Rules Configuration

- name: DOC_GET
  severity: medium
  confidence: weak
  type: pattern
  values:
    - (?P<variable>(\w*(?i:비밀번호|비번|패스워드|키|암호화?|토큰|(?<!by)pass(?!e[dns]|ing|ion|age)|\bpwd?\b|token|secret|key|cred)\w*)\s*(설정은|[=:!]{1,3}))?\s*([._0-9A-Za-z\[\]]*get(env)?\s*\(\s*(?(variable)[^,]+|[\"'\\]*(\\*([\"']|&(quot|apos|#3[49]);)){0,4}(\w*(?i:(?<!by)pass(?!e[dns]|ing|ion|age|\s+[a-z]{3,80})|\bpwd?\b|token|secret|key|cred)\w*))(\\*([\"']|&(quot|apos|#3[49]);)){0,4})\s*,\s*(default\s*=\s*)?([brufl@]{1,2}(?=\\*[\"'&]))?(?P<lq>(\\*([\"']|&(quot|apos|#3[49]);)){1,4})(?P<value>(.(?!(?P=lq))){4,80}.?)
  filter_type:
    - ValueAllowlistCheck
    - LineGitBinaryCheck
    - LineUUEPartCheck
    - ValueFilePathCheck
    - ValuePatternCheck(5)
    - ValueLengthCheck(4,80)
  min_line_len: 8
  required_substrings:
    - pass
    - pw
    - token
    - secret
    - key
    - cred
    - 비밀번호
    - 비번
    - 패스워드
    - 암호
    - 키
    - 토큰
  target:
    - doc
  use_ml: true

- name: DOC_CREDENTIALS
  severity: medium
  confidence: weak
  type: pattern
  values:
    - (?P<wrap>[\"'`(])?\s*(?P<variable>(\w*(?i:(?<!by)passw?o?r?d?s?(?!e[dns]|ing|ion|age)|pwd?\b|\bp/w\b|token|secret|key|credential)\w*|비밀번호|비번|패스워드|키|암호화?|토큰))[\"'`]*(\s+(?i:is|are|was|were)(\s*[:-])?\s+|\s*(설정은|[=:!]{1,3})\s*)(?P<quote>[\"'`]{1,6})?(?P<value>(?(quote)(?(wrap)[^\"'`)]{4,80}|[^\"'`]{4,80})|(?(wrap)[^\"'`)]{4,80}|\S{4,80})))
  filter_type:
    - ValueAllowlistCheck
    - LineGitBinaryCheck
    - LineUUEPartCheck
    - ValueFilePathCheck
    - ValuePatternCheck(5)
    - ValueLengthCheck(4,80)
  min_line_len: 8
  required_substrings:
    - pass
    - sword
    - pw
    - p/w
    - paasw
    - 비밀번호
    - 비번
    - 패스워드
    - 암호
    - token
    - secret
    - key
    - credential
    - 키
    - 토큰
  target:
    - doc
  use_ml: true

- name: SECRET_PAIR
  severity: medium
  confidence: moderate
  type: pattern
  values:
    - (?P<variable>[\"'`]?(?i:token|secret|key|키|암호화?|토큰)[\"'`]?)((\s)*[=:](\s)*)(?P<quote>[\"'`(])?(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){8,80}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))(?(quote)[)\"'`])
  filter_type:
    - ValueAllowlistCheck
    - ValuePatternCheck(4)
    - ValueEntropyBase64Check
    - ValueMorphemesCheck
  min_line_len: 16
  required_substrings:
    - token
    - secret
    - key
    - 키
    - 암호
    - 토큰
  target:
    - doc

- name: PASSWD_PAIR
  severity: medium
  confidence: moderate
  type: pattern
  values:
    - (?P<variable>[\"'`]?(?i:(?<!id[ :/])pa[as]swo?r?ds?|pwd?|p/w|비밀번호|비번|패스워드|암호)[\"'`]?)((\s)*[=:](\s)*)(?P<quote>[\"'`(])?(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){8,64}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))(?(quote)[)\"'`])
  filter_type:
    - ValueAllowlistCheck
    - ValuePatternCheck(4)
    - ValueDictionaryKeywordCheck
    - LineGitBinaryCheck
    - LineUUEPartCheck
    - ValueFilePathCheck
    - ValueHexNumberCheck
  min_line_len: 10
  required_substrings:
    - pass
    - sword
    - pw
    - p/w
    - paasw
    - 비밀번호
    - 비번
    - 패스워드
    - 암호
  target:
    - doc

- name: IP_ID_PASSWORD_TRIPLE
  severity: medium
  confidence: moderate
  type: pattern
  values:
    - (^|\s|(?P<variable>(?i:\bip[\s/]{1,80}id[\s/]{1,80}pw[\s/:]{0,80}))|(?P<url>://))(?P<ip>(?<![0-9.])[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}(?![0-9.]))((\s*[(])?|(?(variable)[\s,/]{1,80}|(?(url)[,]|[,/])))\s*\w[\w.-]{3,80}[\s,/]{1,80}(?P<value>(?(url)(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9_+=~!@#$%^&*;?-])){7,64}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x)|(?-i:(?P<e>[A-Z])|(?P<f>[a-z])|(?P<g>[0-9/_+=~!@#$%^&*;?-])){7,64}(?(e)(?(f)(?(g)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x)))(?:\s|[^/]|$)
  filter_type:
    - ValueAllowlistCheck
    - ValuePatternCheck(4)
    - ValueDictionaryKeywordCheck
  min_line_len: 10
  required_substrings:
    - "."
  target:
    - doc

- name: ID_PAIR_PASSWD_PAIR
  severity: medium
  confidence: moderate
  type: pattern
  values:
    - (?P<ddash>--)?(?P<variable>\w*(?i:pa[as]swords?|passwd?|pwd|\bp/w|\bpw|비밀번호|비번|패스워드|암호))\s*?(?(ddash)[ =]|[:=/>-]{1,2})\s*(?P<quote>[\"'`]{1,8})?(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){4,64}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))(?(quote)(?P=quote)|(\s|$))
    - (?P<ddash>--)?(?P<variable>(?i:user\s*)?(?i:id|login|account|root|admin|user|name|wifi|role|host|default|계정|아이디))\s*?(?(ddash)[ =]|[ :=])\s*?(?P<value>\S+)
  filter_type:
    - ValueAllowlistCheck
    - ValuePatternCheck(4)
  min_line_len: 10
  required_substrings:
    - pass
    - sword
    - p/w
    - pw
    - 비밀번호
    - 비번
    - 패스워드
    - 암호
  target:
    - doc

- name: ID_PASSWD_PAIR
  severity: medium
  confidence: moderate
  type: pattern
  values:
    - (?P<variable>[\w.-]{0,80}(?i:(?P<id>\bid\b)|id\b|user|name|계정|아이디)[\w.-]{0,80}(?(id)[ :(/]{1,80}|[:(/]{1,80})(?i:pa[as]swo?r?ds?|pwd?|비밀번호|비번|패스워드|암호))\)?(\s*->\s*|[ =:)(/]{1,80}|\s+is\s+|\s+are\s+|\s*는\s*|\s*은\s*|\s*설정은\s*)\(?(?P<id_value>[\w.-]{2,64})[ :\(/\"',]{1,80}(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){4,64}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))
  filter_type:
    - ValueAllowlistCheck
    - ValuePatternCheck(4)
    - ValueDictionaryKeywordCheck
  min_line_len: 10
  required_substrings:
    - pw
    - pass
    - sword
    - 비밀번호
    - 비번
    - 패스워드
    - 암호
  target:
    - doc

- name: UUID
  severity: info
  confidence: strong
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})(?![0-9A-Za-z_+-])
  min_line_len: 36
  required_substrings:
    - "-"
  filter_type:
    - ValuePatternCheck(4)
  use_ml: false
  target:
    - code
    - doc

- name: Akamai Credentials
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>akab-[0-9a-z]{16}-[0-9a-z]{16})(?!\.[0-9a-z-]{1,80}\.akamaiapis\.net)
  filter_type: GeneralPattern
  required_substrings:
    - akab-
  min_line_len: 38
  target:
    - code
    - doc

- name: AWS Client ID
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>(ABIA|ACCA|AGPA|AIDA|AIPA|AKIA|ANPA|ANVA|AROA|APKA|ASCA|ASIA)[0-9A-Z]{16,17})(?![0-9A-Za-z_+-])
  filter_type: GeneralPattern
  required_substrings:
    - ABIA
    - ACCA
    - AGPA
    - AIDA
    - AIPA
    - AKIA
    - ANPA
    - ANVA
    - AROA
    - APKA
    - ASCA
    - ASIA
  min_line_len: 20
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: AWS Multi
  severity: high
  confidence: moderate
  type: multi
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>A(KIA|SIA)[0-9A-Z]{16})(?![0-9A-Za-z_])
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>((?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/+])){40,44}(?(a)(?(b)(?(c)\b|(?!x)x)|(?!x)x)|(?!x)x))(?![0-9A-Za-z/+])
  filter_type:
    - LineSpecificKeyCheck
    - ValuePatternCheck
    - ValueBase64PartCheck
    - ValueMorphemesCheck
  required_substrings:
    - AKIA
    - ASIA
  min_line_len: 20
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: AWS MWS Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>amzn\.mws\.[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - amzn.mws.
  min_line_len: 30
  target:
    - code
    - doc

- name: Dynatrace API Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>dt0[A-Za-z]{1}[0-9]{2}\.[0-9A-Z]{24}\.[0-9A-Z]{64})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  required_substrings:
    - dt0
  min_line_len: 90
  target:
    - code
    - doc

- name: Facebook Access Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>EAA[0-9A-Za-z]{80,800})
  filter_type:
    - ValuePatternCheck
    - ValueBase64PartCheck
  required_substrings:
    - EAA
  min_line_len: 80
  target:
    - code
    - doc

- name: Facebook App Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>[0-9]{12,18}\|[0-9A-Za-z_-]{24,28})(?![0-9A-Za-z_+-])
  filter_type: TokenPattern
  required_substrings:
    - "|"
  required_regex: "[0-9A-Za-z_/+-]{15}"
  min_line_len: 33
  target:
    - code
    - doc

- name: Google API Key
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>AIza[0-9A-Za-z_-]{35})
  filter_type: TokenPattern
  required_substrings:
    - AIza
  min_line_len: 39
  target:
    - code
    - doc

- name: Google Multi
  severity: high
  confidence: moderate
  type: multi
  values:
    - (?P<value>[0-9]{3,80}-[0-9a-z_]{32}\.apps\.googleusercontent\.com)
    - \b(?P<value>GOCSPX-[0-9A-Za-z_-]{28}|((?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9_-])){24,80}(?(a)(?(b)(?(c)\b|(?!x)x)|(?!x)x)|(?!x)x))
  filter_type: GeneralPattern
  required_substrings:
    - .apps.googleusercontent.com
  min_line_len: 40
  target:
    - code
    - doc

- name: Google OAuth Secret
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>GOCSPX-[0-9A-Za-z_-]{28})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  required_substrings:
    - GOCSPX-
  min_line_len: 40
  target:
    - code
    - doc

- name: Google OAuth Access Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?P<value>ya29\.[0-9A-Za-z_-]{22,8000})
  filter_type: TokenPattern
  required_substrings:
    - ya29.
  min_line_len: 27
  target:
    - code
    - doc

- name: Google OAuth Refresh Token
  severity: medium
  confidence: weak
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>1//0[0-9A-Za-z_-]{80,8000})
  filter_type: TokenPattern
  required_substrings:
    - 1//0
  min_line_len: 84
  target:
    - code
    - doc

- name: Heroku Credentials
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>HRKU-([0-9A-Za-z_-]{60}|[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}))
  filter_type: TokenPattern
  required_substrings:
    - HRKU-
  min_line_len: 41
  target:
    - code
    - doc

- name: Instagram Access Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>IGQVJ[=0-9A-Za-z_-]{100,8000})(?![=0-9A-Za-z_-])
  filter_type: TokenPattern
  required_substrings:
    - IGQVJ
  min_line_len: 105
  target:
    - code
    - doc

- name: JSON Web Token
  severity: medium
  confidence: strong
  type: pattern
  values:
    - (?P<value>eyJ[=0-9A-Za-z_+/-]{15,8000}(\.[=0-9A-Za-z_+/-]{0,8000}){2,16})(?![=0-9A-Za-z_-])
  filter_type:
    - ValueJsonWebTokenCheck
  required_substrings:
    - eyJ
  min_line_len: 64
  target:
    - code
    - doc

- name: JSON Web Key
  severity: medium
  confidence: strong
  type: pattern
  values:
    - (?P<value>\b(e(yJ|yAi|woi|wog|w0K)|W(yJ|3si|wp7|wog|w0K|3sK))[0-9A-Za-z_+/-]{60,8000})
  filter_type:
    - ValueJsonWebKeyCheck
  required_substrings:
    - eyJ
    - eyAi
    - ewoi
    - ewog
    - ew0K
    - WyJ
    - W3si
    - Wwp7
    - Wwog
    - Ww0K
    - W3sK
  min_line_len: 64
  target:
    - code
    - doc

- name: JWK
  severity: medium
  confidence: moderate
  type: multi
  values:
    - (?P<value>['"]?\b(?P<variable>kty)[^0-9A-Za-z_-]{1,8}(RSA|EC|oct)\b['"]?)
    - (?P<variable>\b[dk])[^0-9A-Za-z_-]{1,8}(?P<value>[0-9A-Za-z_-]{22,8000})(?![=0-9A-Za-z_-])
  filter_type:
    - ValuePatternCheck
    - ValueMorphemesCheck
  required_substrings:
    - kty
  min_line_len: 8
  target:
    - code
    - doc

- name: MailChimp API Key
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>[0-9A-Za-z_-]{32}-us[0-9]{1,2})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  required_substrings:
    - -us
  min_line_len: 35
  target:
    - code
    - doc

- name: MailGun API Key
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>key-[0-9a-z]{32}|[0-9a-f]{32}-[0-9a-f]{8}-[0-9a-f]{8})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  required_regex: "[0-9A-Za-z_/+-]{15}"
  min_line_len: 36
  target:
    - code
    - doc

- name: PayPal Braintree Access Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>access_token\$production\$[0-9a-z]{16}\$[0-9a-z]{32})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - access_token$production$
  min_line_len: 72
  target:
    - code
    - doc

- name: PEM Private Key
  severity: high
  confidence: strong
  type: pem_key
  values:
    - (?P<value>-----BEGIN\s(?!ENCRYPTED)[^-]{0,80}PRIVATE[^-]{0,80}KEY[^-]{0,40}-----(.+-----END[^-]{1,80}KEY[^-]{0,40}-----)?)
  min_line_len: 27
  target:
    - code
    - doc

- name: BASE64 encoded PEM Private Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>[0-9A-Za-z_/+-]{0,8000}LS0t(LS1CRUdJTiB|LUJFR0lOI|QkVHSU4g)[0-9A-Za-z_/+-]{0,11}(UFJJVkFURSBLRVkt|QUklWQVRFIEtFWS0t|FBSSVZBVEUgS0VZ)[0-9A-Za-z_/+-]{1,8000}LS0t[0-9A-Za-z_/+-]{1,8000})
  filter_type:
    - ValueBase64EncodedPem
  min_line_len: 300
  required_substrings:
    - UFJJVkFURSBLRVkt
    - QUklWQVRFIEtFWS0t
    - FBSSVZBVEUgS0VZ
  target:
    - code
    - doc

- name: BASE64 Private Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>MII[A-Za-f][0-9A-Za-z/+]{8}(?s:[^!#$&()*\-.:;<=>?@\[\]^_{|}~]{8,8000}))
  filter_type:
    - ValueBase64KeyCheck
  min_line_len: 160
  required_substrings:
    - MII
  target:
    - code
    - doc

- name: Picatic API Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>sk_live_[0-9a-z]{32})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - sk_live_
  min_line_len: 40
  target:
    - code
    - doc

- name: SendGrid API Key
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>SG\.[0-9A-Za-z_-]{16,32}\.[0-9A-Za-z_-]{16,64})
  filter_type: TokenPattern
  required_substrings:
    - SG.
  min_line_len: 34
  target:
    - code
    - doc

- name: Shopify Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>shp(at|ca|pa|ss)_[0-9A-Fa-f]{32})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  required_substrings:
    - shp
  min_line_len: 38
  target:
    - code
    - doc

- name: Slack Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>(xapp|xox[a-z])\-[0-9A-Za-z-]{10,250})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  required_substrings:
    - xox
    - xapp
  min_line_len: 15
  target:
    - code
    - doc

- name: Slack Webhook
  severity: medium
  confidence: strong
  type: pattern
  values:
    - (?P<variable>hooks\.slack\.com/services)(?P<value>/T[0-9A-Z]{8,16}/B[0-9A-Z]{8,16}/[0-9A-Za-z_]{24})
  filter_type: GeneralPattern
  required_substrings:
    - hooks.slack.com/services/T
  min_line_len: 61
  target:
    - code
    - doc

- name: Stripe Credentials
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>(whsec|[prs]k_(test|live))_[0-9A-Za-z]{24,160})
  filter_type: GeneralPattern
  required_substrings:
    - k_live_
    - k_test_
    - whsec_
  min_line_len: 32
  target:
    - code
    - doc

- name: Square Access Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>EAAA[0-9A-Za-z_-]{60})(?![0-9A-Za-z_-])
  filter_type:
    - ValuePatternCheck
    - ValueBase64PartCheck
  required_substrings:
    - EAAA
  min_line_len: 64
  target:
    - code
    - doc

- name: Square Credentials
  severity: medium
  confidence: strong
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>sq0[a-z]{3}-[0-9A-Za-z_-]{22}([0-9A-Za-z_-]{21})?)(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  required_substrings:
    - sq0
  min_line_len: 29
  target:
    - code
    - doc

- name: Twilio Credentials
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>(AC|AD|AL|CA|CF|CL|CN|CR|FW|IP|KS|MM|NO|PK|PN|QU|RE|SC|SD|SK|SM|TR|UT|XE|XR)[0-9A-Fa-f]{32})(?![0-9A-Za-z_+-])
  filter_type: TokenPattern
  required_substrings:
    - AC
    - AD
    - AL
    - CA
    - CF
    - CL
    - CN
    - CR
    - FW
    - IP
    - KS
    - MM
    - "NO"
    - PK
    - PN
    - QU
    - RE
    - SC
    - SD
    - SK
    - SM
    - TR
    - UT
    - XE
    - XR
  min_line_len: 34
  target:
    - code
    - doc

- name: Telegram Bot API Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>[0-9]{8,10}:[0-9A-Za-z_-]{35})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  required_substrings:
    - :AA
  min_line_len: 45
  target:
    - code
    - doc

- name: PyPi API Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>pypi-[0-9A-Za-z_-]{150,255})
  filter_type: TokenPattern
  required_substrings:
    - pypi-
  min_line_len: 155
  target:
    - code
    - doc

- name: NPM Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>npm_[0-9A-Za-z_-]{36,255})
  filter_type:
    - ValueGitHubCheck
  required_substrings:
    - npm_
  min_line_len: 40
  target:
    - code
    - doc

- name: Github Classic Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>gh[pousr]_[0-9A-Za-z_-]{36,255})
  filter_type:
    - ValueGitHubCheck
  required_substrings:
    - ghp_
    - gho_
    - ghu_
    - ghs_
    - ghr_
  min_line_len: 40
  target:
    - code
    - doc

- name: Github Fine-granted Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>github_pat_[0-9A-Za-z_]{80,255})
  filter_type: GeneralPattern
  required_substrings:
    - github_pat_
  min_line_len: 90
  target:
    - code
    - doc

- name: Firebase Domain
  severity: info
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>[a-z0-9.-]{1,80}\.firebaseio\.com|[a-z0-9.-]{1,80}\.firebaseapp\.com)
  filter_type: GeneralPattern
  required_substrings:
    - .firebase
  min_line_len: 16
  target:
    - code
    - doc

- name: AWS S3 Bucket
  severity: info
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>[a-z0-9.-]{3,63}\.s3\.amazonaws\.com|[a-z0-9.-]{3,63}\.s3-website[.-](eu|ap|us|ca|sa|cn))
  filter_type: GeneralPattern
  required_substrings:
    - .s3-website
    - .s3.amazonaws.com
  min_line_len: 14
  target:
    - code
    - doc

- name: Jfrog Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>(cmVmdGtuO[0-9A-Za-z_-]{55}|AKCp[0-9A-Za-z_-]{69}))(?![0-9A-Za-z_-])
  filter_type:
    - ValueJfrogTokenCheck
  required_substrings:
    - cmVmdGtuO
    - AKCp
  min_line_len: 64
  target:
    - code
    - doc

- name: Azure Access Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>eyJ[=0-9A-Za-z_-]{50,500}\.eyJ[=0-9A-Za-z_-]{8,8000}\.[=0-9A-Za-z_-]{18,800})
  filter_type:
    - ValueAzureTokenCheck
  required_substrings:
    - eyJ
  min_line_len: 148
  target:
    - code
    - doc

- name: Azure Secret Value
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>[0-9A-Za-z_~.-]{3}8Q~[0-9A-Za-z_~.-]{34})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  min_line_len: 40
  required_substrings:
    - 8Q~
  target:
    - code
    - doc

- name: Azure Storage Account Key
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>[0-9A-Za-z]{52}JQQJ9[9DH][0-9A-Za-z]{26}([0-9A-Za-z=]{4})?)(?![0-9A-Za-z_/+-])
  min_line_len: 80
  filter_type:
    - ValuePatternCheck(17)
  required_substrings:
    - JQQJ99
    - JQQJ9D
    - JQQJ9H
  target:
    - code
    - doc

- name: Bitbucket App Password
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>ATBB[0-9A-Za-z]{24}[A-F0-9]{8})(?![0-9A-Za-z_])
  filter_type:
    - ValueAtlassianTokenCheck
  min_line_len: 28
  required_substrings:
    - ATBB
  target:
    - code
    - doc

- name: Bitbucket Repository Access Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>ATCTT3xFfGN0[0-9A-Za-z_-]{80,800}(\\?=|%3[dD])[A-F0-9]{8})
  filter_type:
    - ValueAtlassianTokenCheck
  min_line_len: 160
  required_substrings:
    - ATCTT3xFfGN0
  target:
    - code
    - doc

- name: Bitbucket HTTP Access Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>BBDC-[MNO][ADQTgjwz][AEIMQUYcgk][012345wxyz][0-9A-Za-z_-]{40})
  filter_type:
    - ValueAtlassianTokenCheck
  min_line_len: 49
  required_substrings:
    - BBDC-
  target:
    - code
    - doc

- name: Jira / Confluence PAT token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<!BBDC-)(?P<value>[MNO][ADQTgjwz][AEIMQUYcgk][012345wxyz][0-9A-Za-z_-]{40})(?![0-9A-Za-z_-])
  filter_type:
    - ValueAtlassianTokenCheck
  min_line_len: 44
  required_substrings:
    - M
    - N
    - O
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: Atlassian PAT token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>ATATT3xFfGF0[0-9A-Za-z_-]{80,800}(\\?=|%3[dD])[A-F0-9]{8})
  filter_type:
    - ValueAtlassianTokenCheck
  min_line_len: 160
  required_substrings:
    - ATATT3xFfGF0
  target:
    - code
    - doc

- name: Digital Ocean Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>do[opr]_v1_[a-f0-9]{64})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  min_line_len: 71
  required_substrings:
    - doo_v1_
    - dop_v1_
    - dor_v1_
  target:
    - code
    - doc

- name: Dropbox OAuth2 API Access Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>sl\.(u\.)?[0-9A-Za-z_-]{135})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  min_line_len: 138
  required_substrings:
    - sl.
  target:
    - code
    - doc

- name: NuGet API key
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>oy2[a-z0-9]{43})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  min_line_len: 46
  required_substrings:
    - oy2
  target:
    - code
    - doc

- name: Gitlab Prefix Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>(_gitlab_session=|GR1348941|gl(agent|soat|ffct|p[at]t|oas|cbt|imt|[dfr]t)-)[0-9A-Za-z_-]{20,64}(\.[0-9A-Za-z_-]{2,16}){0,2})(?![0-9A-Za-z_-])
  filter_type:
    - ValuePatternCheck
  min_line_len: 25
  required_substrings:
    - _gitlab_session=
    - GR1348941
    - glagent-
    - glsoat-
    - glffct-
    - glpat-
    - gloas-
    - glptt-
    - glcbt-
    - glimt-
    - gldt-
    - glft-
    - glrt-
  target:
    - code
    - doc

- name: Grafana Provisioned API Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>eyJ[=0-9A-Za-z_-]{64,360})(?![=0-9A-Za-z_-])
  filter_type:
    - ValueGrafanaCheck
  min_line_len: 67
  required_substrings:
    - eyJ
  target:
    - code
    - doc

- name: Grafana Access Policy Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>glc_eyJ[0-9A-Za-z_-]{80,360})(?![0-9A-Za-z_-])
  filter_type:
    - ValueGrafanaCheck
  min_line_len: 87
  required_substrings:
    - glc_eyJ
  target:
    - code
    - doc

- name: Grafana Service Account Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>glsa_[0-9A-Za-z_-]{32}_[0-9A-Fa-f]{8})
  min_line_len: 46
  filter_type:
    - ValueGrafanaServiceCheck
  required_substrings:
    - glsa_
  target:
    - code
    - doc

- name: Dropbox API secret (long term)
  severity: high
  confidence: weak
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?=[0-9A-Za-z]{64})(?P<value>[0-9A-Za-z]{10,12}[B-Za-z0-9]A{10,12}[B-Za-z0-9][0-9A-Za-z]{40,44})(?![=0-9A-Za-z_/+-])
  filter_type: [ ]
  min_line_len: 43
  required_substrings:
    - AAAAAAAAAA
  target:
    - code
    - doc

- name: Dropbox App secret
  severity: info
  confidence: weak
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>[a-z0-9]{15})(?![=0-9A-Za-z_/+-])
  filter_type: WeirdBase36Token
  min_line_len: 15
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: Hashicorp Vault Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>hv[brs]\.[0-9A-Za-z_-]{80,160})
  filter_type:
    - ValuePatternCheck
    - ValueEntropyBase64Check
  min_line_len: 90
  required_substrings:
    - hvb.
    - hvr.
    - hvs.
  target:
    - code
    - doc

- name: Hashicorp Terraform Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>[0-9A-Za-z_-]{14}\.atlasv1\.[0-9A-Za-z_-]{67})(?![0-9A-Za-z_-])
  filter_type:
    - ValuePatternCheck
    - ValueMorphemesCheck
  min_line_len: 90
  required_substrings:
    - .atlasv1.
  target:
    - code
    - doc

- name: NKEY Seed
  severity: high
  confidence: weak
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>S[ACNOPUX][A-Z2-7]{40,200})(?![=0-9A-Za-z_+-])
  min_line_len: 42
  filter_type:
    - ValueMorphemesCheck
    - ValuePatternCheck
    - ValueEntropyBase32Check
    - ValueBase32DataCheck
    - ValueTokenBase32Check
  required_substrings:
    - SA
    - SC
    - SN
    - SO
    - SP
    - SU
    - SX
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: OTP / 2FA Secret
  severity: info
  confidence: weak
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>([A-Z2-7]{16}){1,2})(?![=0-9A-Za-z_+-])
  filter_type:
    - ValueMorphemesCheck
    - ValuePatternCheck
    - ValueEntropyBase32Check
    - ValueBase32DataCheck
    - ValueTokenBase32Check
    - ValueBase64PartCheck
  min_line_len: 16
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: OpenAI Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>sk-[0-9A-Za-z_-]{16,160}(T3BlbkFJ|9wZW5BS|PcGVuQU)[0-9A-Za-z_-]{16,160})
  min_line_len: 51
  filter_type:
    - ValuePatternCheck
    - ValueMorphemesCheck
  required_substrings:
    - T3BlbkFJ
    - 9wZW5BS
    - PcGVuQU
  target:
    - code
    - doc

- name: Docker Access Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>dckr_[op]at_[0-9A-Za-z_-]{27,32})
  min_line_len: 36
  filter_type:
    - ValuePatternCheck
    - ValueMorphemesCheck
  required_substrings:
    - dckr_pat_
    - dckr_oat_
  target:
    - code
    - doc

- name: Docker Swarm Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>SWMTKN-1-[0-9a-z]{50}-[0-9a-z]{25})
  min_line_len: 85
  filter_type:
    - ValuePatternCheck
    - ValueMorphemesCheck
  required_substrings:
    - SWMTKN-1-
  target:
    - code
    - doc

- name: Docker Swarm Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>SWMKEY-1-[0-9A-Za-z]{43})
  min_line_len: 52
  filter_type:
    - ValuePatternCheck
    - ValueMorphemesCheck
  required_substrings:
    - SWMKEY-1-
  target:
    - code
    - doc

- name: Groq API Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>gsk_[0-9A-Za-z_-]{8,40}(WGdyb3FY|hncm9xW|YZ3JvcV)[0-9A-Za-z_-]{8,40})(?![0-9A-Za-z_-])
  min_line_len: 56
  filter_type:
    - ValuePatternCheck
  required_substrings:
    - WGdyb3FY
    - hncm9xW
    - YZ3JvcV
  target:
    - code
    - doc

- name: X AI API Key
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>xai-[0-9A-Za-z_-]{80})(?![0-9A-Za-z_-])
  min_line_len: 84
  filter_type:
    - ValuePatternCheck
    - ValueEntropyBase64Check
  required_substrings:
    - xai-
  target:
    - code
    - doc

- name: Notion Integration Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>ntn_[0-9]{9}[0-9A-Za-z_-]{36,255})
  filter_type:
    - ValuePatternCheck
    - ValueEntropyBase64Check
  required_substrings:
    - ntn_
  min_line_len: 50
  target:
    - code
    - doc

- name: Hugging Face User Access Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>hf_[0-9A-Za-z_-]{34})(?![0-9A-Za-z_-])
  min_line_len: 37
  filter_type:
    - ValuePatternCheck
    - ValueEntropyBase64Check
  required_substrings:
    - hf_
  target:
    - code
    - doc

- name: Anthropic API Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>sk-ant-api03-[0-9A-Za-z_-]{64,128})(?![0-9A-Za-z_-])
  min_line_len: 77
  filter_type:
    - ValuePatternCheck
  required_substrings:
    - sk-ant-api03-
  target:
    - code
    - doc

- name: Perplexity API Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>pplx-[0-9A-Za-z_-]{40,64})(?![0-9A-Za-z_-])
  min_line_len: 45
  filter_type:
    - ValuePatternCheck
  required_substrings:
    - pplx-
  target:
    - code
    - doc

- name: Tavily API Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>tvly-[0-9A-Za-z_-]{32,40})(?![0-9A-Za-z_-])
  min_line_len: 37
  filter_type:
    - ValuePatternCheck
  required_substrings:
    - tvly-
  target:
    - code
    - doc

- name: Sentry Organization Auth Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>sntrys_eyJ[0-9A-Za-z_-]{80,8000}=*([0-9A-Za-z_-]{32,256})?)(?![0-9A-Za-z_-])
  min_line_len: 37
  filter_type:
    - ValuePatternCheck
  required_substrings:
    - sntrys_eyJ
  target:
    - code
    - doc

- name: Sentry User Auth Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>sntryu_[0-9a-f]{64})(?![0-9A-Za-z_-])
  min_line_len: 37
  filter_type:
    - ValuePatternCheck
  required_substrings:
    - sntryu_
  target:
    - code
    - doc

- name: Discord Bot Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>[MNO][ADQTgjwz][AEIMQUYcgk][012345wxyz][0-9A-Za-z_-]{20,24}\.[0-9A-Za-z_-]{6}\.[0-9A-Za-z_-]{30,40})(?![0-9A-Za-z_-])
  min_line_len: 62
  filter_type:
    - ValueDiscordBotCheck
  required_substrings:
    - M
    - N
    - O
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: Discord Webhook
  severity: medium
  confidence: strong
  type: pattern
  values:
    - (?P<variable>discord(?:app)?\.com/api/webhooks)(?P<value>/[0-9]{16,22}/[0-9A-Za-z_-]{40,100})
  filter_type:
    - ValueMorphemesCheck
  required_substrings:
    - discordapp.com/api/webhooks
    - discord.com/api/webhooks
  min_line_len: 61
  target:
    - code
    - doc

- name: Tencent WeChat API App ID
  severity: medium
  confidence: weak
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>wx[0-9a-f]{16})(?![0-9A-Za-z_-])
  min_line_len: 18
  filter_type: TokenPattern
  required_substrings:
    - wx
  target:
    - code
    - doc

- name: Salesforce Credentials
  severity: medium
  confidence: weak
  type: pattern
  values:
    - (?:^|/|[^\\0-9A-Za-z+_-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>(3MVG[0-9A-Za-z_.]{24,200}|00D[0-9A-Za-z]{9,15}(![0-9A-Za-z_.]{24,200})?))(?![0-9A-Za-z_.])
  min_line_len: 12
  filter_type:
    - ValuePatternCheck(9)
    - ValueNumberCheck
    - ValueBase64PartCheck
  required_substrings:
    - 00D
    - 3MVG
  target:
    - code
    - doc

- name: Postman Credentials
  severity: medium
  confidence: moderate
  type: pattern
  values:
    - (?P<value>(PMAK-[0-9a-f]{24}-[0-9a-f]{34}|PMAT-[0-9A-Z]{26}))
  min_line_len: 29
  filter_type:
    - ValuePatternCheck
  required_substrings:
    - PMAK-
    - PMAT-
  target:
    - code
    - doc

- name: NTLM Token
  severity: medium
  confidence: strong
  type: pattern
  values:
    - (?P<value>TlRMTVNTUAADAAAA[=0-9A-Za-z_/+-]{8,8000})(?![0-9A-Za-z_/+-])
  filter_type:
    - ValueMorphemesCheck(2)
    - ValuePatternCheck
  min_line_len: 160
  required_substrings:
    - TlRMTVNTUAADAAAA
  target:
    - doc
    - code

- name: Basic Authorization
  severity: medium
  confidence: strong
  type: pattern
  values:
    - (?P<variable>(?i:basic))(?P<separator>\s+)(?P<value>[=0-9A-Za-z_/+-]{8,8000})(?![0-9A-Za-z_/+-])
  min_line_len: 18
  filter_type:
    - ValueBasicAuthCheck
  required_substrings:
    - basic
  target:
    - code
    - doc

- name: Bearer Authorization
  severity: medium
  confidence: moderate
  type: pattern
  values:
    - (?P<variable>(?i:bearer|ntlm))(?P<separator>\s+)(?P<value>[.0-9A-Za-z_/+-]{32,8000}=*)(?![0-9A-Za-z_/+-])
  min_line_len: 37
  filter_type: GeneralKeyword
  required_substrings:
    - bearer
    - ntlm
  target:
    - code
    - doc

- name: SQL Password
  severity: medium
  confidence: weak
  type: pattern
  values:
    - (\\[nrt]|\b)(?i:(?P<variable>(CREATE|ALTER|SET\s{1,8}PASSWORD|INSERT(\s{1,8}IGNORE)?|UPDATE\s{1,8}[^\s;]{1,80})\s{1,8}(LOGIN|USER|ROLE|FOR|INTO|SET)\s{1,8}([^\s;]{1,80}\s{1,8}|VALUES\s*\(){1,8}(IDENTIFIED((\s{1,8}WITH\s{1,8}\S{1,80})?\s{1,8}(BY|AS))|(=|WITH)?\s*PASSWORD\b(\s*=)?)))\s*(?P<wrap>[(]\s*)?(?P<value_leftquote>((?P<esq>\\{1,8})?([\"'`]|&(quot|apos|#3[49]);)){1,4})?(?P<value>(?(value_leftquote)((?!(?P=value_leftquote))(?(esq)((?!(?P=esq)([\"'`]|&(quot|apos|#3[49]);)).)|((?!(?P=value_leftquote)).)))|(?!&(quot|apos|#3[49]);)(\\+([ tnr]|[^\s\"'`])|[^\s\"'`,;\\])){3,80})(?(value_leftquote)(?P<value_rightquote>(?<!\\)(?P=value_leftquote))|(?(wrap)[)]|[\s\"'`,;]))
  filter_type:
    - ValueAllowlistCheck
    - ValuePatternCheck
  use_ml: true
  min_line_len: 8
  required_substrings:
    - password
    - identified
  target:
    - doc
    - code

- name: CURL User Password
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?P<variable>curl)\s.*(-[uU]|--(proxy-)?user)\s\s*(?P<value_leftquote>(\\*[\"']){1,3})?(?(value_leftquote)[^\"'\\:]|[^\s\"'\\:]){0,64}:(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,64})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
  filter_type: GeneralKeyword
  use_ml: true
  required_substrings:
    - curl
  min_line_len: 16
  target:
    - code

- name: CMD ConvertTo-SecureString
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?P<variable>ConvertTo-SecureString(\s\s*-(String|AsPlainText|Force))*)\s\s*(?P<value_leftquote>(\\?[\"']){1,3})?(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,800})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
  filter_type: GeneralKeyword
  use_ml: true
  required_substrings:
    - convertto-securestring
  min_line_len: 27
  target:
    - code

- name: CMD Password
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (^|\W|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<variable>-[A-Za-z_-]*(?i:pass(in|out|word|phrase)))(\s|\\?[\"'],)\s*(?!-)(?P<value_leftquote>(\\?[\"']){1,3})?(pass:)?(?!file:|env:|fd:)(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,80})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
  filter_type: GeneralKeyword
  use_ml: true
  required_substrings:
    - pass
  min_line_len: 12
  target:
    - code

- name: CMD Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (^|\W|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<variable>-[A-Za-z_-]*(?i:token|oauth2-bearer))(\s|\\?[\"'],)\s*(?!-)(?P<value_leftquote>(\\?[\"']){1,3})?(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,4000})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
  filter_type: GeneralKeyword
  use_ml: true
  required_substrings:
    - token
    - oauth2-bearer
  min_line_len: 12
  target:
    - code

- name: CMD Secret
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (^|\W|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<variable>-[A-Za-z_-]*(?i:secret)[A-Za-z_-]*)(\s|\\?[\"'],)\s*(?!-)(?P<value_leftquote>(\\?[\"']){1,3})?(pass:)?(?!file:|env:|fd:)(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,4000})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
  filter_type: GeneralKeyword
  use_ml: true
  required_substrings:
    - secret
  min_line_len: 12
  target:
    - code

- name: URL Credentials
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?P<value_leftquote>[\"'])?(?P<variable>[+0-9A-Za-z-]{2,80}://)([^\s\'"<>\[\]^~`{|}:/]{0,80}:){1,3}(?P<value>[^\s\'"<>\[\]^~`{|}@:/]{3,80})@[^\s\'"<>\[\]^~`{|}@:/]{1,800}\\{0,8}(?P<value_rightquote>[\"'])?
  filter_type: UrlCredentialsGroup
  use_ml: true
  required_substrings:
    - ://
  min_line_len: 10
  target:
    - code

- name: API
  severity: low
  confidence: moderate
  type: keyword
  values:
    - api(?!tal)
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 11
  required_substrings:
    - api
  target:
    - code

- name: Auth
  severity: medium
  confidence: moderate
  type: keyword
  values:
    - auth(?!ors?(?!i[tz]))
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 12
  required_substrings:
    - auth
  target:
    - code

- name: Credential
  severity: medium
  confidence: moderate
  type: keyword
  values:
    - credential
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 18
  required_substrings:
    - credential
  target:
    - code

- name: Key
  severity: high
  confidence: moderate
  type: keyword
  values:
    - key(?!word|board|pad|name)
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 11
  required_substrings:
    - key
  target:
    - code

- name: Nonce
  severity: low
  confidence: moderate
  type: keyword
  values:
    - (?<!\\)nonce
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 13
  required_substrings:
    - nonce
  target:
    - code

- name: Password
  severity: high
  confidence: moderate
  type: keyword
  values:
    - (?<!by)pass(?!e[dns]|ing|ion|age|\s+[a-z]{3,80})|pw(d|\b)
  filter_type: PasswordKeyword
  use_ml: true
  min_line_len: 10
  required_substrings:
    - pass
    - pw
  target:
    - code

- name: Salt
  severity: low
  confidence: moderate
  type: keyword
  values:
    - salt
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 12
  required_substrings:
    - salt
  target:
    - code

- name: Secret
  severity: medium
  confidence: moderate
  type: keyword
  values:
    - secret
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 14
  required_substrings:
    - secret
  target:
    - code

- name: Token
  severity: high
  confidence: moderate
  type: keyword
  values:
    - token(?!ize)
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 13
  required_substrings:
    - token
  target:
    - code