Rules Configuration

- name: SECRET_PAIR
  severity: medium
  confidence: moderate
  type: pattern
  values:
    - (?P<variable>[`'\"]?(?i:token|secret|key|키|암호|암호화|토큰)[`'\"]?)((\s)*[=:](\s)*)(?P<quote>[`'\"(])?(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){8,80}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))(?(quote)[)`'\"])
  filter_type:
    - ValueAllowlistCheck
    - ValuePatternCheck
    - ValueEntropyBase64Check
    - ValueCoupleKeywordCheck
  min_line_len: 16
  required_substrings:
    - token
    - secret
    - key
    - 키
    - 암호
    - 암호화
    - 토큰
  target:
    - doc

- name: PASSWD_PAIR
  severity: medium
  confidence: moderate
  type: pattern
  values:
    - (?P<variable>[`'\"]?(?i:(?<!id[ :/])pa[as]swo?r?ds?|pwd?|p/w|비밀번호|비번|패스워드|암호)[`'\"]?)((\s)*[=:](\s)*)(?P<quote>[`'\"(])?(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){8,31}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))(?(quote)[)`'\"])
  filter_type:
    - ValueAllowlistCheck
    - ValuePatternCheck
    - ValueDictionaryKeywordCheck
    - LineGitBinaryCheck
    - LineUUEPartCheck
    - ValueFilePathCheck
    - ValueHexNumberCheck
  min_line_len: 10
  required_substrings:
    - pass
    - sword
    - pw
    - p/w
    - paasw
    - 비밀번호
    - 비번
    - 패스워드
    - 암호
  target:
    - doc

- name: IP_ID_PASSWORD_TRIPLE
  severity: medium
  confidence: moderate
  type: pattern
  values:
    - (^|\s|(?P<variable>(?i:\bip[\s/]{1,80}id[\s/]{1,80}pw[\s/:]{0,80}))|(?P<url>://))(?P<ip>[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2})((\s*\()?|(?(variable)[\s,/]{1,80}|(?(url)[,]|[,/])))\s*\w[\w.-]{3,80}[\s,/]{1,80}(?P<value>(?(url)(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9_+=~!@#$%^&*;?-])){7,31}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x)|(?-i:(?P<e>[A-Z])|(?P<f>[a-z])|(?P<g>[0-9/_+=~!@#$%^&*;?-])){7,31}(?(e)(?(f)(?(g)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x)))(?:\s|[^/]|$)
  filter_type:
    - ValueAllowlistCheck
    - ValuePatternCheck
    - ValueDictionaryKeywordCheck
  min_line_len: 10
  required_substrings:
    - "."
  target:
    - doc

- name: ID_PAIR_PASSWD_PAIR
  severity: medium
  confidence: moderate
  type: pattern
  values:
    - (?P<ddash>--)?(?P<variable>\w*(?i:pa[as]swords?|passwd?|pwd|\bp/w|\bpw|비밀번호|비번|패스워드|암호))\s*?(?(ddash)[ =]|[:=/>-]{1,2})\s*(?P<quote>[`'\"]{1,8})?(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){4,31}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))(?(quote)(?P=quote)|(\s|$))
    - (?P<ddash>--)?(?P<variable>(?i:user\s*)?(?i:id|login|account|root|admin|user|name|wifi|role|host|default|계정|아이디))\s*?(?(ddash)[ =]|[ :=])\s*?(?P<value>\S+)
  filter_type:
    - ValueAllowlistCheck
    - ValuePatternCheck
  min_line_len: 10
  required_substrings:
    - pass
    - sword
    - p/w
    - pw
    - 비밀번호
    - 비번
    - 패스워드
    - 암호
  target:
    - doc

- name: ID_PASSWD_PAIR
  severity: medium
  confidence: moderate
  type: pattern
  values:
    - (?P<variable>[\w.-]{0,80}(?i:(?P<id>\bid\b)|id\b|user|name|계정|아이디)[\w.-]{0,80}(?(id)[ :(/]{1,80}|[:(/]{1,80})(?i:pa[as]swo?r?ds?|pwd?|비밀번호|비번|패스워드|암호))\)?(\s*->\s*|[ =:)(/]{1,80}|\s+is\s+|\s+are\s+|\s*는\s*|\s*은\s*|\s*설정은\s*)\(?(?P<id_value>[\w.-]{2,31})[ :\(/\"',]{1,80}(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){4,31}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))
  filter_type:
    - ValueAllowlistCheck
    - ValuePatternCheck
    - ValueDictionaryKeywordCheck
  min_line_len: 10
  required_substrings:
    - pw
    - pass
    - sword
    - 비밀번호
    - 비번
    - 패스워드
    - 암호
  target:
    - doc

- name: API
  severity: medium
  confidence: moderate
  type: keyword
  values:
    - api(?!tal)
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 11
  required_substrings:
    - api
  target:
    - code

- name: UUID
  severity: info
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})(?![0-9A-Za-z_-])
  min_line_len: 36
  required_substrings:
    - "-"
  required_regex: "[0-9A-Za-z_/+-]{15}"
  filter_type:
    - ValuePatternCheck
  use_ml: false
  target:
    - code
    - doc

- name: AWS Client ID
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>(ABIA|ACCA|AGPA|AIDA|AIPA|AKIA|ANPA|ANVA|AROA|APKA|ASCA|ASIA)[0-9A-Z]{16,17})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - A
  min_line_len: 20
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: AWS Multi
  severity: high
  confidence: moderate
  type: multi
  values:
    - (?<![0-9A-Za-z_-])(?P<value>(ABIA|ACCA|AGPA|AIDA|AIPA|AKIA|ANPA|ANVA|AROA|APKA|ASCA|ASIA)[0-9A-Z]{16,17})(?![0-9A-Za-z_-])
    - (?<![0-9A-Za-z_/+-])(?P<value>[0-9A-Za-z/+]{35,80})(?![0-9A-Za-z_/+-])
  filter_type:
    - LineSpecificKeyCheck
    - ValuePatternCheck
    - ValueCoupleKeywordCheck(3)
  required_substrings:
    - A
  min_line_len: 20
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: AWS MWS Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>amzn\.mws\.[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - amzn
  min_line_len: 30
  target:
    - code
    - doc

- name: Credential
  severity: medium
  confidence: moderate
  type: keyword
  values:
    - credential
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 18
  required_substrings:
    - credential
  target:
    - code

- name: Dynatrace API Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>dt0[A-Za-z]{1}[0-9]{2}\.[0-9A-Z]{24}\.[0-9A-Z]{64})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - dt0
  min_line_len: 90
  target:
    - code
    - doc

- name: Facebook Access Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>EAA[0-9A-Za-z]{80,800})
  filter_type:
    - ValuePatternCheck
    - ValueBase64PartCheck
  required_substrings:
    - EAA
  min_line_len: 80
  target:
    - code
    - doc

- name: Facebook App Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>[0-9]{12,18}\|[0-9A-Za-z_-]{24,28})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - "|"
  required_regex: "[0-9A-Za-z_/+-]{15}"
  min_line_len: 33
  target:
    - code
    - doc

- name: Github Old Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?i)((git)[0-9A-Za-z_-]{0,80}(token|key|api)[0-9A-Za-z_-]{0,80}(\s)*(=|:|:=)(\s)*(["']?)(?P<value>[0-9a-z]{40})(["']?))
  filter_type: GeneralPattern
  use_ml: true
  validations:
    - GithubTokenValidation
  required_substrings:
    - git
  min_line_len: 47
  target:
    - code
    - doc

- name: Google API Key
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>AIza[0-9A-Za-z_-]{35})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  validations:
    - GoogleApiKeyValidation
  required_substrings:
    - AIza
  min_line_len: 39
  target:
    - code
    - doc

- name: Google Multi
  severity: high
  confidence: moderate
  type: multi
  values:
    - (?P<value>[0-9]{3,80}-[0-9a-z_]{32}\.apps\.googleusercontent\.com)
    - \b(?P<value>GOCSPX-[0-9A-Za-z_-]{28}|((?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9_-])){24,80}(?(a)(?(b)(?(c)\b|(?!x)x)|(?!x)x)|(?!x)x))
  filter_type: GeneralPattern
  validations:
    - GoogleMultiValidation
  required_substrings:
    - .apps.googleusercontent.com
  min_line_len: 40
  target:
    - code
    - doc

- name: Google OAuth Secret
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>GOCSPX-[0-9A-Za-z_-]{28})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - GOCSPX-
  min_line_len: 40
  target:
    - code
    - doc

- name: Google OAuth Access Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>ya29\.[0-9A-Za-z_-]{22,8000})
  filter_type: GeneralPattern
  required_substrings:
    - ya29.
  min_line_len: 27
  target:
    - code
    - doc

- name: Heroku API Key
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?i)(?P<value>heroku(.{0,20})?[0-9a-f]{8}(-[0-9a-f]{4})+-[0-9a-f]{12})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - heroku
  min_line_len: 24
  target:
    - code
    - doc

- name: Instagram Access Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>IGQVJ[0-9A-Za-z_=-]{100,8000})
  filter_type: GeneralPattern
  required_substrings:
    - IGQVJ
  min_line_len: 105
  target:
    - code
    - doc

- name: JSON Web Token
  severity: medium
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>eyJ[0-9A-Za-z_+/=-]{15,8000}(\.[0-9A-Za-z_+/=-]{0,8000}){2,16})
  filter_type:
    - ValueJsonWebTokenCheck
  required_substrings:
    - eyJ
  min_line_len: 18
  target:
    - code
    - doc

- name: MailChimp API Key
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>[0-9A-Za-z_-]{32}-us[0-9]{1,2})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  validations:
    - MailChimpKeyValidation
  required_substrings:
    - -us
  min_line_len: 35
  target:
    - code
    - doc

- name: MailGun API Key
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>key-[0-9A-Za-z_-]{32})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - key-
  min_line_len: 36
  target:
    - code
    - doc

- name: Password
  severity: medium
  confidence: moderate
  type: keyword
  values:
    - (?<!by)pass(?!ed|ing|es|\s+[a-z]{3,80})|pw(d|\b)
  filter_type: PasswordKeyword
  use_ml: true
  min_line_len: 10
  required_substrings:
    - pass
    - pw
  target:
    - code

- name: PayPal Braintree Access Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>access_token\$production\$[0-9a-z]{16}\$[0-9a-z]{32})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - access_token$production$
  min_line_len: 72
  target:
    - code
    - doc

- name: PEM Private Key
  severity: high
  confidence: strong
  type: pem_key
  values:
    - (?P<value>-----BEGIN\s(?!ENCRYPTED)[^-]{0,80}PRIVATE[^-]{0,80}KEY[^-]{0,40}-----(.+-----END[^-]{1,80}KEY[^-]{0,40}-----)?)
  min_line_len: 27
  target:
    - code
    - doc

- name: BASE64 encoded PEM Private Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>[0-9A-Za-z_/+-]{0,8000}LS0t(LS1CRUdJTiB|LUJFR0lOI|QkVHSU4g)[0-9A-Za-z_/+-]{0,11}(UFJJVkFURSBLRVkt|QUklWQVRFIEtFWS0t|FBSSVZBVEUgS0VZ)[0-9A-Za-z_/+-]{1,8000}LS0t[0-9A-Za-z_/+-]{1,8000})
  filter_type:
    - ValueBase64EncodedPem
  min_line_len: 300
  required_substrings:
    - UFJJVkFURSBLRVkt
    - QUklWQVRFIEtFWS0t
    - FBSSVZBVEUgS0VZ
  target:
    - code
    - doc

- name: BASE64 Private Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>\bMII[A-Za-f][0-9A-Za-z/+]{8}(?s:[^!#$&()*\-.:;<=>?@\[\]^_{|}~]{8,8000}))
  filter_type:
    - ValueBase64KeyCheck
  min_line_len: 160
  required_substrings:
    - MII
  target:
    - code
    - doc

- name: Picatic API Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>sk_live_[0-9a-z]{32})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - sk_live_
  min_line_len: 40
  target:
    - code
    - doc

- name: Secret
  severity: medium
  confidence: moderate
  type: keyword
  values:
    - secret
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 14
  required_substrings:
    - secret
  target:
    - code

- name: SendGrid API Key
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?P<value>SG\.[0-9A-Za-z_-]{16,32}\.[0-9A-Za-z_-]{16,64})
  filter_type: GeneralPattern
  required_substrings:
    - SG.
  min_line_len: 34
  target:
    - code
    - doc

- name: Shopify Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>shp(at|ca|pa|ss)_[0-9A-Fa-f]{32})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  required_substrings:
    - shp
  min_line_len: 38
  target:
    - code
    - doc

- name: Slack Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>xox[aboprst]\-[0-9A-Za-z-]{10,250})
  filter_type: GeneralPattern
  validations:
    - SlackTokenValidation
  required_substrings:
    - xox
  min_line_len: 15
  target:
    - code
    - doc

- name: Slack Webhook
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>hooks\.slack\.com/services/T[0-9A-Z]{8,16}/B[0-9A-Z]{8,16}/\w{24})
  filter_type: GeneralPattern
  required_substrings:
    - hooks.slack.com/services/T
  min_line_len: 61
  target:
    - code
    - doc

- name: Stripe Standard API Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>sk_live_[0-9A-Za-z_-]{24})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  validations:
    - StripeApiKeyValidation
  required_substrings:
    - sk_live_
  min_line_len: 32
  target:
    - code
    - doc

- name: Stripe Restricted API Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>rk_live_[0-9A-Za-z_-]{24})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - rk_live_
  min_line_len: 32
  target:
    - code
    - doc

- name: Square Access Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>EAAA[0-9A-Za-z_-]{60})(?![0-9A-Za-z_-])
  filter_type:
    - ValuePatternCheck
    - ValueBase64PartCheck
  validations:
    - SquareAccessTokenValidation
  required_substrings:
    - EAAA
  min_line_len: 64
  target:
    - code
    - doc

- name: Square Client ID
  severity: medium
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>sq0[a-z]{3}-[0-9A-Za-z_-]{22})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  validations:
    - SquareClientIdValidation
  required_substrings:
    - sq0
  min_line_len: 29
  target:
    - code
    - doc

- name: Square OAuth Secret
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>sq0csp-[0-9A-Za-z_-]{43})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - sq0csp
  min_line_len: 50
  target:
    - code
    - doc

- name: Token
  severity: medium
  confidence: moderate
  type: keyword
  values:
    - token(?!ize)
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 13
  required_substrings:
    - token
  target:
    - code

- name: Twilio Credentials
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>(AC|AD|AL|CA|CF|CL|CN|CR|FW|IP|KS|MM|NO|PK|PN|QU|RE|SC|SD|SK|SM|TR|UT|XE|XR)[0-9A-Fa-f]{32})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  required_substrings:
    - AC
    - AD
    - AL
    - CA
    - CF
    - CL
    - CN
    - CR
    - FW
    - IP
    - KS
    - MM
    - "NO"
    - PK
    - PN
    - QU
    - RE
    - SC
    - SD
    - SK
    - SM
    - TR
    - UT
    - XE
    - XR
  min_line_len: 34
  target:
    - code
    - doc

- name: CMD ConvertTo-SecureString
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (^|\W|\\[tnr])(?P<variable>ConvertTo-SecureString(\s\s*-(String|AsPlainText|Force))*)\s\s*(?P<value_leftquote>(\\?[\"']){1,3})?(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,800})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
  filter_type: GeneralKeyword
  use_ml: true
  required_substrings:
    - convertto-securestring
  min_line_len: 27
  target:
    - code

- name: CMD Password
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (^|\W|\\[tnr])(?P<variable>-[A-Za-z_-]*(?i:pass(in|out|word|phrase)))\s\s*(?!-)(?P<value_leftquote>(\\?[\"']){1,3})?(pass:)?(?!file:|env:|fd:)(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,80})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
  filter_type: GeneralKeyword
  use_ml: true
  required_substrings:
    - pass
  min_line_len: 12
  target:
    - code

- name: CMD Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (^|\W|\\[tnr])(?P<variable>-[A-Za-z_-]*(?i:token))\s\s*(?!-)(?P<value_leftquote>(\\?[\"']){1,3})?(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,4000})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
  filter_type: GeneralKeyword
  use_ml: true
  required_substrings:
    - token
  min_line_len: 12
  target:
    - code

- name: CMD Secret
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (^|\W|\\[tnr])(?P<variable>-[A-Za-z_-]*(?i:secret)[A-Za-z_-]*)\s\s*(?!-)(?P<value_leftquote>(\\?[\"']){1,3})?(pass:)?(?!file:|env:|fd:)(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,4000})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
  filter_type: GeneralKeyword
  use_ml: true
  required_substrings:
    - secret
  min_line_len: 12
  target:
    - code

- name: URL Credentials
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?P<value_leftquote>[\"'])?(?P<variable>[+0-9A-Za-z-]{2,80}://)([^\s\'"<>\[\]^~`{|}:/]{0,80}:){1,3}(?P<value>[^\s\'"<>\[\]^~`{|}@:/]{3,80})@[^\s\'"<>\[\]^~`{|}@:/]{1,800}\\{0,8}(?P<value_rightquote>[\"'])?
  filter_type: UrlCredentialsGroup
  use_ml: true
  required_substrings:
    - ://
  min_line_len: 10
  target:
    - code

- name: Auth
  severity: medium
  confidence: moderate
  type: keyword
  values:
    - auth(?!ors?(?!i[tz]))
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 12
  required_substrings:
    - auth
  target:
    - code

- name: Key
  severity: medium
  confidence: moderate
  type: keyword
  values:
    - key(?!word|board|pad|name)
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 11
  required_substrings:
    - key
  target:
    - code

- name: Telegram Bot API Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?P<value>[0-9]{8,10}:[0-9A-Za-z_-]{35})(?![0-9A-Za-z_-])
  filter_type: GeneralPattern
  required_substrings:
    - :AA
  min_line_len: 45
  target:
    - code
    - doc

- name: PyPi API Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?P<value>pypi-[0-9A-Za-z_-]{150,8000})
  filter_type: GeneralPattern
  required_substrings:
    - pypi-
  min_line_len: 155
  target:
    - code
    - doc

- name: Github Classic Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>gh[pousr]_[0-9A-Za-z_-]{36,255})
  filter_type:
    - ValueGitHubCheck
  validations:
    - GithubTokenValidation
  required_substrings:
    - ghp_
    - gho_
    - ghu_
    - ghs_
    - ghr_
  min_line_len: 40
  target:
    - code
    - doc

- name: Github Fine-granted Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>github_pat_[0-9A-Za-z_]{80,255})
  filter_type: GeneralPattern
  validations:
    - GithubTokenValidation
  required_substrings:
    - github_pat_
  min_line_len: 90
  target:
    - code
    - doc

- name: Firebase Domain
  severity: info
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_])(?P<value>[a-z0-9.-]{1,80}\.firebaseio\.com|[a-z0-9.-]{1,80}\.firebaseapp\.com)
  filter_type: GeneralPattern
  required_substrings:
    - .firebase
  min_line_len: 16
  target:
    - code
    - doc

- name: AWS S3 Bucket
  severity: info
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_])(?P<value>[a-z0-9.-]{3,63}\.s3\.amazonaws\.com|[a-z0-9.-]{3,63}\.s3-website[.-](eu|ap|us|ca|sa|cn))
  filter_type: GeneralPattern
  required_substrings:
    - .s3-website
    - .s3.amazonaws.com
  min_line_len: 14
  target:
    - code
    - doc

- name: Nonce
  severity: medium
  confidence: moderate
  type: keyword
  values:
    - nonce
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 13
  required_substrings:
    - nonce
  target:
    - code

- name: Salt
  severity: medium
  confidence: moderate
  type: keyword
  values:
    - salt
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 12
  required_substrings:
    - salt
  target:
    - code

- name: Certificate
  severity: medium
  confidence: moderate
  type: keyword
  values:
    - cert
  filter_type: GeneralKeyword
  use_ml: true
  min_line_len: 12
  required_substrings:
    - cert
  target:
    - code

- name: Jfrog Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>(cmVmdGtuO[0-9A-Za-z_-]{55}|AKCp[0-9A-Za-z_-]{69}))(?![0-9A-Za-z_-])
  filter_type:
    - ValueJfrogTokenCheck
  required_substrings:
    - cmVmdGtuO
    - AKCp
  min_line_len: 64
  target:
    - code
    - doc

- name: Azure Access Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>eyJ[0-9A-Za-z_=-]{50,500}\.eyJ[0-9A-Za-z_=-]{8,8000}\.[0-9A-Za-z_=-]{18,800})
  filter_type:
    - ValueAzureTokenCheck
  required_substrings:
    - eyJ
  min_line_len: 148
  target:
    - code
    - doc

- name: Azure Secret Value
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>[0-9A-Za-z_~.-]{3}8Q~[0-9A-Za-z_~.-]{34})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  min_line_len: 40
  required_substrings:
    - 8Q~
  target:
    - code
    - doc

- name: Bitbucket App Password
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>ATBB[0-9A-Za-z]{24}[A-F0-9]{8})(?![0-9A-Za-z_-])
  filter_type:
    - ValueAtlassianTokenCheck
  min_line_len: 28
  required_substrings:
    - ATBB
  target:
    - code
    - doc

- name: Bitbucket Repository Access Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>ATCTT3xFfGN0[0-9A-Za-z_-]{80,800}(\\?=|%3[dD])[A-F0-9]{8})(?![0-9A-Za-z_-])
  filter_type:
    - ValueAtlassianTokenCheck
  min_line_len: 160
  required_substrings:
    - ATCTT3xFfGN0
  target:
    - code
    - doc

- name: Bitbucket HTTP Access Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>BBDC-[NMO][ADgjQTwz][0-9A-Za-z_-]{42})(?![0-9A-Za-z_-])
  filter_type:
    - ValueAtlassianTokenCheck
  min_line_len: 49
  required_substrings:
    - BBDC-
  target:
    - code
    - doc

- name: Bitbucket Client ID
  severity: info
  confidence: weak
  type: pattern
  values:
    - (?<![.0-9A-Za-z_/+-])(?P<value>[0-9A-Za-z]{18}([0-9A-Za-z]{14})?)(?![0-9A-Za-z.$_/+-])
  filter_type: WeirdBase64Token
  min_line_len: 18
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: Bitbucket Client Secret
  severity: info
  confidence: weak
  type: pattern
  values:
    - (?<![.0-9A-Za-z_/+-])(?P<value>([0-9A-Za-z_-]{32}){1,2})(?![0-9A-Za-z.$_/+-])
  filter_type: WeirdBase64Token
  min_line_len: 32
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: Jira / Confluence PAT token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>[NMO][ADgjQTwz][0-9A-Za-z_-]{42})(?![0-9A-Za-z_-])
  filter_type:
    - ValueAtlassianTokenCheck
    - ValueBase64PartCheck
  min_line_len: 44
  required_substrings:
    - M
    - N
    - O
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: Atlassian Old PAT token
  severity: info
  confidence: weak
  type: pattern
  values:
    - (?<![.0-9A-Za-z_/+-])(?P<value>[0-9A-Za-z]{24})(?![=0-9A-Za-z.$_/+-])
  filter_type: WeirdBase64Token
  min_line_len: 24
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: Atlassian PAT token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>ATATT3xFfGF0[0-9A-Za-z_-]{80,800}(\\?=|%3[dD])[A-F0-9]{8})(?![0-9A-Za-z_-])
  filter_type:
    - ValueAtlassianTokenCheck
  min_line_len: 160
  required_substrings:
    - ATATT3xFfGF0
  target:
    - code
    - doc

- name: Digital Ocean Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>do[op]_v1_[a-f0-9]{64})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  min_line_len: 71
  required_substrings:
    - doo_v1_
    - dop_v1_
  target:
    - code
    - doc

- name: Dropbox OAuth2 API Access Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>sl.[0-9A-Za-z_-]{135})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  min_line_len: 138
  required_substrings:
    - sl.
  target:
    - code
    - doc

- name: NuGet API key
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>oy2[a-z0-9]{43})(?![0-9A-Za-z_-])
  filter_type: TokenPattern
  min_line_len: 46
  required_substrings:
    - oy2
  target:
    - code
    - doc

- name: Gitlab Prefix Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>(_gitlab_session=|GR1348941|gl(agent|soat|ffct|p[at]t|oas|cbt|imt|[dfr]t)-)[0-9A-Za-z_-]{20,64})(?![0-9A-Za-z_-])
  filter_type:
    - ValuePatternCheck
  min_line_len: 25
  required_substrings:
    - _gitlab_session=
    - GR1348941
    - glagent-
    - glsoat-
    - glffct-
    - glpat-
    - gloas-
    - glptt-
    - glcbt-
    - glimt-
    - gldt-
    - glft-
    - glrt-
  target:
    - code
    - doc

- name: Grafana Provisioned API Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>eyJ[=0-9A-Za-z_-]{64,360})(?![0-9A-Za-z_-])
  filter_type:
    - ValueGrafanaCheck
  min_line_len: 67
  required_substrings:
    - eyJ
  target:
    - code
    - doc

- name: Grafana Access Policy Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>glc_eyJ[0-9A-Za-z_-]{80,360})(?![0-9A-Za-z_-])
  filter_type:
    - ValueGrafanaCheck
  min_line_len: 87
  required_substrings:
    - glc_eyJ
  target:
    - code
    - doc

- name: Grafana Service Account Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>glsa_[0-9A-Za-z_-]{32}_[0-9A-Fa-f]{8})(?![0-9A-Za-z_-])
  min_line_len: 46
  filter_type:
    - ValueGrafanaServiceCheck
  required_substrings:
    - glsa_
  target:
    - code
    - doc

- name: Dropbox API secret (long term)
  severity: high
  confidence: weak
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?=[0-9A-Za-z]{64})(?P<value>[0-9A-Za-z]{10,12}[B-Za-z0-9]A{10,12}[B-Za-z0-9][0-9A-Za-z]{40,44})(?![=0-9A-Za-z_-])
  filter_type: []
  min_line_len: 43
  required_substrings:
    - AAAAAAAAAA
  target:
    - code
    - doc

- name: Dropbox App secret
  severity: info
  confidence: weak
  type: pattern
  values:
    - (?<![.0-9A-Za-z_/+-])(?P<value>[a-z0-9]{15})(?![=0-9A-Za-z_/+-])
  filter_type: WeirdBase36Token
  min_line_len: 15
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: Gitlab Incoming Email Token
  severity: info
  confidence: weak
  type: pattern
  values:
    - (?<![.0-9A-Za-z_/+-])(?P<value>[a-z0-9]{24,25})(?![=0-9A-Za-z_/+-])
  filter_type: WeirdBase36Token
  min_line_len: 24
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: Gitlab Feed Token
  severity: info
  confidence: weak
  type: pattern
  values:
    - (?<![.0-9A-Za-z_/+-])(?P<value>[0-9A-Za-z_-]{20})(?![=0-9A-Za-z_/+-])
  filter_type: WeirdBase64Token
  min_line_len: 20
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: Hashicorp Vault Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![.0-9A-Za-z_-])(?P<value>hv[brs]\.[0-9A-Za-z_-]{80,160})
  filter_type:
    - ValuePatternCheck
    - ValueEntropyBase64Check
  min_line_len: 90
  required_substring:
    - hvb.
    - hvr.
    - hvs.
  target:
    - code
    - doc

- name: Hashicorp Terraform Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![.0-9A-Za-z_-])(?P<value>[0-9A-Za-z_-]{14}\.atlasv1\.[0-9A-Za-z_-]{67})(?![0-9A-Za-z_-])
  filter_type:
    - ValuePatternCheck
    - ValueEntropyBase64Check
  min_line_len: 90
  required_substring:
    - .atlasv1.
  target:
    - code
    - doc

- name: Jira 2FA
  severity: info
  confidence: weak
  type: pattern
  values:
    - (?<![.0-9A-Za-z_/+-])(?P<value>[A-Z2-7]{16})(?![=0-9A-Za-z_/+-])
  filter_type:
    - ValueCoupleKeywordCheck
    - ValuePatternCheck
    - ValueEntropyBase32Check
    - ValueBase32DataCheck
    - ValueTokenBase32Check
  min_line_len: 16
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: OpenAI Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![.0-9A-Za-z_-])(?P<value>sk-[0-9A-Za-z_-]{16,32}(T3BlbkFJ|9wZW5BS|PcGVuQU)[0-9A-Za-z_-]{16,32})(?![0-9A-Za-z_-])
  min_line_len: 51
  filter_type:
    - ValuePatternCheck
    - ValueEntropyBase64Check
  required_substrings:
    - T3BlbkFJ
    - 9wZW5BS
    - PcGVuQU
  target:
    - code
    - doc

- name: Docker Swarm Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![.0-9A-Za-z_-])(?P<value>SWMTKN-1-[0-9a-z]{50}-[0-9a-z]{25})(?![0-9A-Za-z_-])
  min_line_len: 85
  filter_type:
    - ValueCoupleKeywordCheck
  required_substrings:
    - SWMTKN-1-
  target:
    - code
    - doc

- name: Groq API Key
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>gsk_[0-9A-Za-z_-]{52})(?![0-9A-Za-z_-])
  min_line_len: 56
  filter_type:
    - ValuePatternCheck
    - ValueEntropyBase64Check
  required_substrings:
    - gsk_
  target:
    - code
    - doc

- name: Hugging Face User Access Token
  severity: high
  confidence: moderate
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>hf_[0-9A-Za-z_-]{34})(?![0-9A-Za-z_-])
  min_line_len: 37
  filter_type:
    - ValuePatternCheck
    - ValueEntropyBase64Check
  required_substrings:
    - hf_
  target:
    - code
    - doc

- name: Discord Bot Token
  severity: high
  confidence: strong
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>[NMO][ADgjQTwz][0-9A-Za-z_-]{22,26}\.[0-9A-Za-z_-]{6}\.[0-9A-Za-z_-]{30,40})(?![0-9A-Za-z_-])
  min_line_len: 62
  filter_type:
    - ValueDiscordBotCheck
  required_substrings:
    - M
    - N
    - O
  required_regex: "[0-9A-Za-z_/+-]{15}"
  target:
    - code
    - doc

- name: Tencent WeChat API App ID
  severity: medium
  confidence: weak
  type: pattern
  values:
    - (?<![0-9A-Za-z_-])(?P<value>wx[0-9a-f]{16})(?![0-9A-Za-z_-])
  min_line_len: 18
  filter_type: TokenPattern
  required_substrings:
    - wx
  target:
    - code
    - doc