596 - doc
597
598- name: Square Client ID
599 severity: medium
600 confidence: strong
601 type: pattern
602 values:
603 - (?<![0-9A-Za-z_+-])(?P<value>sq0[a-z]{3}-[0-9A-Za-z_-]{22})(?![=0-9A-Za-z_+-])
604 filter_type: GeneralPattern
605 validations:
606 - SquareClientIdValidation
607 required_substrings:
608 - sq0
609 min_line_len: 29
610 target:
611 - code
612 - doc
613
614- name: Square OAuth Secret
615 severity: high
616 confidence: strong
617 type: pattern
618 values:
619 - (?P<value>sq0csp-[0-9A-Za-z_-]{43})(?![=0-9A-Za-z_+-])
620 filter_type: GeneralPattern
621 required_substrings:
622 - sq0csp
623 min_line_len: 50
624 target:
625 - code
626 - doc
627
628- name: Token
629 severity: medium
630 confidence: moderate
631 type: keyword
632 values:
633 - token(?!ize)
634 filter_type: GeneralKeyword
635 use_ml: true
636 min_line_len: 13
637 required_substrings:
638 - token
639 target:
640 - code
641
642- name: Twilio API Key
643 severity: high
644 confidence: moderate
645 type: pattern
646 values:
647 - (?<![0-9A-Za-z_+-])(?P<value>SK[0-9a-fA-F]{32})(?![=0-9A-Za-z_+-])
648 filter_type: GeneralPattern
649 required_substrings:
650 - SK
651 min_line_len: 34
652 target:
653 - code
654 - doc
655
656- name: URL Credentials
657 severity: high
658 confidence: moderate
659 type: pattern
660 values:
661 - (?P<value_leftquote>["'])?\w{2,80}://[\w%.:-]*(?P<separator>:)(?P<value>[^\s/\@:]{3,80})@[\w.-]+\\*(?P<value_rightquote>["'])?
662 filter_type: UrlCredentialsGroup
663 use_ml: true
664 required_substrings:
665 - ://
666 min_line_len: 10
667 target:
668 - code
669
670- name: Auth
671 severity: medium
672 confidence: moderate
673 type: keyword
674 values:
675 - auth(?!ors?(?!i[tz]))
676 filter_type: GeneralKeyword
677 use_ml: true
678 min_line_len: 12
679 required_substrings:
680 - auth
681 target:
682 - code
683
684- name: Key
685 severity: medium
686 confidence: moderate
687 type: keyword
688 values:
689 - key(?!word|board|pad|name)
690 filter_type: GeneralKeyword
691 use_ml: true
692 min_line_len: 11
693 required_substrings:
694 - key
695 target:
696 - code
697
698- name: Telegram Bot API Token
699 severity: high
700 confidence: moderate
701 type: pattern
702 values:
703 - (?P<value>[0-9]{8,10}:[0-9A-Za-z_-]{35})(?![=0-9A-Za-z_+-])
704 filter_type: GeneralPattern
705 required_substrings:
706 - :AA
707 min_line_len: 45
708 target:
709 - code
710 - doc
711
712- name: PyPi API Token
713 severity: high
714 confidence: strong
715 type: pattern
716 values:
717 - (?P<value>pypi-[\w_\-]{150,8000})
718 filter_type: GeneralPattern
719 required_substrings:
720 - pypi-
721 min_line_len: 155
722 target:
723 - code
724 - doc
725
726- name: Github Classic Token
727 severity: high
728 confidence: strong
729 type: pattern
730 values:
731 - (?<![0-9A-Za-z_+-])(?P<value>gh[pousr]_[0-9A-Za-z_]{36,255})
732 filter_type:
733 - ValueGitHubCheck
734 validations:
735 - GithubTokenValidation
736 required_substrings:
737 - ghp_
738 - gho_
739 - ghu_
740 - ghs_
741 - ghr_
742 min_line_len: 40
743 target:
744 - code
745 - doc
746
747- name: Github Fine-granted Token
748 severity: high
749 confidence: strong
750 type: pattern
751 values:
752 - (?<![0-9A-Za-z_+-])(?P<value>github_pat_[0-9A-Za-z_]{80,255})
753 filter_type: GeneralPattern
754 validations:
755 - GithubTokenValidation
756 required_substrings:
757 - github_pat_
758 min_line_len: 90
759 target:
760 - code
761 - doc
762
763- name: Firebase Domain
764 severity: info
765 confidence: moderate
766 type: pattern
767 values:
768 - (?<![0-9A-Za-z_])(?P<value>[a-z0-9.-]+\.firebaseio\.com|[a-z0-9.-]+\.firebaseapp\.com)
769 filter_type: GeneralPattern
770 required_substrings:
771 - .firebase
772 min_line_len: 16
773 target:
774 - code
775 - doc
776
777- name: AWS S3 Bucket
778 severity: info
779 confidence: moderate
780 type: pattern
781 values:
782 - (?<![0-9A-Za-z_])(?P<value>[a-z0-9.-]{3,63}\.s3\.amazonaws\.com|[a-z0-9.-]{3,63}\.s3-website[.-](eu|ap|us|ca|sa|cn))
783 filter_type: GeneralPattern
784 required_substrings:
785 - .s3-website
786 - .s3.amazonaws.com
787 min_line_len: 14
788 target:
789 - code
790 - doc
791
792- name: Nonce
793 severity: medium
794 confidence: moderate
795 type: keyword
796 values:
797 - nonce
798 filter_type: GeneralKeyword
799 use_ml: true
800 min_line_len: 13
801 required_substrings:
802 - nonce
803 target:
804 - code
805
806- name: Salt
807 severity: medium
808 confidence: moderate
809 type: keyword
810 values:
811 - salt
812 filter_type: GeneralKeyword
813 use_ml: true
814 min_line_len: 12
815 required_substrings:
816 - salt
817 target:
818 - code
819
820- name: Certificate
821 severity: medium
822 confidence: moderate
823 type: keyword
824 values:
825 - cert
826 filter_type: GeneralKeyword
827 use_ml: true
828 min_line_len: 12
829 required_substrings:
830 - cert
831 target:
832 - code
833
834- name: Jfrog Token
835 severity: high
836 confidence: strong
837 type: pattern
838 values:
839 - (?<![0-9A-Za-z_+-])(?P<value>(cmVmdGtuO[0-9A-Za-z_-]{55}|AKCp[0-9A-Za-z_-]{69}))(?![=0-9A-Za-z_+-])
840 filter_type:
841 - ValueJfrogTokenCheck
842 required_substrings:
843 - cmVmdGtuO
844 - AKCp
845 min_line_len: 64
846 target:
847 - code
848 - doc
849
850- name: Azure Access Token
851 severity: high
852 confidence: strong
853 type: pattern
854 values:
855 - (?<![0-9A-Za-z_+-])(?P<value>eyJ[A-Za-z0-9_=-]{50,500}\.eyJ[A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]+)
856 filter_type:
857 - ValueJsonWebTokenCheck
858 required_substrings:
859 - eyJ
860 min_line_len: 148
861 target:
862 - code
863 - doc
864
865- name: Azure Secret Value
866 severity: high
867 confidence: moderate
868 type: pattern
869 values:
870 - (?<![0-9A-Za-z_+-])(?P<value>[a-zA-Z0-9_~.-]{3}8Q~[a-zA-Z0-9_~.-]{34})(?![=0-9A-Za-z_+-])
871 filter_type: TokenPattern
872 min_line_len: 40
873 required_substrings:
874 - 8Q~
875 target:
876 - code
877 - doc
878
879- name: Bitbucket App Password
880 severity: high
881 confidence: strong
882 type: pattern
883 values:
884 - (?<![0-9A-Za-z_+-])(?P<value>ATBB[A-Za-z0-9]{24}[A-F0-9]{8})(?![=0-9A-Za-z_+-])
885 filter_type:
886 - ValueAtlassianTokenCheck
887 min_line_len: 28
888 required_substrings:
889 - ATBB
890 target:
891 - code
892 - doc
893
894- name: Bitbucket Repository Access Token
895 severity: high
896 confidence: strong
897 type: pattern
898 values:
899 - (?<![0-9A-Za-z_+-])(?P<value>ATCTT3xFfGN0[a-zA-Z0-9-_]{171}=[A-F0-9]{8})(?![=0-9A-Za-z_+-])
900 filter_type: TokenPattern
901 min_line_len: 183
902 required_substrings:
903 - ATCTT3xFfGN0
904 target:
905 - code
906 - doc
907
908- name: Bitbucket HTTP Access Token
909 severity: high
910 confidence: strong
911 type: pattern
912 values:
913 - (?<![0-9A-Za-z_+-])(?P<value>BBDC-[NMO][ADgjQTwz][A-Za-z0-9+/]{42})(?![=0-9A-Za-z_+-])
914 filter_type:
915 - ValueAtlassianTokenCheck
916 min_line_len: 49
917 required_substrings:
918 - BBDC-
919 target:
920 - code
921 - doc
922
923- name: Bitbucket Client ID
924 severity: info
925 confidence: weak
926 type: pattern
927 values:
928 - (?<![.0-9A-Za-z_/+-])(?P<value>[a-zA-Z0-9]{18}([a-zA-Z0-9]{14})?)(?![0-9A-Za-z.$_/+-])
929 filter_type: WeirdBase64Token
930 min_line_len: 18
931 required_regex: "[a-zA-Z0-9_/+-]{15,80}"
932 target:
933 - code
934 - doc
935
936- name: Bitbucket Client Secret
937 severity: info
938 confidence: weak
939 type: pattern
940 values:
941 - (?<![.0-9A-Za-z_/+-])(?P<value>([a-zA-Z0-9_-]{32}){1,2})(?![0-9A-Za-z.$_/+-])
942 filter_type: WeirdBase64Token
943 min_line_len: 32
944 required_regex: "[a-zA-Z0-9_/+-]{15,80}"
945 target:
946 - code
947 - doc
948
949- name: Jira / Confluence PAT token
950 severity: high
951 confidence: strong
952 type: pattern
953 values:
954 - (?<![0-9A-Za-z_/+-])(?P<value>[NMO][ADgjQTwz][a-zA-Z0-9+/]{42})(?![=0-9A-Za-z_+-])
955 filter_type:
956 - ValueAtlassianTokenCheck
957 min_line_len: 44
958 required_substrings:
959 - M
960 - N
961 - O
962 required_regex: "[a-zA-Z0-9_/+-]{15,80}"
963 target:
964 - code
965 - doc
966
967- name: Atlassian Old PAT token
968 severity: info
969 confidence: weak
970 type: pattern
971 values:
972 - (?<![.0-9A-Za-z_/+-])(?P<value>[a-zA-Z0-9]{24})(?![=0-9A-Za-z.$_/+-])
973 filter_type: WeirdBase64Token
974 min_line_len: 24
975 required_regex: "[a-zA-Z0-9_/+-]{15,80}"
976 target:
977 - code
978 - doc
979
980- name: Atlassian PAT token
981 severity: high
982 confidence: strong
983 type: pattern
984 values:
985 - (?<![0-9A-Za-z_+-])(?P<value>ATATT3xFfGF0[a-zA-Z0-9-_]{171}=[A-F0-9]{8})(?![=0-9A-Za-z_+-])
986 filter_type: TokenPattern
987 min_line_len: 191
988 required_substrings:
989 - ATATT3xFfGF0
990 target:
991 - code
992 - doc
993
994- name: Digital Ocean Token
995 severity: high
996 confidence: strong
997 type: pattern
998 values:
999 - (?<![0-9A-Za-z_+-])(?P<value>do[op]_v1_[a-f0-9]{64})(?![=0-9A-Za-z_+-])
1000 filter_type: TokenPattern
1001 min_line_len: 71
1002 required_substrings:
1003 - doo_v1_
1004 - dop_v1_
1005 target:
1006 - code
1007 - doc
1008
1009- name: Dropbox OAuth2 API Access Token
1010 severity: high
1011 confidence: moderate
1012 type: pattern
1013 values:
1014 - (?<![0-9A-Za-z_+-])(?P<value>sl.[A-Za-z0-9_-]{135})(?![=0-9A-Za-z_+-])
1015 filter_type: TokenPattern
1016 min_line_len: 138
1017 required_substrings:
1018 - sl.
1019 target:
1020 - code
1021 - doc
1022
1023- name: NuGet API key
1024 severity: high
1025 confidence: moderate
1026 type: pattern
1027 values:
1028 - (?<![0-9A-Za-z_+-])(?P<value>oy2[a-z0-9]{43})(?![=0-9A-Za-z_+-])
1029 filter_type: TokenPattern
1030 min_line_len: 46
1031 required_substrings:
1032 - oy2
1033 target:
1034 - code
1035 - doc
1036
1037- name: Gitlab PAT
1038 severity: high
1039 confidence: strong
1040 type: pattern
1041 values:
1042 - (?<![0-9A-Za-z_+-])(?P<value>glpat-[a-zA-Z0-9_-]{20})(?![=0-9A-Za-z_+-])
1043 filter_type: TokenPattern
1044 min_line_len: 26
1045 required_substrings:
1046 - glpat-
1047 target:
1048 - code
1049 - doc
1050
1051- name: Gitlab Pipeline Trigger Token
1052 severity: high
1053 confidence: strong
1054 type: pattern
1055 values:
1056 - (?<![0-9A-Za-z_+-])(?P<value>glptt-[a-f0-9]{40})(?![=0-9A-Za-z_+-])
1057 filter_type: TokenPattern
1058 min_line_len: 46
1059 required_substrings:
1060 - glptt-
1061 target:
1062 - code
1063 - doc
1064
1065- name: Gitlab Registration Runner Token
1066 severity: high
1067 confidence: strong
1068 type: pattern
1069 values:
1070 - (?<![0-9A-Za-z_+-])(?P<value>GR1348941[a-zA-Z0-9_-]{20})(?![=0-9A-Za-z_+-])
1071 filter_type: TokenPattern
1072 min_line_len: 29
1073 required_substrings:
1074 - GR1348941
1075 target:
1076 - code
1077 - doc
1078
1079- name: Gitlab Registration Runner Token 2023
1080 severity: high
1081 confidence: strong
1082 type: pattern
1083 values:
1084 - (?<![0-9A-Za-z_+-])(?P<value>glrt-[a-zA-Z0-9_-]{20})(?![=0-9A-Za-z_+-])
1085 filter_type: TokenPattern
1086 min_line_len: 25
1087 required_substrings:
1088 - glrt-
1089 target:
1090 - code
1091 - doc
1092
1093- name: Grafana Provisioned API Key
1094 severity: high
1095 confidence: strong
1096 type: pattern
1097 values:
1098 - (?<![0-9A-Za-z_+-])(?P<value>eyJ[a-zA-Z0-9=/-]{64,360})(?![=0-9A-Za-z_+-])
1099 filter_type:
1100 - ValueGrafanaCheck
1101 min_line_len: 67
1102 required_substrings:
1103 - eyJ
1104 target:
1105 - code
1106 - doc
1107
1108- name: Grafana Access Policy Token
1109 severity: high
1110 confidence: strong
1111 type: pattern
1112 values:
1113 - (?<![0-9A-Za-z_+-])(?P<value>glc_eyJ[a-zA-Z0-9=/-]{80,360})(?![=0-9A-Za-z_+-])
1114 filter_type:
1115 - ValueGrafanaCheck
1116 min_line_len: 87
1117 required_substrings:
1118 - glc_eyJ
1119 target:
1120 - code
1121 - doc
1122
1123- name: Dropbox API secret (long term)
1124 severity: high
1125 confidence: weak
1126 type: pattern
1127 values:
1128 - (?<![0-9A-Za-z_+-])(?=[A-Za-z0-9]{64})(?P<value>[A-Za-z0-9]{10,12}[B-Za-z0-9]A{10,12}[B-Za-z0-9][A-Za-z0-9]{40,44})(?![=0-9A-Za-z_+-])
1129 filter_type: []
1130 min_line_len: 43
1131 required_substrings:
1132 - AAAAAAAAAA
1133 target:
1134 - code
1135 - doc
1136
1137- name: Dropbox App secret
1138 severity: info
1139 confidence: weak
1140 type: pattern
1141 values:
1142 - (?<![.0-9A-Za-z_/+-])(?P<value>[a-z0-9]{15})(?![=0-9A-Za-z_/+-])
1143 filter_type: WeirdBase36Token
1144 min_line_len: 15
1145 required_regex: "[a-zA-Z0-9_/+-]{15,80}"
1146 target:
1147 - code
1148 - doc
1149
1150- name: Gitlab Incoming Email Token
1151 severity: info
1152 confidence: weak
1153 type: pattern
1154 values:
1155 - (?<![.0-9A-Za-z_/+-])(?P<value>[a-z0-9]{24,25})(?![=0-9A-Za-z_/+-])
1156 filter_type: WeirdBase36Token
1157 min_line_len: 24
1158 required_regex: "[a-zA-Z0-9_/+-]{15,80}"
1159 target:
1160 - code
1161 - doc
1162
1163- name: Gitlab Feed Token
1164 severity: info
1165 confidence: weak
1166 type: pattern
1167 values:
1168 - (?<![.0-9A-Za-z_/+-])(?P<value>[a-zA-Z0-9_-]{20})(?![=0-9A-Za-z_/+-])
1169 filter_type: WeirdBase64Token
1170 min_line_len: 20
1171 required_regex: "[a-zA-Z0-9_/+-]{15,80}"
1172 target:
1173 - code
1174 - doc
1175
1176- name: Jira 2FA
1177 severity: info
1178 confidence: weak
1179 type: pattern
1180 values:
1181 - (?<![.0-9A-Za-z_/+-])(?P<value>[A-Z2-7]{16})(?![=0-9A-Za-z_/+-])
1182 filter_type:
1183 - ValueCoupleKeywordCheck
1184 - ValuePatternCheck
1185 - ValueEntropyBase32Check
1186 - ValueBase32DataCheck
1187 - ValueTokenBase32Check
1188 min_line_len: 16
1189 required_regex: "[a-zA-Z0-9_/+-]{15,80}"
1190 target:
1191 - code
1192 - doc
1193
1194- name: OpenAI Token
1195 severity: high
1196 confidence: strong
1197 type: pattern
1198 values:
1199 - (?<![.0-9A-Za-z_/+-])(?P<value>sk-\w{20}T3BlbkFJ\w{20})(?![=0-9A-Za-z_/+-])
1200 min_line_len: 51
1201 required_regex: T3BlbkFJ
1202 target:
1203 - code
1204 - doc
1205
1206- name: Docker Swarm Token
1207 severity: high
1208 confidence: strong
1209 type: pattern
1210 values:
1211 - (?<![.0-9A-Za-z_/+-])(?P<value>SWMTKN-1-[0-9a-z]{50}-[0-9a-z]{25})(?![=0-9A-Za-z_/+-])
1212 min_line_len: 85
1213 filter_type:
1214 - ValueCoupleKeywordCheck
1215 required_regex: SWMTKN-1-
1216 target:
1217 - code
1218 - doc