version: v0.1
Comments / Notes:
- Removed from Secret Scanning for private repositories: https://github.blog/changelog/2021-10-18-secret-scanning-no-longer-supports-azure-sql-connection-strings-in-private-repos/
Pattern Format
(?i)[a-z][a-z0-9-]+\.database(?:\.secure)?\.(?:(?:windows|usgovcloudapi)\.net|chinacloudapi\.cn|cloudapi\.de)version: v0.1
Pattern Format
eyJrIjoi[A-Za-z0-9_=-]{42}version: v0.1
Comments / Notes:
- Deprecated (supported by Secret Scanning)
Pattern Format
SG\.[a-zA-Z0-9-]{5,}\.[a-zA-Z0-9-]{5,}End Pattern
\z|[^a-zA-Z0-9-]version: v0.1
Pattern Format
[a-fA-F0-9]{64}Start Pattern
(?:(?:\A|[\r\n])\[auth\][^[]*\ntoken\s*=|(?:\A|\b)SENTRY_AUTH_TOKEN\s*=|(?:\A|\b)sentry-cli [^\r\n]*--auth-token |(?:\A|\b)auth\.token\s*=)\s*['"`]?End Pattern
\z|\s|['"`]Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Match:
\d\D|\D\d
version: v0.1
Pattern Format
[a-fA-F0-9]{32}Start Pattern
(?:(?:\A|[\r\n])\[auth\][^[]*\napi_key\s*=|(?:\A|\b)SENTRY_API_KEY\s*=|(?:\A|\b)sentry-cli [^\r\n]*--api-key |(?:\A|\b)auth\.api_key\s*=)\s*['"`]?End Pattern
\z|\s|['"`]Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Match:
\d\D|\D\d
version: v0.1
Comments / Notes:
- The secret part of the DSN is optional and effectively deprecated, and should be removed from the DSN: https://docs.sentry.io/product/sentry-basics/dsn-explainer
Pattern Format
[a-fA-F0-9]{32}Start Pattern
https://[a-fA-F0-9]{32}:End Pattern
@([a-z0-9-.]+\.)?sentry\.io(?:/[^?#]*)?/\d+Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Match:
\d\D|\D\d
version: v0.1
Pattern Format
(?:[a-fA-F0-9]{32}|[a-fA-F0-9]{64})Start Pattern
new SentryPlugin\(\s*\{[^}]*[,\n \t]apiKey:\s*['"]End Pattern
['"]Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Match:
\d\D|\D\d
version: v0.1
Pattern Format
[a-fA-F0-9]{64}Start Pattern
(?:\A|[\r\n])provider "sentry" {[^}]*[\n \t]token\s*=\s*['"]End Pattern
['"]Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Match:
\d\D|\D\d
version: v0.1
Comments / Notes:
- Okta token, starting with
00and 40 random alphanumeric with _ and -
Pattern Format
(0{2}[0-9A-Za-z_-]{40})Start Pattern
(\A|[^0-9A-Za-z_+/-])End Pattern
(\z|[^0-9A-Za-z_+/=-])Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Not Match:
[0-9A-Fa-f-]{30}
-
Not Match:
[a-zA-Z_-]{30}
-
Not Match:
^\d+(\.\d+)?e[+-]?\d+$
-
Not Match:
[\d_]{30}
version: v0.1
Comments / Notes:
-
Uses surrounding context to reduce false positives
-
Either
SSWSthen the token, or a variable startingoktafollowed by an assignment operator, then the token
Pattern Format
0{2}[0-9A-Za-z_-]{40}Start Pattern
(\bSSWS\s{1,5}|(?i)okta[_-]?(api[_-]?)?(token|key|secret)\s{0,28}([:=]|[=-]>|to|[!=]={1,2}|<>)\s{0,28}['"`]?)End Pattern
\z|[^0-9A-Za-z_+/=-]version: v0.1
Comments / Notes:
- Looks for surrounding context to confirm this is a DataDog API key, not some other 32-byte hex string
Pattern Format
[a-f0-9]{32}Start Pattern
(\A|\b)(((?i)(DD|DATADOG)_API_KEY)['"]?\s*(value)?[=:,]\s*['"]?|new DataDogWinston\({[^}]*apiKey:\s*'|terraformer import datadog [^\n]*--api-key=|provider "datadog" {[^}]*api_key\s*=\s*")End Pattern
\z|\bAdditional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Not Match:
^0+$
-
Not Match:
^1+$
-
Not Match:
^ef8d5de700e7989468166c40fc8a0ccd$
-
Not Match:
^(a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5|1234567890abcdef1234567890abcdef)$
version: v0.1
Comments / Notes:
- Looks for surrounding context to confirm this is a DataDog App key, not some other 40-byte hex string
Pattern Format
[a-f0-9]{40}Start Pattern
(\A|\b)(((?i)(DD|DATADOG)_APP(LICATION)?_KEY)['"]?\s*(value)?[=:,]\s*['"]?|new DataDogWinston\({[^}]*apiKey:\s*'|terraformer import datadog [^\n]*--api-key=|provider "datadog" {[^}]*api_key\s*=\s*")End Pattern
\z|\bAdditional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Not Match:
^0+$
-
Not Match:
^1+$
-
Not Match:
a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9
version: v0.1
Pattern Format
https://[a-z-]+\.webhook\.office\.com/webhookb2/[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}@[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}/[^/]+/[a-fA-F0-9]{32}/[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}Start Pattern
\A|\bEnd Pattern
\z|\bAdditional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Not Match:
^https://contoso\.
LaunchDarkly API or SDK key version: v0.1
Pattern Format
(api|sdk)-[a-f0-9-]{8}-[a-f0-9-]{4}-[a-f0-9-]{4}-[a-f0-9-]{4}-[a-f0-9-]{12}Start Pattern
\A|\bEnd Pattern
\z|\bversion: v0.1
Comments / Notes:
-
Looks for surrounding context to confirm this is a PagerDuty API key, not some other 20-byte alphanumeric string
-
The
Token token=prefix is used in an Authorization header; it's possible that a different vendor could use a similar key and this same prefix, causing results that are a different vendor's key
Pattern Format
[A-Za-z0-9_-]{20}Start Pattern
(\A|\b)(?i)((pd|pagerduty)_(service|api)_key['"`]?\s*([:=]|[?:]=|[=-]>)\s*['"`]?|Token token=)End Pattern
\z|\bAdditional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Match:
[A-Z]
-
Match:
[a-z]
-
Not Match:
^(pagerduty|pd)_(service|api)_
version: v0.1
Pattern Format
[0-9]{17}-[0-9a-f]{16}Start Pattern
(\A|\b)oauth_token=End Pattern
\z|\bversion: v0.1
Pattern Format
[0-9a-f]{32}Start Pattern
https:\/\/api\.flickr\.com\/services\/rest\/?([^ ]+&)?api_key=End Pattern
\z|\bversion: v0.1
Pattern Format
[0-9a-zA-Z]{20}Start Pattern
(\A|\b)(?i)_?(browserstack|bs|automate)_?\.?((Access|Auth)_?Key|Password)['"`]?\s*([:=]|[?:]=|[=-]>|,)\s*['"`]?End Pattern
\z|[^a-zA-Z0-9/+_-]version: v0.1
Pattern Format
[0-9a-zA-Z]{20}Start Pattern
(\A|\b)(?i)_?(Access|Auth)_?Key['"`]?\s*([:=]|[?:]=|[=-]>|,)\s*['"`]?End Pattern
\z|[^a-zA-Z0-9/+_-]version: v0.1
Pattern Format
[^:]+:[0-9a-zA-Z]{20}Start Pattern
https?://End Pattern
@hub-cloud\.browserstack\.com/version: v0.1
Pattern Format
[A-Za-z0-9]{24}Start Pattern
(\A|\b|[_.-])(?i)vercel[_.-]?((access|api)[_.-]?)?token\s*[=:]\s*['"]?End Pattern
\z|\s|['"]version: v0.1
Pattern Format
[A-Za-z0-9]{24}Start Pattern
(\A|\b)(?i)vercel[_.-]?((access|api)[_.-]?)?token\s*[=:]\s*['"]?End Pattern
\z|\s|['"]version: v0.1
Pattern Format
[A-Za-z0-9]{24}Start Pattern
(\A|\b)vercel [^\r\n]*--token=End Pattern
\z|\sversion: v0.1
Pattern Format
[A-Za-z0-9]{24}Start Pattern
(?i)client[._]?Id[:=]\s*['"]?oac_[A-Za-z0-9]{24}['"]?[^\n]*\n[^\n]*client[._]?Secret\s*[:=]\s*['"]?End Pattern
\z|[^A-Za-z.+/=_-]version: v0.1
Pattern Format
[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89ab][a-f0-9]{3}-[a-f0-9]{12}Start Pattern
(\b|\A)(?i)Bearer[ ]End Pattern
\b|\zversion: v0.1
Pattern Format
[a-zA-Z0-9~_.-]{34}Start Pattern
(?i)(client|azure[a-z_.-]{0,10})(key|secret|password|pwd|token)[a-z_.-]{0,9}\b['"`]?(\s{0,5}[\]\)])?\s{0,3}([:,=]|[=-]>|to|[!=]={1,2}|<>)?\s{0,5}([[{])?['"`]?End Pattern
\z|["'`]|\sAdditional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Match:
[A-Z][a-z]|[A-Z][a-z]
-
Match:
[0-9][A-Za-z]|[A-Za-z][0-9]
-
Match:
[.~_-][A-Za-z0-9]|[A-Za-z0-9][.~_-]
version: v0.1
Pattern Format
[a-fA-F0-9]{40}Start Pattern
(?i)(private_key_id|google_api_key)['"`]?(\s*[\]\)])?\s*([:,=]|[=-]>|to|[!=]={1,2}|<>)?\s*([[{])?['"`]?End Pattern
\b|\zOpenStack password or API key version: v0.1
Pattern Format
[^'",\r\n \t\x00-\x08]+Start Pattern
(?i)OPEN_?STACK_(PASSWORD|API_?KEY)[_A-Z]*['"`]?(\s*[\]\)])?\s*([:,=]|[=-]>|to|[!=]={1,2}|<>)?\s*([[{])?['"`]?End Pattern
['"\r\n,]|\zAdditional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Not Match:
^(ENV|[a-z_]+)\[$
-
Not Match:
^<%=.*%>$
-
Not Match:
^([a-z_]+\.api_?key|self\.[a-z_]+|os\.environ\.get\()$
-
Not Match:
^(\$\{?[A-Z]+\}?|<password>|\s+)$
-
Not Match:
^(@?[a-z_]+\[:.*\]|@[a-z_]+)$
AlienVault OTX API key version: v0.1
Pattern Format
[a-f0-9]{64}|[a-f0-9]{40}Start Pattern
(?i)ALIENVAULT(_?OTX)?(_?API)?_?KEY['"`]?(\s*[\]\)])?\s*([:,=]|[=-]>|to|[!=]={1,2}|<>)?\s*([[{])?['"`]?End Pattern
['"`\r\n,]|\zApollo.io API key version: v0.1
Pattern Format
service:[A-Za-z0-9-]+:[^\s'"`,\x00-\x08\x7f-\xff]+Start Pattern
(?i)key['"`]?(\s*[\]\)])?\s*([:,=]|[=-]>|to|[!=]={1,2}|<>)?\s*([[{])?['"`]?End Pattern
['"`,]|\z|\sClickUp API key version: v0.1
Pattern Format
pk_[0-9]{6,8}_[A-Z0-9]{32}Start Pattern
\b|\AEnd Pattern
\b|\zAmazon MWS Auth Token version: v0.1
Pattern Format
amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}Start Pattern
\b|\AEnd Pattern
\b|\zJenkins API token version: v0.1
Pattern Format
[a-f0-9]{32,64}Start Pattern
(?i)jenkins_?(api[_-]?)?(token|secret|key)['"`]?(\s*[\]\)])?\s*([:,=]|[=-]>|to|[!=]={1,2}|<>)?\s*([[{])?['"`]?End Pattern
['"`\r\n,]|\zAWS S3 presigned URL version: v0.1
Pattern Format
https://[a-z-]+\.s3\.amazonaws\.com/[^?\s'"`\r\n]+\?[^\s'"`\r\n]+&X-Amz-Signature=[^\s'"`\r\n]+Start Pattern
\b|\AEnd Pattern
['"`\r\n,]|\zAzure Access Key in context in a variable assignment - legacy key format without internal identifiable features version: v0.1
Comments / Notes:
-
This is a legacy format for Azure Access Keys. The key is base64 encoded and encodes a fixed length key, so we know its length and that it always end in
==. -
The key lacks internal identifiable features, which are used in modern keys issued by these Azure services.
-
The use of
+instead of{86}in the regex pattern is due to limitations of secret scanning - make sure you use the "additional match" to constrain the length
Pattern Format
[A-Za-z0-9/+]+==Start Pattern
(\A|\b)(?i)(AZURE|ACCOUNT)(_?ACCESS|_?STORAGE(_?ACCOUNT)?)?_?KEY['"`]?(\s*[\]\)])?\s*([:,=]|[=-]>|to|[!=]={1,2}|<>)?\s*([[{])?['"`]?End Pattern
['"`\r\n,]|\zAdditional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Match:
^[A-Za-z0-9/+]{86}==$
Azure Shared Access Signature (SAS) Token version: v0.1
Comments / Notes:
-
This is a Shared Access Signature (SAS) token for Azure services. See these examples
-
The token is a URL query string parameter, and the signature is a base64 encoded HMAC-SHA256 hash, so is a fixed length in plain text and always ends in =
-
When encoded in a URL, the
+character is replaced with%2B, the/character is replaced with%2F, and the=character is replaced with%3D -
Because of the variable length of the characters (beacuse of the URL encoding), we use
{43,}to match the signature -
We ignore
https://files.oaiusercontent.com/because they are URLs for images generated by ChatGPT
Pattern Format
(https://[^?]+\?)?[^\s?/]*\bsig=([A-Za-z0-9]|%2[bfBF]){43,}%3[dD][^\s?/]*Start Pattern
\b|\AEnd Pattern
\z|\s|['"`]Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
-
Match:
(^|&)sv=[0-9]{4}-[0-9]{2}-[0-9]{2}
-
Match:
(^|&)se=[0-9]{4}-[0-9]{2}-[0-9]{2}
-
Match:
(^|&)st=[0-9]{4}-[0-9]{2}-[0-9]{2}
-
Not Match:
^https://files\.oaiusercontent\.com/
CircleCI API token version: v0.1
Pattern Format
[a-f0-9]{40}Start Pattern
(?i)circle[_-]?(ci[_.-]?)?(api[_.-]?)?(token|key)['"`]?(\s*[\]\)])?\s*([:,=]|[=-]>|to|[!=]={1,2}|<>)?\s*([[{])?['"`]?End Pattern
['"`\r\n,]|\z